Create Self Service Policies Only Jamf Admins Can Use


I'm hoping I'm missing something obvious but I'm stumped. I want to have a number of policies available in Self Service that are only available when a member of the IT team is logged into Self Service on that computer.

For example, if an employee is having problems, we can log into Self Service and run an policy to gather diagnostics and save it to Jamf.

But these policies should not be available all the time. 

So the goal is to have them scoped to "All Computers" but use Limitations for specific Jamf Pro admin users.

But... when I go to use one of these tools, they start and then disappear and say "This item is no longer available."

If I take away the user limitation, they work just fine; but I can't have these laying around all the time.

What am I doing wrong?

2. Scope - Limit.png1. Scope - All.png3. SS - Pre-Login.png4. SS - Login.png5. SS - Now Logged In.png6. SS - No Longer Available.png


Honored Contributor II

Im having a similar issue with policy limitations I have a ticket with JAMF on. However for mine, I can limit to a user name without issue but I cannot limit to a group.


For users, the user name must match what is logged in to service and what is in the IDP. If you check JAMFs Cloud Identity Providers/LDAP Servers and perform a test against chad, is that user account pulling up?

Valued Contributor II

I have some policies that are scoped to only specific LDAP groups. I'm not sure if this will help but my scoping is setup as "All Computers" and "Specific Users". My limitation is set to two LDAP groups. Here are some screenshots. I noticed your scope is set to "All Users". I have my policy setup with an ongoing frequency because I want these users to be able to use the policies again. This policy in my screenshot allows the users to change a specific smart group that their Mac is assigned to.

Contributor III

I created an "ICT Team" Smart User Group that looks at the position titles that we pull in from our Okta LDAP integration and scoped the policies to that group

New Contributor III

You can create a group inside Users called "IT Team" and add all the members inside. 

Once you do, instead of using Limitations, you can use Specific users -> Choose the group "IT Team"
Set computers to "Specific computers" (this way its not available to all computers)
Remove anything on Limitation.

Scenario: when you are controlling the user/client's computer, you can go to self-service -sign in as yourself (IT member) and the app would be available.

Contributor II

Hey Chad! I always have followed the method @sudoErase laid out for this & it's worked for me. I would also just check your Self Service login settings to make sure you have login enabled or required.