Create Self Service Policies Only Jamf Admins Can Use

chadlawson
Contributor

I'm hoping I'm missing something obvious but I'm stumped. I want to have a number of policies available in Self Service that are only available when a member of the IT team is logged into Self Service on that computer.

For example, if an employee is having problems, we can log into Self Service and run a policy to gather diagnostics and save it to Jamf.

But these policies should not be available all the time.

So the goal is to have them scoped to "All Computers" but use Limitations for specific Jamf Pro admin users.

But... when I go to use one of these tools, they start and then disappear and say "This item is no longer available."

If I take away the user limitation, they work just fine; but I can't have these laying around all the time.

What am I doing wrong?

[Attached screenshots: 1. Scope - All; 2. Scope - Limit; 3. SS - Pre-Login; 4. SS - Login; 5. SS - Now Logged In; 6. SS - No Longer Available]

5 REPLIES

AJPinto
Honored Contributor II

I'm having a similar issue with policy limitations I have a ticket with JAMF on. However for mine, I can limit to a user name without issue but I cannot limit to a group.

For users, the user name must match what is logged in to service and what is in the IDP. If you check JAMF's Cloud Identity Providers/LDAP Servers and perform a test against chad, is that user account pulling up?

howie_isaacks
Valued Contributor II

I have some policies that are scoped to only specific LDAP groups. I'm not sure if this will help but my scoping is set up as "All Computers" and "Specific Users". My limitation is set to two LDAP groups. Here are some screenshots. I noticed your scope is set to "All Users". I have my policy set up with an ongoing frequency because I want these users to be able to use the policies again. This policy in my screenshot allows the users to change a specific smart group that their Mac is assigned to.

mickgrant
Contributor III

I created an "ICT Team" Smart User Group that looks at the position titles that we pull in from our Okta LDAP integration and scoped the policies to that group.

sudoErase
New Contributor III

You can create a group inside Users called "IT Team" and add all the members inside.

Once you do, instead of using Limitations, you can use Specific users -> Choose the group "IT Team"
Set computers to "Specific computers" (this way it's not available to all computers)
Remove anything on Limitation.

Scenario: when you are controlling the user/client's computer, you can go to Self Service, sign in as yourself (IT member), and the app would be available.

brockwalters
Contributor II

Hey Chad! I always have followed the method @sudoErase laid out for this & it's worked for me. I would also just check your Self Service login settings to make sure you have login enabled or required.