Custom Trigger [only] policy doesn't allow LDAP Group Limitation

CCNapier
Contributor

Just checking this is expected:

Any policy I create that ONLY has a custom trigger DOES NOT display "LDAP GROUP" in the Scope Limitations section.

In theory this means that anyone who knows a trigger name can invoke it, and we can't limit it to, say, technicians. I assume this has something to do with SU being required to invoke triggers (IIRC).

-edit-
However, if you set the LDAP GROUP limitation BEFORE you set it as custom trigger only, it appears to remain (although it may not work).

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

The only triggers that can use LDAP groups or LDAP users are Login, Logout and Self Service, to my knowledge. All other triggers, like custom triggers, cannot use LDAP information, because the LDAP info for the logged-in user doesn't get captured at those times, only on the above triggers.

As far as the scope limitation remaining if you set it before, I have a feeling that is a bug, since I doubt it will work once all of the main triggers mentioned above are removed from the policy.


3 REPLIES


CCNapier
Contributor

Fair enough; the bug is inconsequential if the trigger is behaving correctly anyway.
From an academic point of view, it is a bit of a shame that a trigger can be invoked by anyone who has SU, though, but we have no real reason to prevent it for the few policies we have set this way.

mm2270
Legendary Contributor III

Yeah, I get what you're saying with that. Maybe it would make sense to move those into Self Service policies, where you might be able to make use of LDAP groups and have a tech 'log in' to Self Service as themselves for it to show up. That may not always be a possible scenario. There is always this, though: https://jamfnation.jamfsoftware.com/featureRequest.html?id=2365

There are some other ideas I have on what you may be able to do to prevent unauthorized calling of the policy trigger, but it would be kind of tricky and may not even be worth the effort.
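As an added example (not code from this thread, from Jamf, or from either poster): since a custom-trigger policy cannot carry an LDAP Group scope limitation, the only place left to enforce "technicians only" is inside the policy's own script. The guard below refuses to do the policy's work unless the account that ran `sudo jamf policy -event <trigger>` belongs to an allowed group. It assumes the group names `technicians` and `helpdesk`, that the policy script still sees the `SUDO_USER` variable sudo sets for the calling account, and that `id -Gn <user>` reflects directory-bound group membership on the Mac; all three are assumptions, not documented Jamf behaviour.

```shell
#!/bin/sh
# Added example, not from the thread. Guard for a policy script that runs
# from a custom trigger, where the Jamf "LDAP Group" limitation is not
# offered. The policy still runs as root; this only refuses the payload
# unless the invoking account is in an allowed group.

# Assumed group names; override with ALLOWED_GROUPS in the environment.
ALLOWED_GROUPS="${ALLOWED_GROUPS:-technicians helpdesk}"

# user_in_allowed_groups USERGROUPS [ALLOWED]
#   USERGROUPS: space-separated group list for the caller (output of `id -Gn`)
#   ALLOWED:    space-separated allowed groups (defaults to ALLOWED_GROUPS)
# Returns 0 when at least one of the caller's groups is allowed, else 1.
user_in_allowed_groups() {
    user_groups="$1"
    allowed="${2:-$ALLOWED_GROUPS}"
    for g in $user_groups; do
        for a in $allowed; do
            [ "$g" = "$a" ] && return 0
        done
    done
    return 1
}

# invoking_user: the account that ran sudo (assumed to survive into the
# policy script), falling back to the current user. Caveat: anyone who is
# already root can set SUDO_USER to any value or run the payload directly,
# so this guards against mistakes, not against a malicious admin.
invoking_user() {
    if [ -n "${SUDO_USER:-}" ] && [ "$SUDO_USER" != "root" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        id -un
    fi
}

# groups_of USER: group membership as the OS resolves it, which on a
# directory-bound Mac is assumed to include LDAP/AD groups.
groups_of() {
    id -Gn "$1" 2>/dev/null
}

# main: the check the policy script would run before its real work.
main() {
    caller=$(invoking_user)
    if user_in_allowed_groups "$(groups_of "$caller")"; then
        echo "authorized: $caller is in an allowed group; running policy payload"
        # ... the actual policy payload goes here ...
        return 0
    fi
    echo "refused: $caller is not in any of: $ALLOWED_GROUPS" >&2
    return 1
}

# Run the check only when invoked with --run, so the functions can also be
# sourced into a larger policy script.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

In the policy, the real work sits where the payload comment is, and the script exits non-zero on refusal so the policy log records the attempt. Because the Jamf binary runs the script as root, treat this as a speed bump for users with admin rights who stumble on a trigger name, not as an access control equivalent to the scope limitation the thread is asking for.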