Posted on 10-11-2012 07:38 AM
We currently have local accounts and AD accounts on our laptops. Is there any way to have a policy enact based on a smart group that will only enact the policy just for AD users? I am sure that this will have to be scripted, I just don't know where to start...
Thanks everyone!
Posted on 10-11-2012 07:54 AM
Under the scope of the policy you should be able to use the "Limit this Policy to the following Users" and select an AD group.
Posted on 10-11-2012 08:28 AM
We currently are in testing phase so at present no laptops are enrolled. But when they are will I be able to set this scope to all active directory users and potential new ones? In other words I am not looking to scope based on an AD user. I am looking to scope based on the entire AD group. So if a new user logs in to his laptop with his AD account he will automatically be included in this scope based on the fact that he is an AD user and not individually based.
Thanks for your help!
Posted on 10-11-2012 08:48 AM
Yup. We have a policy that is set to run at logon ONLY for users who are members of a particular AD group. Local (non-AD) accounts that log on do not get that policy. Any new AD accounts that get added to that particular group will run it if/when they log on.
Posted on 10-11-2012 09:45 AM
So is there a smart group that you have put together for this? If so how is it set up?
I see that I can add individual users as a scope, but I don't want to manually add each potential AD user. I would rather have the scope based on a smart group that automatically adds users to that group based on the fact that they are AD users.
Thanks!
Posted on 10-11-2012 10:05 AM
I have the policy assigned to Smart Groups, which restricts the policy to being run only on those machines. The Smart Groups are based on the computer name and OS.
Next, I limit the policy based on AD user groups. If you click on "Add User Group" under "Limit this Policy to the following Users" you will be able to type in and look up the AD group that your users are a member of.
So if the machine isn't a member of the smartgroup: Policy won't run.
If the machine is a member of the smartgroup but the user logging in is NOT a member of the AD user group: Policy won't run.
Machine IS member of smartgroup and user IS member of AD group: Magic happens.
I wish there was a nice/easy way to plug in a screenshot here...
Posted on 10-11-2012 10:17 AM
When you say click on "Add User Group" under "Limit this Policy to the following Users" where is that exactly? I see under Scope for the policy an option to add individual users...but that is not it, right?
Thanks!
Posted on 10-11-2012 10:26 AM
I see it now. It appears not to be an option on an already set up policy. I guess you only have that choice when creating a new policy. Now if I can find what the names of the AD groups are.
Thanks, I will let you know how I do!
Posted on 10-11-2012 02:39 PM
Thanks for your help today. While we ended up not using it for now, it did open the discussion on creating a group in AD for just OS X users as opposed to simply domain users. I could see us using this down the road. Thanks for your help and patience!