Enrollment Question

tduffy
New Contributor

Hello,

I'm new to using Casper and I have a question about user enrollment.

Our Casper instance is connected to Active Directory, and when I go through the user enrollment process I get to the section that's labeled "Assign to User", but when I put my username in the field and search, all I see are my computer names that are in Active Directory.

Is this the way it should be? What does this function do? Am I linking the user to the computer at this point?

Thanks for your assistance!

Terry

1 REPLY

cpdecker
Contributor III

We use this feature to attach devices (iPads and Macs) to Active Directory usernames. When you attach a device to an AD name this way (via enrollment or manually in the JSS inventory record for a particular device after enrollment), the JSS will create the same username in its own database but it does tie back to the matching AD username. For instance, the JSS can perform an AD lookup for user 'cdecker' when it finds it associated with a device, but if the username 'cdecker' is changed or deleted from Active Directory, the JSS database will still have it. If you want to delete it or change it in the JSS, you'd still have to do that manually on the JSS side. If the AD username were changed to 'cpatrick' (in the event of a last name change, e.g.), the inventory record would have to be manually updated for any devices which were tied to cdecker in order to maintain an appropriate AD lookup.

Be aware also that if you use an AD name that matches a JSS user account name (like what you would use to sign into the JSS web GUI), my experience has been that the associated name will not be populated or changed from whatever it previously was in the inventory record.

This setup allows us to scope Apps, policies, config profiles, etc. to Active Directory groups. For a specific example, we might have App X that we purchased only for 3rd graders at School A. Since our AD user account creation is automated via a script that pulls in data from our student information system, we don't have to get a list of 3rd graders and assign App X to them and then maintain that list in the JSS interface; we simply scope that App to all users and LIMIT it to the AD group "School A 3rd Graders". When the JSS goes to assign the App, it knows that devices Y and Z belong to a user in the School A 3rd Graders group, and assigns the license to those iPads.

If you do have username objects in AD but can't see them when you do a lookup, you might have your LDAP server mappings set up incorrectly or the account you're using for the login may have insufficient permissions to see the relevant part of your domain. You can test user, group, and group membership status lookups by going to JSS Settings > LDAP Servers > Specific Server > Test. This will help you figure out if your LDAP settings are correct.

I am not an expert on this topic or any topic but this is just my 2 cents--I hope it is helpful.
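An added example, not part of the original thread and not JSS code: a small offline model of how a user-lookup mapping decides what a username search returns, showing how a wrong search base or an object class of "user" alone brings back computer accounts. The entries, the example.org names, the mapping keys and the prefix-match behaviour are all assumptions made for illustration.

```python
# Constructed directory entries (not from the thread). In Active Directory the
# computer class derives from user, so computer accounts also carry "user".
PERSON = ["top", "person", "organizationalPerson", "user"]
ENTRIES = [
    {"dn": "CN=Terry Duffy,OU=Staff,DC=example,DC=org",
     "objectClass": PERSON, "sAMAccountName": "tduffy"},
    {"dn": "CN=TDUFFY-MBP,CN=Computers,DC=example,DC=org",
     "objectClass": PERSON + ["computer"], "sAMAccountName": "TDUFFY-MBP$"},
    {"dn": "CN=TDUFFY-IMAC,CN=Computers,DC=example,DC=org",
     "objectClass": PERSON + ["computer"], "sAMAccountName": "TDUFFY-IMAC$"},
]

def search(mapping, term):
    """Emulate a subtree lookup: entries under the search base that have the
    mapped object class and whose username attribute starts with the term
    (prefix match and case-insensitivity are assumptions of this model)."""
    base = "," + mapping["search_base"].lower()
    wanted = mapping["object_class"].lower()
    hits = []
    for entry in ENTRIES:
        under_base = ("," + entry["dn"].lower()).endswith(base)
        has_class = wanted in [c.lower() for c in entry["objectClass"]]
        name = entry.get(mapping["username_attr"], "").lower()
        if under_base and has_class and name.startswith(term.lower()):
            hits.append(entry)
    return hits

def check(mapping, term):
    """Split a lookup's results into real users and computer accounts."""
    result = {"users": [], "computers": []}
    for entry in search(mapping, term):
        kind = "computers" if "computer" in entry["objectClass"] else "users"
        result[kind].append(entry["sAMAccountName"])
    return result

# Hypothetical mappings; the key names are this example's, not the JSS's.
WHOLE_DOMAIN = {"search_base": "DC=example,DC=org",
                "object_class": "user", "username_attr": "sAMAccountName"}
COMPUTERS_BASE = dict(WHOLE_DOMAIN, search_base="CN=Computers,DC=example,DC=org")
STAFF_OU = dict(WHOLE_DOMAIN, search_base="OU=Staff,DC=example,DC=org")

if __name__ == "__main__":
    for label, mapping in (("whole domain", WHOLE_DOMAIN),
                           ("computers container", COMPUTERS_BASE),
                           ("staff OU", STAFF_OU)):
        print(label, check(mapping, "tduffy"))
```

In this model only the mapping whose search base is limited to the OU holding user accounts returns the user without any computer accounts.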