Exclude a Site From a Policy

akw0045
New Contributor III

Does anyone know of a good way to exclude a site from a Policy? I have our security policies deployed to all sites but a new group coming in has different needs. It would be easier to exclude them from the current policy and let them create their own, than to clone the current policy for all sites (minus the new one).

As far as I can see, I can't scope by site or create a smart group based on a site.

Any suggestions?

9 REPLIES 9

hdsreid
Contributor III

you can make a smart group based on the building name
scope -> exclusions -> building to exclude them OR you can choose the group here
then make a new policy and assign it to only that group

edit: nevermind i confused site terminology in jamf with location, my bad

ega
Contributor II

We have an EA that stores the site in the computer inventory and then we use that to make a smart groups which could be used as an exclusion. The EA is a script that uses the UUID of the device to lookup it's Site and then record it in device inventory. All of this pain in the neck to work around Jamf not exposing Site as a scoping item.

stevewood
Honored Contributor II

@akw0045

We use a few different methods, one being the EA that @ega mentioned, but if you do not want to wait for an EA to populate you can use a Smart Group.

Create a Smart Group for the site and set the criteria to something that is always true, or false, like computer name not like <blank>. Or better, since a NULL character could sneak it's way in there and that wouldn't technically be blank:

Computer Name Matches REGEX ^s*?

That works for us. Of course, we do not use any criteria at all but we've been told that shouldn't work.

Sorry for bumping such an old thread, but just wanted to give a shoutout to @stevewood for the smart group suggestion. I've played with it a bit today and it seems to work perfectly! Exactly what I was looking for, thank you!

Brad_G
Contributor II

Even easier, if you create a smart group in a site with no criteria, by default all devices match. We name the search group All Computers - Site - SiteName.

You could then exclude this group from your policy.

Rohitds14
New Contributor III

i want to exclude a site from all the policies (not one by one), and all policies are set to site=none,
Any way i can achieve that.
Thanks in advance

stevewood
Honored Contributor II

@Rohitds14

Only way other than editing each individual policy would be to use the API to do so. You can create a script that loops through all of your policies, or you can read a CSV file of individual policy IDs to update.

Just know that if there is a scope other than "All Computers" on the policies you will need to read in the existing scope and add it back as you update the policy via API. If you only update the policy via API with the exclusion I believe it will wipe out the existing scope.

If your scope is All Computers on all of your policies and you just want to add an exclusion, the tags would be like this:

<policy><scope><all_computers>true</all_computers><exclusions><computer_groups><computer_group><id>ID</id></computer_group></computer_groups></exclusions></policy>

You would put the ID # of the group to add where it says "ID" above. If you have multiple, you just add more <computer_group><id>ID</id></computer_group> sections.

Make sense?

leslie
Contributor II

Agree with @stevewood - script + API. Test thoroughly though. Believe it's still an issue that policies scoped to users and user groups would not show those members when the policy is viewed in the API. i.e. you'll lose those objects from the scope if modifying via script and API.

Rohitds14
New Contributor III

@stevewood @leslie thanks for the idea.. Will have a look.