Does anyone know of a good way to exclude a site from a Policy? I have our security policies deployed to all sites but a new group coming in has different needs. It would be easier to exclude them from the current policy and let them create their own, than to clone the current policy for all sites (minus the new one).
As far as I can see, I can't scope by site or create a smart group based on a site.
We have an EA that stores the site in the computer inventory and then we use that to make smart groups which could be used as an exclusion. The EA is a script that uses the UUID of the device to look up its Site and then record it in device inventory. All of this pain in the neck to work around Jamf not exposing Site as a scoping item.
We use a few different methods, one being the EA that @ega mentioned, but if you do not want to wait for an EA to populate you can use a Smart Group.
Create a Smart Group for the site and set the criteria to something that is always true, or false, like
computer name not like <blank>. Or better, since a NULL character could sneak its way in there and that wouldn't technically be blank:
Computer Name Matches REGEX ^s*?
That works for us. Of course, we do not use any criteria at all but we've been told that shouldn't work.
Only way other than editing each individual policy would be to use the API to do so. You can create a script that loops through all of your policies, or you can read a CSV file of individual policy IDs to update.
Just know that if there is a scope other than "All Computers" on the policies you will need to read in the existing scope and add it back as you update the policy via API. If you only update the policy via API with the exclusion I believe it will wipe out the existing scope.
If your scope is All Computers on all of your policies and you just want to add an exclusion, the tags would be like this:
You would put the ID # of the group to add where it says "ID" above. If you have multiple, you just add more
Agree with @stevewood - script + API. Test thoroughly though. Believe it's still an issue that policies scoped to users and user groups would not show those members when the policy is viewed in the API. i.e. you'll lose those objects from the scope if modifying via script and API.
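An added example (not code from any poster in this thread) of the read-modify-write step the replies above describe: take the policy XML you fetched, keep its existing scope, and add one excluded computer group. The element names (`scope`, `exclusions`, `computer_groups`, `computer_group`, `id`), the partial-update behaviour of sending only `<scope>`, and the sample XML are assumptions based on the Jamf Classic API policy format; the HTTP GET/PUT calls are left out so the block runs offline.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample of a fetched policy record (trimmed); not from a real server.
SAMPLE_POLICY = """<policy>
  <general><id>42</id><name>Security Baseline</name></general>
  <scope>
    <all_computers>false</all_computers>
    <computer_groups>
      <computer_group><id>7</id><name>Managed Macs</name></computer_group>
    </computer_groups>
    <exclusions>
      <computer_groups>
        <computer_group><id>12</id><name>Lab Machines</name></computer_group>
      </computer_groups>
    </exclusions>
  </scope>
</policy>"""


def excluded_group_ids(scope):
    """IDs of computer groups already listed under scope/exclusions."""
    path = "exclusions/computer_groups/computer_group/id"
    return [int(e.text) for e in scope.findall(path)]


def add_exclusion(policy_xml, group_id):
    """Build an update body that keeps the existing scope and adds one excluded group."""
    scope = ET.fromstring(policy_xml).find("scope")
    if scope is None:
        raise ValueError("policy XML has no <scope>; refusing to build an update")
    scope = copy.deepcopy(scope)  # carries every target and exclusion the API returned
    if group_id not in excluded_group_ids(scope):  # idempotent on re-runs
        exclusions = scope.find("exclusions")
        if exclusions is None:
            exclusions = ET.SubElement(scope, "exclusions")
        groups = exclusions.find("computer_groups")
        if groups is None:
            groups = ET.SubElement(exclusions, "computer_groups")
        ET.SubElement(ET.SubElement(groups, "computer_group"), "id").text = str(group_id)
    body = ET.Element("policy")
    body.append(scope)  # body carries only <scope> (assumed partial update)
    return ET.tostring(body, encoding="unicode")


if __name__ == "__main__":
    print(add_exclusion(SAMPLE_POLICY, 99))  # 99 is a hypothetical group ID
```

Run it against one test policy first and compare the scope in the console before and after, since the thread notes that user and user-group targets may not appear in what the API returns and so would not be carried over.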