Posted on 01-29-2020 06:09 AM
Does anyone know of a good way to exclude a site from a Policy? I have our security policies deployed to all sites but a new group coming in has different needs. It would be easier to exclude them from the current policy and let them create their own, than to clone the current policy for all sites (minus the new one).
As far as I can see, I can't scope by site or create a smart group based on a site.
Any suggestions?
Posted on 01-29-2020 06:13 AM
You can make a smart group based on the building name.
Scope -> Exclusions -> Building to exclude them, OR you can choose the group here.
Then make a new policy and assign it to only that group.
Edit: never mind, I confused site terminology in Jamf with location, my bad.
Posted on 01-29-2020 06:41 AM
We have an EA that stores the site in the computer inventory and then we use that to make a smart group which could be used as an exclusion. The EA is a script that uses the UUID of the device to look up its Site and then record it in device inventory. All of this is a pain in the neck to work around Jamf not exposing Site as a scoping item.
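What an extension attribute like the one @ega describes can look like, as an added example (this is not ega's script, and none of it comes from the thread). It assumes a Jamf Pro Classic API endpoint of the form /JSSResource/computers/udid/<udid>/subset/general, a read-only API account, and Basic auth still being enabled on the Classic API; the URL, account and password below are placeholders. Newer Jamf Pro releases expect a bearer token from /api/v1/auth/token instead of Basic auth. Configure it in Jamf as a script-type EA with a string data type.

```python
#!/usr/bin/env python3
"""Jamf extension attribute: report this Mac's Jamf Site, looked up by UDID.

Added example, not the EA from the post above. Assumptions (all hypothetical):
  - JSS_URL / JSS_USER / JSS_PASS point at a Jamf Pro server with an account
    that can only *read* computer records.
  - Basic auth is enabled on the Classic API (newer Jamf Pro versions require
    a bearer token from /api/v1/auth/token instead).
  - /JSSResource/computers/udid/<udid>/subset/general returns XML shaped like
    <computer><general>...<site><id>N</id><name>Site</name></site></general></computer>
"""
import base64
import subprocess
import urllib.request
import xml.etree.ElementTree as ET

JSS_URL = "https://jss.example.com:8443"   # hypothetical
JSS_USER = "ea-site-reader"                # hypothetical read-only account
JSS_PASS = "change-me"                     # hypothetical; this script lands on every Mac,
                                           # so keep the account's rights minimal


def local_udid():
    """Return the hardware UUID of this Mac (what Jamf calls the UDID)."""
    out = subprocess.run(
        ["ioreg", "-rd1", "-c", "IOPlatformExpertDevice"],
        capture_output=True, text=True, check=True,
    ).stdout
    for line in out.splitlines():
        if "IOPlatformUUID" in line:
            # line looks like:   "IOPlatformUUID" = "XXXXXXXX-XXXX-...."
            return line.split('"')[-2]
    raise RuntimeError("IOPlatformUUID not found in ioreg output")


def site_name_from_xml(xml_text):
    """Extract general/site/name from the computer record.

    Falls back to "None", which is also the name the API shows for a computer
    that is not assigned to any site, so the smart-group criterion can simply
    be "Site is <name>" / "Site is not None".
    """
    root = ET.fromstring(xml_text)
    node = root.find("./general/site/name")
    if node is None or not (node.text or "").strip():
        return "None"
    return node.text.strip()


def fetch_general_xml(udid):
    """GET the 'general' subset of this computer's inventory record."""
    url = f"{JSS_URL}/JSSResource/computers/udid/{udid}/subset/general"
    token = base64.b64encode(f"{JSS_USER}:{JSS_PASS}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/xml",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def main():
    try:
        site = site_name_from_xml(fetch_general_xml(local_udid()))
    except Exception as exc:
        # An EA that raises makes the whole inventory submission noisy;
        # report the failure as the value instead so it is visible in Jamf.
        site = f"ERROR: {exc}"
    print(f"<result>{site}</result>")


if __name__ == "__main__":
    main()
```

Because the EA only updates when the Mac submits inventory, the smart group built on it lags behind site moves by up to one recon interval, which is the delay the next post mentions; scoping a policy that relies on this group should allow for that window.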
Posted on 01-29-2020 07:08 AM
We use a few different methods, one being the EA that @ega mentioned, but if you do not want to wait for an EA to populate you can use a Smart Group.
Create a Smart Group for the site and set the criteria to something that is always true, or false, like Computer Name not like <blank>. Or better, since a NULL character could sneak its way in there and that wouldn't technically be blank:
Computer Name Matches REGEX ^s*?
That works for us. Of course, we do not use any criteria at all but we've been told that shouldn't work.
Posted on 07-16-2021 12:59 PM
Sorry for bumping such an old thread, but just wanted to give a shoutout to @stevewood for the smart group suggestion. I've played with it a bit today and it seems to work perfectly! Exactly what I was looking for, thank you!
Posted on 01-29-2020 07:52 AM
Even easier, if you create a smart group in a site with no criteria, by default all devices match. We name the search group All Computers - Site - SiteName.
You could then exclude this group from your policy.
Posted on 04-22-2020 03:05 AM
I want to exclude a site from all the policies (not one by one), and all policies are set to site=none.
Is there any way I can achieve that?
Thanks in advance.
Posted on 04-22-2020 07:13 AM
Only way other than editing each individual policy would be to use the API to do so. You can create a script that loops through all of your policies, or you can read a CSV file of individual policy IDs to update.
Just know that if there is a scope other than "All Computers" on the policies you will need to read in the existing scope and add it back as you update the policy via API. If you only update the policy via API with the exclusion I believe it will wipe out the existing scope.
If your scope is All Computers on all of your policies and you just want to add an exclusion, the tags would be like this:
<policy><scope><all_computers>true</all_computers><exclusions><computer_groups><computer_group><id>ID</id></computer_group></computer_groups></exclusions></policy>
You would put the ID # of the group to add where it says "ID" above. If you have multiple, you just add more <computer_group><id>ID</id></computer_group> sections.
Make sense?
Posted on 04-22-2020 08:21 AM
Agree with @stevewood - script + API. Test thoroughly though. Believe it's still an issue that policies scoped to users and user groups would not show those members when the policy is viewed in the API. i.e. you'll lose those objects from the scope if modifying via script and API.
Posted on 04-22-2020 08:34 AM
@stevewood @leslie thanks for the idea.. Will have a look.