Exclude LDAP users from Restricted Software?

junderwood
New Contributor III

Hello JAMFNation!

I'm a relative noob. My company has restricted DropBox via the "Restricted Software" feature in JAMF. How do I add LDAP users to the exclusions list? Not seeing an obvious answer to this elsewhere on JAMFNation.

We already have a few LDAP users on the exclusions list for this restriction; I just need to add one more. But when I select "Scope" and then try to add an additional exclusion, I get only the option to exclude computers, buildings, groups, or departments.

Thanks!

1 ACCEPTED SOLUTION

junderwood
New Contributor III

We were running v9.61. Just updated to v9.65 and the issue is now resolved. I guess it stopped working at some point in 9.61, but 9.65 fixed it. LDAP exclusions option appears as it should. Thanks for the help!


9 REPLIES

mm2270
Legendary Contributor III

EDIT: Ah, I didn't read your post fully. I see that you tried the steps below. Sounds to me like your JSS isn't actually tied into your LDAP environment. You need to go into System Settings > LDAP Servers and make sure you add your LDAP servers there before the option will be available to you in anything else within the JSS UI.

EDIT 2: It may also be a permissions issue. Are you the one who added in the original LDAP exclusions? If not, ask the admin who set them up if you have the proper JSS permissions to do it. You may not have that.

Go into your JSS and into the Restricted Software item in question.
Click on Edit if necessary to make sure you're in the Edit mode.
Click on the Scope tab, then on the Exclusions tab.
Click the +Add button. In the view that comes up, assuming you've connected your JSS to your LDAP environment, you should see a tab called LDAP/Local Users. Click on that.
Add in the LDAP account by the name you want to add to the Exclusion.
Click Save.

junderwood
New Contributor III

Yes, to clarify, I use the same steps you outlined in your response (pre edits), and the tab for LDAP users is not present. The LDAP servers have been added to our environment, I can see them in System Settings > LDAP Servers. I used the "Test" button there and they verify.

The admin who set up the LDAP, the software restrictions, and the exclusions is no longer available, that's why I posted the question here. Was hoping maybe I was looking in the wrong place for LDAP exclusions. Anyone know why this option would be missing?

mm2270
Legendary Contributor III

Are you logged in as a full JSS Admin when you do this? I'm still thinking there may be a permissions issue at play. Either that or the LDAP connection isn't working anymore. Do you see LDAP options for Users/Groups as either a Scope or Exclusion if you set up a test policy and set the trigger to something like "login"? That's one of the triggers that allows you to choose either Scope or Exclusions to use LDAP information.

junderwood
New Contributor III

I am logged into full JSS as an Admin (I have all privileges activated on my account), v.9.61. I see "LDAP Users" as a Scope/Exclusion option if I create a test "Policy" with login trigger. I searched my own user there and was able to add myself as an exclusion to the test policy.

However, if I create a test "Software Restriction," the LDAP exclusion option is not present. Are you certain this is where the LDAP exclusion option should be? You see it in your JSS under software restrictions?

mm2270
Legendary Contributor III

Yes, I just went in right now to one of our Restricted Software items, clicked on it, clicked Edit, then on Scope, then on Exclusions. When I click the Add button there, I see a list of tabs, one of which is LDAP/Local Users. When I click on that, I see a field where I can add in a name for the exclusion.

You aren't seeing this? What JSS version are you on?

junderwood
New Contributor III

We were running v9.61. Just updated to v9.65 and the issue is now resolved. I guess it stopped working at some point in 9.61, but 9.65 fixed it. LDAP exclusions option appears as it should. Thanks for the help!

Naren
New Contributor III

Just for clarification, does this LDAP exclusion take only individual user accounts, or can we add an Active Directory Security DL which has multiple users in it? Does it work this way?

sdagley
Honored Contributor III

@Naren It works on Groups as well

Naren
New Contributor III

@sdagley, thanks for confirming it. Appreciate it.