Posted on 03-13-2020 09:28 AM
I'm setting up some new policies, and I'm scoping them to specific computers or small groups of computers. However, almost every time I set up a narrow scope like this, there are an additional 20 or so computers that show up. One time I scoped the policy to a particular subnet, and that seemed to work properly. But every other time, even if the scope is specifically for just one computer, these extra computers show up.
Any suggestions on what's going on or where I can look? I'm guessing it's something in the configuration of those extra computers (it's the same ones every time), but I can't seem to figure out what it is.
Thanks in advance for your assistance.
Solved! Go to Solution.
Posted on 03-13-2020 11:31 AM
@carlito On the Targets page for your Policy's Scope is it set to Specific Computers and Specific Users?
Posted on 03-13-2020 09:30 AM
@carlito Are you using a Smart Computer Group to target your Policy? If yes, do the extra computers show up when you View the Smart Group?
Posted on 03-13-2020 09:35 AM
@sdagley No, I'm scoping it to the particular computer(s) directly. Under scope I target it to Specific Computers and then I add the computer(s) directly.
Posted on 03-13-2020 10:50 AM
I double-checked. One of the groups I did use a Smart Group for, targeting computers 10.9 and below (Operating System less than or equal to 10.9.5). And in that group there are some 10.14 and 10.15 machines that show up for some reason. But the rest of the policies are scoped to target computers specifically, not by Smart Group. The same extra computers do show up in all instances though.
Posted on 03-13-2020 10:50 AM
@carlito If you're enabling a Policy for a static list of computers I'd recommend creating a Static Computer Group, and use the group as the policy's target. It's much easier to script, or use a tool like MUT, for modifying the membership of a Static Computer Group than it it to modify the target scope of a policy.
Posted on 03-13-2020 11:27 AM
Thanks for the suggestion. I created a static group and added just 2 computers into it. I rescoped the policy to target that static group. It's still showing the extra 20 computers. Is that the expected behavior? Do I need to recreate the policy?
Also, I'm still trying to track down why those same 20 extra 10.14 and 10.15 machines would show up in a smart group targeted to 10.9 machines.
Posted on 03-13-2020 11:31 AM
@carlito On the Targets page for your Policy's Scope is it set to Specific Computers and Specific Users?
Posted on 03-13-2020 11:43 AM
Ah, that was it. I had them set to All Users, not understanding how All Users works. I switched them to Specific Users and now they work as designed. (Those extra machines had users attached to them based on how they were enrolled, which I believe is why they showed up with All Users.) I did a little reading on how All Users/Specific Users works, and I think I'm set now. Thank you very much for your assistance @sdagley.