Jamf Nation Community

mhasman · ‎06-11-2015

Hello,
Would you please recommend me the best workflow to get policy assigned to JSS User Account/Group? We use LDAP, and I can collect JSS User Accounts to the group, but can not assign the policy to that group of JSS users. The idea is to get some policies available in Self Service when particular user is logged in to Self Service - on any computer. Hope that possibility is available in JSS somewhere, and I just can't find where is it.
Thanks!

davidacland · ‎06-11-2015

Hi, you need to scope to the computers but then limit by ldap group.

scottb · ‎06-11-2015

@mhasman - we do exactly that here. As was said, you scope your policy (limit it) by LDAP group. Works very well.
You say you "can not assign" - what exactly do you mean?

mhasman · ‎06-11-2015

I wonder do not scope by LDAP group but create individual JSS User Accounts by LDAP accounts, collect those to JSS User Group, and then assign the policy to this JSS User Group - if possible

mhasman · ‎06-11-2015

@davidacland @scottb - I got it! I see how to limit by JSS User Group. It does non pop-up with available list of users/groups, but works by name. Thank you!

mhasman · ‎06-11-2015

UPD. Tested. It works, but not exactly how I want.

In the policy scope under "Limitations" I can add LDAP account, LDAP Group and any account which is already added to "JSS Use Accounts" (there is no pop-up list with "JSS Use Accounts" when adding). But it still does not work for "JSS User Groups".

The idea is to add few LDAP accounts to "JSS Use Accounts", then collect those to "JSS User Group", and assign policy to that particular group of users. Yes, policy should be scopped to "All computers" and limited by JSS User Group. Now if works for LDAP groups only, right?

Wonder if I should add it to the Future Requests.

scottb · ‎06-11-2015

I'm lost. Are the users assigned (in AD, prior) to the correct scoped LDAP group that you're limiting to?
I might be mis-reading your post, but I have no issues limiting Self Service options to members of LDAP AD groups.

Maybe put in a sample of the workflow you need?

mhasman · ‎06-11-2015

Scott, adding LDAP group to Scope-Limitations works great. But I wonder to add "JSS User Group" to Scope-Limitations anyhow

scottb · ‎06-11-2015

@mhasman - OK, I think I know what you mean. I created a group that I believe is what you want. I can't do it at this moment, but I will post it up in a screen shot as soon as I can...

scottb · ‎06-11-2015

@mhasman - it's really kinda convoluted. It took me about 20 mins to figure out how I did it before.

So let me see if I have what you want. I create a group "Test". Within that group I want to add either an LDAP user or LDAP group or both?

I'm in a pinch here at work, so I may not be back here today...sorry. Maybe in the meantime someone else can assist. Just make sure that the policy is scoped to Self Service before you try to add groups, etc. as they won't show up until you do.

mhasman · ‎06-11-2015

Like that :)

mhasman · ‎06-11-2015

Scott, I appreciate your help!

mhasman · ‎06-11-2015

>Within that group I want to add either an LDAP user or LDAP group or both?

Just LDAP users, please

scottb · ‎06-11-2015

@mhasman - I apologize. I was thinking about the groups one can create and use to give rights to aspects of the JSS - it does not allow that in the Policy section. I see now what you meant and I'm sorry I confused the two. Voted up your request. We should indeed be able to add local groups to the scope - it's the only one that's oddly omitted there. Sorry for the confusion.

mhasman · ‎06-11-2015

Thank you Scott!

Simmo · ‎06-11-2015

JSS Users are meant to be completely separate from client Users.
Are you able to have all of these JSS admin users added to a group in your AD, and then scope it that way?

Jamf Nation Community

How to assign policy to JSS User Group