Jamf Nation Community

@mhasman - we do exactly that here. As was said, you scope your policy (limit it) by LDAP group. Works very well.
You say you "can not assign" - what exactly do you mean?

I wonder do not scope by LDAP group but create individual JSS User Accounts by LDAP accounts, collect those to JSS User Group, and then assign the policy to this JSS User Group - if possible

@davidacland @scottb - I got it! I see how to limit by JSS User Group. It does non pop-up with available list of users/groups, but works by name. Thank you!

UPD. Tested. It works, but not exactly how I want.

In the policy scope under "Limitations" I can add LDAP account, LDAP Group and any account which is already added to "JSS Use Accounts" (there is no pop-up list with "JSS Use Accounts" when adding). But it still does not work for "JSS User Groups".

The idea is to add few LDAP accounts to "JSS Use Accounts", then collect those to "JSS User Group", and assign policy to that particular group of users. Yes, policy should be scopped to "All computers" and limited by JSS User Group. Now if works for LDAP groups only, right?

Wonder if I should add it to the Future Requests.

I'm lost. Are the users assigned (in AD, prior) to the correct scoped LDAP group that you're limiting to?
I might be mis-reading your post, but I have no issues limiting Self Service options to members of LDAP AD groups.

Maybe put in a sample of the workflow you need?

Scott, adding LDAP group to Scope-Limitations works great. But I wonder to add "JSS User Group" to Scope-Limitations anyhow

@mhasman - OK, I think I know what you mean. I created a group that I believe is what you want. I can't do it at this moment, but I will post it up in a screen shot as soon as I can...

@mhasman - it's really kinda convoluted. It took me about 20 mins to figure out how I did it before.

So let me see if I have what you want. I create a group "Test". Within that group I want to add either an LDAP user or LDAP group or both?

I'm in a pinch here at work, so I may not be back here today...sorry. Maybe in the meantime someone else can assist. Just make sure that the policy is scoped to Self Service before you try to add groups, etc. as they won't show up until you do.

Like that :)

Scott, I appreciate your help!

>Within that group I want to add either an LDAP user or LDAP group or both?

Just LDAP users, please

@mhasman - I apologize. I was thinking about the groups one can create and use to give rights to aspects of the JSS - it does not allow that in the Policy section. I see now what you meant and I'm sorry I confused the two. Voted up your request. We should indeed be able to add local groups to the scope - it's the only one that's oddly omitted there. Sorry for the confusion.

Thank you Scott!

JSS Users are meant to be completely separate from client Users.
Are you able to have all of these JSS admin users added to a group in your AD, and then scope it that way?