Jamf 10.32 and AzureAD - Cannot use LDAP group memberships for policies?

abfajerman
New Contributor II

I'm trying to scope and limit policies to group memberships derived from AzureAD (via Cloud Identity Provider). I can query for directory users and get "true" for membership, and I can search for the group and add it to the Limitations section of the policy. But when I try to test the policy on a Mac that was enrolled by a user in that group, the policy isn't available; the Mac doesn't even come up in the policy logs. If I try this with a regular LDAP connection, the logic works. Is this a bug of some kind or is there some limitation in place? Or perhaps I missed a step to linking the local/enrollment user and the AzureAD groups that the user is in?

3 REPLIES 3

Tribruin
Valued Contributor II

This has been a problem with me for a while now. I can scope to LDAP (Azure) groups to Policies, but not to Profiles. 

abfajerman
New Contributor II

I can't scope either of them. I'll go back and check my settings but it shouldn't be this tricky to implement.

danny_b
New Contributor II

The LDAP limitations in scoping require the local macOS username to match a directory username. My guess is to check the attribute mapping for the username field in the LDAP Server setting vs. the Cloud Identity Provier setting in Jamf Pro. Did you also try whether a login to Self Service made the policy show up / the Mac fall into the scope?