Jamf Nation Community

Hi @colorenz 

Thank you for your answer.

We only use between 1 and 5 groups in scopes per object.

Do you have an LDAP server also configured in addition to an Azure cloud IdP?

ok, maybe the problem is there then.
We have both configured. We don't dare to remove the link with Active Directory because we don't know the exact consequences with the access to self service, Jamf Remote and Jamf admin.

We use the Azure login for the self service with MFA. We do not have Jamf remote and Jamf Admin in use.

OK. Thank you for your help.
We will continue the tests by trying to remove the link with our Active Directory.

On the other hand, if I understood correctly, for access to JSS with Azure AD groups, it will be necessary to create standard groups and users in JSS with the same name as the groups and users in Azure AD?

Thank you very much for your help.

We will test all of this.

Maybe update to 10.34 first. They PI affected a lot components... SSO Login / Scoping / The Computer Management Tab...

Thanks for the advice

We updated our dev instance. We will do this on our production.

indeed it appears to be exactly the same symptom.

Well, we just have to hope that Jamf fixes this problem in the next releases.

Thank you for taking the time to research, it's super nice

Hello, 

I have another question.

Is it mandatory to activate SSO to access JSS with an Azure AD account?
Because with SSO, I do it well (by creating the standard groups/users corresponding to the Azure AD groups/users).
But without SSO, this is no longer possible.

It's normal.

Thank you

Unfortunately, I can't tell you that. We do it that way so that we can also use MFA.

A year and 10+ Cloud instance upgrades later and the problem hasn't gone away. Can't use Azure AD groups for limitations. And the hassle of re-creating all Azure AD groups in JAMF is not feasible. 

Yes mapping is setup correctly

Yes Testing a user/group shows up correctly

Yes we are only using Cloud Azure AD no on-Prem Connection.

Yes we are targeting all computer specific user (Limitation Azure AD Group) no exclusions and the software does not show up in Self-Service. 

Has anyone else had any luck? we only use JAMF for macOS not for Iphone/Ipad (Intune only for those) 

Hey.

Yes, this is still an issue. I contacted Jamf Support last month and they replied:

"I have checked the PI104479 and it is still opened. Issue was investigated in depth and it would likely require a significant change across the board in how scoping works and is designed. Our developers team is working on finding the best solution for the situation. Unfortunately, we do not have ETR for the issue yet."

We're now on Jamf Pro 10.44.1 and yet this issue is still there.

And yet we are now Jamf Pro 11.0, and the issue still has not been addressed..

This is working now after having Jamf Cloud Ops turn on a tool. Submit a support ticket to have "the Knob" turned on for your cloud instance. This tool allows for Azure AD group limitations to function for user lookup. It is off by default.

The scenario we tested for:

Users are given licenses for adobe product in Azure

The install application is configured in JAMF PRO for all users limited to the Azure AD group {xxxxxx}

Application installs, and Uninstall break fix only shows for the limiting group set in scope.

Requirements:

Self-service SSO must not be forced {Login Method: Allow users to login | Cannot be set to required}

Additionally, the user must be assigned to the computer in the inventory record as this is what Jamf Pro uses to determine the membership for the scoping.