JAMF Gsuite LDAP Group Support

cemaccict
New Contributor II

Hi

I have been stuck on an issue for weeks with no solution in sight, attempting to make JAMF support BYOD devices with self-enrolment using Google Suite as the LDAP server.

The two main objectives of our JAMF setup are to:
- Deploy profiles to BYOD Mac devices, with users required to self-enrol and profiles deployed based on group memberships.
- Deploy purchased Mac applications to users based on group memberships.

Currently we have JAMF set up to use GSuite as our cloud provider for both SSO and LDAP.
We are able to successfully test that a user exists in Google Suite, as well as whether the user exists in a group as a member.
This means we are able to create an LDAP group successfully, and users are able to enrol successfully if they are members of that group.

Being a BYOD environment, we have no way of knowing which user owns which device, and the only way we can deploy profiles and applications is by LDAP group membership.

The challenges start when we attempt to deploy a profile/application based on LDAP group membership, where we try to deploy the app scoped to all users and then limited to the LDAP group. We have not been able to get this to work correctly. However, we are able to deploy the profile/application to the user with no issues at all if we list the user as the target or set the scope to all users.

Is anyone else using GSuite as their LDAP service, and have you managed to build it to deploy profiles/applications based on group memberships?

Thanks
Byron

1 ACCEPTED SOLUTION

cemaccict
New Contributor II

Update
We have now resolved this issue by setting a machine-based extension attribute, setting the input type to LDAP Attribute Mapping.
We can then create a smart group that tests this attribute as to whether the user is a member of a specific LDAP group.
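As an added illustration of the logic behind this solution (this is a model written for this page, not Jamf's code or anything from the original post): an extension attribute mapped to an LDAP attribute on the device's assigned user carries the user's group DNs, and a smart-group criterion is then evaluated against that value. The attribute name `memberOf`, the group DNs and the inventory records below are all constructed assumptions. The model also shows why a criterion that compares the whole value exactly misses a group that is only one of several DNs, while a match on the group's `cn` behaves the way a "like" criterion does.

```python
"""
Model of: extension attribute (LDAP Attribute Mapping) -> smart-group criterion.
Constructed sample data; not Jamf code. Assumes the mapped attribute is a
multi-valued memberOf containing full group DNs.
"""
from typing import Iterable


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) RDN pairs.
    Attribute names are lower-cased; escaped commas ('\\,') inside a value are kept."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def group_cn(dn: str) -> str:
    """Return the lower-cased cn of a group DN, or '' if the DN has none."""
    for attr, value in parse_dn(dn):
        if attr == "cn":
            return value.lower()
    return ""


def criterion_is(member_of: Iterable[str], value: str) -> bool:
    """An exact 'is' criterion: only true if one mapped value equals the string verbatim."""
    return any(dn == value for dn in member_of)


def is_member(member_of: Iterable[str], group: str) -> bool:
    """A 'like'-style criterion: true if any mapped DN names the group by cn,
    case-insensitively, regardless of the rest of the DN."""
    return any(group_cn(dn) == group.lower() for dn in member_of)


def scope_computers(inventory: dict, group: str) -> list[str]:
    """Device names whose assigned user's mapped attribute shows membership of `group`."""
    return sorted(name for name, rec in inventory.items()
                  if is_member(rec["memberOf"], group))


# Constructed inventory: device -> assigned user and the mapped attribute's values.
INVENTORY = {
    "byron-mbp": {"user": "byron@example.com",
                  "memberOf": ["cn=byod-macs,ou=Groups,dc=example,dc=com",
                               "cn=staff,ou=Groups,dc=example,dc=com"]},
    "joe-mbp":   {"user": "joe@example.com",
                  "memberOf": ["cn=staff,ou=Groups,dc=example,dc=com"]},
    "guest-air": {"user": "", "memberOf": []},   # no assigned user: never in scope
}

if __name__ == "__main__":
    print(scope_computers(INVENTORY, "BYOD-Macs"))
```

Running it lists only the device whose assigned user carries the `byod-macs` DN; a device with no assigned user is never scoped, which is the reason the mapping only works once self-enrolment has assigned a user to the machine.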

3 REPLIES

cemaccict
New Contributor II

Apologies, I forgot to mention we are using Jamf Cloud.

joeharden
New Contributor II

I am seeing similar behavior with iPads and app installation based on Gsuite group membership.