Jamf - OU or AD groups policies

KRIECCO
Contributor

What is the best way of using Jamf, in regards to applying policies?

Is it possible in Jamf to apply policies to OUs, or AD groups, or both?

What is the best practice in regards to that? Today all Mac computers are created in AD in the same location as Windows computers are. So the question is whether it would make sense to split them up into a separate AD group or use OUs to apply Jamf policies.


tsossong
New Contributor III

You can set up a smart group looking for a certain user group a user is in. I don't think that will work for computers. Besides that, you can bind computers to a certain OU with the AD bind policy.

SDamianoINWK
New Contributor III

Apple doesn't speak GPO, so GPO workflows, such as applying something to an entire OU, don't apply to Jamf.

You can, however, scope user AD groups for policies and configuration profiles.

easyedc
Valued Contributor II

Depends on what your end goal is. For us, we generally create smart groups looking for certain X (files, apps, directory, etc.) and then the policies apply to those smart groups. In other situations, it's a deploy to all. All depends on how you need it to work.

donmontalvo
Esteemed Contributor III

Came up with a workflow that helped in several companies:

Get assigned user:

#!/bin/bash

# Create folder for the output file
/bin/mkdir -p /Library/COMPANY/APIscripts
/bin/chmod -R 755 /Library/COMPANY/APIscripts
/usr/sbin/chown root:staff /Library/COMPANY/APIscripts

# Parameters (passed from the Jamf policy as script parameters 4-6)
apiUser="$4"
apiPass="$5"
jssURL="$6"
outputFile="/Library/COMPANY/APIscripts/checkAssignedUser.txt"

# Hardware UUID of this Mac, used to look the computer record up in the JSS
uuid=$( /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/grep UUID | /usr/bin/awk '{ print $3 }' | /usr/bin/sed -e 's/"//g' )

# Ask the Classic API for the username in the computer's Location section.
# -k skips TLS certificate verification; drop it once the JSS certificate is trusted.
# Newer macOS releases ship an xpath that expects "-e" before the expression.
assignedUser=$( /usr/bin/curl -s -k -u "${apiUser}:${apiPass}" "${jssURL}/JSSResource/computers/udid/${uuid}" | /usr/bin/xpath '/computer/location/username/text()' 2>/dev/null )

/bin/echo "${assignedUser}" > "${outputFile}"

exit 0

Get LDAP groups for assigned user:

#!/bin/bash

# Create script folder
/bin/mkdir -p /Library/COMPANY/LDAP
/usr/sbin/chown -R root:wheel /Library/COMPANY/LDAP
/bin/chmod -R 755 /Library/COMPANY/LDAP

# Parameters (passed from the Jamf policy as script parameters 4-7)
ldapUser="$4"
ldapPass="$5"
ldapUrl="$6"
ldapDns="$7"
assignedUser=$( /bin/cat /Library/COMPANY/APIscripts/checkAssignedUser.txt )
outputFile="/Library/COMPANY/LDAP/LDAP_Groups.txt"

# Nothing to look up if the first script found no assigned user
if [ -z "${assignedUser}" ]
then
    echo "No assigned user recorded, exiting..."
    exit 0
fi

# LDAP query: one group CN per line, taken from the user's memberOf values.
# The bind password given with -w is visible in the process list while
# ldapsearch runs; ldapsearch -y <file> reads it from a root-only file instead.
if ping -c 1 "${ldapDns}" > /dev/null 2>&1
then
    echo "LDAP reachable, running query..."
    /usr/bin/ldapsearch -LLL -H "${ldapUrl}" -x -D "${ldapUser}" -w "${ldapPass}" -b "dc=XXXX,dc=XXXX,dc=XXXX" "sAMAccountName=${assignedUser}" | grep memberOf | cut -f2 -d "=" | cut -f1 -d "," > "${outputFile}"
else
    echo "LDAP not reachable, exiting..."
fi

exit 0

Check assigned user per LDAP group:

#!/bin/bash

# Extension attribute: reports whether the assigned user is in one LDAP group
ldapGroup="NameOfLDAPgroup"

#---- Do not edit below ----

file="/Library/COMPANY/LDAP/LDAP_Groups.txt"

# -F: take the group name literally, -x: match the whole line, so that
# "Mac Admins" does not also count as a member of "Mac Admins Test"
if [ -f "${file}" ] && grep -qFx -- "${ldapGroup}" "${file}"; then
    echo "<result>Member</result>"
else
    echo "<result>NotAMember</result>"
fi

Then create your Smart Computer Groups.

PS: we went with ldapsearch to avoid searching the local dscl cache.

HTH,
Don

--
https://donmontalvo.com
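Three details the workflow above leaves to the reader, as an added example that is not Don's code, Jamf's, or from this thread: escaping the assigned username before it goes into the LDAP filter, parsing the memberOf values that ldapsearch -LLL returns (including folded continuation lines and base64-encoded values, which a plain grep/cut pipeline does not decode), and matching the group name exactly so that "Mac Admins" is not also counted as a member of "Mac Admins Test". The user, DNs, group names and the LDIF are constructed samples; base64 --decode is assumed to be available, as it is on macOS and with GNU coreutils.

```shell
#!/bin/bash
# Added example (not code from the thread): turn the memberOf values that
# "ldapsearch -LLL" prints into bare group names and check membership by
# exact match. The LDIF, DNs and group names below are constructed samples.

# Escape a value for use inside an LDAP search filter (RFC 4515) so that a
# username containing \ * ( or ) cannot change the meaning of the filter.
ldap_escape_filter_value() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for one sAMAccountName, built from the escaped value.
ldap_user_filter() {
    printf '(sAMAccountName=%s)' "$(ldap_escape_filter_value "$1")"
}

# Read LDIF on stdin and print one group CN per line. LDIF folds long values
# onto continuation lines that start with a space, and writes values that are
# not safe ASCII (umlauts, leading or trailing spaces) as base64 after "::".
# Escaped commas inside a CN (CN=Last\, First) are not handled here.
ldif_group_names() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | while IFS= read -r line; do
        case "$line" in
            "memberOf:: "*) dn=$(printf '%s' "${line#memberOf:: }" | base64 --decode) ;;
            "memberOf: "*)  dn=${line#memberOf: } ;;
            *)              continue ;;
        esac
        # First RDN is the CN; stop at the first comma
        printf '%s\n' "$dn" | sed -n 's/^[Cc][Nn]=\([^,]*\),.*/\1/p'
    done
}

# Exact, literal match against the group file (no substring matches).
is_member() {
    grep -qFx -- "$1" "$2"
}

# Extension-attribute style result for one group.
ea_result() {
    if [ -f "$2" ] && is_member "$1" "$2"; then
        echo "<result>Member</result>"
    else
        echo "<result>NotAMember</result>"
    fi
}

# Constructed ldapsearch output for a user in three groups: one plain value,
# one folded across two lines, and one base64 value (CN=Zürich,DC=x).
sample_ldif() {
    cat <<'EOF'
dn: CN=jdoe,OU=Users,DC=corp,DC=example
sAMAccountName: jdoe
memberOf: CN=Mac Admins,OU=Groups,DC=corp,DC=example
memberOf: CN=Mac Admins Test,OU=Groups,DC=corp,DC=e
 xample
memberOf:: Q049WsO8cmljaCxEQz14

EOF
}

# Run with --demo to see the filter, the parsed group list and two EA results
if [ "${1:-}" = "--demo" ]; then
    groups_file=$(mktemp)
    sample_ldif | ldif_group_names > "$groups_file"
    echo "filter: $(ldap_user_filter 'j*doe')"
    cat "$groups_file"
    ea_result "Mac Admins" "$groups_file"
    ea_result "Mac Admin" "$groups_file"
    rm -f "$groups_file"
fi
```

In the real workflow the output of ldap_user_filter would replace the bare sAMAccountName argument to ldapsearch, and ldif_group_names would replace the grep/cut pipeline that writes LDAP_Groups.txt; the extension attribute then only needs ea_result.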

KRIECCO
Contributor

Thanks for the response. When saying applying policies, it is not Windows policies I am thinking about, but applying policies from Jamf to e.g. OUs or AD groups. But as I understand it, it is AD groups that are supported.