Posted on 04-03-2018 02:08 AM
What is the best way of using Jamf, in regards to applying policies?
Is it possible in Jamf to apply policies to OUs, or AD groups, or both?
What is the best practice in regards to that? Today all Mac computers are created in AD in the same location as the Windows computers are. So the question is whether it would make sense to split them up into a separate AD group or use OUs to apply Jamf policies.
Posted on 04-03-2018 05:24 AM
You can set up a smart group looking for a certain user group a user is in. I don't think that will work for computers. Besides that, you can bind computers to a certain OU with the AD bind policy.
Posted on 04-03-2018 08:59 AM
Apple doesn't speak GPO, so GPO workflows, such as applying something to an entire OU, don't apply to Jamf.
You can, however, scope user AD groups for policies and configuration profiles.
Posted on 04-03-2018 09:44 AM
Depends on what your end goal is. For us, we generally create smart groups looking for a certain X (files, apps, directory, etc.) and then the policies apply to those smart groups. In other situations, it's a deploy to all. All depends on how you need it to work.
Posted on 04-03-2018 09:57 AM
Came up with a workflow that helped in several companies:
Get assigned user:
#!/bin/bash
# Create folder
/bin/mkdir -p /Library/COMPANY/APIscripts
/bin/chmod -R 755 /Library/COMPANY/APIscripts
/usr/sbin/chown root:staff /Library/COMPANY/APIscripts
# Parameters (passed from the Jamf policy as script parameters 4-6)
apiUser="$4"
apiPass="$5"
jssURL="$6"
outputFile="/Library/COMPANY/APIscripts/checkAssignedUser.txt"
# Hardware UUID of this Mac, used to look the computer record up in the JSS
uuid=$( /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | /usr/bin/grep UUID | /usr/bin/awk '{ print $3 }' | /usr/bin/sed -e 's/"//g' )
# Fetch the computer record from the Classic API and pull out the assigned username.
# Note: -k disables TLS certificate verification; drop it once the JSS certificate is trusted by the client.
assignedUser=$( /usr/bin/curl -s -k -u "${apiUser}:${apiPass}" "${jssURL}/JSSResource/computers/udid/${uuid}" | /usr/bin/xpath '/computer/location/username/text()' 2>/dev/null )
/bin/echo "${assignedUser}" > "${outputFile}"
exit 0
Get LDAP groups for assigned user:
#!/bin/bash
# Create script folder
/bin/mkdir -p /Library/COMPANY/LDAP
/usr/sbin/chown -R root:wheel /Library/COMPANY/LDAP
/bin/chmod -R 755 /Library/COMPANY/LDAP
# Parameters (passed from the Jamf policy as script parameters 4-7)
ldapUser="$4"
ldapPass="$5"
ldapUrl="$6"
ldapDns="$7"
assignedUser=$( /bin/cat /Library/COMPANY/APIscripts/checkAssignedUser.txt )
outputFile="/Library/COMPANY/LDAP/LDAP_Groups.txt"
# Nothing to look up if the API script did not record an assigned user
if [ -z "${assignedUser}" ]; then
    echo "No assigned user recorded, exiting..."
    exit 0
fi
# LDAP query
if ping -c 1 "${ldapDns}" &> /dev/null
then
    echo "LDAP reachable, running query..."
    # -o ldif-wrap=no keeps long group DNs on one line so the cut below does not split them;
    # only the memberOf attribute is requested. -w exposes the bind password in the process
    # list (ps); prefer -y <passfile> and an ldaps:// URL in production.
    /usr/bin/ldapsearch -LLL -o ldif-wrap=no -H "${ldapUrl}" -x -D "${ldapUser}" -w "${ldapPass}" -b "dc=XXXX,dc=XXXX,dc=XXXX" "sAMAccountName=${assignedUser}" memberOf | grep memberOf | cut -f2 -d "=" | cut -f1 -d "," > "${outputFile}"
else
    echo "LDAP not reachable, exiting..."
fi
exit 0
Check assigned user per LDAP group:
#!/bin/bash
ldapGroup="NameOfLDAPgroup"
#---- Do not edit below ----
file="/Library/COMPANY/LDAP/LDAP_Groups.txt"
# -F -x: match the whole line literally, so "Admins" does not match "DomainAdmins";
# -i: AD group names are case-insensitive. A missing file reports NotAMember.
if grep -Fxqi -- "${ldapGroup}" "${file}" 2>/dev/null; then
    echo "<result>Member</result>"
else
    echo "<result>NotAMember</result>"
fi
Then create your Smart Computer Groups.
PS, we went with ldapsearch to avoid searching the local dscl cache.
HTH,
Don
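The workflow above stands or falls on how the ldapsearch output is turned into group names and how the extension attribute matches them. The following is an added example, not Don's code and not from the original post: it parses a constructed sample of `ldapsearch -LLL` output (invented group and domain names, including an LDIF-folded line and a CN with an escaped comma) into one group CN per line, and checks membership with a whole-line, case-insensitive match so that "Admins" and "Mac Admins" are never confused.

```shell
#!/bin/bash
# Added example, not from the original post: parse `ldapsearch -LLL` output
# into group names and check membership with an exact match.

# Constructed sample output, standing in for what the LDAP script writes.
# It includes an LDIF-folded line (continuation lines start with one space)
# and a CN containing an escaped comma; group and domain names are invented.
SAMPLE_LDIF='dn: CN=Jane Doe,OU=Users,DC=example,DC=com
memberOf: CN=Mac Admins,OU=Groups,DC=example,DC=com
memberOf: CN=Engineering Mac Users with a deliberately long group name,OU=
 Groups,DC=example,DC=com
memberOf: CN=Doe\, Jane Direct Reports,OU=Groups,DC=example,DC=com
memberOf: CN=Admins,OU=Groups,DC=example,DC=com
'

# Join LDIF continuation lines back onto the line they belong to.
unfold_ldif() {
  awk '
    /^ / { line = line substr($0, 2); next }
         { if (NR > 1) print line; line = $0 }
    END  { print line }
  '
}

# Print one group CN per line: the value after "memberOf: CN=" up to the
# first unescaped comma, with the backslash dropped from escaped characters.
group_cns() {
  unfold_ldif | awk '
    /^memberOf: CN=/ {
      s = substr($0, 14); cn = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (c == "\\")     { i++; cn = cn substr(s, i, 1) }
        else if (c == ",") { break }
        else               { cn = cn c }
      }
      print cn
    }'
}

# Exit 0 if the group named in $1 appears in the LDIF read from stdin.
# -F -x -i: literal, whole-line, case-insensitive, so "Admins" is not
# matched by "Mac Admins" and vice versa.
is_member() {
  group_cns | grep -Fxqi -- "$1"
}

# What the extension attribute would report for group $1 over the sample data.
ea_result() {
  if printf '%s' "$SAMPLE_LDIF" | is_member "$1"; then
    printf '<result>Member</result>\n'
  else
    printf '<result>NotAMember</result>\n'
  fi
}

printf '%s' "$SAMPLE_LDIF" | group_cns
ea_result "Admins"
ea_result "Doe, Jane Direct Reports"
```

In a real extension attribute, `group_cns` would read the file the LDAP script wrote (or the raw ldapsearch output) instead of `SAMPLE_LDIF`; the parsing and matching stay the same.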
Posted on 04-03-2018 10:22 PM
Thanks for the response. When I say applying policies, it is not Windows policies I am thinking about, but applying policies from Jamf to e.g. an OU or AD groups. But as I understand it, it is AD groups that are supported.