- Jamf Nation Community
- Products
- Jamf Pro
- Re: JAMF Self Service Policy Scoped Only to Local ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-02-2023 01:25 PM
I am trying to create a policy in Self Service that is scoped out to all devices, but is only accessible for a certain local admin account to install/run. When devices are enrolled, a default local admin account is automatically created and we do not use LDAP, so I'm trying to find a way to limit this policy from being run by unauthorized users. Is there any way to accomplish this? Or is there perhaps a way to require admin credentials be entered before the policy can run?
The policy works great when I scope it to a test device, but as soon as I add the local admin account to the limitations, the policy is removed and disappears from Self Service.
Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-02-2023 08:17 PM
Scoping to users works when users sign into Self Service, not when signing into the computer itself. So you'd need to enable the ability to sign into Self Service, and make sure local admin account exists as an account you can log into Jamf with as well.
Most commonly, at least that I'm aware of, people scope policies to groups in their IDP that is integrated into Jamf - that way people in specific IDP groups can log into Self Service to get specific additional policies made available to them, regardless of what computer they're at.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-02-2023 08:17 PM
Scoping to users works when users sign into Self Service, not when signing into the computer itself. So you'd need to enable the ability to sign into Self Service, and make sure local admin account exists as an account you can log into Jamf with as well.
Most commonly, at least that I'm aware of, people scope policies to groups in their IDP that is integrated into Jamf - that way people in specific IDP groups can log into Self Service to get specific additional policies made available to them, regardless of what computer they're at.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-06-2023 06:15 AM
Thank you! I was able to create a user account in JAMF to log into Self Service with and I could view the policy. The policy I created (to bind the machine to AD) isn't working, but I'm thinking that's unrelated and this got me started. Thanks again!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-02-2023 08:46 PM
There is 2 ways you can do this,
1st as dennisnardi said, make it available in self service and scope to that user. So you can from that computer.
If the policy will run if that local account logged in, then you can write a simple script to run policy (adjust triggers the way you want)
#!/bin/sh
loggedInUser=$(stat -f %Su /dev/console)
localadmin="whateveryourlocaladmin"
policyTrigger="put-your-policy-trigger-here"
# Check if the desired account logged in
if [ "${loggedInUser}" == "${localadmin}" ]; then
echo "Local admin logged in. Running policy"
jamf policy -event "$policyTrigger"
exit 0
else
echo "different user exitin"
exit 1
fi
