JSS AD Group Membership Import From AD

GaToRAiD
Contributor II

OK, for a while now I have wanted to be able to scope policies based on AD group membership. While building out policies I noticed this can only be done at login/logout. Finding this out was kind of frustrating, so I decided to come up with a way to do it. So I present a little tool I created to import AD security group memberships into the JSS.

Before I get to the meat of the script, I want to lay out some "guidelines" for the tool. One, our users are the only ones using their machines, so it works one-to-one. We are not a school, so we don't have computer labs; this simplifies the solution. Two, a lot of our users are external, so they are not always able to use an extension attribute at check-in to get up-to-date AD info.

Disclaimer: If you are not comfortable doing any of the following prerequisites, do not attempt this.

So, here we go. These are the prerequisites for this tool.

1) Create an EA named: AD Group Membership (you can change the name, but you must change it in the script as well).

2) Create a REST API account for the script to use to communicate with the JSS (give it only the computer read/update privileges the script needs).

3) Create a read-only MySQL account for the tool to query your JSS database.

4) Your JSS needs to be bound to AD, or at least be able to communicate with AD for lookups.

5) A LaunchDaemon or cron job needs to be set up for the tool to run at set intervals.

Now, I will explain a little about how this tool works. First it queries your MySQL database for each computer, then for each computer it queries MySQL for the "user" of that computer. With that info, it queries AD for the user's security group membership. Then it checks this info against what is already in the JSS (so it's not constantly updating the records for every computer). If it sees a change, it updates the JSS; if it does not, it moves on to the next computer.
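As an added example (not the script attached to this post), here is the core diff-and-update logic in Python. Constructed sample data stands in for the MySQL query and the AD lookup so it runs offline; the one-DN-per-line layout of the memberOf text, the separator used inside the EA value, and the Classic API PUT used by the optional `jss_put_computer` helper are assumptions. The point it shows is the part that matters for not hammering the JSS: compare memberships as sets, so ordering differences are not "changes", and only PUT when the set actually differs.

```python
"""Sync AD security-group membership into a JSS computer extension attribute.

Added example, not the script attached to the original post. The MySQL and AD
lookups are replaced by constructed sample data so the diff logic runs offline.
"""
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Set, Tuple

EA_NAME = "AD Group Membership"   # must match the EA created in the JSS
SEPARATOR = "; "                  # assumption: how group names are joined in the EA value

# ---- Constructed sample data (stands in for the MySQL "computer -> user" query) ----
# computer id -> (assigned username, EA value currently stored in the JSS)
SAMPLE_COMPUTERS: Dict[int, Tuple[str, str]] = {
    101: ("alice", "Finance; VPN-Users"),   # same groups as AD, different order
    102: ("bob",   "Engineering"),          # AD has one more group -> needs update
    103: ("carol", ""),                     # no groups anywhere -> no update
}
# username -> text shaped like a memberOf attribute (one DN per line).
# Constructed sample, not captured directory output.
SAMPLE_AD_MEMBEROF: Dict[str, str] = {
    "alice": "CN=VPN-Users,OU=Groups,DC=corp,DC=example\n CN=Finance,OU=Groups,DC=corp,DC=example",
    "bob":   "CN=Engineering,OU=Groups,DC=corp,DC=example\n CN=VPN-Users,OU=Groups,DC=corp,DC=example",
    "carol": "",
}

_CN_RE = re.compile(r"^\s*CN=([^,]+)", re.IGNORECASE | re.MULTILINE)


def groups_from_member_of(member_of_text: str) -> Set[str]:
    """Pull the CN (group name) out of every DN line, tolerating leading spaces."""
    return {m.group(1).strip() for m in _CN_RE.finditer(member_of_text)}


def groups_from_ea(ea_value: str) -> Set[str]:
    """Parse the EA value the JSS already holds back into a set of group names."""
    return {g.strip() for g in ea_value.split(SEPARATOR.strip()) if g.strip()}


def ea_value_from_groups(groups: Iterable[str]) -> str:
    """Canonical, order-independent EA value so equal memberships compare equal."""
    return SEPARATOR.join(sorted(set(groups), key=str.lower))


def needs_update(current_ea_value: str, ad_groups: Set[str]) -> bool:
    """True only when the stored membership really differs from AD (set compare)."""
    return groups_from_ea(current_ea_value) != ad_groups


def build_ea_update_xml(ea_name: str, groups: Iterable[str]) -> bytes:
    """Body for PUT /JSSResource/computers/id/<id>. ElementTree escapes the text,
    so a group name containing '<' or '&' cannot break or inject into the XML."""
    computer = ET.Element("computer")
    eas = ET.SubElement(computer, "extension_attributes")
    ea = ET.SubElement(eas, "extension_attribute")
    ET.SubElement(ea, "name").text = ea_name
    ET.SubElement(ea, "value").text = ea_value_from_groups(groups)
    return ET.tostring(computer, encoding="utf-8")


def jss_put_computer(base_url: str, user: str, password: str, computer_id: int, body: bytes) -> int:
    """Optional real sender (not exercised by the sample run). Assumes the Classic API
    URL shape and HTTP basic auth; use HTTPS and a least-privilege API account."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/JSSResource/computers/id/{computer_id}", data=body, method="PUT"
    )
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "text/xml")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def sync(computers: Dict[int, Tuple[str, str]],
         lookup_member_of: Callable[[str], str],
         put_computer: Callable[[int, bytes], None]) -> List[int]:
    """Diff every computer's stored EA against AD and push only real changes.
    Returns the ids that were updated."""
    updated: List[int] = []
    for computer_id, (username, current_ea) in computers.items():
        ad_groups = groups_from_member_of(lookup_member_of(username))
        if needs_update(current_ea, ad_groups):
            put_computer(computer_id, build_ea_update_xml(EA_NAME, ad_groups))
            updated.append(computer_id)
    return updated


def run_sample() -> List[int]:
    """Run the sync against the constructed data with an in-memory PUT."""
    sent: Dict[int, bytes] = {}
    return sync(SAMPLE_COMPUTERS,
                lambda u: SAMPLE_AD_MEMBEROF.get(u, ""),
                lambda cid, body: sent.__setitem__(cid, body))


if __name__ == "__main__":
    print("updated computer ids:", run_sample())
```

To wire it up for real, replace `SAMPLE_COMPUTERS` with the rows from your read-only MySQL query, `lookup_member_of` with whatever AD lookup your server uses, and pass `jss_put_computer` (with the REST API account's credentials) as `put_computer`.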

Now that you have the security groups for each user in their computer record, you can start to scope smart groups based on those security groups.

This is accomplished with a smart group like the following example:

[screenshot of the smart group criteria, attached to the original post]

This will then grab all of the users who have this security group in their EA.

Now that everything has been explained, here is the script.

AD Group Membership

If you have any questions, please let me know.


1BigGeek
New Contributor III

FIRST!
And you were wondering if someone would post a comment. Lol

FritzsCorner
Contributor III

@GaToRAiD Nice work! I will have to test this out in our lab environment to see how it works. Thank you for sharing!

mathew
New Contributor

Did this work, FritzsCorner?