JSS - Limitations on applied policies

relliott
New Contributor

Hi,
I am using JSS version 9.32, currently on a trial. I am trying to mount a share at the user's login. This is much more difficult than it needs to be for some reason. The Mount share in the Login Items Configuration Profile just does not work on any of my 10.8 or 10.9 clients. The computer is properly attached to the JSS and all the SSL certs and profiles are working. I can apply configuration profiles with no problems. I have downloaded one of the scripts from the JAMF site to run a share map at login. This runs correctly but for the following problems:

  1. Adding a limitation, for example an LDAP AD group, to the policy removes it from the computer policy scope, so it does not apply. Removing this limitation re-adds the computer to the policy scope.

  2. Exclusions do not work. The policy runs even for local admin users which I have specifically omitted.

  3. Deleting the policy which applies the script does not remove it from the machine. Even after a reboot. I must manually delete the mobile account from the Mac in order to refresh it.

  4. No matter what I do, it will not pass through the Kerberos details. I always get a login prompt when it runs. I know the ticket is working correctly because if I cancel the login box then do a manual Connect To Server, the share mounts with no further prompt.

Any help or advice would be appreciated!!

6 REPLIES

pblake
Contributor III

Do you have push notifications set up on the server? Installing Configuration Profiles, I believe, goes through APN.

relliott
New Contributor

Hi,

Yes, I have APN set up correctly. I can push settings and profiles without issue and they show up on the client, they just don't work reliably.

frozenarse
Contributor II

Are you currently trying to troubleshoot the Configuration Profile or are you looking to get a policy working with a script?

Are you limiting the policy using an LDAP user group?

relliott
New Contributor

I have a script deployed via a policy. The script was downloaded from the JAMF scripts portal page. It is the script to map a share at login. The script works when I assign it to a computer without any other config, however I need this to only run for users in specific LDAP groups. When I apply a limitation to the policy, then check which policies are applied to the computer, the policy has been removed from the computer. If I remove the LDAP limitation, the policy is then reapplied to the computer. There are also the other issues with the exclusions, which do not seem to work either.

frozenarse
Contributor II

On the top of the "Policies with this Computer in the Scope" window you should be able to enter a username and hit 'update' to show a list of policies that will get applied when that particular user logs in.

Having said that... I can't get policies to work if the LDAP user group contains a large number of accounts (2400+). Limiting with smaller groups does work. This issue popped up for me after upgrading from JSS 8.7 to 9.31.

relliott
New Contributor

Yep, I am aware of this. The search returns nothing. There is no issue with any lookups to AD, I can find the users and groups with no problems. What I am confused about is the fact that the computer is taken out of the scope of the policy. No matter what LDAP limitation I place upon it, the computer should always be in the scope because it is specifically applied to it.