Mac Apps via VPP

kerouak
Valued Contributor

So,

We have 60 Licences for ARD.

We scoped it to a number of AD Groups.

It's set to 'make available in Self Service.

Now, It states that all 60 licences are in use, even when they have not been installed on some of the devices..

So, I then removed some of the AD groups scope so that there are less than 60, however, It still states that all 60 are in use??

After removal of the groups, I refreshed the content for ARD, no joy!

I'm confused??

How the heck does that figure??

Anyone got any ideas??

T.I.A

6 REPLIES 6

AtillaTheC
Contributor II

VPP counts against what its scoped to, not necessarily what has it installed. It could be waiting for an inventory update to release the unscoped groups. 

kerouak
Valued Contributor

Yeah, I've decided to use EA's and groups.. 

Better that way and it does what it says on the tin..:-)

 

jamf-42
Valued Contributor II

we are deploying a large amount of apps. are you saying each needs it own EA / Smart Group.. can you share the EA / Smartgroup logic?

donmontalvo
Esteemed Contributor III

mdls is your friend. Set your $appPath and let'r rip.

#!/bin/bash
# Check Apple App Store type:
#     AppStoreVPP (the app was installed via VPP)
#     AppStore (the app was installed via App Store)
#     NotAppStore (the app was installed some other way)
#     NotInstalled (not installed)

appPath="/Applications/Xcode.app"

if [ -e "$appPath" ]
then
checkAppStore=$( mdls "$appPath" -name kMDItemAppStoreHasReceipt )
checkVPP=$( mdls "$appPath" -name kMDItemAppStoreReceiptIsVPPLicensed )
if [[ "$checkAppStore" == "kMDItemAppStoreHasReceipt = 1" ]] && [[ "$checkVPP" == "kMDItemAppStoreReceiptIsVPPLicensed = 1" ]]
then
echo "<result>"AppStoreVPP"</result>"
elif [[ "$checkAppStore" == "kMDItemAppStoreHasReceipt = 1" ]] && [[ "$checkVPP" == "kMDItemAppStoreReceiptIsVPPLicensed = 0" ]]
then
echo "<result>"AppStore"</result>"
else
echo "<result>"NotAppStore"</result>"
fi
else
echo "<result>"NotInstalled"</result>"
fi   


 

--
https://donmontalvo.com

kerouak
Valued Contributor

The way it was, Scoped to all computers and all users, then limitations were set by AD Groups..

It didn't seem to pick up that there were limitations and based it on the All computers all users..

 

Bol
Valued Contributor

Pretty sure there's been ongoing known issues with jamf and limiting scopes via ad / ldap groups for the longest time. Easier to avoid and group another way as kerouak answered