Making two user groups that can only do certain things within Jamf

faheemy
New Contributor

We want to have two user groups: one that can only do iOS devices and one that can only do desktops and laptops. How can we do that?


atomczynski
Valued Contributor

Take a look at Jamf Pro Admin Guide - User Accounts and Groups

Create the two groups and assign specific access rights.
Then create your accounts, and in Access Level select Group Access, and in Group Membership select the group to add to.

faheemy
New Contributor

I got that, but what do I pick in the list of rights? I do not want to have something unchecked that should be checked.

JustDeWon
Contributor III

@faheemy, you may want to look into using Sites.

atomczynski
Valued Contributor
  1. Create a list of tasks the agent would need to perform their work.
  2. Assign permissions which grant those rights.

Note: You may need different tiers of access for each platform (mac/mobile) such as (tech level 1, tech level 2, etc). The permissions will stack.
I recommend creating a sample account for each group to test the desired level of access.

It is my understanding that using sites is not recommended unless in very large organizations. Sites can be difficult to work around if needed.

faheemy
New Contributor

What I want to do is give, say, Bob anything in the Computers tab, 100 percent of it, and give Mary anything in the Devices tab, 100 percent of it. But Bob cannot do anything in the Devices tab and Mary cannot do anything in the Computers tab.

atomczynski
Valued Contributor

While logged in as Jamf Admin:

Jamf Pro User Accounts & Groups, New, Create Standard Group, Next
Give it the desired name such as Computer Support User Group, select Privileges (that's where you will assign rights); for now focus on Jamf Pro Server Objects and start with the Read level settings, and Jamf Pro Server Actions and select what you think may be needed there.
Click Save

Jamf Pro User Accounts & Groups, New, Create Standard Account, Next
Give it a desired username such as CST1 and fill out the Full Name, Email Address, and Password. Set the Access Level to Group Access, select Group Membership, check Computer Support User Group, and select Save.

Repeat the process for your other (iPad) group.

Then, using a different browser or different client, test the functionality of access rights needed for each group.
If you create a user and assign it to both Computer Support User Group and Mobile Support User Group, that person will have access to both. Also, if you create Computer Support User Group level2 and assign more rights to that, and your user is also part of the first Computer Support group, their rights will be combined.

The key is to first find out the desired objectives, then create the groups, and tweak. Don't forget to document what you find.
Also, there are different ways to accomplish a right, such as the ability to delete a policy log. There are different ways about it: one gives access via the policy itself and one via the computer object, as an example. And test what you assign.

You may also use the Clone feature where you clone a group (useful for testing or tiered access).
Test, Document, Tweak, Test, Document
Hope this helps.
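The stacking behaviour described in this thread can be checked on paper before any account is created. The following is an added example, not part of any post and not Jamf's own code: it models group privileges as sets, computes each account's combined rights, and flags accounts that reach a platform they should not. The group names come from the thread; the account-to-group assignments, the privilege strings and the keyword mapping are constructed for illustration and are not an export from a Jamf Pro server.

```python
# Constructed sample data: group names follow the thread; the privilege
# strings are illustrative and not exported from a real Jamf Pro server.
GROUPS = {
    "Computer Support User Group": {"Read Computers", "Update Computers"},
    "Computer Support User Group level2": {"Delete Computers"},
    "Mobile Support User Group": {"Read Mobile Devices", "Update Mobile Devices"},
}

# Constructed accounts: bob and mary match the question; alex is a
# hypothetical account placed in both platform groups.
ACCOUNTS = {
    "bob": ["Computer Support User Group", "Computer Support User Group level2"],
    "mary": ["Mobile Support User Group"],
    "alex": ["Computer Support User Group", "Mobile Support User Group"],
}

# Assumption for this example: a privilege's platform is recognisable
# from a keyword in its name.
PLATFORM_KEYWORDS = {"computers": "Computer", "devices": "Mobile Device"}


def effective_privileges(account):
    """Union of all group privileges: membership only adds rights."""
    privileges = set()
    for group in ACCOUNTS[account]:
        privileges |= GROUPS[group]
    return privileges


def platforms_touched(privileges):
    """Platforms for which the account holds at least one privilege."""
    return {
        platform
        for platform, keyword in PLATFORM_KEYWORDS.items()
        if any(keyword in privilege for privilege in privileges)
    }


def separation_violations(expected):
    """Map each account to the platforms it reaches beyond the intended one."""
    violations = {}
    for account, allowed_platform in expected.items():
        extra = platforms_touched(effective_privileges(account)) - {allowed_platform}
        if extra:
            violations[account] = sorted(extra)
    return violations


if __name__ == "__main__":
    intended = {"bob": "computers", "mary": "devices", "alex": "computers"}
    print(separation_violations(intended))
```
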