Posted on 07-31-2018 06:45 AM
Hi All,
I have a scenario where we have multiple support desks.
Each support desks need to support the devices they manage.
The problem i see is, if i use Sites, and enroll devices against different sites, with each site being a different desk. The problem is, enrolled devices cannot be part of two different sites.
So one service desk cannot support devices in another.
The other scenario i have thought of is, using static and smart groups, but how can i restrict our support desks to only see certain smart or static groups.
Each tech will log in with their AD credentials to Jamf Cloud.
Any ideas or solutions?
Thanks in advance
Simon
Posted on 07-31-2018 06:59 AM
It would be possible to fashion something that let the user switch site on the client Mac, see:
https://www.jamf.com/jamf-nation/discussions/24261/change-the-site-with-an-easy-script
Alternatively you could go for the open option and let the support desks see each others Macs. We do this, though have a restriction on what the helpdesk staff can do using group based access. We don't allow them to delete anything or create any form of configuration, but they can look up computers and read the polices or script we use.
Posted on 07-31-2018 03:07 PM
If i understand correctly this is quite simple as we have multiple IT teams in different countries that can manage each others devices in multiples sites if they are in the roughly the same timezone.
Eg: The Canada HelpDesk can manage macs in a USA Site & vice versa while not being able to manage or see devices in other sites like UK, France, Germany etc.. or change any of the global Jamf settings held in the higher "Full" JSS site like the FileVault polices or the global Wifi profile etc...
Here is an example setup:
1) For the devices, you enrolled in them only to the site they are located
eg: Canadian mac's are enrolled in the Canada site & USA mac's are enrolled in the USA site (as you say, a device can only be present in a single site)
2) create AD User Groups for each physical HelpDesk
eg: Canada HelpDesk & USA Helpdesk
3) Then create Groups in Jamf from the AD LDAP groups by linking them to the corresponding AD groups you created for each HelpDesk
In Jamf limited each group access to the corresponding Site
eg: Canada Jamf Group linked to the Canada HelpDesk AD group which can only mange the Canada Site
USA Jamf Group linked to the USA HelpDesk AD group which can only manage the USA site
4) Back in AD, add your users in the Canadian HelpDesk & the users in USA HelpDesk to each others AD groups that you created.
i.e John Doe is a member of both the Canadian and USA HelpDesk AD groups
Then when any of these users log in to the JSS (or Jamf apps), the JSS will accept that the user can manage each sites that they are member of in each AD group.
The SITES menu in the JSS will only show the HelpDesk user the sites they can manage - the USA & Canada sites
They can then use the SITE menu to swap between managing between sites very easily.
The only limitation is that unlike full admins (which have no site defined and access the "Full" JSS across every sites) they can't combine devices together (i.e create a single advanced search available to both site which to show all devices combined in both Canada & USA)
For our usage, the device naming convention carries the 2 digit ISO country code, so if the USA HelpDesk they receive a request to help a user with a mac with a name beginning with "CA", they know to swap to the Canadian SITE to search for that device
I hope the above helps.
Posted on 08-01-2018 02:10 AM
Hi,
Seems like you have exactly the same situation as our company.
This for the response I will try your setup, seems like i missed the part where i should "fix" it on AD instead of trying to find an over complicated solution in jamf.
Thanks
Simon