Off network policies - epic fail

jaferguson
New Contributor II

For those of you also still reading the JAMF Listserve please excuse this duplication.

I have been experimenting with a policy assigned to two network segments that are not included in our internal networks. Not being a network guy I am not sure if these are configured correctly, but here are the network segments I configured in the JSS:

Off network segment 1 -> 1.0.0.0 - 9.254.254.254
Off network segment 2 -> 11.0.0.0 - 255.255.255.255

All of our on network segments are 10.x.x.x - 10.x.x.x (too many to enumerate here)

Both network segments are set up to use the distribution point in our DMZ

I not only limited the policy to these network segments but also to several departments.

The department limitation is working as expected; however, the network segment limitation is not doing what I want it to do. I only want the policy to run when the computers check in from off our school networks.

Currently the computers within the scope are running the policy without respect to what network segment they are on.

Is there anything obvious from this information that I have done incorrectly?

Jim Ferguson
Senior Systems Analyst
Technology Services Dept.
Bryan ISD
979-209-1185

2 REPLIES

andyinindy
Contributor II

I am trying to do something similar with our software update server config (removing our SUS if they are off-campus). Those network segments look OK to me. Is this still broken for you?

justinrummel
Contributor III

Instant questions:

  • The clients "off network", they are not VPN'd into your LAN, correct?
  • The clients "off network", their LAN is not a 10.x network, correct?

I've been trying to think of a demo script to do things like this. What I've come up with is to check the domain_name value from ipconfig getpacket to see if the search domain is equal to the internal DNS name.

#!/bin/bash

### Description
#
# Example script to find if you are "in network" based on the DHCP domain_name
# value handed to the Ethernet interface. The DHCP server of whatever network
# the Mac is plugged into supplies that value, so this is a convenience check,
# not something a hostile network cannot fake.
# (bash, not sh: the [[ ... ]] tests below are a bash feature.)

### Config Variables
domain_name="justinrummel.net"

### Variables
hwParse=$(system_profiler SPHardwareDataType | grep "Model Name" | awk -F ": " '{print $2}')

### Functions
# Pick the per-model check. An Air has no built-in Ethernet port, so only the
# Pro path looks up the Ethernet device. (if/else rather than a && b || c, so a
# failure inside mbair does not fall through into mbpro.)
hardware () {
    if [[ "$hwParse" == *Air* ]]; then
        mbair
    else
        mbpro
    fi
}

mbair () {
    echo "MB Air detected"
}

mbpro () {
    echo "MB Pro detected"
    # Device name (e.g. en0) of the port labelled "Ethernet"
    eDevice=$(networksetup -listallhardwareports | grep -A 1 "Hardware Port: Ethernet" | tail -1 | awk -F ": " '{print $2}')
    if [[ -z "$eDevice" ]]; then
        echo "No Ethernet port found"
        return 1
    fi
    # domain_name option from the current DHCP lease on that device; empty if no lease
    dName=$(ipconfig getpacket "${eDevice}" | grep "domain_name (string)" | awk -F ": " '{print $2}')

    if [[ "$dName" == "$domain_name" ]]; then
        echo "$domain_name match"
    else
        echo "Not matched"
    fi
}

hardware
exit 0
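A second way to make the same "on network / off network" decision on the client, added here as an example and not part of either reply or of Jamf's own scoping logic: test every IPv4 address bound to a live interface against the internal ranges, rather than trusting the DHCP-supplied domain name. The only fact it takes from the thread is that all on-network segments are 10.x.x.x, so INTERNAL_CIDRS holds 10.0.0.0/8; the function names, the sample addresses and the home/campus/VPN scenarios are constructed for illustration. Like the DHCP check, it is best effort: the addresses come from whatever network the Mac is on, and a VPN that hands the tunnel a 10.x address (justinrummel's first question) will count as on network.

```shell
#!/bin/bash
# Added example: classify a Mac as on/off network from its interface addresses.
# Assumption (from the thread): every on-network segment is inside 10.0.0.0/8.
INTERNAL_CIDRS="10.0.0.0/8"

# ip_to_int A.B.C.D: print the address as a 32-bit integer; exit 1 if malformed
# (wrong field count, non-digits, leading zeros, or an octet above 255).
ip_to_int() {
    local oldifs octet
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*|0[0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: exit 0 if IP lies inside the range, 1 otherwise.
# A bare address with no /BITS is treated as a /32.
in_cidr() {
    local ip cidr net bits ipn netn mask
    ip=$1 cidr=$2
    case "$cidr" in */*) ;; *) cidr="$cidr/32" ;; esac
    net=${cidr%/*}; bits=${cidr#*/}
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 1
    ipn=$(ip_to_int "$ip") || return 1
    netn=$(ip_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ipn & mask )) -eq $(( netn & mask )) ]
}

# on_network ADDR...: exit 0 if any of the given addresses is in an internal range.
on_network() {
    local ip cidr
    for ip in "$@"; do
        for cidr in $INTERNAL_CIDRS; do
            in_cidr "$ip" "$cidr" && return 0
        done
    done
    return 1
}

# classify ADDR...: print "on" or "off" for a list of addresses, so the decision
# can be exercised without touching the real interfaces.
classify() {
    if on_network "$@"; then echo on; else echo off; fi
}

# Live IPv4 addresses from ifconfig (macOS/BSD layout: "inet 10.42.7.15 netmask ...").
local_ipv4_addresses() {
    ifconfig 2>/dev/null | awk '$1 == "inet" && $2 != "127.0.0.1" { print $2 }'
}

# Stand-alone run: a Jamf policy script would branch (or exit early) on this result.
main() {
    # shellcheck disable=SC2046
    set -- $(local_ipv4_addresses)
    if on_network "$@"; then
        echo "on network: $*"
    else
        echo "off network: $*"
    fi
}

# Constructed samples: a laptop at home behind a 192.168 router, one on campus,
# and the home laptop with a VPN tunnel that was handed a 10.x address.
echo "home   -> $(classify 192.168.1.23)"
echo "campus -> $(classify 10.42.7.15)"
echo "vpn    -> $(classify 192.168.1.23 10.200.3.4)"
main
```

Note that the two ranges in the original post (1.0.0.0 - 9.254.254.254 and 11.0.0.0 - 255.255.255.255) are the complement of 10.0.0.0/8 only approximately; the CIDR test above is the exact negation, and extra internal ranges can simply be appended to INTERNAL_CIDRS, space separated.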