Policy Creation Question

ChrisTech
Contributor

I've been looking through some policies, and noticing that they have been running at each check-in.

The policies are set to install the package at reoccurring check in, ongoing. It's supposed to update inventory when done. The smart group is set for "does not have" package installed by Casper.

Shouldn't the JSS know that the package has been installed and prevent the policy from installing the package? Or should these policies be set for Once Per Computer? I'm trying to fix some policies that others have written and make sense of this. Thanks for any information.

ChrisTech

7 REPLIES

chriscollins
Valued Contributor

It shouldn't run again once the computer drops out of the smart group due to the inventory update. If it's still running then I'd check the criteria of your smart group as something is probably off.

ChrisTech
Contributor

Thanks for the reply, chriscollins. Does it matter if the first criteria of the Smart Group is the package that I am using to either exclude or include? I.e. the "Does not have" or "has". When I set that as the first item, the policy stopped looping. Possibly could be something wrong with the other Computer Groups that were included as well.

The group criteria was:
AD Bound
and Packages installed by casper (Does not have) Chrome
and Local User Accounts (Does not have) foo
or Local User Accounts (Does not have) bar

ChrisTech

davidacland
Honored Contributor II

If the group is set to "doesn't have x package", the policy should be scoped to target that group. If it's "does have x package", the policy should be set to exclude that smart group.

Personally I try not to use exclusions or limitations too much in policies. They always seem like a good idea at the time, but when you are troubleshooting them 6 months later they can be overly confusing.

I generally like to include all the logic in the smart group and use the "should have it but doesn't" method.

I would check whether the group is working on a test Mac, manually running an inventory update before and after installing the package to see if the smart group is working as expected. If it is, there may be something going wrong with the inventory update on the policy (I've had that loads of times).

ChrisTech
Contributor

I agree it can be overly confusing! The reason for the exclusions was due to state testing. The Smart Group was to target only machines that didn't have those two accounts. I ended up making a Smart Group that targeted the two accounts and used that with the Smart Group that I was fixing and used the "not a member of" and it's working great. I also found another policy was using that Smart Group and it was looping. I checked the JSS this morning and the Smart Group is working as it should. What helped me figure it out was to just do the math - some machines had both accounts while some only had one. Adding up the total number of machines minus the Smart Group exclusion and viewing the Smart Group after showed that I was on the right track. Hat tip to chriscollins for pointing me in the right direction.

I appreciate everyone's responses.

ChrisTech
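
The criteria posted earlier in the thread and the "not a member of" fix, modelled as an added example (not part of any post, and not Jamf code). It assumes the ungrouped criteria evaluate with AND binding tighter than OR and that the helper group matches computers with either account; the fleet records are constructed.

```python
# Added illustration; not Jamf code. Inventory records below are constructed.
FLEET = [
    {"name": "mac-01", "ad_bound": True, "packages": set(), "accounts": {"admin"}},
    {"name": "mac-02", "ad_bound": True, "packages": set(), "accounts": {"admin", "foo"}},
    {"name": "mac-03", "ad_bound": True, "packages": set(), "accounts": {"admin", "foo", "bar"}},
    {"name": "mac-04", "ad_bound": False, "packages": set(), "accounts": {"admin"}},
]

def original_group(c):
    # Criteria as posted, read with AND binding tighter than OR (assumption):
    # the trailing OR admits any computer without "bar", whatever else is true.
    return (c["ad_bound"]
            and "Chrome" not in c["packages"]
            and "foo" not in c["accounts"]
            or "bar" not in c["accounts"])

def has_test_account(c):
    # Helper group: computers with either account (assumed reading of the fix).
    return "foo" in c["accounts"] or "bar" in c["accounts"]

def fixed_group(c):
    # Main group uses "not a member of" the helper group instead of a bare OR.
    return (c["ad_bound"]
            and "Chrome" not in c["packages"]
            and not has_test_account(c))

def run_policy(c):
    # Model of "install the package, then update inventory".
    return {**c, "packages": c["packages"] | {"Chrome"}}

def first_run_targets(group, fleet):
    """Names of computers the policy is scoped to before it has run."""
    return [c["name"] for c in fleet if group(c)]

def looping(group, fleet):
    """Names of computers still in scope after the policy has run once."""
    return [c["name"] for c in fleet if group(c) and group(run_policy(c))]

if __name__ == "__main__":
    for label, g in (("original", original_group), ("fixed", fixed_group)):
        print(label, "targets:", first_run_targets(g, FLEET),
              "loops on:", looping(g, FLEET))
```
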

kerouak
Valued Contributor

Why would you set it to 'ongoing'???
If the Application is installed, then why would you want to try and keep on installing it??

Set it to 'once per computer'

???

mm2270
Legendary Contributor III

Ongoing can be useful under certain circumstances. As long as the Smart Group is set up properly to exclude machines that already have the product installed, it's not a problem to use Ongoing. Using Ongoing can ensure that if the software is removed, and it's something that you require on your Macs, the policy will run again to install it the next time that Mac falls into the Smart Group. If it's not set to Ongoing, then flushing the policy log, either by way of re-imaging, or manually flushing all logs or just that one log from the machine's inventory would be necessary to have it run again.

Granted, there aren't many times you will want to use that setup, but it's not the most unusual thing to do.

davidacland
Honored Contributor II

I was about to say the same as @mm2270

We use ongoing most of the time and use smart groups to control who gets what and when. Once per computer can be a bit limiting, plus the worry of policies re-running when policy logs get flushed.