Policy run restriction


Here is one for the group.

We are still using version 5.13 here in Saint Paul and plan to upgrade later this fall. However, I'm using more policies to make changes as we migrate to Active Directory, too. [When it rains, it pours.] Anyway, the policies I'm trying to run at login or on our "every60" task for scoped groups run regardless of whether the computer is on our network or at home. Is there a way that I can tell the policy only to run on our school network? I have network segments for many of the buildings, which are subnets, but I can't seem to make a network segment that is just on the SPPS network, including subnets. I get the error "The Network segment entered is not valid". For example, a single building is 10.22.3.1 - 10.22.6.254, but if I want to include anything on the SPPS network, I would need 10.1.3.1 - 10.200.6.254, and that doesn't work. I can't enter 10.x.x.x either.

The real question, then, is how do I keep policies from running on a computer that is off our network for certain policies? The main issue is that the client can't make the AFP connection. I could go in and check each network segment I've created under the scope tab, but that is over 80 network segments to check. I suppose it would work, though.

I'm expecting to make these types of policies available over HTTP in version 6 which would take care of this issue, right?

Thanks for the help.

Nathaniel Lindley

++++++++++
Learning Systems Specialist
Educational Technology
Saint Paul Public Schools
Saint Paul, Minnesota
nathaniel.lindley at spps.org
phone: 651-603-4929


ernstcs
Contributor III

Hi Nathaniel!

Well, you are going about it correctly. The way to restrict the scope of the policy to run only on your network is by network segments. 5.13...that seems like a distant memory already, and I can't recall what it could and could not do compared to 6.x. I have a network segment that includes all of our LAN, and almost all of my policies are scoped to use that.

As far as the errors specifying your NAT addresses, you may need to address support on that one.

I can only assume that your enabling HTTP access for distribution points will fix your issue as long as those distribution points have valid routable addresses from the Internet or valid DNS entries for external DNS, and are actually accessible from the Internet.

Craig E
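
As an added illustration of the network-segment scoping discussed in this thread (not code from either poster or from the Casper Suite), the sketch below tests whether a client address falls inside a list of start-end segments. It assumes a segment is a contiguous span of IPv4 addresses compared as 32-bit integers; the function names and the sample client addresses are constructed, and the two ranges are the ones quoted in the question.

```shell
#!/bin/sh
# Added example, not Casper Suite code. Assumption: a network segment is a
# contiguous start-end span of IPv4 addresses compared as 32-bit integers.

# Constructed segment list, one "start end" pair per line (ranges from the post).
SEGMENTS="10.22.3.1 10.22.6.254
10.1.3.1 10.200.6.254"

# Print a dotted quad as an integer; fail on anything that is not strict IPv4.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f      # split on dots without filename globbing
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            ''|*[!0-9]*|0?*|????*) return 1 ;;   # empty, non-digit, leading 0
        esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_segment IP START END: 0 if inside, 1 if outside, 2 if any input is invalid.
in_segment() {
    ip=$(ip_to_int "$1") || return 2
    lo=$(ip_to_int "$2") || return 2
    hi=$(ip_to_int "$3") || return 2
    [ "$lo" -le "$hi" ] || return 2
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# on_network IP: 0 if the address matches any configured segment.
on_network() {
    while read -r start end; do
        [ -n "$start" ] || continue
        if in_segment "$1" "$start" "$end"; then return 0; fi
    done <<EOF
$SEGMENTS
EOF
    return 1
}

# Constructed client addresses: a building host, another 10.x host, a home LAN.
for ip in 10.22.4.17 10.50.200.9 192.168.1.20; do
    if on_network "$ip"; then echo "$ip: in scope"; else echo "$ip: out of scope"; fi
done
```

Read as a contiguous span, 10.1.3.1 - 10.200.6.254 covers every address between its endpoints, so 10.50.200.9 matches even though its third octet is above 6; a wildcard such as 10.x.x.x is not an address and is rejected by the parser.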