Posted on 04-02-2013 01:05 PM
Is there any way, for policies, to scope an exclusion list? I.e., I'd like to have FV2 encryption deployed to all machines EXCEPT a select group/smart group.
Thanks
Posted on 04-02-2013 01:12 PM
No, but it is planned in version 9...
https://jamfnation.jamfsoftware.com/featureRequest.html?id=138
Posted on 04-02-2013 01:31 PM
You can use a Smart Group to gather this information. Just use FileVault 2 Status under Storage information. This should be able to help you identify which computers are encrypted with FileVault 2.
Posted on 04-02-2013 02:01 PM
@Joel, that would only really work if the OP was looking to exclude Macs with FV2 already active. If he is looking to exclude, say, all VIP or C Level exec Macs, that would be more complicated with the current suite. For that, something like an Extension Attribute would help that could identify those Macs. For example, dropping a hidden file onto said Macs that could be read back to the JSS in a script-based EA.
Another possibility is to use the method I outline in this FR thread, to create an EA that would pull in JSS Computer Group Memberships, then apply any Macs for exclusion into a Static Group. Finally, create a Smart Group that would use something like JSS Comp Groups | Is Not Like | "Your Static Group Name" and any other criteria you might want in it, such as FileVault 2 status or whatever.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=25
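The hidden-file Extension Attribute suggested in the post above, sketched as an added example (not code from the thread or from JAMF). The marker path, the result strings and the ownership check are assumptions; the marker counts only when it is a regular file owned by root, so a user cannot opt a Mac out of FileVault 2 by creating the file.

```shell
#!/bin/bash
# Added example: script-based Extension Attribute for an FV2 exclusion marker.
# The marker path and result strings are assumptions, not values from the thread.

MARKER="${MARKER:-/Library/.fv2_exclude}"   # hypothetical hidden marker file

# Print the exclusion state for a marker path.
# $1 = marker path, $2 = uid that must own it (0 = root, the default)
fv2_exclusion_state() {
    local marker="$1" required_uid="${2:-0}" owner

    # No marker (and no dangling symlink): the Mac stays in scope for encryption.
    if [ ! -e "$marker" ] && [ ! -L "$marker" ]; then
        echo "Not Excluded"
        return 0
    fi

    # A symlink or a non-regular file is never accepted as a marker.
    if [ -L "$marker" ] || [ ! -f "$marker" ]; then
        echo "Untrusted Marker"
        return 0
    fi

    # ls -ldn prints the numeric owner uid in field 3 on macOS and Linux.
    owner=$(ls -ldn "$marker" | awk '{print $3}')
    if [ "$owner" = "$required_uid" ]; then
        echo "Excluded"
    else
        # A marker created by an ordinary user must not exempt the Mac.
        echo "Untrusted Marker"
    fi
}

# The JSS reads the EA value from the <result> tags on stdout.
ea_output() {
    echo "<result>$(fv2_exclusion_state "$1" "${2:-0}")</result>"
}

ea_output "$MARKER"
```

A Smart Group can then match on this EA's value, and any Mac reporting "Untrusted Marker" is worth a look.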
Posted on 04-02-2013 07:27 PM
@mm2270 That is a correct assumption.
It seems the answer is "No, it isn't possible at this time". Suck.
Posted on 04-02-2013 07:54 PM
Assuming you have some way to identify the machines, like data in the Location tab of the machines, you could use a Smart Group to do the exclusion.
For example, we are an advertising agency, so I use the department to indicate if a machine is a creative, account service, project manager, etc. I then use the Room to indicate which client team the machine is on. If I wanted to enable FileVault on all of the machines on the JAMF team except for the creative machines, I can create a Smart Group that has the following:
Department is not creative
Room is JAMF
Is that what you're looking to do?
Posted on 04-03-2013 09:27 AM
@stevewood Oh, that's excellent. We don't use room currently, so I can just tag those machines that I want to manually exclude as something like "NoFV". Perfect!