2 weeks ago
I have been trying to scope a policy to an Azure directory group, however I'm not having any luck.
In the settings JAMF thinks the user is a member of the directory group, so that part all seems OK.
In the policy I scoped it to all managed devices with a limitation of the directory group, but it doesn't seem to run at all.
I have tried both a Self Service policy and a policy that runs on check-in, but neither seems to work.
When I remove the group limitation the policy works fine.
Is there anything else I need to do to get the group limitation working?
2 weeks ago
@nexus0000 That is the way it should work (at least with an on-prem AD LDAP connection). You might want to open a support case with Jamf and see if you're experiencing "PI103644 - PI-009562 Using the 'memberOf' attribute with Azure LDAP integrations returns no results."
2 weeks ago
If you have Jamf Connect, it polls AD for the user's group membership and stores it in a plist. You can read that plist with an Extension Attribute, make Smart Groups based on group membership, and target things to those Smart Groups. There are other ways to do this, but this is the easiest I found. I have never cared for how Jamf handles exclusions and usually just avoid this feature when possible.
#!/bin/zsh
#*=============================================================================
#* Script Name: User_AD_Grouping_JAMF_Connect
#* Created:
#* Author:
#*=============================================================================
# Extension Attribute: report the group list Jamf Connect cached for the
# console user. Uses stat instead of parsing ls output and keeps the
# username's case so the home-directory path also matches on a
# case-sensitive volume.
ActiveUser=$(/usr/bin/stat -f '%Su' /dev/console)
StatePlist="/Users/${ActiveUser}/Library/Preferences/com.jamf.connect.state.plist"

if [ -f "${StatePlist}" ]; then
    # UserGroups is an array; defaults prints it as a parenthesised list.
    # Errors (e.g. key not present yet) go to stderr, so silence them and
    # report the empty case explicitly instead of an empty <result>.
    AD_Groups=$(/usr/bin/defaults read "${StatePlist}" UserGroups 2>/dev/null)
    if [ -z "${AD_Groups}" ]; then
        echo "<result>No groups recorded</result>"
    else
        echo "<result>${AD_Groups}</result>"
    fi
else
    echo "<result>Has not signed in to JAMF Connect</result>"
fi
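A companion Extension Attribute, added here as an example and not taken from the thread, that reports Yes/No membership in one named group (so a Smart Group criterion can match on it directly) instead of dumping the whole list. It assumes a Python 3 interpreter is installed on the Mac (macOS no longer ships one), that the group list sits under the UserGroups key as in the script above, and uses a constructed sample plist and the placeholder group name Mac-Admins.

```python
import os
import plistlib
import pwd

STATE_PLIST = "Library/Preferences/com.jamf.connect.state.plist"
WANTED_GROUP = "Mac-Admins"  # placeholder: the directory group to test for

def read_user_groups(plist_bytes):
    """Group names from a Jamf Connect state plist (binary or XML).
    Returns [] when the key is missing; wraps a lone string in a list."""
    groups = plistlib.loads(plist_bytes).get("UserGroups", [])
    if isinstance(groups, str):
        groups = [groups]
    return [str(g) for g in groups] if isinstance(groups, list) else []

def membership_result(plist_bytes, wanted_group):
    """Build the <result> line Jamf expects. None means no cached state,
    i.e. the user has never signed in through Jamf Connect on this Mac."""
    if plist_bytes is None:
        return "<result>Not signed in to Jamf Connect</result>"
    groups = read_user_groups(plist_bytes)
    # Directory group names are not case-sensitive, so compare case-folded.
    member = wanted_group.casefold() in {g.casefold() for g in groups}
    return "<result>%s</result>" % ("Yes" if member else "No")

def console_user_plist():
    """Bytes of the console user's state plist, or None if it is absent.
    Resolves the home directory from the account record instead of
    assuming /Users/<name>."""
    uid = os.stat("/dev/console").st_uid
    path = os.path.join(pwd.getpwuid(uid).pw_dir, STATE_PLIST)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()

# Constructed samples standing in for real Jamf Connect state files.
SAMPLE_BINARY = plistlib.dumps({"UserGroups": ["Mac-Admins", "All-Staff"]},
                               fmt=plistlib.FMT_BINARY)
SAMPLE_SINGLE = plistlib.dumps({"UserGroups": "Solo-Group"})
SAMPLE_NO_KEY = plistlib.dumps({"DisplayName": "Jane Doe"})

if __name__ == "__main__":
    print(membership_result(console_user_plist(), WANTED_GROUP))
```

The same script with a different WANTED_GROUP gives one EA per group you care about, each usable as a "Yes" criterion in a Smart Group.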
2 weeks ago
The limitation to directory groups in policies works in connection with Self Service and the login there.