Posted on 02-08-2019 09:54 AM
We're in the process of completely abandoning user-based deployment (Yes, I know, it took us 100 years). Do you deploy Apps solely on the Device name? Or do you still have an LDAP integrated and log in with AD accounts to the iPads? Was thinking if it would be smarter to have people log in with ADs.
Thanks in advance
Posted on 02-08-2019 10:53 AM
I went through the same switch a few years ago. Device management is the way to go. LDAP integration is key, DEP will help too. Here is what I did:
- During Setup Assistant the students signed in with their AD credentials
- Apps were scoped to AD groups, which is awesome because 12th graders didn't see kindergarten apps in Self Service
Posted on 02-08-2019 11:00 AM
Alright, I guess we'll keep LDAP integration then.
Thanks @tomhastings !
Posted on 02-08-2019 11:31 AM
Glad to help! As you get further into the process, feel free to ask me any other questions.
Posted on 02-11-2019 07:27 AM
We used to scope to the AD groups but then created Smart User Groups based on AD credentials (like username starts with grad year) and then over the summer we just update the criteria (i.e. 10th grade is now '21). This helps avoid having to go in and modify the scope of apps and config profiles. It has been a huge time saver; we set this up when we moved to the cloud and it now takes about 2 minutes to get everything switched over and ready for the new year :)
Posted on 02-11-2019 08:07 AM
Those are some really awesome tips, you guys, thank you! I'm wondering if you can answer this as well:
Hey there, we're in the process of completely eliminating User-based deployment and just wondering if it would be wise to un-scope the users that we'll be switching from user to device deployment under the VPP invitation tab. This will probably prevent that pop-up that shows up to assign VPP content if you launch Self Service, if I understand this tab correctly.
Also, I'm worried about the iPads that already accepted the VPP invitation in the past. If I unscope the apps under the user tab on the said iPads, will this trigger a prompt for an iTunes account?
Thank you in advance!
Posted on 04-16-2019 06:46 AM
I did the transition over a summer so there was no negative impact to users, but here is what I remember: With user-based app deployment the app should remain on the iPad after you un-scope, but it is wise to test to be sure. Save any data to the cloud service of your choice, wipe the iPad and proceed with Device management; there should be no prompt for an iTunes account.
Posted on 04-17-2019 06:43 AM
I wanted to chime in on what we are going through right now concerning User-VPP and Device-VPP.
We transitioned years ago but didn't move all the user-vpp assignments to device-vpp right away. Everything was working as intended so no big deal right? Wrong!
We have been working with JAMF Support the last month about VPP issues where JSS was not reporting the same number of licenses for an App that Apple School Manager (ASM) had reported. Turns out having both user and device VPP running at the same time is a no-no.
Step 1 to fix is to go thru all our remaining user-vpp assignments in JSS and remove them. However, you need to follow the correct process:
1. Unscope the assignment
2. Un-check all the apps in the list
3. Then hit Save.
4. Wait for the "Recalculating licenses" message to disappear from the assignment. (It's in blue lettering.)
5. Once the "Recalculating licenses" is gone, you can delete the assignment OR re-scope if there are ebooks still needed.
After these are all done, we are going to "reset" the VPP accounts in JSS. Not sure how, but JAMF support is going to "go into the DB and remove ALL the VPP info for each account. Re-download the VPP token and have the JSS re-sync all the VPP (apps, icons, etc..) info. It can take a day or two for each VPP account."
We have 7 VPP accounts.
Posted on 04-17-2019 07:13 AM
Hello, just wondering about the last part of Jamf going into the DB and removing all VPP info for each account. What exactly does that achieve? I'm thinking if I should call in Jamf support and have them do this for us as well? We only use 1 VPP account for deploying apps.
Posted on 04-17-2019 07:17 AM
Basically, JAMF is going to wipe all the app data and force the JSS to re-sync with ASM. That's how it was described to me. They said apps would not be pulled from devices nor would scopings be affected. Just the backend app data. JAMF wants to make sure that the data in our JSS and the data in ASM are the same because, right now, they are off.
The only reason we are doing this is because the license counts for some apps are not the same in JSS and ASM. If you are not seeing this, I wouldn't worry about it.
Posted on 04-17-2019 07:26 AM
I remember them doing this for us in the past and our issue was the app won't deploy unless I go in and refresh the license. It keeps on saying that the app is pending and not available for install and doesn't use any license automatically after scoping. They told me that we had a corrupted VPP token so they probably did something similar; they also had me re-upload the VPP token.
Posted on 04-17-2019 07:30 AM
LDAP integration is the way to go... basically I use the Position field in Jamf as it can be set by users and applied to devices. Each account at our district has either <3 digit building code>-Staff or <3 digit building code>-<expected grad year> or Administrator.
Posted on 04-17-2019 07:36 AM
Agreed, here are our mappings. All of them are used in different SMART groups, advanced searches, etc.
JSS = AD
Building = Site ID (School 2 letter code)
Room = Description (which is the Classroom Teacher name in AD)
Phone = Department (grade level)
Position = Job Title (Grad year)