"All Users" vs. "Specific Users" vs. Specific computers in SCOPE: need help understanding the logic....


I want to know the logic behind how the various combinations in Scope work.

For example, say I create a policy that is scoped to one computer, without changing the default "All Users."

If this policy is enabled, the logs show that it's being applied or pending to a bunch of computers, even though I specifically scoped it to one computer only.

Changing the user target to "Specific Users" fixes this, but I haven't specified any users. I just know that it works without really understanding why.

Do User targets override Computer targets? What's the priority? The JSS interface provides very little useful feedback. Is there some sort of Venn diagram for this?



In its very simplest form, All always takes precedence over Specific.

When you first create a policy, it should default to specific computers, specific users.

I could be wrong here, but the JSS assumes that any user, regardless of machine, needs to have Policy X applied when All Users is selected. The reason Specific Users takes the policy and then applies it to the machine (group/building/whatever) you want it to is specifically because of what you said - you haven't told the policy it needs to apply to a user.

This same problem would arise if you put a policy to apply to all computers when you want it to apply only to a single user - all machines would receive the policy.

The only way to "override" All would be through exclusions - there you're saying "I want this policy to go to all machines EXCEPT these."

Valued Contributor II

While duff is correct, I would explain this answer slightly differently. Think of 'Users' and 'Computers' as two separate lists. If you say 'All Users', any computer that has a user assigned to it will be in your target list. If you say "All Computers", then every computer will be in your target list, regardless of user names. So 'All Users' or 'All Computers' will likely get you all machines in your target list.

If I want an app available only to a select set of users, I set it to All Computers, then set Limitations to my target user group. I really don't see the point of the option of 'Users' under scope and find it confusing as well.


It's really kind of bad design that everything else works on the principle that most restrictive wins, but then the distribution is LEAST restrictive wins. If I scope to specific computers, then regardless of users being assigned it should ONLY apply to those computers, not those computers plus anything with a user assignment. It's also pretty terrible that it doesn't explain what "Users" means. From a normal standpoint we think of this as a logged-in user. But in JAMF land it means if you used one of their bell and whistle tabs to associate the device with a user in the domain for record keeping. The end result is massive confusion when policies are not behaving as you think you have scoped them and they spill over, not to mention the default is ALL, which it really should not be given this behavior.
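
The scoping behaviour described in the replies above, modelled as a small audit check. This is an added example, not part of the thread and not Jamf code; it assumes targets are the union of the computer list and the user list, with exclusions removed last, and every field name and inventory record in it is constructed for illustration.

```python
# Toy model of policy scope as the replies above describe it; not Jamf code.
# All field names and inventory records are constructed for illustration.

INVENTORY = {            # computer name -> user assigned in inventory (or None)
    "mac-01": "alice",
    "mac-02": "bob",
    "mac-03": None,      # no user assigned to this record
    "mac-04": "carol",
}

def effective_targets(policy, inventory):
    """Union of the computer list and the user list, minus exclusions."""
    if policy["computers"] == "all":
        by_computer = set(inventory)
    else:
        by_computer = set(policy["computers"]) & set(inventory)
    if policy["users"] == "all":
        # "All Users": every computer that has a user assigned to it
        by_user = {c for c, u in inventory.items() if u is not None}
    else:
        by_user = {c for c, u in inventory.items() if u in policy["users"]}
    return (by_computer | by_user) - set(policy.get("exclude_computers", ()))

def spillover(policy, inventory):
    """Computers reached only through the user list, not named by the admin."""
    if policy["computers"] == "all":
        return set()
    return effective_targets(policy, inventory) - set(policy["computers"])

POLICIES = [
    {"name": "one-mac, default users", "computers": ["mac-01"], "users": "all"},
    {"name": "one-mac, specific users", "computers": ["mac-01"], "users": []},
    {"name": "all users, one excluded", "computers": ["mac-01"], "users": "all",
     "exclude_computers": ["mac-02"]},
]

def audit(policies, inventory):
    """Map each policy name to the sorted list of computers it spills onto."""
    return {p["name"]: sorted(spillover(p, inventory)) for p in policies}

if __name__ == "__main__":
    for name, extra in audit(POLICIES, INVENTORY).items():
        print(f"{name}: {'OK' if not extra else 'spills to ' + ', '.join(extra)}")
```
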

New Contributor III

On a related note, is there any practical difference between selecting "All Computers" and "All Managed Clients" in the scope of a policy?

Contributor III

That makes sense on all responses. Now let me play devil's advocate, mostly because this is what we are experiencing. We have two accounts, both Admins, but one is a Hidden account. I apply System Configurations to "All Computers" and "All Users"... But now we cannot get access to the Restricted System Prefs from the hidden Admin account. Is there a way around this, to not apply to the Hidden Admin Account? I have looked for Exclusions and nowhere is there anything to add this specific "User Account" to the list... unless I am missing something?
Please fix my errant ways. I do see a bunch of names on the lists but not the Hidden Admin Account. Or maybe I need to create that account in JAMFPRO?