I have software I only want certain users to install in Self Service, so I go to the policy's Scope, and Targets, and set it to Specific Users, and add the users. I also only want those users to see the policy if their machines are in certain smart groups (widget.app is a certain version), so I change Target Computers to Specific Computers and select the smart groups.
The Targets scope, though, only behaves as an "or". So if any of the selected groups and users are true, the policy is valid.
Is the only way I can do this to have a smart group that looks for the opposite condition of my existing targeted smart groups and add that to the exclusions?
You need to add the Users into the Limitations tab, not the regular Targets tab under scope. So, add the Smart Groups under "Targets", then click on "Limitations" and click + and you should see the LDAP/Local Users tab show up. Click that and add the users there. It will use the Smart Group as the main targets, but limit the policy to only the usernames or groups you've added.
Edit: I forgot to mention that when adding in users under Limitations, you can't just click down an existing list like you can with the Targets tab. You have to enter the short names in manually, one at a time, which kind of sucks to be frank. I'm not sure what accounts for the difference between those 2 sections.
It'd be nice if Jamf could make the Limitations > Users section work the same as it does under Targets. As far as I can tell, there's no validation done on the names you type in. It will add anything you put there, even if it's not a real user or misspelled. It really should work better than this.
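The Targets-versus-Limitations behaviour described in this thread, as an added Python model (not part of the original posts and not Jamf's code). The class, function and group names and the sample users are constructed for illustration, and the second function is one way to check hand-typed short names against a directory export before entering them under Limitations.

```python
from dataclasses import dataclass, field


@dataclass
class Scope:
    """Illustrative model of a policy's scope tabs (not Jamf's schema)."""
    target_groups: set = field(default_factory=set)
    target_users: set = field(default_factory=set)
    limit_users: set = field(default_factory=set)
    exclude_groups: set = field(default_factory=set)


def in_scope(scope, computer_groups, username):
    """Return True if the policy would be offered to this computer/user pair."""
    if scope.exclude_groups & computer_groups:
        return False  # an exclusion overrides any target match
    # Targets are OR'd: any matching smart group or any matching user is enough.
    targeted = bool(scope.target_groups & computer_groups) or username in scope.target_users
    if not targeted:
        return False
    # Limitations narrow the targets: when present, the user must match as well.
    return not scope.limit_users or username in scope.limit_users


def unknown_limit_users(scope, directory_shortnames):
    """Hand-typed limitation names that match no directory account (exact match)."""
    return sorted(scope.limit_users - set(directory_shortnames))


# Constructed sample data.
GROUP = "Widget 1.x installed"
DIRECTORY = {"alice", "bob", "carol"}

# Users and smart group both under Targets: behaves as "or".
as_asked = Scope(target_groups={GROUP}, target_users={"alice", "bob"})
# Smart group under Targets, users under Limitations; "bbo" is a typo for "bob".
as_answered = Scope(target_groups={GROUP}, limit_users={"alice", "bbo"})

if __name__ == "__main__":
    print("carol, targets only:", in_scope(as_asked, {GROUP}, "carol"))
    print("carol, limitations: ", in_scope(as_answered, {GROUP}, "carol"))
    print("bob, limitations:   ", in_scope(as_answered, {GROUP}, "bob"))
    print("names to recheck:   ", unknown_limit_users(as_answered, DIRECTORY))
```

A mistyped short name fails closed in this model (the intended user loses access), so the check is worth running whenever the Limitations list is edited by hand.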