Scope Criteria Load Order

_aDiedericks
Contributor

Hi there,

I'm currently seeing behaviour from Jamf scoping with exclusions.

We have 1 configuration that applies based on "All managed devices" excluding "Devices on macOS Ventura without Sophos Monterey Config Installed".

The problem is, it looks like when enrolling the device, if scope criteria is checked for "All managed devices" before "Devices on macOS Ventura without Sophos Monterey Config Installed" criteria then it will install on that Ventura device anyway as if the device is actually not part of "Devices on macOS Ventura without Sophos Monterey Config Installed" scope exclusion.


I can't think of a way around this except to somehow get the criteria checked for "Devices on macOS Ventura without Sophos Monterey Config Installed" first.

Most likely what's happening is that Jamf has to perform a task to verify if the criteria of the config profile existing is met, but the device is already part of all managed devices and not part of the exclusion YET until that task is completed.

1 ACCEPTED SOLUTION

mickgrant
Contributor III

All Devices is probably triggering the install before the Mac has had time to run an inventory update and be populated into the smart group.

The workaround I would use for this is not scoping the application to "All Devices" with an exclusion, but scoping it to a new Smart Group with a setting like this:
Computer Group > Not Member of > Devices on macOS Ventura without Sophos Monterey Config Installed

By doing it this way, even if it's convoluted, you are ensuring that the primary scope smart group is ALWAYS populated correctly before the app gets sent out.


2 REPLIES 2


Hi @mickgrant, thanks for your response. This is actually the conclusion I came to myself. I did this yesterday and even added an extra criterion to check if the device has said profile, so that this smart group would have to wait until an inventory update is done as well before it can propagate.

I tested it between Monterey to Ventura upgrade and Ventura fresh install and things work as intended. Thanks.