Scope policy to Azure AD group PI

KyleEricson
Valued Contributor

I know there was a PI issue for not being able to scope policies to Azure AD groups at check-in. 

If you signed into Self Service and had the policy set for Self Service it would work, but setting the policy to check-in with scope to All Computers and a limitation of the Azure AD group didn't work.

 

Has anyone heard if this is fixed Jamf didn't give me a PI issue for this?


Hire me as an independent contractor.
4 REPLIES 4

andymcp
New Contributor III

I was given PI-010002 for a version of this issue at one point but I've also been told it has been resolved... which it's not. I'd like to use Azure AD groups for config profile exclusions and eventually be able to use Azure AD groups as a "Limitation". Both of these worked with our on-prem AD but do not function with Azure. It's been very frustrating because I can't get a straight answer as to what LDAP scoping features work with Azure Cloud IdP and which ones don't or what the roadmap is for Azure to have feature parity with traditional LDAP servers.

KyleEricson
Valued Contributor

@andymcp Thank you for this info I will email Jamf to get a new PI for this.


Hire me as an independent contractor.

KyleEricson
Valued Contributor

@andymcp 
Hey just got this from support can you see if you still have this issue?

Thank you for sharing that Jamf Nation thread. I was able to pull up that known issue mentioned by the other poster PI104062 - PI-010002 which has the following description: "When Azure is configured as a cloud identity provider, Jamf Pro sometimes fails to correctly handle the directory workflows for Azure groups (e.g., scope limitations)." Request_BadRequest ERROR can be found when scoping to all users and limiting using an AzureAD group and we see a failure when doing a group lookup despite mappings being set correctly and the application being configured in Azure AD. Does this sound like the issue you were looking for? What version of Jamf Pro are you running? It appears this issue was marked closed as of Jamf Pro 10.34. Are you still experiencing the Request_BadRequest ERROR if we look in the server logs when trying to scope this way?


Hire me as an independent contractor.

BTron
New Contributor

When speaking to support I received this bug #:

PI104479 - Directory based (LDAP, Azure) Limitations/Exclusions do not work for macOS.

My workaround for this is pretty involved, but hey it works...

This is an Extension Attribute to check if Azure AD users belong to Azure AD groups by calling to the API. Then you can create smart groups using the extension attribute. 

#!/bin/zsh

#API Username and Password
username=""
password=""
url="https://company.jamfcloud.com"
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
echo $loggedInUser

#Variable declarations
bearerToken=""
tokenExpirationEpoch="0"
aduser="$loggedInUser@company.com"

#AD group you are checking membership against
adgroup=""

getBearerToken() {
	response=$(curl -s -u "$username":"$password" "$url"/api/v1/auth/token -X POST)
	#checks if OS is below 12
	if [[ $(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}') -lt 12 ]]; then
		bearerToken=$(echo "$response" | /usr/bin/awk -F \" 'NR==2{print $4}' <<< "$bearerToken" | /usr/bin/xargs)
		tokenExpiration=$(echo "$response" | grep "expires" | awk '{ print $3 }' | sed "s/\"//g")
	else
		bearerToken=$(echo "$response" | plutil -extract token raw -o - -)
		tokenExpiration=$(echo "$response" | plutil -extract expires raw - | awk -F . '{print $1}')
	fi
}

checkTokenExpiration() {
	if (("$tokenExpirationEpoch" > "$(date +%s)"))
	then
		echo "Token valid until the following epoch time: " "$tokenExpirationEpoch"
	else
		echo "No valid token available, getting new token"
		getBearerToken
	fi
}

invalidateToken() {
	responseCode=$(curl -w "%{http_code}" -H "Authorization: Bearer ${bearerToken}" $url/api/v1/auth/invalidate-token -X POST -s -o /dev/null)
	if [[ ${responseCode} == 204 ]]
	then
		echo "Token successfully invalidated"
		bearerToken=""
		tokenExpirationEpoch="0"
	elif [[ ${responseCode} == 401 ]]
	then
		echo "Token already invalid"
	else
		echo "An unknown error occurred invalidating the token"
	fi
}

checkTokenExpiration
membership=$(curl -X POST "$url/api/v1/cloud-idp/1/test-user-membership" -H  "accept: application/json" -H  "Authorization: Bearer ${bearerToken}" -H  "Content-Type: application/json" -d "{\"username\":\"$aduser\",\"groupname\":\"$adgroup\"}" | grep "isMember" | awk '{ print $3 }')
echo "<result>$membership</result>"