Scope Policy to LDAP Computer Group

Would also like to know how to scope smart groups (users and devices) based on what AD group(s) a user is in also.

I don’t think this can be done in Jamf Pro.

We live by smart groups based on AD groups in other MDMs 🤷‍♂️

@jonohayes When I want to scope something to an AD group I use 'All Computers' as 'target, and add the group in question to 'Limitations'.

I have to say I find it confusing how some categories can be used as target, others as limitations and yet other as exclusion.

Ah yes, we ran into the same situation when we were bound, but now that we are not, we use ldap groups with users and change the frequency to once per computer as our users only have a single device.

Just an update on this. My ticket with Jamf Support came back with a response that Jamf Pro doesn't have a builtin functionality to query LDAP computer groups - only user groups.

Unfortunately for me, I can't use user groups since not all our Macs are 1:1. Some are shared and most software license models are based on device and not user. Jamf Support did suggest that this could potentially be done by creating a script that can run on each device and return all the LDAP computer groups that device is a member of. Then, I could use an extension attribute and a smart group to pull all those devices in.

I'm pretty green with writing scripts, however, I'm sure someone else in the world had the same need and could have written something up. I'll do some further research. If not, then now's the time to learn scripting.

In Primary School we base smart groups of LDAP groups so we can dynamically move students around classes. College up we use smart groups based of LDAP groups for topics so the student device gets apps and settings based on what classes they are enrolled into.

All this info is feed into AD from the school management system automatically. This is a big hole in Jamf Pro, LDAP fields just don't cut it 🤷‍♂️