Scope Policy to LDAP Computer Group

Contributor III

Looking to see if any of the other MacAdmins out there knows how to scope a policy to an AD computer group. All my Macs are bound to AD. I'm looking to setup a process for our licensed applications where the computers are placed into a particular AD group, then, those in that group are queried and pulled into a Smart Group or Policy.

I haven't been able to find anything within the Smart Group criteria to target, or, in the policy Scope. It appears you can use limitations for LDAP User groups, however, not LDAP Computer groups.

Any help is greatly appreciated.


New Contributor III

Would also like to know how to scope smart groups (users and devices) based on what AD group(s) a user is in also.

I don’t think this can be done in Jamf Pro.

We live by smart groups based on AD groups in other MDMs 🤷‍:male_sign:

Valued Contributor

@jonohayes When I want to scope something to an AD group I use 'All Computers' as 'target, and add the group in question to 'Limitations'.

I have to say I find it confusing how some categories can be used as target, others as limitations and yet other as exclusion.


Ah yes, we ran into the same situation when we were bound, but now that we are not, we use ldap groups with users and change the frequency to once per computer as our users only have a single device.

Contributor III

Just an update on this. My ticket with Jamf Support came back with a response that Jamf Pro doesn't have a builtin functionality to query LDAP computer groups - only user groups.

Unfortunately for me, I can't use user groups since not all our Macs are 1:1. Some are shared and most software license models are based on device and not user. Jamf Support did suggest that this could potentially be done by creating a script that can run on each device and return all the LDAP computer groups that device is a member of. Then, I could use an extension attribute and a smart group to pull all those devices in.

I'm pretty green with writing scripts, however, I'm sure someone else in the world had the same need and could have written something up. I'll do some further research. If not, then now's the time to learn scripting.

New Contributor III

In Primary School we base smart groups of LDAP groups so we can dynamically move students around classes. College up we use smart groups based of LDAP groups for topics so the student device gets apps and settings based on what classes they are enrolled into.

All this info is feed into AD from the school management system automatically. This is a big hole in Jamf Pro, LDAP fields just don't cut it 🤷‍:male_sign: