Scope Self Service policy to Active Directory User Group

jaalvidr
New Contributor II

Maybe it's not supported or maybe I'm doing something wrong, but when I try to create a Self Service policy and scope it to an AD user group it doesn't show up for the user. The same policy scoped to just a computer or computer group works fine. Also, when I change the trigger to login it works. Is this normal behavior or am I missing something here?

8 REPLIES

mm2270
Legendary Contributor III

Are you making your users log in to Self Service, or does it just launch and come right up to the Featured policies page?
I don't use SS policies based on AD groups, but I think for it to work, users have to log in to the application. Or is it supposed to use the built-in $3 to determine the user and group?

tkimpton
Valued Contributor II

One way may be to use an extension attribute to get the console user and possibly use dscl to grep for the specific AD group you are looking for. You could then scope the extension attribute to your Self Service policy. I haven't done this, mind, but it's the route I would probably look down.
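
An added example of the extension attribute approach described above (not code from this thread, from Jamf, or from the poster): it reads the console user, parses the `GroupMembership` line that `dscl` prints for an AD group, and reports Yes/No/Unknown in the `<result>` tag Jamf stores. The directory node, group name and the dscl output used in the helper are assumptions/placeholders to adjust for your domain.

```bash
#!/bin/bash
# Hypothetical Jamf extension attribute: is the console user in a named AD group?
# Assumptions: AD_NODE and AD_GROUP are placeholders for your own domain and group.
AD_NODE="/Active Directory/EXAMPLE/All Domains"   # placeholder directory node
AD_GROUP="SelfServiceUsers"                        # placeholder AD group name

# The user currently at the console (macOS stat -f), or failure when nobody
# is logged in / the login window or setup user owns the console.
console_user() {
  local u
  u=$(stat -f %Su /dev/console 2>/dev/null)
  case "$u" in root|loginwindow|_mbsetupuser|"") return 1 ;; esac
  printf '%s\n' "$u"
}

# Pull the member list out of `dscl <node> -read /Groups/<group> GroupMembership`
# output, which looks like "GroupMembership: alice bob carol".
membership_from_dscl() {
  printf '%s\n' "$1" | awk '$1 == "GroupMembership:" { $1 = ""; sub(/^ /, ""); print }'
}

# Returns 0 when $1 is one of the whitespace-separated names in $2.
user_in_membership() {
  local user="$1" m
  for m in $2; do
    [ "$m" = "$user" ] && return 0
  done
  return 1
}

# Decide "Yes"/"No"/"Unknown" from a user name and raw dscl output.
# Unknown covers no console user and no readable membership (e.g. off the network).
classify() {
  local user="$1" raw="$2" members
  [ -z "$user" ] && { echo "Unknown"; return; }
  members=$(membership_from_dscl "$raw")
  [ -z "$members" ] && { echo "Unknown"; return; }
  if user_in_membership "$user" "$members"; then echo "Yes"; else echo "No"; fi
}

# Jamf runs this as root on the Mac; only attempt the lookup where dscl exists.
if command -v dscl >/dev/null 2>&1; then
  user=$(console_user) || user=""
  raw=$(dscl "$AD_NODE" -read "/Groups/$AD_GROUP" GroupMembership 2>/dev/null)
  echo "<result>$(classify "$user" "$raw")</result>"
fi
```

A smart group keyed on this attribute being "Yes" can then be used in the policy's computer scope instead of the user-group limiter. Note that the `GroupMembership` attribute lists direct members only, so nested AD groups are not resolved this way.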

mm2270
Legendary Contributor III

Oh, I think I know what the issue may be, now that I re-read your post. If you're only adding in User Groups and not Computers or Computer Groups, it won't show up for anyone. Adding a User/User Group into a Policy Scope is a limiter. Meaning, it takes the main computer group above and removes any that don't have users logged in that fall into the AD group you've specified.
So, if you add "Assign to All Computers" or add some Smart/Static Groups in, THEN add your AD groups, only the users that are in the AD groups will see it, and only if they are looking at Self Service on one of the Macs that falls into the primary group.

Does that make sense?

jaalvidr
New Contributor II

Thanks for the assistance so far. We don't have users provide a username/password to use Self Service; it just logs them in automatically. Maybe that's the issue. As far as the policy itself, I do have it scoped to both the computer and the user, and when I change the trigger to login it works fine, so I don't think there's any issue with how I scoped it. Maybe I'll change the "End User Authentication" method to require a login and see if that works then.

I'll think about the extended attribute option maybe as a last resort if it comes down to it.

jaalvidr
New Contributor II

Looks as though you have to require users to log in to Self Service in order to scope to an AD group. Thanks for your help.

mm2270
Legendary Contributor III

Thanks for the update. That's good to have a confirmation on that.

daworley
Contributor II

This issue is relevant to a feature request I submitted to kerberize the Casper applications.

https://jamfnation.jamfsoftware.com/featureRequest.html?id=20

Feel free to up vote if you agree.

FDA
New Contributor

Same issue... how do you log into Self Service?