Posted on 10-15-2014 11:58 AM
Is there a way to limit a Self Service item to be visible under a local admin account only? We do not want to require log in to Self Service. I would like licensed applications to be able to be installed by technicians when logged into the local admin account.
I have tried to set the policy to Self Service, and set the scope to All Computers with a Limitation to LDAP/Local User with the local admin name selected, but it does not show up when logged in as that user.
Thanks!
Solved! Go to Solution.
Posted on 10-17-2014 11:29 AM
We had a policy that we wanted to only be accessible by technicians. We scoped the policy to all computers that would use it. But under the Limitations tab (under Scope), it allows you to specify LDAP groups or users that are the only ones allowed to access the policy when you log into Self Service.
So under any account (admin or not) you can open Self Service and see all policies available, but until you log in with the technician's AD account under the login tab at the top right of Self Service, the scoped policy that you just set up will be invisible.
This makes it very easy to install certain "technician only" policies without ever having to log out of the user's machine.
Posted on 10-15-2014 12:03 PM
@perweilerg, in the JSS is the local admin showing as the username for the Mac when opening Self Service?
It may take a little time for the JSS to update & then reflect the scoped policies.
Posted on 10-15-2014 12:17 PM
@bentoms can you please explain in more detail? I don't understand where you are asking me to look.
I have let the policy sit overnight, so I don't think time is the problem.
Posted on 10-15-2014 12:23 PM
@perweilerg, ok. So where is the JSS getting its user information?
Something like: https://macmule.com/2014/05/04/submit-user-information-from-ad-into-the-jss-at-login-v2/?
Or manually entered?
Posted on 10-15-2014 12:48 PM
@bentoms It is getting it from AD and from Inventory. The local account is collected during Inventory.
Posted on 10-17-2014 10:56 AM
I'm curious. Is there a reason you can't scope that sort of thing? I know that's not what you're here to ask and you probably have a good reason. However, I've always had luck managing this via the various methods for segregating policies in the JSS.
Posted on 10-17-2014 11:44 AM
Sure, and that makes sense regarding how you'd like it to work. I was just asking about:
"I would like licensed applications to be able to be installed by technicians when logged into the local admin account."
Rather, why should these things only be installed by technicians and not users? I'm just wondering about the core of your issue.
Posted on 10-17-2014 12:03 PM
You could always just get approval, then scope the policy with the software to the user to install. That way a technician doesn't need to be involved at all.
Posted on 10-17-2014 01:18 PM
@jturnage I have a number of apps and policies scoped this way. Our support is sort of distributed and we've been really hands off on heavy-handed management, so users are still accustomed to calling a tech. I just have an Internal Only category that gets scoped to a couple AD/LDAP groups for those policies. I have some tools in there like removing the various flavors of antivirus we have around, CC full install, AD Bind, etc... It works really well for our environment. I'd like to just be automating more of this stuff but it's not my call; this is a happy medium.
Posted on 10-24-2014 12:17 PM
I have the policy scoped to users, but it was not working. It was due to not having login enabled in Self Service. Once I enabled that as suggested, it is working. Thank you!
Generally users can install unlicensed software, but since the Adobe CS 6 licenses are per machine, we don't want users logging in and installing it on any machine. I think I need to manage the licenses better in Casper, so I can scope the licensed Macs.
@jturnage I do not see a login tab in Self Service. I only see a login screen at first launch.