Scope Self Service to only local admin accounts

perweilerg
New Contributor III

Is there a way to limit a Self Service item to be visible under a local admin account only? We do not want to require log in to Self Service. I would like licensed applications to be able to be installed by technicians when logged into the local admin account.

I have tried to set the policy to Self Service, and set the scope to All Computers with a Limitation to LDAP/Local User with the local admin name selected, but it does not show up when logged in as that user.
Thanks!

bentoms
Release Candidate Programs Tester

@perweilerg, in the JSS is the local admin showing as the username for the Mac when opening Self Service?

It may take a little time for the JSS to update & then reflect the scoped policies.

perweilerg
New Contributor III

@bentoms can you please explain in more detail? I don't understand where you are asking me to look.

I have let the policy sit overnight, so I don't think time is the problem.

bentoms
Release Candidate Programs Tester

@perweilerg, ok. So where is the JSS getting its user information?

Something like: https://macmule.com/2014/05/04/submit-user-information-from-ad-into-the-jss-at-login-v2/?

Or manually entered?

perweilerg
New Contributor III

@bentoms It is getting it from AD and from Inventory. The local account is collected during Inventory.

Chris_Hafner
Valued Contributor II

I'm curious. Is there a reason you can't scope that sort of thing? I know that's not what you're here to ask and you probably have a good reason. However, I've always had luck managing this via the various methods for segregating policies in the JSS.

jturnage
New Contributor III

We had a policy that we wanted to only be accessible by technicians. We scoped the policy to all computers that would use it. But under the Limitations tab (under Scope), it allows you to specify LDAP groups or users that are the only ones allowed to access the policy when you log into Self Service.
So under any account (admin or not) you can open Self Service and see all policies available, but until you log in with the technician's AD account under the login tab at the top right of Self Service, the scoped policy that you just set up will be invisible. This makes it very easy to install certain "technician only" policies without ever having to log out of the user's machine.

Chris_Hafner
Valued Contributor II

Sure, and that makes sense regarding how you'd like it to work. I was just asking about:

"I would like licensed applications to be able to be installed by technicians when logged into the local admin account."

Rather, why should these things only be installed by technicians and not users? I'm just wondering about the core of your issue.

emily
Valued Contributor III

You could always just get approval then scope the policy with the software to the user to install. That way a technician doesn't need to be involved at all.

Kaltsas
Contributor III

@jturnage I have a number of apps and policies scoped this way. Our support is sort of distributed and we've been really hands off on heavy-handed management, so users are still accustomed to calling a tech. I just have an Internal Only category that gets scoped to a couple AD/LDAP groups for those policies. I have some tools in there like removing the various flavors of antivirus we have around, CC full install, AD Bind, etc. It works really well for our environment. I'd like to just be automating more of this stuff, but it's not my call; this is a happy medium.

perweilerg
New Contributor III

I have the policy scoped to users, but it was not working. It was due to not having login enabled in Self Service. Once I enabled that as suggested, it is working. Thank you!

Generally users can install unlicensed software, but since the Adobe CS 6 licenses are per machine, we don't want users logging in and installing it on any machine. I think I need to manage the licenses better in Casper, so I can scope the licensed Macs.

@jturnage I do not see a login tab in Self Service. I only see a login screen at first launch.