Jamf Nation Community

LovelessinSEA · ‎08-31-2017

Background:
I have setup AD Security groups that are linked to the JSS.
Users call our service desk and ask for an application, in this example, Adobe Acrobat Pro. The Service Desk adds the user to the respective security group, once the AD syncs the user can see the app in Self Service and install it. Seems pretty straight forward but a lot of our users are a bit spoiled in that they'd like the apps pushed to the machines without intervention.

I cannot figure out how to limit the VPP software to the LDAP group and have the software automatically install.

Is this a limitation or is this an issue with how our SSO and user group mappings are setup in the LDAP settings? I've tried changing the settings for JSS mapping from Username to Email but that doesn't seem to make any difference.

We are AD bound using local accounts with Enterprise Connect.

Thanks in Advance!

cbrewer · ‎08-31-2017

Keep in mind the auto install won't happen until the VPP license assignment happens on Apple's side. Sometimes that license assignment can take an hour or more.

pueo · ‎07-14-2021

Hello @LovelessinSEA

This is a side topic but I wonder if you can show or tell me how you set up your LDAP groups for App Deployment?

My work flow:

Scope App Policy to ALL Managed Devices in Target Tab.
Scope Limitations to the Azure/LDAP Group Citrix-Users
Self Service is turned on for this policy.
User logs into Self Service
Policy is not displaying in Self Service.

Thank you kindly.

a.

LovelessinSEA · ‎07-14-2021

@pueo if you remove the limitation do you see the app show up in Self-Service?

pueo · ‎07-14-2021

Yes.

We are using Azure AD as our cloud iDP and have a cloud hosted Jamf Pro Server. I also have ticket open with Jamf on this topic. Most of the posts I see about this topic are quite dated. It appears it does work just not sure how it works.

LovelessinSEA · ‎07-14-2021

Does a test LDAP lookup work on jamf? Sorry with all these one liner questions but i'm working through the scenarios in my head.

pueo · ‎07-14-2021

No worries about all the questions. I appreciate the help.

Went to my Cloud IdP settings and ran some tests.

Looking up the Group was successful

Looking up the user (me) was also successful.

SMR1 · ‎05-24-2022

Just curious if you were ever able to figure this out. We're currently running in to a similar issue. We're using Azure Cloud Identity Providers. We have our groups setup and can search for the LDAP user group and add it, we've also done the test to see if a user is part of the group. For the users part of the group, it doesn't install and the devices don't show up under the specific software. Thanks

pueo · ‎05-24-2022

Hello

I this topic was brought up again at my company. I reached out to Jamf Support regarding automating packaging installations using AAD Groups and Smart Groups and Policies. Auto install is not going to work very well. Direct the users to Self Service to install themselves seems to be the way to go.

There are a few PI's which may or may not deter your approach:

The first is PI104479, which can result in Directory based (LDAP, Azure) Limitations/Exclusions do not work for macOS failing to run on some machines,
PI104479 can make it a bit unreliable to try and run the policy automatically.
PI104533 - Policies limited to LDAP group can be run by non-eligible users if the previous user was eligible and executed the policy.
- This would be where someone ran a policy from Self Service on a computer, then a different user logs in to the same computer and may be able to run the policy from their Self Service.

Jamf Nation Community

Scoping VPP to LDAP Group and Auto Install