Posted on 06-11-2024 02:04 AM
Hi there,
I am trying to automate some processes based on our LDAP integration.
At this point we have a stable integration with our LDAP and all the tests are successful. (Settings: System > LDAP Servers.)
Group Names and GIDs are found. So far I was able to use the information for some configuration profiles. Now I want to use it for associating specific devices with a smart computer group but I am somehow stuck.
Ultimately, it should work like this: if a user is a member of a specific LDAP group, then the user's device should be associated automatically with a specific computer smart group.
In System > Computer Management, I created custom "extension attributes" to map the "Directory Service Attribute" "gidNumber" to the LDAP attribute for "GID".
But it does not seem to work. Any idea what I am missing?
06-11-2024 02:59 AM - edited 06-11-2024 03:03 AM
The way you can do it is to set the scoping as:
Targets: All Computers or Specific Computer Group
Limitations: Members of LDAP group
You cannot directly scope to an LDAP group.
Edit: You might be able to do an Extension Attribute that does a `dscl` query of the users group memberships (and maybe even filter it so if they are a member, it displays a true/false boolean) then base the computer group membership from that.
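As an added illustration of the extension attribute idea in this reply (example code, not from the thread or from Jamf): a Jamf Pro extension attribute script that asks the directory service whether the current console user belongs to a group and reports `true`/`false`, which a smart computer group can then match on. It assumes the Mac can resolve the group through its configured directory service (LDAP, AD or Open Directory), that `dsmemberutil checkmembership` prints "user is a member of the group" or "user is not a member of the group", and it uses the group name `Mac_Users` from the thread as a placeholder.

```shell
#!/bin/sh
# Jamf Pro extension attribute (added example, not the thread's or Jamf's own code):
# reports whether the console user is a member of a directory group as true/false.
# Assumptions: GROUP_NAME is a placeholder; the Mac's directory service can resolve it.

GROUP_NAME="${GROUP_NAME:-Mac_Users}"   # placeholder from the thread; set to your real group

# Console user: the account that owns /dev/console (empty at the login window).
console_user() {
    stat -f '%Su' /dev/console 2>/dev/null
}

# Normalise dsmemberutil's sentence into a true/false string. Anything unexpected
# (unknown user or group, directory unreachable) is reported as false, so a device
# never lands in the group by accident when the lookup fails.
membership_to_bool() {
    case "$1" in
        *"is not a member"*) echo false ;;
        *"is a member"*)     echo true ;;
        *)                   echo false ;;
    esac
}

# Wrap the value in the <result> tags Jamf expects from an extension attribute.
format_result() {
    printf '<result>%s</result>\n' "$1"
}

# Returns "true" or "false" for user/group. Service accounts and the login window
# are never members; on a machine without dsmemberutil (non-macOS) the answer is false.
check_user_group() {
    user="$1"
    group="$2"
    if [ -z "$user" ] || [ "$user" = "root" ] || [ "$user" = "_mbsetupuser" ]; then
        echo false
        return
    fi
    if command -v dsmemberutil >/dev/null 2>&1; then
        out="$(dsmemberutil checkmembership -U "$user" -G "$group" 2>/dev/null || true)"
        membership_to_bool "$out"
    else
        echo false
    fi
}

# Top level: this is what Jamf collects during inventory.
format_result "$(check_user_group "$(console_user)" "$GROUP_NAME")"
```

Once the extension attribute reports `true`/`false`, a smart computer group with the criterion "extension attribute is true" gives the device-level group the question asked for. Note the caveat from the thread still applies: the value is only as current as the last inventory update, and the Mac must be able to resolve the group through its directory service at collection time.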
06-11-2024 06:47 AM - edited 06-11-2024 06:48 AM
As @Tangentism said this is done with a policy directly, not through a Smart Group. You would target all devices, or a group of devices, then assign a limitation to the LDAP group you want to target to limit the scope to users with the LDAP group within the targeted scope.
One thing to note is Jamf has no good way to know what a user's group membership is unless they log in to Self Service. In domain-bound situations logging in to Self Service is not necessary, but in 2024 you should not be domain binding macOS.
It would look something like this. This policy is targeting all Macs and is limited to Mac_Users so only users with the Mac_Users LDAP group can see the policy.
Posted on 06-26-2024 02:46 AM
@AJPinto @Tangentism Thank you for your speedy response and sorry for my late response. I was also able to raise the problem during the Jamf Nation event in Berlin directly with several Jamf reps from DE and US. It really looks like a blind spot. Except for BYO, where you have more focus on assigning e.g. VPPs based on the Business Apple ID, there is not (yet) much implemented when it comes to thinking identity first. At this stage it is clear that MDM is centered on a device, but if you look across the entire ecosystem of services (Jamf Pro, Radar, Protect), policies and dynamic group assignments can be a huge lift if they are read from the IdP. Let's see how it progresses. At least they saw the potential benefit of inheriting more from the IdP.
Thank you!
Posted on 08-16-2024 01:15 AM
Couldn't agree more.
They want us to focus on security, but a better integration with a cloud IdP is one of the pieces of the puzzle.
Posted on 08-16-2024 01:32 AM
I have now started to "hack" the setup a bit. In my cloud IdP I am setting a numeric identifier in the user's phone number value (we do not use it). I read this parameter in Jamf and assign the machine to specific configurations. I now just create smart computer groups based on the phone number and use them for scoping. Ultimately this would work more scalably...
Posted on 09-18-2024 05:38 AM
and it works :)