Posted on 05-12-2016 04:13 AM
Hi
All of our users in JSS come from our LDAP (Active Directory). In the LDAP, students are organised into OUs based on year groups, e.g. Year4 etc.
Is there a way I can make a smart user group based on the year that a student is in? This way, when they log in as part of the iPad setup (DEP), I can then scope apps etc to students automatically.
Any help would be appreciated! I suspect it might be something to do with extension attributes but I am a bit stuck.
Tim
Posted on 05-12-2016 08:43 AM
Hmm, you could use dscl in a bash script to read the user information and build an EA that lists the group, then create a smart group based on the EA.
Here is a blog post from 2013 by Speaksgeek about the topic
and the Apple Dev man page for DSCL.
Someone may have an easier method to use, but this is something to start with at least. I'll poke around to see if I can give a better starting step; without AD it's hard to test though (lucky/unlucky I guess lol).
Posted on 05-12-2016 09:49 AM
This is a good place to start looking.
https://jamfnation.jamfsoftware.com/discussion.html?id=6311
Posted on 05-12-2016 09:55 AM
I may be wrong, but I see that @timlings mentioned an iPad up top in the OP. If so, no EA "scripts" are going to be of any help here. Mobile devices can't run a script when they submit inventory like a Mac can.
That being said, Mobile Devices can have LDAP Attribute based Extension Attributes added to them in the JSS, but I believe it needs to be something you can easily map to from your LDAP environment. If the only way to grab the exact info you want would be to pass the data through commands like awk/sed to get the right output, you're not going to be able to do that for mobile devices.
Posted on 05-13-2016 04:30 AM
Ok, I've found a workable solution.
Hope that makes sense and will be helpful to someone!
Posted on 05-13-2016 07:31 AM
Ok, I've found a workable solution.
Go to system settings > LDAP servers > your server > mappings. Under 'position' I have put the mapping 'memberOf', which pulls all of the groups that the user is part of, apart from their main one. Thankfully, this means the group I am interested in is displayed! For more information on that visit https://msdn.microsoft.com/en-us/library/windows/desktop/ms677980(v=vs.85).aspx.
When this is populated when a new user enrols, I can then make a smart group based on the text in the 'position' field.
Hope that makes sense and will be helpful to someone!
Out of curiosity, what's the difference doing it this way as opposed to assigning an app via an actual LDAP group (assign app to all mobile devices, then limit it to an LDAP user group)?
Posted on 05-16-2016 02:16 AM
@RLR That is a fantastic idea - I hadn't thought of that! That certainly seems a bit more straightforward...
Thanks
Tim
Posted on 05-16-2016 09:09 AM
There are a couple of differences.
First, setting an LDAP limitation for each app instead of collecting the data once per Inventory Update will most likely add a lot of load to the LDAP server, which can increase the log size on that server and add communication time between the JSS and LDAP. I've heard it might cache a lot of it, but I much prefer Smart Groups.
Second, Smart Groups are more flexible in case you want to scope to one but exclude another.
For either method, you'll want to be careful when students switch grades, if the apps they are getting change and they are Managed apps. If you unscope a Managed app it will immediately uninstall.
Our district already uses the Position field for something else. I may try to take over the Room field for AD attribute memberOf... I do know that creating an Extension Attribute of the LDAP attribute memberOf only brings in the first group membership and not them all like it does for the LDAP mapping. I've got an open Case on it now.
If I can't use memberOf what I do is install a webclip of the school home page - one per grade each with a different name. This profile will be in Inventory even if they remove the webclip from their screen. I can then create the SG based on this being in their Inventory.
TIP: try not to make a situation where you have to edit the App Scoping every year. What I do:
1. Create the initial SG based on above
2. Create SGs for each grade that point to the SGs in step 1. I use names like '_Grade 12 - update criteria annually'
3. Use these SGs as the scope for apps, or create Building SGs of multiple grade levels with the SGs of step 2.
4. Every year I just have to change one SG per grade level, being careful to add the year to the new SG before removing it from the old so apps don't get deleted.
Let me know if this isn't clear.
chris :)
Posted on 05-16-2016 11:44 AM
Hi @timlings,
Take a close look at the data coming over from the memberOf field for the Position field you are mapping - in my testing just now it is acting the same way as when I populate an Extension Attribute (it only brings in the first group membership and not them all).
chris
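The two posts above report the same thing: memberOf is a multi-valued AD attribute, and when it is mapped into a single-valued Jamf field (Position, Room, or an LDAP extension attribute) only the first value comes through, and the directory does not promise which group is first. The script below is an added illustration, not code from this thread or from Jamf; it uses a constructed student record (the domain, OU names and group names are made up) to show what the first-value mapping actually yields, how to pick the year group out of memberOf regardless of order, and why the user's own distinguishedName is the safer source when students already sit in year-group OUs, as the original poster described.

```python
"""Deriving a student's year group from AD data.

Constructed sample data: a hypothetical school domain, not taken from the thread.
"""
import re
from typing import Optional

# Constructed student record. The order of memberOf values is whatever the
# directory returns; nothing guarantees the year group comes first.
SAMPLE_USER = {
    "distinguishedName": "CN=Alex Example,OU=Year4,OU=Students,DC=school,DC=example",
    "memberOf": [
        "CN=iPad Users,OU=Groups,DC=school,DC=example",
        "CN=Library,OU=Groups,DC=school,DC=example",
        "CN=Year4,OU=Year Groups,OU=Groups,DC=school,DC=example",
    ],
}

# Constructed record for a student moved to a new OU whose group membership
# was never updated: memberOf and the DN disagree (the "students switch grades" case).
STALE_USER = {
    "distinguishedName": "CN=Sam Example,OU=Year5,OU=Students,DC=school,DC=example",
    "memberOf": [
        "CN=Year4,OU=Year Groups,OU=Groups,DC=school,DC=example",
        "CN=iPad Users,OU=Groups,DC=school,DC=example",
    ],
}

# Naming convention assumed for this example: year-group OUs and groups are called YearN.
YEAR_GROUP_RE = re.compile(r"^Year\d+$")


def parse_dn(dn: str) -> list:
    """Split a DN into (TYPE, value) pairs.

    Handles backslash-escaped commas (RFC 4514); other escape forms are not
    needed for the simple AD names used here.
    """
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def rdn_value(dn: str) -> str:
    """The leaf name of a DN, e.g. 'Year4' for 'CN=Year4,OU=...'."""
    return parse_dn(dn)[0][1]


def first_memberof_value(user: dict) -> Optional[str]:
    """What a single-valued field mapping of memberOf gives you: the first value only."""
    groups = user.get("memberOf", [])
    return rdn_value(groups[0]) if groups else None


def year_group_from_memberof(user: dict) -> Optional[str]:
    """Pick the year-group membership wherever it sits in memberOf.

    Returns None when there is no match or more than one, rather than guessing;
    an ambiguous answer would silently scope the wrong apps.
    """
    matches = [rdn_value(g) for g in user.get("memberOf", []) if YEAR_GROUP_RE.match(rdn_value(g))]
    return matches[0] if len(matches) == 1 else None


def year_group_from_dn(user: dict) -> Optional[str]:
    """Students live in year-group OUs, so the single-valued DN already carries the answer."""
    for attr, value in parse_dn(user["distinguishedName"]):
        if attr == "OU" and YEAR_GROUP_RE.match(value):
            return value
    return None


def year_group_consistent(user: dict) -> bool:
    """True when the OU placement and the group membership agree; worth checking
    before an annual re-scope, since unscoping a managed app removes it."""
    return year_group_from_dn(user) == year_group_from_memberof(user)


if __name__ == "__main__":
    for u in (SAMPLE_USER, STALE_USER):
        print(rdn_value(u["distinguishedName"]),
              "first memberOf:", first_memberof_value(u),
              "| from memberOf:", year_group_from_memberof(u),
              "| from DN:", year_group_from_dn(u),
              "| consistent:", year_group_consistent(u))
```

For the first record the single-valued mapping returns "iPad Users", which is why a smart group keyed on Position can miss students entirely; the DN-based function returns "Year4" for both records, and the consistency check flags the second student whose group membership lags behind the OU move. In practice the same logic belongs in the directory-side job that fills a single-valued attribute such as Department, which is the approach suggested later in this thread.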
Posted on 06-01-2016 02:27 AM
What @cdenesha has said is correct. We are currently using LDAP user groups to assign some apps and we've experienced apps uninstalling from iPads because the groups have changed or the LDAP group has been moved to a different OU.
What I'm going to do this year is populate the Department field in AD with the students' year group and use the attribute mappings to create smart groups. So the Casper Department and Position fields can be populated with the Active Directory Department field. These can then be used to create Mobile and User smart groups.
Posted on 05-02-2022 02:18 PM
I am having trouble getting LDAP extension attributes and smart groups working. I'm attempting to use "MemberOf". (See below). Should this show all of the AD groups the user belongs to? Is there a way to create an extension attribute to show a particular group such as "Is a member of marketing" ?