Smart Group membership based on EntraID membership

Fjordmonkey
New Contributor II

New and somewhat confused JAMF-user here, and thus: silly questions.

I'm using Entra as my Cloud Identity provider and I'm trying to create a smart user group based on membership in an Entra group (JAMF_KLA) in order to build configurations for said user groups. But I cannot for the life of me get it to work (nor do I know if it's actually possible).

Looked at the mapping of both the SUG and in the CIP-setup, and everything there looks like it should work. Can also do a test against various users, and it works (User that is in the Entra-group gets green checkmark, user that is not in group gets red checkmark). Which tells me that the lookup is working.

I see that I can also add users from a Directory Service from the Settings-menu. However, is that only for admins/auditors? I see that there's an option for Enrollment Only. Does this mean that the imported users do *not* have access to the JAMF-console?

1 ACCEPTED SOLUTION

obi-k
Valued Contributor II

This should be doable, especially if your LDAP test lookups are working. It sounds like it is.

My first note would be to put a ticket in with your Jamf Support and see if you can get help there. They helped me with this...

• You could implement an EA with the Directory Service Attribute Mapping and "memberOf" to pull in group memberships.

• From there, you'd create a smart group with criteria for that EA to build configurations for the EntraID memberships.

• I look up these groups after the EA is run, and search for the membership in the computer, inventory, and extension attribute listings.

Screenshot 2024-04-02 at 12.15.31 PM.png

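An added example, not from this thread or from Jamf's own code, of why the smart group criterion on a memberOf-backed EA should match the group's CN exactly rather than with a "like"/contains test. It assumes the EA stores the directory's memberOf values as LDAP distinguished names, one per line or separated by semicolons (an assumption; the exact layout depends on the attribute mapping).

```python
import re
from typing import List

# Constructed sample of a memberOf EA value (assumption: one DN per line).
# The third entry has an escaped comma inside its CN, which a naive split
# would break.
SAMPLE_MEMBER_OF = """CN=JAMF_KLA,OU=Groups,DC=example,DC=com
CN=JAMF_KLA_TEST,OU=Groups,DC=example,DC=com
CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com"""

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDNs, respecting backslash-escaped commas."""
    return [part.strip() for part in _RDN_SPLIT.split(dn)]


def dn_cn(dn: str) -> str:
    """Return the unescaped CN value of a DN, or '' if it has no CN."""
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition('=')
        if attr.strip().upper() == 'CN':
            return value.replace('\\,', ',')
    return ''


def group_cns(member_of: str) -> List[str]:
    """Extract the CN of every group DN stored in the EA value."""
    dns = [line for line in re.split(r'[\n;]', member_of) if line.strip()]
    return [dn_cn(dn) for dn in dns]


def is_member_exact(member_of: str, group: str) -> bool:
    """Exact, case-insensitive CN match: what a scoping rule should rely on."""
    return group.casefold() in (cn.casefold() for cn in group_cns(member_of))


def is_member_substring(member_of: str, group: str) -> bool:
    """Naive contains match, the equivalent of a 'like' criterion; it also
    matches JAMF_KLA_TEST when you asked for JAMF_KLA."""
    return group.casefold() in member_of.casefold()
```

Run `group_cns(SAMPLE_MEMBER_OF)` against a copy of a real EA value from a test computer's inventory record to confirm the separator assumption before building the smart group criterion on it.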

Fjordmonkey
New Contributor II

Thanks, will have a look!

Fjordmonkey
New Contributor II

Had to check the box "Collect user and location information from Directory Service" under Settings - Device Management - Inventory Collection before I had the option of using the Directory Service Attribute Mapping. Will test further, but looks promising.

Thanks for the help and response!

obi-k
Valued Contributor II

Nice catch. We had this checked already, but good to add to notes.

If it helps, I replicated this for iOS mobile devices and Macs. Should work for you if you have Macs too.