Smart Group membership based on EntraID membership

Fjordmonkey
New Contributor II

New and somewhat confused JAMF-user here, and thus: silly questions.

I'm using Entra as my Cloud Identity provider and I'm trying to create a smart user group based on membership in an Entra-group (JAMF_KLA) in order to build configurations for said usergroups. But I cannot for the life of me get it to work (nor do I know if it's actually possible).

Looked at the mapping of both the SUG and in the CIP-setup, and everything there looks like it should work. Can also do a test against various users, and it works (User that is in the Entra-group gets green checkmark, user that is not in group gets red checkmark). Which tells me that the lookup is working.

I see that I can also add users from a Directory Service from the Settings-menu. However, is that only for admins/auditors? I see that there's an option for Enrollment Only. Does this mean that the imported users do *not* have access to the JAMF-console?

1 ACCEPTED SOLUTION

obi-k
Valued Contributor III

This should be doable, especially if your LDAP test lookups are working. It sounds like it is.

My first note would be to put a ticket in with your Jamf Support and see if you can get help there. They helped me with this...

• You could implement an EA with the Directory Service Attribute Mapping and "memberOf" to pull in group memberships.

• From there, you'd create a smart group with criteria for that EA to build configurations for the EntraID memberships.

• I look up these groups after the EA is run, and search for the membership in the computer, inventory, and extension attribute listings.


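An added example, not from the thread or from Jamf, of what a smart-group criterion built on a "memberOf" extension attribute is actually evaluating, plus a check worth doing before trusting the group: a "like" (substring) criterion on a multi-valued memberOf string also matches groups whose names merely contain JAMF_KLA, such as a hypothetical JAMF_KLA_TEST, so anything scoped to that smart group would reach the wrong machines. The inventory records, DN format and group names below are constructed for this example; it assumes the EA is populated with LDAP-style distinguished names, one per group, which the later replies report they could not get to happen against Entra.

```python
"""
Added example (not from the thread): evaluate group membership the way a
Jamf smart-group criterion on a "memberOf" extension attribute would, and
show why an exact CN match is safer than a "like" substring match.

Assumptions (not confirmed by the thread):
  * The EA holds LDAP-style distinguished names, one per group, e.g.
    "CN=JAMF_KLA,OU=Groups,DC=example,DC=com".
  * The inventory records below are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample: EA values for a few computers (hypothetical names).
SAMPLE_INVENTORY = {
    "mac-001": ["CN=JAMF_KLA,OU=Groups,DC=example,DC=com",
                "CN=All Staff,OU=Groups,DC=example,DC=com"],
    "mac-002": ["CN=JAMF_KLA_TEST,OU=Groups,DC=example,DC=com"],
    "mac-003": ["CN=Finance\\, EMEA,OU=Groups,DC=example,DC=com"],
    "mac-004": [],  # EA never populated (e.g. inventory not yet updated)
}

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def group_cn(dn: str) -> str | None:
    """Return the CN of a DN with '\\,' unescaped; None if there is no CN RDN."""
    for rdn in _RDN_SPLIT.split(dn):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.replace("\\,", ",").strip()
    return None


def is_member(memberof_values: Iterable[str], group: str) -> bool:
    """Exact, case-insensitive match on the CN of each memberOf value."""
    wanted = group.casefold()
    return any((group_cn(v) or "").casefold() == wanted for v in memberof_values)


def like_match(memberof_values: Iterable[str], group: str) -> bool:
    """Mimics a 'like' (substring) criterion applied to the raw EA text."""
    return any(group.casefold() in v.casefold() for v in memberof_values)


def smart_group(inventory: dict[str, list[str]], group: str, exact: bool = True) -> list[str]:
    """Computers the smart group would contain under each matching rule."""
    matcher = is_member if exact else like_match
    return sorted(cid for cid, vals in inventory.items() if matcher(vals, group))


if __name__ == "__main__":
    print("exact CN match:", smart_group(SAMPLE_INVENTORY, "JAMF_KLA"))
    print("'like' match:  ", smart_group(SAMPLE_INVENTORY, "JAMF_KLA", exact=False))
```

The exact match yields only mac-001, while the substring rule also pulls in mac-002 because "JAMF_KLA_TEST" contains "JAMF_KLA"; mac-004 is absent under both rules, which is the same symptom as a device whose inventory has not been updated since the EA was created.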



Fjordmonkey
New Contributor II

Thanks, will have a look!

Fjordmonkey
New Contributor II

Had to check the box "Collect user and location information from Directory Service" under Settings - Device Management - Inventory Collection before I had the option of using the Directory Service Attribute Mapping. Will test further, but looks promising.

Thanks for the help and response!

obi-k
Valued Contributor III

Nice catch. We had this checked already, but good to add to notes.

If it helps, I replicated this for iOS mobile devices and Macs. Should work for you if you have Macs too.

mtory
New Contributor

@obi-k Hey Obi-K, I was trying this for Directory Service Attribute Mapping and "memberOf" for Entra ID and it isn't working. Could this be a mapping issue?

Any thoughts?

obi-k
Valued Contributor III

• When you go to a computer or a device inventory tab, and Extension Attributes, are there LDAP groups listed under EA?

• Did you do an inventory update on the device/s?

• When you run an LDAP "test" connection, is it successful under Settings, LDAP Server?

• Did you check the "Collect user and location information from Directory Service" box under Settings, Inventory Collection?

mtory
New Contributor

Hey Obi-k

LDAP Server settings are no longer set up, though they used to be.

Question: we used the same EA that we used for LDAP when it was configured and just changed the input type from LDAP to Directory Service Attribute Mapping. Could this be the problem, as some devices are still showing the old LDAP file paths?

Would I need to delete this original EA and set it up again?

deboerOT
New Contributor

I'm trying to implement this as well after our migration to Entra (cloud identity provider) from LDAP. "memberOf" definitely does not work.

trevoredwards
New Contributor III

Anyone figure this out?

Trying to create a mobile device Smart Group based on membership of a shared Entra group, but can't quite get it figured out.

memberOf definitely doesn't work.