smart groups with no criteria

lynnp
New Contributor

I'm using Casper 9.65 and noticed today that if you remove all criteria from a smart group, the default is that the group contains all machines. This seems crazy!

The problem is that I was changing a smart group that had a number of policies scoped to it. I removed the criteria and then saved it thinking that it would select no machines while I chose new criteria. Oops! Now all the policies scoped to this relatively small group of machines are now being run on every machine we own. Seems super dangerous.

Why would I ever want the default behavior for smart groups to be this way? Is this still the case with newer versions of Casper?

4 REPLIES

mpermann
Valued Contributor II

@lynnp I was bitten by this little problem when I first started. Since then, one of the first things I do is to uncheck the Enable box in General as I am creating any new policy or at the beginning of modifying a policy. I save the policy with the box unchecked and then I can take a look at the scoping and verify everything is the way I want it before I enable the policy.

scottb
Honored Contributor

If there is a guy or gal here who hasn't found out something like this the hard way, they aren't trying!
I've done a few things along those lines in learning Casper, and well, one thing for sure - you don't forget next time!
I'm super careful now, and the first thing I do is what @mpermann does - flip off "enable". This goes with almost any changes I make or even new policies, groups, etc.
If it's a critical and potentially problematic policy, I'll ask another teammate to check it first. Even something like a mistake on the AM vs PM in the start time can bite you...

jhuls
Contributor III

I learned the hard way as well and had some choice words about jamf after that. I now use enable but it's hard to communicate this to others who might work within Casper for the first time because it simply doesn't make sense to have something designed this way. The way I deal with it now is I've made it a rule to my part-timer that only I create and edit smart groups to prevent accidents from happening.

Not the best solution because what happens when I'm out? It's the best I've found though to keep accidents from happening to our CIO's and President's secretary's systems since they have Macs.

mm2270
Legendary Contributor III

I agree it's nuts that this is the default behavior. In thinking about it recently though, I realized that Smart Groups are following the same method more or less as advanced searches. If you open up a new advanced search and don't enter any criteria, then click Search, it by default pulls up all Macs in your JSS. So Smart Groups with no criteria are operating the same way.

That being said, I do think JAMF needs to figure out some way to make Smart Groups operate differently and if no criteria is selected or added that it defaults to no computers. The primary huge difference between an advanced search and a Smart Group is that a search can't be scoped to a potentially destructive policy, whereas Smart Groups can. It's a really dangerous default how this is right now!

The good news is there is a Feature Request around this here, and it's Under Review. The bad news is the request is coming up on 2 years old! I would really like to see JAMF push this one up the ladder and get it addressed sooner rather than later to avoid disasters. It's been like this for too long now.
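
A pre-flight check for the failure mode discussed in this thread, added here as an example and not posted by any participant: it flags smart groups that have no criteria and lists the policies scoped to them together with their enabled state. The XML is constructed sample data, and its element names are assumed to follow the Jamf Classic API's computer group and policy records.

```python
import xml.etree.ElementTree as ET

# Constructed sample records; element names are an assumption modelled on
# Jamf Classic API computer group and policy XML, not data from the thread.
GROUPS_XML = """
<computer_groups>
  <computer_group><id>12</id><name>Lab iMacs</name><is_smart>true</is_smart>
    <criteria><size>0</size></criteria></computer_group>
  <computer_group><id>13</id><name>Lab Dept</name><is_smart>true</is_smart>
    <criteria><size>1</size><criterion><name>Department</name>
      <search_type>is</search_type><value>Lab</value></criterion></criteria>
  </computer_group>
  <computer_group><id>14</id><name>Static Test Macs</name><is_smart>false</is_smart>
    <criteria><size>0</size></criteria></computer_group>
</computer_groups>
"""
POLICIES_XML = """
<policies>
  <policy><general><id>101</id><name>Reimage Lab</name><enabled>true</enabled></general>
    <scope><computer_groups><computer_group><id>12</id></computer_group></computer_groups></scope></policy>
  <policy><general><id>102</id><name>Install Printers</name><enabled>false</enabled></general>
    <scope><computer_groups><computer_group><id>12</id></computer_group></computer_groups></scope></policy>
  <policy><general><id>103</id><name>Lab Settings</name><enabled>true</enabled></general>
    <scope><computer_groups><computer_group><id>13</id></computer_group></computer_groups></scope></policy>
</policies>
"""

def empty_smart_groups(groups_xml):
    """Return {id: name} for smart groups that have no criteria at all."""
    found = {}
    for g in ET.fromstring(groups_xml).iter("computer_group"):
        is_smart = (g.findtext("is_smart") or "").strip().lower() == "true"
        if is_smart and not g.findall("criteria/criterion"):
            found[g.findtext("id")] = g.findtext("name")
    return found

def policies_at_risk(groups_xml, policies_xml):
    """List (policy, group, enabled) for policies scoped to a criteria-less smart group."""
    risky = empty_smart_groups(groups_xml)
    hits = []
    for p in ET.fromstring(policies_xml).iter("policy"):
        enabled = (p.findtext("general/enabled") or "").strip().lower() == "true"
        for gid in p.findall("scope/computer_groups/computer_group/id"):
            if gid.text in risky:
                hits.append((p.findtext("general/name"), risky[gid.text], enabled))
    return hits

if __name__ == "__main__":
    for name, group, enabled in policies_at_risk(GROUPS_XML, POLICIES_XML):
        print(f"{name!r} -> empty smart group {group!r} (enabled={enabled})")
```

An enabled policy in the output is one that would run on every computer; a disabled one is held back only by its Enable box.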