Software restrictions not releasing on status change

fredmin
New Contributor III

I've put in place software restrictions for student laptops that don't meet specific criteria, mainly an encrypted drive. The restriction is scoped to a smart group and an exemption is placed on a second smart group.

Here's the workflow: Laptop A needs to use an app, but to do so it must have a fully encrypted HDD. It does not, so it is in the unencrypted smart group and the software restriction is applied. The end user encrypts the drive and runs the Self Service shortcut to update the inventory after the encryption process is completed. The computer is removed from the unencrypted smart group and placed into the encrypted smart group which is overtly exempted in the software restriction. However, when the user tries to run the software, the restriction is still in place and they continue to receive the message associated with the restriction.

I can remove the client software, re-enroll the laptop and that will fix the restriction problem on that laptop, but that only resolves that laptop. My expectation is that this would be done automatically and remotely. These users are rarely on-site anymore and do not usually have the time to return to campus to have us resolve this manually.

Has anyone else run into this??

3 REPLIES

pblake
Contributor III

Do you have a full inventory update at the end of the encryption policy?

jhalvorson
Valued Contributor

If you issue the following command, it will update the restriction policy list:

jamf manage

The list of apps will update on the client, but then there is a small grace period for one of the jamfsoftware LaunchDaemons to honor that change to the list. I don't know the frequency, but it seems to be less than 90 seconds.

You could include the "manage" command with the Self Service policy that also runs the inventory process. Also note that if your inventory policy is using the built-in Maintenance - Update Inventory, there is purposely a long delay before it will actually happen. JAMF says it's to avoid users that click on a lot of items in Self Service, and if each has a check for update which would trigger multiple updates.

Instead of using the built-in Maintenance - Update Inventory, you might try a Self Service policy that has a Files and Process - Execute Command that does both the inventory update and the management command in one line. Try this...

sudo jamf policy; sleep 10; sudo jamf manage; sleep 10

The sleep should add pauses to give the appearance to the user that something is processing with Self Service. You might have to adjust the values to get the restrictions to work.
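A script form of the approach in the reply above, as an added example that is not code from the thread or from Jamf: it runs `jamf recon` (the inventory update) and `jamf manage` only once the disk reports as fully encrypted. Assumptions: the encryption is macOS FileVault checked with `fdesetup status`, the jamf binary is at /usr/local/bin/jamf, and the policy sets script parameter 4 to "apply".

```shell
#!/bin/sh
# Added example for a Self Service policy script; not from the thread.
# Assumptions: FileVault is the encryption in question, the jamf binary
# path below, and parameter 4 = "apply" (Jamf reserves $1-$3 for the
# mount point, computer name and user name).
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
SETTLE_SECS="${SETTLE_SECS:-90}"   # upper bound of the grace period cited above

# Map `fdesetup status` text to one word. "in progress" is tested first
# because that line can accompany "FileVault is On."
fv_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"Decryption in progress"*) echo decrypting ;;
    *"FileVault is On"*)        echo on ;;
    *"FileVault is Off"*)       echo off ;;
    *)                          echo unknown ;;
  esac
}

# Refresh inventory, then the restricted-software list, only when the disk
# is fully encrypted.
# Returns: 1 = not encrypted, 2 = recon failed, 3 = manage failed.
refresh_restrictions() {
  state=$(fv_state "$1")
  if [ "$state" != on ]; then
    echo "Encryption state is '$state'; restriction stays in place." >&2
    return 1
  fi
  "$JAMF_BIN" recon  || return 2   # inventory update so smart groups recalculate
  "$JAMF_BIN" manage || return 3   # client re-pulls the restriction list
  sleep "$SETTLE_SECS"             # let the LaunchDaemon honor the new list
  return 0
}

# Runs only when the policy passes "apply" as parameter 4.
if [ "${4:-}" = "apply" ]; then
  refresh_restrictions "$(fdesetup status 2>&1)"
  exit $?
fi
```

A non-zero exit shows up as a failed policy run in the logs, which separates "user clicked before encryption finished" from "recon or manage failed".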

chrisdaggett
Contributor II

Similar situation, same problem. I have restricted software that I want restricted while they are at school but not at home. Set up 2 smart groups @home and @school (based on IP). Restrictions are scoped only to @school smart group.

Restrictions aren't releasing even hours after they have checked in with a different IP and are no longer in the @school smart group.

I pushed out sudo jamf manage and that updated them, once. Unfortunately the next day they came back in and it didn't update in reverse (they were back in the @school smart group but nothing was being blocked).

I don't really WANT to run sudo jamf manage at check-in, but it currently appears to be the only way I can get this to work.