Help

VPP Assignment to LDAP Groups

Go to solution
mgarman
New Contributor III

Posted on ‎06-06-2014 01:22 PM

Scope for a VPP assignment is set to one or more LDAP groups by setting Target Users to All Users, then clicking on Limitations and selecting one or more LDAP user groups (in our case, Active Directory). The users in this group have been assigned to their device (listing them in the JSS), and a VPP Invitation has been made and accepted for all users in each LDAP group.

There are other VPP Assignments to distribute different App sets to different LDAP user groups.

Question - when a user is removed is from one LDAP group in Active Directory (which is scoped to VPP_Assignment_1), and placed into a new LDAP group in Active Directory (which is scoped to VPP_Assignment_2), does the JSS automatically revoke the VPP_Assignment _1 apps and then re-license the user with the VPP_Assignment_2 apps? When/how does this take place given that neither VPP Assignment has been touched?

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
mgarman
New Contributor III

Posted on ‎06-11-2014 12:59 PM

Set up a test. Created two VPP assignments - each to differing LDAP groups and each with a different app. Assigned a user to one of these groups and the device received the app from the appropriate VPP Assignment. Changed the user's group in LDAP and ran an Inventory and Blank Push on their device. The device quickly received the app from the new VPP Assignment and received a revocation of the app from the previous VPP Assignment about 20 minutes later.

View solution in original post

0 Kudos
3 REPLIES 3

Go to solution
cdenesha
Valued Contributor II

Posted on ‎06-08-2014 03:39 PM

The only piece of info I know is that the LDAP info for the user is updated whenever the device's inventory is updated. In 9.2x I populated a field in User & Location from AD and the data was collected within a day.

0 Kudos

Go to solution
mgarman
New Contributor III

Posted on ‎06-11-2014 12:59 PM

Set up a test. Created two VPP assignments - each to differing LDAP groups and each with a different app. Assigned a user to one of these groups and the device received the app from the appropriate VPP Assignment. Changed the user's group in LDAP and ran an Inventory and Blank Push on their device. The device quickly received the app from the new VPP Assignment and received a revocation of the app from the previous VPP Assignment about 20 minutes later.

0 Kudos

Go to solution
freddie_cox
Contributor III

Posted on ‎08-29-2014 10:31 AM

Thanks for this. I was scratching my head why my VPP assignments were going out, seemingly willy-nilly. Running an inventory update on the devices now. I'm less concerned about the revocations as they seem to show up quickly on the VPP side and eventually make it to the client. Testing now!

0 Kudos