Uninstall/Install of Restriction Profiles Based on Regions Determined by Public IP Fails

mbischo
New Contributor

Greetings!

I currently work at a school which manages students' iPads through Jamf School, which works really well in most cases.

We have configured a dynamic group whose member scope is based on a region which is determined by the school's public IP which is fixed. In most cases this setup works flawlessly.

However, with some devices this does not work, which means that upon returning home and even rebooting their devices students' iPads are still treated as if they were on campus. I can only undo this by manually refreshing the device status/network details. Even when the iPads receive a new IP, Gateway etc. from their home dhcp server, the public IP is unaltered and thus the restriction profile is not removed. This can not be explained by a flawed configuration of the private networks either, since in case of siblings one iPad uninstalls the restriction profile as expected, whereas the other does not.

This also "works" the other way around: When students arrive on campus and connect to the school's LAN, they still "carry" their home public IP "around" which is why the restriction profile is not installed.

Again, selecting all devices and performing a refresh as a bulk action solves this problem but it this is not a feasible approach...

Any help is greatly appreciated!

Cheers

Mark

5 REPLIES 5

mbischo
New Contributor

I do not really see how the reply is relevant!?

However, the only workaround that I have come up with is to make the students refresh their device details via the Jamf Student App. Still, I would like to know if there is a real solution to the problem.

AntD
New Contributor III
New Contributor III

The public IP address (and much more data) is only updated in the Jamf School console with a check-in, the device isn't able to dynamically report information back to MDM without first being asked to (hopefully DDM will help with this in the future.

To my understanding, the check-in cadence for devices in Jamf School is every 2 hours, which is likely why you are finding devices still show as the 'wrong'  IP when at home (and why refreshing the device fixes the problem) You might find that using time-based profiles will give you better results.

 

Failing that and still wanting to use the location based way my advice would be to explore the API. There are end points which will let you search through devices and then refresh them via a script. You could automate this script so that a certain times of the day (say the start and end of school) you are refreshing devices at a more regular cadence via the API (and therefore getting faster results).

I wouldn't recommend checking the devices in so regularly during the entire day but for short bursts to tackle this issue, I wouldn't see a problem. Of course, you are effectively creating time-based rules but based on a location.....so if you've not looked into the API before, you might want to check out the in product time based feature first

mbischo
New Contributor

Thank you very much for your suggestions/insights.

To my mind time-based profiles are too blunt and instrument because the times when students leave school simply vary way too much.

The 2h check-in frequency is another thing I was wondering about: Why can't this be set to a lower value? I remember reading that the interval in Jamf Pro is 15 minutes?

I will definitely look into the API but I would like to see an option to change the check-in frequency as well. Should this perhaps be a feature request?

user-BIbRuJIXgh
New Contributor II

We have the same problems. It would be Great, if students could push their new location or the frequency could be faster

mbischo
New Contributor

I found out that students can push their location using the Jamf student app. This works for our students and could be considered a solution.

Students open the app, tap on their profile icon, tap on their device, and then tap on refresh (outlined from memory).