Trouble with OS X Self Service Policies Limited to AD Groups

cpdecker
Contributor III

Hello folks,

I hope everyone is doing well and that all the school system admins out there are having a smooth transition back.

I am having a problem with some of our Self Service policies in OS X. The ones in question will display "Gathering Information..." along with a very quick progress bar when the user attempts to install them. Nothing actually gets installed on the machine and no policy logging event is generated by the action. I thought something was possibly corrupt with these policies or their packages until I removed their AD group limitations and set them to "All Computers" or "Specific Computers" only. When the AD limitations are gone, they work like a charm through Self Service.

Has anyone else experienced this? Any ideas? Thanks as always!

1 ACCEPTED SOLUTION

shanejorgensono
New Contributor

@cpdecker What you are seeing is most likely defect D-008830.

--Self Service policies that include all computers in the policy scope and are limited to LDAP users or LDAP user groups fail to run on a computer if users are not required to log in to Self Service and an LDAP user is assigned to the computer.

When limiting Self Service Policies to LDAP Groups, authentication for Self Service is required. It is the authenticating of Self Service that then tells the JSS which policies are available for that user.

I recommend filing a case with your TAM to attach to the defect.

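The accepted answer describes a specific combination (Self Service policy, "All Computers" in scope, limited to LDAP users or groups, Self Service not requiring login) that silently fails. The audit below is an added example, not code from this thread or from Jamf: it walks a set of policy records and lists the ones that match that pattern, so an admin can see which policies need a workflow change before the defect is fixed. The XML is a constructed sample that is assumed to follow the Classic API policy layout (`general`, `scope/all_computers`, `scope/limitations/user_groups`, `self_service/use_for_self_service`); the policy names and ids are made up.

```python
"""Audit Jamf policy XML for the scoping pattern described in the thread.

Constructed example, not Jamf code. The sample below is hand-written and
assumed to follow the Classic API policy layout; in practice the records
would come from /JSSResource/policies/id/<id>, one <policy> per call.
"""
import xml.etree.ElementTree as ET

# Constructed sample: three policies, only the first matches the pattern.
SAMPLE_POLICIES_XML = """<policies>
  <policy>
    <general><id>1</id><name>Install Office</name></general>
    <scope>
      <all_computers>true</all_computers>
      <limitations>
        <users/>
        <user_groups>
          <user_group><id>10</id><name>School1 Teachers</name></user_group>
        </user_groups>
      </limitations>
    </scope>
    <self_service><use_for_self_service>true</use_for_self_service></self_service>
  </policy>
  <policy>
    <general><id>2</id><name>Install Printer Drivers</name></general>
    <scope>
      <all_computers>false</all_computers>
      <computers><computer><id>5</id></computer></computers>
      <limitations>
        <user_groups>
          <user_group><id>11</id><name>School1 Office</name></user_group>
        </user_groups>
      </limitations>
    </scope>
    <self_service><use_for_self_service>true</use_for_self_service></self_service>
  </policy>
  <policy>
    <general><id>3</id><name>Update Inventory</name></general>
    <scope><all_computers>true</all_computers><limitations/></scope>
    <self_service><use_for_self_service>false</use_for_self_service></self_service>
  </policy>
</policies>"""


def _flag(policy, path):
    """True if the boolean element at `path` under `policy` reads 'true'."""
    node = policy.find(path)
    return node is not None and (node.text or "").strip().lower() == "true"


def ldap_limitations(policy):
    """Names of the LDAP users and user groups a policy is limited to."""
    names = []
    for path in ("scope/limitations/users/user",
                 "scope/limitations/user_groups/user_group"):
        for node in policy.findall(path):
            name = node.findtext("name")
            if name:
                names.append(name)
    return names


def affected_policies(xml_text, self_service_requires_login):
    """Return names of Self Service policies matching the defect pattern:
    all computers in scope, limited to LDAP users/groups, while Self
    Service is configured not to require login."""
    if self_service_requires_login:
        return []  # with login required the limitation is evaluated normally
    root = ET.fromstring(xml_text)
    hits = []
    for policy in root.findall("policy"):
        if not _flag(policy, "self_service/use_for_self_service"):
            continue  # not offered in Self Service, so not this failure mode
        if not _flag(policy, "scope/all_computers"):
            continue  # the defect text only covers "All Computers" scopes
        if not ldap_limitations(policy):
            continue  # no LDAP limitation, nothing for login to resolve
        hits.append(policy.findtext("general/name"))
    return hits


if __name__ == "__main__":
    for name in affected_policies(SAMPLE_POLICIES_XML, self_service_requires_login=False):
        print(f"policy likely affected: {name}")
```

Running it against the sample flags only "Install Office": the printer policy is scoped to a specific computer rather than "All Computers", and the inventory policy has no LDAP limitation. Switching the `self_service_requires_login` argument to `True` returns an empty list, which mirrors the workaround the thread converges on.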

11 REPLIES

emily
Valued Contributor III

So unless I'm misremembering here, policies scoped to AD groups should be "All Computers" with a limitation set to the group. Is that the case here? And are you sure you're using the right security groups? And have the packages replicated to the appropriate distribution points?

andrew_nicholas
Valued Contributor

Do you have more than one domain, with users from one domain being in the limited security groups from the other AD?

andrew_nicholas
Valued Contributor

@cpdecker Does your Self Service require login? I was able to replicate this with my test JSS if I turned Self Service to require no login, but once I changed it to "Allow users to log in" I was able to deploy a package correctly. I was logged in as an AD user on 10.10.5 with 9.65 of Self Service.

scottb
Honored Contributor

Like @emilykausalik and @andrew.nicholas, we use AD groups for Self Service.

* Require Login to Self Service.

* Set scope: "All computers", Limitation: AD Group

Works great. Not sure if it's supposed to work without a login to SS, but the above is how we work things.

cpdecker
Contributor III

Our scoping options are:

Targets: All Computers
Limitations: School1 Office, School1 Teachers
Exclusions: None

We only have one distribution point and it is up and functional. The logic for the AD group memberships and scoping options appears to be correct (both in my head and in Casper), since the policy wouldn't even appear as an option in the Self Service portal if it were incorrect.

We also only have one domain.

We do not require login for the Self Service portal, but we have associated the AD usernames with the computers. This can be confirmed since the AD username shows at the top right of the SSP. Making the users log in to their AD account to access the SSP isn't ideal for us. This was working during last school year but admittedly wasn't tested much over the summer.

So, if I were to take the scoping options above and remove the limitations from them, the policy works fine. Thanks for all responses so far!

cpdecker
Contributor III

Also, as another note, this appears to be affecting Mavericks and Yosemite.

scottb
Honored Contributor

Since we all failed to ask, what version of the JSS are you running?

andrew_nicholas
Valued Contributor

To go along with what @scottb asked, my test JSS instance that demonstrated the issue is 9.73.

emily
Valued Contributor III

I'm sure this isn't helpful but it seems warranted now:

cpdecker
Contributor III

I will accept it as a failure on my part for not providing: 9.73 :)

If this turns out to be an official bug we can adjust our workflow for now to get around it until it is dealt with. I will make sure I get in touch with my JAMF Support Personnel.

Thanks all--any additional input is still greatly appreciated. I may try rebooting the server this weekend and seeing if the issue still persists :)
