Smart Group Default Scope

andrew_nicholas
Valued Contributor

Good Morning All,

I was preparing an experimental policy sequence this morning using the smart group scope/exclusion method, when I realized that the smart group set as scope had accidentally not been populated with any criteria. Apparently this defaults to include all machines within the JSS, and while my policy was only SS based and didn't do anything adverse, I can't help but imagine doomsday scenarios. Does anyone know if this is expected behavior/a bug or if I should just submit a Feature Request instead?

Thanks!

1 ACCEPTED SOLUTION

mm2270
Legendary Contributor III

The Feature Request for this is here: https://jamfnation.jamfsoftware.com/featureRequest.html?id=1659
Please go and vote this up AND post your thoughts on the thread. As you can see the FR is more than 2 years old now and JAMF has done nothing about it (though its "Under Review") They need pressure from all Casper Suite customers to change this dangerous default behavior. Because no-one is immune to this pitfall unless you don't use Smart Groups at all, or don't create policies to deploy to your managed systems - and you're highly unlikely to find anyone in that boat.
Although its actually mentioned in the full Casper Suite admin guide documentation (pg 256, Step 6, item e) I don't feel its called out prominently enough, given how serious this could be under the wrong circumstances.

I actually don't know what JAMF's waiting for to address this. I feel this should have been changed by now.

View solution in original post

5 REPLIES 5

thoule
Valued Contributor II

Yes, I Smart Group with no criteria means all machines. This is current behavior - can't say 'expected' as I don't know how many people have done it. I don't think it's a huge risk, as most people will see how many machines are in the smart group as the last step of creating it. At least I do!

I'd like to see a 'computer count' number on the Scope settings page so I have an idea how many machines I'm targeting. Right now, I disable the policy and then view log to see how many are there to make sure I didn't screw up the target/limitation/exclusion...

mm2270
Legendary Contributor III

The Feature Request for this is here: https://jamfnation.jamfsoftware.com/featureRequest.html?id=1659
Please go and vote this up AND post your thoughts on the thread. As you can see the FR is more than 2 years old now and JAMF has done nothing about it (though its "Under Review") They need pressure from all Casper Suite customers to change this dangerous default behavior. Because no-one is immune to this pitfall unless you don't use Smart Groups at all, or don't create policies to deploy to your managed systems - and you're highly unlikely to find anyone in that boat.
Although its actually mentioned in the full Casper Suite admin guide documentation (pg 256, Step 6, item e) I don't feel its called out prominently enough, given how serious this could be under the wrong circumstances.

I actually don't know what JAMF's waiting for to address this. I feel this should have been changed by now.

andrew_nicholas
Valued Contributor

Thanks!

scottb
Honored Contributor
I'd like to see a 'computer count' number on the Scope settings page so I have an idea how many machines I'm targeting. Right now, I disable the policy and then view log to see how many are there to make sure I didn't screw up the target/limitation/exclusion...

That would be swell. At least if you had a quick glance you could see that the policy you intend for 20 objects isn't scoped for 1200 quickly. That would be a nice touch.

Look
Valued Contributor III

Yep this is probably the worst bug/feature in Casper at the moment from the potential to completely destroy your environment through no real fault of your own.