Deploy Packages Based on AD Group Membership?

frank
New Contributor III

Hi everyone,

I'm new to the world of Casper and have set up a trial of 8.6 while I wait for the product to be purchased at work. I've set up policies and smart groups and have linked the LDAP Server Connections to our internal AD server, which works fine for delegating permissions for who has access to the web portal of Casper.

Question is, how do I go about setting up a package to deploy to an end user based on the computer object being part of an AD group? All Macs are bound to AD and I'd like to replicate the way we deploy packages on Windows with Casper for Mac users.

The idea behind this is that our service desk reps only need to add computer objects to defined security groups in AD for the application to be deployed. This is how it's currently set up for our Windows users and it works well.

The Self Service portal will be expanded in future, but for now we are only going to host printers and possibly some freeware apps while we manage package deployment for licensed apps via AD groups.

I tried creating a smart group, but it only allows me to define attributes based on inventory data (MAC address, hostname, CPU type...), where what I really need is for it to be able to link to an AD security group and deploy based on the hostname's membership, as it will be the same hostname in AD as it is in Casper.

Is this possible, or does AD integration only extend to delegating permission to Casper's web portal?

Regards,

Frank

frank
New Contributor III

Anyone?

talkingmoose
Moderator

Haven't tried this myself but you could probably use a dscl command to have the Mac look at its groups list in AD for the name of a group. Are your software install groups following a specific naming convention?

A policy could run on a routine basis (such as every 15 minutes) to make the query.

I posted a few tips for how to read AD using dscl. In your case you'll want to explore the Computers options.

https://jamfnation.jamfsoftware.com/discussion.html?id=4615

Maybe this will get you started. Others may very well have other better ideas for accomplishing what you're needing.

frank
New Contributor III

Thanks for the link talkingmoose. Yes we have naming conventions for the AD groups which will be referenced for software to be deployed.

I assume the method you suggested would mean each package would need to have this AD query built in as a script. So would every Mac be in scope for every package as a policy, but only deploy depending on the output of the script, i.e. if the computer is a member of the AD group?

Ideally this check would be done between the JSS and AD servers rather than the client running up to 100 policies (we have around 100 packages) to check for AD membership for package deployments every 15 min.

talkingmoose
Moderator
Accepted solution

I don't think the JSS has any way of directly bringing in security groups from Active Directory for anything other than users. I may be wrong and someone may correct me on this.

With that said, you'd need to have each Mac itself query Active Directory and see if it can find a list of its group memberships. You could probably gather this information during your routine inventory updates using an extension attribute and store each machine's groups list in its JSS record. Then you could use a smart group for each application to verify that a Mac 1) Has a particular AD group listed in its extension attribute and 2) Doesn't have the software installed.

Your policy could be scoped to install software only when machines get added to your smart group.

We don't assign Macs to groups here so I'm kind of flying blind about what to check. If you run this command (Mac OS X 10.7 or 10.8) do you see the groups listed for one of your machines? (Change YOURDOMAIN and ComputerName to something in your network.)

dscl "/Active Directory/YOURDOMAIN/All Domains" -read /Computers/ComputerName$
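A worked version of the extension-attribute approach described in the post above (and repeated by mm2270 further down), added here as an example; it is not code from either poster. It assumes a domain node named EXAMPLE, a "SW-" naming prefix for software install groups, and that the AD plugin exposes the computer record's group DNs as dsAttrTypeNative:memberOf. The dscl output embedded at the bottom is constructed so the parser can be exercised without a domain-bound Mac.

```shell
#!/bin/bash
# Added example: a Jamf extension attribute (EA) script that reports which AD
# security groups this Mac's computer object belongs to, so smart groups can
# scope installs on that value. Not code from the thread's posters.
# Assumptions (mine): the AD node name, the "SW-" group naming prefix, and that
# the AD plugin exposes the computer record's memberOf DNs as
# dsAttrTypeNative:memberOf. Adjust AD_NODE and GROUP_PREFIX for your domain.

AD_NODE="/Active Directory/EXAMPLE/All Domains"   # assumption: your domain's dscl node
GROUP_PREFIX="SW-"                                  # assumption: software install groups

# Turn raw `dscl -read` output into one group CN per line (sorted, unique).
# dscl prints a multi-valued attribute either as a header line followed by
# one indented value per line, or, when no value contains a space, as all
# values space-separated on the header line itself. Both forms are handled.
parse_member_of() {
    printf '%s\n' "$1" | awk '
        /^dsAttrTypeNative:memberOf:/ {
            inattr = 1
            sub(/^dsAttrTypeNative:memberOf:[ \t]*/, "")
            n = split($0, tok, /[ \t]+/)
            for (i = 1; i <= n; i++) if (tok[i] != "") print tok[i]
            next
        }
        /^[^ \t]/ { inattr = 0 }          # next attribute header ends the list
        inattr && /^[ \t]/ { sub(/^[ \t]+/, ""); print }
    ' | sed -n 's/^CN=\([^,]*\),.*/\1/p' | sort -u
}

# Keep only the groups that follow the software-deployment naming convention,
# so unrelated groups (Domain Computers, printer groups...) stay out of inventory.
filter_software_groups() {
    grep "^${GROUP_PREFIX}" || true
}

# Comma-separated list of matching groups for a given dscl output string.
software_groups_from() {
    parse_member_of "$1" | filter_software_groups | paste -sd, -
}

# Ask AD for this Mac's own computer record. The account name is taken from the
# bind (dsconfigad -show prints "Computer Account = name$"); falls back to the
# short hostname plus "$". Non-zero exit means the lookup failed (not bound,
# DC unreachable), which the caller must not confuse with "no groups".
read_member_of() {
    acct="$(dsconfigad -show 2>/dev/null | awk -F'= *' '/Computer Account/ { print $2 }')"
    [ -n "$acct" ] || acct="$(hostname -s)\$"
    dscl "$AD_NODE" -read "/Computers/${acct}" dsAttrTypeNative:memberOf 2>/dev/null
}

# EA entry point: Jamf stores whatever is between <result></result> in the
# computer's inventory record. A failed lookup is reported distinctly so a
# smart group never treats "could not reach AD" as "not a member".
ea_main() {
    if ! raw="$(read_member_of)"; then
        echo "<result>LOOKUP-FAILED</result>"
        return 0
    fi
    echo "<result>$(software_groups_from "$raw")</result>"
}

# Constructed sample of dscl output, used only to exercise the parser offline.
SAMPLE_DSCL_OUTPUT='dsAttrTypeNative:memberOf:
 CN=Domain Computers,CN=Users,DC=example,DC=com
 CN=SW-Office2011,OU=Software,OU=Groups,DC=example,DC=com
 CN=SW-Adobe-CS6,OU=Software,OU=Groups,DC=example,DC=com
 CN=Printers-Floor3,OU=Groups,DC=example,DC=com'

ea_main
```

Save it as a script-type extension attribute (string data type); on the sample above the stored value is "SW-Adobe-CS6,SW-Office2011". Each application's smart group then uses two criteria, the EA "like" its group name (for example SW-Office2011) and the application title "does not have" the installed app, and the install policy is scoped to that smart group. Two caveats worth keeping in mind: the value is only as fresh as the last inventory update, and the JSS is trusting what the client reports about itself, so whoever has root on the Mac can make it claim any group membership. That makes this a convenience mechanism for deployment, not an enforcement control for licensed software.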

frank
New Contributor III

talkingmoose, thanks for your help... I guess I need to submit a feature request to have the JSS query AD for computer object memberships for policy scopes. I'd rather have just the JSS do that query rather than every policy for every Mac in its scope hitting AD with membership queries.

talkingmoose
Moderator

I'll vote it up!

mm2270
Legendary Contributor III

"I guess I need to submit a feature request to have the JSS query AD for computer object memberships for policy scopes."

Hi Frank. I don't think you'd need a query running for every policy. You could create an Extension Attribute that runs a script to query the computer group membership and echo back the results.
Then, based on that, you could create Smart Groups and use those for scoping to your policies.
One thing though: since inventory can run at the end of a policy (if enabled), in actual practice it may turn out to be doing that query every 15 minutes anyway, especially for a new Mac brought into management.