network segment overrides question: need to stamp devices with department, building

gabester
Contributor III

Short time reader here, newbie Jamf admin to boot.

Stood up JSS 8.6 and upgraded to 9.1.1 and just tonight to 9.2, have a large org with lots of devices and complex network.

Most networks are analogous to buildings which usually contain one or more specific departments, such that the departments are often (but not always) unique to each building. Almost every building also has a server that can act as the jamf distribution point. I've defined the buildings, departments, distribution points, and network segments.

It sounds like I can run recon on a network segment manually and get it to apply the building and department values to discovered devices. That's generally undesirable as I have hundreds of network segments. Can a recon also assign dept/building to an already discovered device? (At best my reading of the docs suggests maybe.)

It seems like the "override" checkbox in the Network Segments should provide what I am looking for - to automatically assign based on IP (network location) the dept/building values that devices ought to generally have. The docs suggest that this will stamp devices coming into the segment with the overriding dept/building values assigned to that segment... but what happens with devices that have blank values that already reside within that segment? If I change the segment scope later will that impact devices that were previously outside the segment? What do I need to do after defining a segment to get the dept/building values to apply to the devices entering that segment - so far I've tried rerunning a jamf recon from devices within the network segment but that doesn't seem to apply the overriding dept/building values to a blank or incorrectly populated device.

I'd really prefer to avoid creating a bunch of computer groups or searches and manually applying the buildings and departments. JAMF generally seems like a great product so I hope I'm just missing something obvious!

1 ACCEPTED SOLUTION

gabester
Contributor III

Defect ID D-005656 was created last week in regards to the specific behavior exhibited when an all encompassing Network Segment was included.


7 REPLIES

bentoms
Release Candidate Programs Tester

Hi @Sterritt,

AFAIK, every time the client contacts the JSS it updates the IP for its record & should then have its dept/building assigned to it via its network segment if the override option is ticked.

BUT.. this may be only pre-v9 behaviour.. which version of the JSS are you running?

gabester
Contributor III

Thanks for that information... As I indicated, we started out on 8.x, went to 9.11 and just upgraded last night to 9.2 because I was advised that upgrading should fix the issue where I'm not seeing network segment department/building overrides actually take effect on devices within those segments (i.e. changing devices' recorded department/building values.)

Can anyone clearly outline for me what the process of making this work should be? Perhaps I've just gone about things in the wrong order. If the devices are already showing in jamf, whether they were enrolled or not and then I created the network segments and established the department/building values and ticked the override checkbox, would it still apply to devices that are already within the defined network segment? If I change a network segment scope from a.b.c.0-255 to d.e.f.0-255 would that suddenly apply the overrides to a device at d.e.f.2? What can I do to force a contact to apply this value - something like ssh into the box and run sudo jamf recon?

Many thanks - I think my inexperience is just causing me to miss a fundamentally obvious step. Or something's wrong with my JSS.

gabester
Contributor III

Followed up with Jamf support. While most of the network segments I'd put in place via a bash script from a csv were /20 or /21, someone had put in place an "All external IPs" address which was defined as 1.1.1.1 to 255.255.255.255. Apparently this uncovered a bug because the most restrictive network segment should apply to the device (i.e. all my intranet IPs should have had their settings including overrides apply.)

So if you're on JSS 9.2 and your network segments don't seem to be doing what they should, try changing the scope of any larger all-inclusive networks to see if their subnets will begin to work as they should!
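
An audit of the situation described in the post above, as an added Python example that is not part of the original thread and not Jamf's own code: it resolves which segment should apply to an IP under the "most restrictive segment wins" rule and lists catch-all segments that enclose narrower ones. The segment names, ranges and building/department values are constructed, and treating "most restrictive" as "smallest address range" is an assumption.

```python
import ipaddress
from typing import NamedTuple, Optional


class Segment(NamedTuple):
    name: str
    start: str
    end: str
    building: str
    department: str

    def bounds(self):
        """Inclusive (low, high) range as integers."""
        return (int(ipaddress.IPv4Address(self.start)),
                int(ipaddress.IPv4Address(self.end)))

    def size(self):
        lo, hi = self.bounds()
        return hi - lo + 1

    def contains(self, ip):
        lo, hi = self.bounds()
        return lo <= int(ipaddress.IPv4Address(ip)) <= hi


# Constructed sample data: one catch-all plus a /20 and a /21.
SEGMENTS = [
    Segment("All external IPs", "1.1.1.1", "255.255.255.255", "", ""),
    Segment("Library", "10.20.16.0", "10.20.31.255", "Library", "Circulation"),
    Segment("Science Hall", "10.20.32.0", "10.20.39.255", "Science Hall", "Physics"),
]


def most_specific_segment(ip: str, segments) -> Optional[Segment]:
    """Return the smallest segment containing ip, or None if nothing matches."""
    matches = [s for s in segments if s.contains(ip)]
    return min(matches, key=Segment.size) if matches else None


def enclosing_segments(segments):
    """Map each segment name to the broader segments that fully contain it."""
    report = {}
    for inner in segments:
        ilo, ihi = inner.bounds()
        outers = [o.name for o in segments
                  if o.size() > inner.size()
                  and o.bounds()[0] <= ilo and ihi <= o.bounds()[1]]
        if outers:
            report[inner.name] = outers
    return report
```

Any segment that appears as a value in the `enclosing_segments` report is a candidate for the scope change suggested above.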

bentoms
Release Candidate Programs Tester

@Sterritt. Glad you got it sorted. We have an external DP so would've found the same thing.

Do you have a defect ID you can share? Also, could you mark your post above as the answer (for future questions).

gabester
Contributor III

Defect ID D-005656 was created last week in regards to the specific behavior exhibited when an all encompassing Network Segment was included.

GabeShack
Valued Contributor III

Just wondering if there has been any movement on this defect. We have an external facing JSS in our DMZ and basically had anything that reported an IP outside of our network get an override of their distribution point to our DMZ JSS. This has been failing since the overrides of network segments are now not happening.
Gabe Shackney
Princeton Public Schools


gabester
Contributor III

I opened a ticket with JAMF support - if memory serves they had to go into the DB - which was upgraded from 8.7x to 9 something, and fix some record there to allow this to work right. But I think that was actually for the fact that network segment overrides weren't working properly, not the "all external IPs" bug.

Gabe, it's apropos I notice and respond to this a year after you; I've been meaning to reach out to you as a fellow Gabe to ensure others don't get our identities confused!