Prune icon indicating copy to clipboard operation
Prune copied to clipboard

Published 20 hours ago verified publisher icon BIG-RAT

Prune listing policies that are enabled and scoped to static user groups

Open gtdragon980 opened this issue 2 years ago • 3 comments

When using Prune to scan policies in the JSS, it will not consider policies that are using static user scopes as being "In Use". I saw several enabled and scoped policies in the "Unused" list of policies when testing this.

gtdragon980 avatar Nov 08 '22 16:11 gtdragon980

Nice catch, and unfortunately this looks to be an issue with the API as scoped users, smart user groups, and static user groups information is missing when you view a policy through the API. For example here is a policy and configuration policy scoped exactly the same. policy (scope) xml:

<scope>
  <all_computers>false</all_computers>
  <computers/>
  <computer_groups>
	<computer_group>
	  <id>172</id>
	  <name>laptops</name>
	</computer_group>
  </computer_groups>
  <buildings/>
  <departments/>
  <limit_to_users>
	<user_groups/>
  </limit_to_users>
  <limitations>
	<users/>
	<user_groups/>
	<network_segments/>
	<ibeacons/>
  </limitations>
  <exclusions>
	<computers/>
	<computer_groups/>
	<buildings/>
	<departments/>
	<users/>
	<user_groups/>
	<network_segments/>
	<ibeacons/>
  </exclusions>
</scope>

Configuration Profile (scope) xml:

<scope>
  <all_computers>false</all_computers>
  <all_jss_users>false</all_jss_users>
  <computers/>
  <buildings/>
  <departments/>
  <computer_groups>
	<computer_group>
	  <id>172</id>
	  <name>laptops</name>
	</computer_group>
  </computer_groups>
  <jss_users/>
  <jss_user_groups>
	<user_group>
	  <id>2</id>
	  <name>Group 1</name>
	</user_group>
	<user_group>
	  <id>27</id>
	  <name>Test Smart Grp</name>
	</user_group>
  </jss_user_groups>
  <limitations>
	<users/>
	<user_groups/>
	<network_segments/>
	<ibeacons/>
  </limitations>
  <exclusions>
	<computers/>
	<buildings/>
	<departments/>
	<computer_groups/>
	<users/>
	<user_groups/>
	<network_segments/>
	<ibeacons/>
	<jss_users/>
	<jss_user_groups/>
  </exclusions>
</scope>

Notice the policy is missing the jss_users and jss_user_groups keys. I might suggest openning a ticket with Jamf Support to get the issue addressed.

BIG-RAT avatar Nov 10 '22 15:11 BIG-RAT

Thanks for the quick response. I will reach out to Jamf support and let them know about this finding.

gtdragon980 avatar Nov 10 '22 16:11 gtdragon980

Thank you. I'd encourage others encountering this issue to do the same as I discovered I'd mentioned this years ago. The more people it impacts the more likely it is to get addressed.

BIG-RAT avatar Nov 16 '22 19:11 BIG-RAT