How LDAP Integration Works:
Jamf Pro allows you to integrate your Jamf server with an LDAP server for several reasons. First off, this integration allows your Jamf admins to log in to the Jamf server using their LDAP credentials, instead of having to create a separate username and password on the Jamf Server. It also allows your general users to log in during enrollment of their iOS devices or computers. This, in turn, pulls any LDAP attributes you have mapped through your Jamf server into the inventory record of their macOS/iOS device. By default, these are the attributes pulled from LDAP (however, you can add more attribute mappings through an extension attribute):
This information is useful for many reasons. First off, you know who has which macOS/iOS device, along with some very useful information about them. You can use this information as variables in iOS configuration profiles. Most importantly, though, you can use information like building, department, or position to scope applications or settings to computers and mobile devices.
That last use is what I'm going to focus this article on.
How Buildings and Departments work in the Jamf server
If you go to Settings > Network Organization in the Jamf webapp, the first two icons you see are Buildings and Departments. These let you create your own buildings and departments and put computers and mobile devices into them. Each device can belong to exactly one building and one department. Applications and settings can be scoped directly to buildings and departments.
If you want to assign a computer or mobile device to a particular building or department, open the device's inventory record and edit the User and Location section. It's also worth noting that you can't put a device into a building or department until you have created that building or department under Settings.
If you are integrated with LDAP, everything under User and Location is filled in automatically from LDAP. This is all great, except when there is a discrepancy between what's in LDAP and what's in the Jamf server.
The Potential Problem
Let's say jjohnsmith is in the Minneapolis building in LDAP, but there is no Minneapolis building under Network Organization > Buildings in the Jamf server. When jjohnsmith enrolls into Jamf, all of his information is pulled in properly, but the building is left blank, because there is no corresponding building in the Jamf server to put him into.
This can be fixed easily enough by creating a Minneapolis building through the Jamf webapp. However, the match is exact: the Jamf name must equal the LDAP value character for character, including case and whitespace, and if you have hundreds of buildings and departments, creating them by hand is a tedious process. Also, when the Jamf server has no building matching the LDAP value, you don't get an error; the device simply isn't put into any building, which means it silently falls outside anything you have scoped to that building. This can be incredibly frustrating, because you're not warned that there is a problem at all, let alone whether the problem is on the Jamf side or the LDAP side.
Well, I'm calling this "a solution," but it really is just a script to save you a lot of time. First off, export ALL of the unique buildings and departments you have in your LDAP server. There are a lot of different ways to do this depending on what type of LDAP server you have and how it's set up. Once you have the information, save two documents, one with only the unique values for Buildings and another with only the unique values for Departments, then download this script – https://github.com/schasta218/Mass-add-buildings-departments/ – and run it from Terminal with sh /path/to/document.
The script is pretty simple. It reads each row of the document, grabs the name, and uses the Jamf API to create that building/department in your Jamf server.
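The same idea in Python, as an added example that is not the linked script or any of its code. It assumes the Jamf Pro Classic API (POST /JSSResource/buildings/id/0 and /JSSResource/departments/id/0 with an XML body) and a bearer token obtained from POST /api/v1/auth/token, both of which exist in current Jamf Pro releases; the environment variable names JAMF_URL, JAMF_USER and JAMF_PASS and the file layout of one name per line are assumptions of this example. Two details are worth copying even if you keep the shell script: names are XML-escaped before being placed in the request body, so an LDAP value like "R&D" cannot break or alter the document, and credentials come from the environment rather than the script itself.

```python
"""Mass-create Jamf Pro buildings and departments from two text exports.

Added example, not the script linked above. Assumes the Classic API
(/JSSResource) accepting a bearer token from /api/v1/auth/token. The
environment variable names and the one-name-per-line file format are
assumptions of this example.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request
from xml.sax.saxutils import escape

# Classic API object kinds: XML root element -> URL path segment.
KINDS = {"building": "buildings", "department": "departments"}


def load_unique_names(lines):
    """Strip surrounding whitespace, drop blank lines, keep first occurrence.

    Case is preserved on purpose: Jamf matches the LDAP value exactly,
    so 'Minneapolis' and 'minneapolis' would be two different buildings.
    """
    seen = []
    for raw in lines:
        name = raw.strip()
        if name and name not in seen:
            seen.append(name)
    return seen


def build_payload(kind, name):
    """XML body for the create request. Escaping matters: a value such as
    'R&D' or '<Lab>' would otherwise corrupt the XML document."""
    if kind not in KINDS:
        raise ValueError(f"unknown object kind: {kind}")
    return f"<{kind}><name>{escape(name)}</name></{kind}>"


def api_path(kind):
    """id/0 tells the Classic API to allocate a new id for the object."""
    return f"/JSSResource/{KINDS[kind]}/id/0"


def get_token(base_url, user, password):
    """Exchange the account's credentials once for a short-lived bearer token."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/api/v1/auth/token", method="POST",
        headers={"Authorization": f"Basic {cred}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def create_object(base_url, token, kind, name):
    """POST one building or department; returns the HTTP status code."""
    req = urllib.request.Request(
        base_url + api_path(kind), method="POST",
        data=build_payload(kind, name).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/xml", "Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # A duplicate name is rejected by the server; report it and keep going.
        return err.code


def main(argv):
    if len(argv) != 3:
        sys.exit("usage: jamf_mass_add.py buildings.txt departments.txt")
    base_url = os.environ["JAMF_URL"].rstrip("/")
    token = get_token(base_url, os.environ["JAMF_USER"], os.environ["JAMF_PASS"])
    for kind, path in zip(("building", "department"), argv[1:]):
        with open(path, encoding="utf-8") as fh:
            names = load_unique_names(fh)
        for name in names:
            status = create_object(base_url, token, kind, name)
            print(f"{kind} {name!r}: HTTP {status}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as JAMF_URL=https://your.jamf.server JAMF_USER=apiuser JAMF_PASS=... python3 jamf_mass_add.py buildings.txt departments.txt, using an account whose only privileges are creating buildings and departments; a 201 means the object was created, anything else is printed so you can see which rows need a look.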
And there you go! I may have saved you an hour of tedious work, and possibly a couple of minor typing mistakes that could have caused problems later on.
Monitoring the problem
Like I said, my "solution" isn't so much a solution as something that saves you a little time, because if a new department or building is created in your LDAP server, it is not automatically created in the Jamf server. Therefore, it's a good idea to monitor for this problem. The best way to do this is with a Smart Mobile Device Group and a Smart Computer Group. You'll need to create one of each.
First, create a Smart Group and select Send email notification on membership change. This ensures Jamf administrators get an email whenever a computer or mobile device falls into this group, allowing you to take action immediately.
Next, create two criteria as shown below:
Now, if a computer or a mobile device is not in a building or a department, you will get an email about it, allowing you to immediately rectify the problem!
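The Smart Groups above catch the symptom (a device with a blank building or department). If you also want to catch the cause before anyone enrolls, you can compare the LDAP export against what Jamf currently has. The following is an added example, not part of the original post, and assumes the Classic API list endpoints GET /JSSResource/buildings and GET /JSSResource/departments, which return XML shaped like the constructed sample in the block; the JAMF_URL and JAMF_TOKEN variables and the export file format are assumptions. Besides values that are missing outright, it flags near-misses, LDAP values that differ from a Jamf name only in case or whitespace, because those are just as broken in Jamf's exact matching but need a rename rather than a new object.

```python
"""Reconcile LDAP building/department values against what Jamf Pro has.

Added example, not part of the original post. Assumes the Classic API list
endpoints (GET /JSSResource/buildings, GET /JSSResource/departments) and a
bearer token supplied in JAMF_TOKEN; the sample data below is constructed.
"""
import os
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a Classic API building list; not captured from a
# real server. Note the trailing space in "St. Paul " and lowercase "Duluth".
SAMPLE_JAMF_BUILDINGS_XML = """<buildings>
  <size>3</size>
  <building><id>1</id><name>Minneapolis</name></building>
  <building><id>2</id><name>St. Paul </name></building>
  <building><id>3</id><name>Duluth</name></building>
</buildings>"""

# Constructed sample of a unique-values export from LDAP.
SAMPLE_LDAP_BUILDINGS = ["Minneapolis", "St. Paul", "duluth", "Rochester"]


def parse_jamf_names(xml_text, kind):
    """Names of every <building> or <department> element in a list response."""
    root = ET.fromstring(xml_text)
    return [el.findtext("name") for el in root.iter(kind)]


def canonical(name):
    """Loose key used only to spot near-misses: case-folded, whitespace collapsed."""
    return re.sub(r"\s+", " ", name).strip().casefold()


def reconcile(ldap_names, jamf_names):
    """Sort LDAP values into exact matches, near-misses and missing names.

    Jamf fills the field only when the LDAP value equals a Jamf name
    character for character, so a near-miss leaves the device unassigned
    exactly like a missing name does.
    """
    exact = set(jamf_names)
    loose = {}
    for jamf_name in jamf_names:
        loose.setdefault(canonical(jamf_name), jamf_name)
    result = {"ok": [], "near_miss": [], "missing": []}
    for name in ldap_names:
        if name in exact:
            result["ok"].append(name)
        elif canonical(name) in loose:
            result["near_miss"].append((name, loose[canonical(name)]))
        else:
            result["missing"].append(name)
    return result


def fetch_jamf_names(base_url, token, kind):
    """GET the current list from the server and return its names."""
    req = urllib.request.Request(
        f"{base_url}/JSSResource/{kind}s",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/xml"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_jamf_names(resp.read().decode("utf-8"), kind)


def main(argv):
    if len(argv) != 3 or argv[1] not in ("building", "department"):
        sys.exit("usage: jamf_reconcile.py building|department ldap_export.txt")
    kind, path = argv[1], argv[2]
    with open(path, encoding="utf-8") as fh:
        ldap_names = [line.rstrip("\n") for line in fh if line.strip()]
    base_url = os.environ["JAMF_URL"].rstrip("/")
    jamf_names = fetch_jamf_names(base_url, os.environ["JAMF_TOKEN"], kind)
    report = reconcile(ldap_names, jamf_names)
    for name, existing in report["near_miss"]:
        print(f"NEAR MISS: LDAP {name!r} vs Jamf {existing!r}")
    for name in report["missing"]:
        print(f"MISSING:   LDAP {name!r} has no {kind} in Jamf")
    # Non-zero exit so a scheduled run can page someone before a device enrolls.
    sys.exit(1 if report["near_miss"] or report["missing"] else 0)


if __name__ == "__main__":
    main(sys.argv)
```

Against the constructed sample, "Minneapolis" matches, "St. Paul" and "duluth" are reported as near-misses against "St. Paul " and "Duluth", and "Rochester" is reported as missing. Run it on a schedule with a read-only API account and the non-zero exit status becomes the alert.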