Scope
- Last Updated: Sep 3, 2024
Scope gives you granular control over which computers, mobile devices, and users receive remote management tasks. For example, you can use scope to ensure that a policy to install desktop publishing software only runs on computers in the Design department, or that a book is only distributed to students in a particular class. Scope can be based on the following items:
- Individual computers, mobile devices, or users
- Computer, mobile device, or user groups
- Departments
- Buildings
- Directory service or local users
- Directory service user groups
  Note: Jamf Pro may experience performance issues if too many directory service groups are included in the scope of an object. If you need to use multiple directory service criteria within a scope, consider creating a smart group with those criteria, and then scope to that smart group instead.
- Network segments
- Classes
- iBeacon regions
The items available vary depending on the remote management task you are configuring the scope for. For example, only book scope can be based on classes.
Scope cannot be based on personally owned mobile devices.
For most remote management tasks, configuring the scope involves adding targets, limitations, and exclusions. (The process varies depending on the remote management task you are configuring the scope for.)
Adding Targets
Targets are the computers, mobile devices, or users that receive the remote management task. You can add all computers, mobile devices, or users, or you can add a combination of items (e.g., specific computers, groups, buildings).
Adding Limitations
Adding limitations to the scope of a remote management task allows you to do the following:
- Limit the task to specific users in the target:
  For example, if you want a certain application to open at login for specific users regardless of the computer they use, you can use all computers as the target and add specific users as limitations.
- Limit the task to specific network segments in the target:
  For example, if you want each computer in a department to install a package but only while on the company’s production network, you can use the department as the target and add a specific network segment as a limitation.
- Limit policies and configuration profiles to devices in the target when the devices are in a specific iBeacon region:
  For example, if you want to install a configuration profile on mobile devices when they are in a specific iBeacon region, you can add the iBeacon region as a limitation.
Adding Exclusions
Adding exclusions to the scope of a remote management task allows you to exclude specific computers or mobile devices, groups, buildings, departments, users, user groups, or network segments. For example, if you want to restrict an application for everyone except the head of the department, you can add them as an exclusion.
You can also add iBeacon regions as exclusions to the scope of policies and configuration profiles. For example, if you want to prevent a mobile device from having a configuration profile installed when it is in a specific iBeacon region, you can add the iBeacon region as an exclusion.
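The following added example (not Jamf Pro code or part of the original documentation) models how targets, limitations, and exclusions combine, so you can review which devices a task would actually reach before deploying it. The `Device` and `Scope` classes, the attribute names, and the inventory are constructed for illustration, and the rule that a device must match at least one limitation when any are set is an assumption of this simplified model.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Device:
    name: str
    department: str
    user: str
    network_segment: str

@dataclass
class Scope:
    # Entries are (attribute, value) pairs; ("all", "*") means "all computers".
    targets: list = field(default_factory=list)
    limitations: list = field(default_factory=list)
    exclusions: list = field(default_factory=list)

def matches(device, criteria):
    # True if the device matches at least one (attribute, value) pair.
    return any(attr == "all" or getattr(device, attr) == value
               for attr, value in criteria)

def in_scope(device, scope):
    if not matches(device, scope.targets):
        return False
    # Assumption: with limitations present, the device must match at least one.
    if scope.limitations and not matches(device, scope.limitations):
        return False
    # An exclusion removes the device even if it is targeted and not limited out.
    return not matches(device, scope.exclusions)

def effective_scope(inventory, scope):
    return sorted(d.name for d in inventory if in_scope(d, scope))

# Constructed sample inventory.
INVENTORY = [
    Device("mac-01", "Design", "alice", "production"),
    Device("mac-02", "Design", "bob", "guest-wifi"),
    Device("mac-03", "Design", "carol", "production"),
    Device("mac-04", "Finance", "dave", "production"),
]

# Department target, production-network limitation, department head excluded.
PACKAGE_SCOPE = Scope(
    targets=[("department", "Design")],
    limitations=[("network_segment", "production")],
    exclusions=[("user", "carol")],
)

if __name__ == "__main__":
    print(effective_scope(INVENTORY, PACKAGE_SCOPE))
```

Only `mac-01` remains in scope: `mac-02` is off the production network, `mac-03` is excluded by user, and `mac-04` is not in the targeted department.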
Removing Targets
For most remote management tasks, removing a target from the scope also removes the remote management task from the device the next time the device checks in with Jamf Pro. However, some remote management tasks—such as policies or PreStage enrollment—are not removed from the device after the target is removed from the scope.
For information on how a feature behaves when a target is removed from the scope, see the documentation for that feature.