
Applying Configuration Policies to AD Group

Created: 26 Nov 2012 | 3 comments

Hi All

I am wanting to assign a Mobile Configuration Policy to an Active Directory Group that I have imported into the Altiris Console. The catch is that the group contains a list of AD user objects that I would like to pick up the policy when those named members enroll their device with their credentials. Is this possible?

Is there a better way of achieving the same outcome?

The functionality that I am trying to provide is locking down the delivery of iOS profiles to only authorised users, typically mailbox profiles to the enrolled users.

Cheers

JK

Comments

mclemson

Why not restrict enrollment to authenticated users?

Home > Mobile Management, Settings > General Enrollment.  Check 'Enable authentication check' then click the blue + sign to add an LDAP server (e.g. company-dc.company.local:389).  This restricts enrollment to only authorized users.  If you don't want to use all AD users, add Allowed Groups on the same screen before proceeding to restrict to only the AD users that are part of a specific AD security group.

If you still need to use a filter, you need to select all the devices whose enrolled user is a member of the AD organizational group that syncs with the AD OU.  Post back if you need help with that query.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com

jeroenk

Hi

I am already using restricted enrollment via an AD Group. My problem is that I have devices that are not 1 : 1 relationships and shared by many.

In those cases, we don't want the mail profile deployed to the iOS device of the user that has enrolled the device. Can Altiris NS allow for the deployment of Mobile Configuration Profiles based on an AD group?

I am quite new to Altiris, would that query be dynamic in that it could be run every 10 minutes or so to keep the filter valid?

Thinking a bit further about it, it would seem logical to use a filter that would deploy the Mobile Configuration profile (with Mail) to all members of the group, and all not in the group don't get the Mail Config Profile.

Cheers

JK

mclemson

The mail profile that will be delivered will have a blank username and password.  Mobile fills in device name based on the enrolled username, and password is provided by the user.  If you have a device shared by Bob, Susie, Joe, and Karen, and it was enrolled by Susie, it will get Susie's e-mail.  If you need it to have the PublicRelations@company.com e-mail instead, create a specific profile that doesn't leave username blank but instead puts in 'publicrelations' or 'publicrelations@company.com' and deploy it to that device.

Mike Clemson, Senior Systems Engineer, ASC
Intuitive Technology Group -- Symantec Platinum Partner
intuitivetech.com