AD Property Conditions for Visibility

dbeckner, Level 10 Champion

We are looking to restrict product access to certain users. Unfortunately these users do not belong to a specific security group so the next best thing that I see is to only include visibility based on a certain AD property. Currently under the AD Property dropdown there are only 3 options -- city, company, and office. Is it possible to add additional properties to this dropdown list or is this a fixed section?

Replies

CharlesW, Level 12 Flexeran

You should be able to add additional properties beyond the default by going to site management->Active Directory->Property Mapping. You will see a list of AD properties, some of which may have been populated by a custom user sync (ADGUID for instance). Anyways, if you want a property to be usable, then you would "edit" the property, and select "allow deployment" for the property. Once you do this, the property should be selectable in your condition. The following screen capture illustrates:

[screen capture: propertyMapping.png]

(Don't forget to select "update")

If the AD property does not exist in the SCCM DB is there a way to import properties directly from AD or is App Portal completely dependent on the user properties that SCCM exposes?

It would have to come from the Active Directory User Discovery attributes that are in SCCM. I'd expect that you could expand the user discovery attributes to get most things from AD. If you are able to discover it, then you should be able to add the same into WD_User via a custom query.

Thanks @CharlesW, this is exactly what I'm looking for.

Sorry to jump on this topic with a related question, but if users were in an AD group, is there an option to EXCLUDE users based upon AD group membership? I thought I only saw inclusion options under Site & Catalog security. Also, if using reverse DNS as computer discovery, is there a way to restrict access based upon client type? (ex: exclude any Mac devices from accessing App Broker). Thanks.

@Ralph_Crowley - No, admin and catalog security only allow you to add users and groups. In the absence of this functionality, I think that @dbeckner was going to restrict access to catalog items via catalog visibility conditions, or (more likely) category security based on AD Properties.

One thing which both of you "might" use would be to specify either a licensed collection or licensed view under settings->website. This allows you to create a collection in SCCM, and based on what you choose, you can either exclude or include devices. The licensed view does something similar, but it is based on a query run against the App Portal DB. If the device accessing the site did not meet the criteria, then the user would see "you are not licensed to use this software". No idea how you would feel about this, but I wanted to present this as an option.

Tagging on to this thread, a couple random thoughts...

  1. @dbeckner If you want to include a property in the WD_User table that is not in SCCM, you can use external methods (e.g. PowerShell, SQL SSIS jobs, etc.) to pull the SCCM data and other data sources into your own custom tables in the App Broker database and then configure a custom user sync query that joins the data from those local custom tables.  I previously had to set up an SSIS job in SQL to pull AD information directly via LDAP because the customer didn't have SCCM or Altiris as a data source.  Also, I think at one customer I may have found a way to specify additional user properties that were not part of the custom sync process simply by modifying the vUser view, but I don't recall the exact steps and don't really recommend modifying the view definition of our built-in views.
  2. @Ralph_Crowley If you wanted to exclude certain device platforms like Mac, you could potentially do that by creating a "licensing collection" in SCCM that excludes Mac devices and then use that as the Licensed Collection in App Broker.  OS information should be available in discovery info, but likely wouldn't work for Macs if only using AD discovery, so you'd probably need to enable network discovery or have some kind of integration between SCCM and Jamf or another system that has inventory/discovery information for your Mac devices.  Caveat: I have not tried this, but another customer asked a similar question the other day, which got me thinking about this possibility.

Anything expressed here is my own view and not necessarily that of my employer, Flexera. If my reply answers a question you have raised, please click "ACCEPT AS SOLUTION".
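As an added example of the approach in item 1 above (pulling AD attributes into your own custom table so a custom user sync query can join them into WD_User), the following script is not Flexera's or the poster's code. It assumes the SQL server and database names, the OU search base, and a hypothetical staging table dbo.Custom_ADUserAttributes with the columns shown; the AD cmdlet and ADO.NET calls are standard.

```powershell
# Added example (not App Broker's own code): stage selected AD user attributes
# into a hypothetical custom table in the App Broker database. Assumed values:
# server/database names, OU search base, table and column names.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

$SqlServer  = 'APPBROKER-SQL'                  # assumption: App Broker DB host
$Database   = 'AppPortal'                      # assumption: App Broker DB name
$SearchBase = 'OU=Staff,DC=example,DC=com'     # assumption: scope the pull to users who need the catalog
$AdAttrs    = @('department', 'title')         # only the attributes the visibility condition will use

# Ask AD for just the attributes we will expose, enabled accounts only (data minimization).
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $AdAttrs)

# Empty AD values become SQL NULL; a $null parameter value would be rejected by ADO.NET.
function ConvertTo-DbValue($v) {
    if ([string]::IsNullOrEmpty($v)) { [DBNull]::Value } else { [string]$v }
}

# Integrated auth over TLS; run under an account granted INSERT/UPDATE on this table only.
$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$SqlServer;Database=$Database;Integrated Security=True;Encrypt=True")
$conn.Open()
$tx = $conn.BeginTransaction()
try {
    $cmd = $conn.CreateCommand()
    $cmd.Transaction = $tx
    # Attribute values travel as SQL parameters; nothing from AD is concatenated into the statement.
    $cmd.CommandText = @"
MERGE dbo.Custom_ADUserAttributes AS t
USING (SELECT @sam AS SamAccountName) AS s ON t.SamAccountName = s.SamAccountName
WHEN MATCHED THEN UPDATE SET ObjectGUID = @guid, Department = @dept, Title = @title,
                             LastSync = SYSUTCDATETIME()
WHEN NOT MATCHED THEN INSERT (SamAccountName, ObjectGUID, Department, Title, LastSync)
                      VALUES (@sam, @guid, @dept, @title, SYSUTCDATETIME());
"@
    foreach ($p in 'sam', 'guid', 'dept', 'title') {
        [void]$cmd.Parameters.Add("@$p", [System.Data.SqlDbType]::NVarChar, 256)
    }
    foreach ($u in $users) {
        $cmd.Parameters['@sam'].Value   = $u.SamAccountName
        $cmd.Parameters['@guid'].Value  = $u.ObjectGUID.ToString()
        $cmd.Parameters['@dept'].Value  = ConvertTo-DbValue $u.department
        $cmd.Parameters['@title'].Value = ConvertTo-DbValue $u.title
        [void]$cmd.ExecuteNonQuery()
    }
    $tx.Commit()   # all-or-nothing: a partial sync never leaves WD_User joining against half a table
    Write-Host ("Staged {0} users into dbo.Custom_ADUserAttributes" -f $users.Count)
} catch { $tx.Rollback(); throw } finally { $conn.Close() }
```

The custom user sync query can then join dbo.Custom_ADUserAttributes to the SCCM-discovered user rows on SamAccountName to populate the extra WD_User columns; the staging table, not the built-in views, is what the script touches.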