Exceptions in MacManage policy scoping

Policy inheritance prevents MacManage scoping exceptions in child policies - but we can build around that with creative use of flex policies.


MacManage is a great way to empower your users to self-remediate simple issues. Need an app installed but you're not an administrator? If it's listed in MacManage, you don't have to contact IT; you can just find it and install it yourself. Mail messages not showing up properly? Try rebuilding your Spotlight index using a script your Addigy administrator put into MacManage.

One key limitation of MacManage for MSPs is that inheritance is immutable. Let's say you have a parent policy where all of your clients live. 99 of them want all the same apps, so you add those apps to your MacManage scoping at the parent policy level. But then one client wants you to hide an app. It can't be done - you'll need to make a brand new copy of that client's policy outside of the parent, match all of your pre-existing settings, and manage the two separately for the rest of time.

Policies:

  • My Clients
    • Client A
    • Client B
    • Client C
    • Client D

In the above example, if you assign your MacManage items on the "My Clients" policy and "Client C" wants to hide an item, there's no way to do it.

With the advent of multi-policy assignation and flex policies, we've finally got a workflow where we can do this - but it's gonna take a little elbow grease.

The architecture

The basic idea to implement this is as follows:

  1. Create a separate policy for every MacManage item you want in your "General Library"
  2. Use auto-assignment to make all your client policies members of each MacManage item's policy
  3. Exempt individual policies from that auto-assignment - this hides the MacManage item from the Macs in the exempted policy

By using the auto-assignment filter [Policy IDs] [does not contain] [list of policies here], you're telling that flex policy that every Mac OTHER than the ones that are members of the policies you select (the ones opting out) should have that item in MacManage.

Let's take this one step at a time, with Zoom from Addigy's public software library as an example.

1 – Create the policy

  • Set up your policy hierarchy. This can be anything you like, but here's mine as an example:

    • Flex Policies
      • MacManage Settings
        • MacManage - Apps
          • MacManage - 1Password
          • MacManage - Adobe Acrobat Reader
          • MacManage - Zoom
          • etc.
  • Create the policy for the app you want to deploy, following the example above. I find using "MacManage - " as a prefix for the policy name helpful when searching. For this example, we're creating the policy "MacManage - Zoom".
    [Screenshot: macmanage_create_policy]

2 – Scope the app

  • Navigate to your policy, then click Self Service in the left sidebar, followed by the Assignments tab.

  • Click Public Software Library and search for Zoom:
    [Screenshot: macmanage_zoom_policy]

  • Check the box next to the version of Zoom you want to deploy, then click Add/Remove... and Add to Self Service

3 – Enable auto-assignment

  • Click on the Overview or Devices tab, then click on the Auto-Assignment... button on the right

  • Click the Add filter button

  • In the Select a device fact... box, search for and select Policy IDs

  • Click the drop-down menu for contains and select does not contain

  • Click on the Select button to view your policy hierarchy - check the box for any policy to be exempted from seeing this MacManage item

  • Click Save. Note that this feature is scalable; it's okay if your view looks like this:
    [Screenshot: macmanage_assign_zoom]

  • Scroll down and click Test Filter Set and Proceed
    [Screenshot: macmanage_zoom_proceed]

  • Check the box for Unassign devices that no longer match this filter set, so that removing or changing policies later doesn't leave Macs stuck with an item they should no longer see

  • Click Close

Now just do that again for every app you want to deploy. I never said it was pretty, but it certainly works. One additional benefit of this method is that updating the version of an app available in MacManage becomes much easier: you only need to change it in one place, and every policy that hasn't been explicitly exempted will get access to the new version.
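Because each flex policy's filter is expressed per app ("who is exempt from Zoom?") while clients hand you requests per client ("Client C wants to hide Zoom"), it helps to keep the client-side list as the source of truth and derive the per-app exemption lists from it before you go clicking. The script below is an added example, not Addigy code and not a use of Addigy's API; it models the three-step architecture above with constructed sample data (the policy names, IDs and hide requests are made up). It inverts the client requests into the [Policy IDs] [does not contain] list for each "MacManage - <App>" policy, then evaluates that filter for individual Macs, including the edge case of a Mac that is a member of more than one client policy (under this filter it loses the item if ANY of its policies is exempt).

```python
"""Plan per-app MacManage flex-policy exemptions from per-client hide requests.

Added example: models the workflow in the post, not Addigy's own tooling.
All policy names, policy IDs and hide requests below are constructed.
"""
from typing import Dict, Iterable, List, Set

# Constructed sample data: the apps in our general library ...
LIBRARY: List[str] = ["1Password", "Adobe Acrobat Reader", "Zoom"]

# ... the client policies (name -> policy ID as it would appear in the
# "Policy IDs" device fact; these IDs are made up) ...
CLIENT_POLICIES: Dict[str, str] = {
    "Client A": "pol-a",
    "Client B": "pol-b",
    "Client C": "pol-c",
    "Client D": "pol-d",
}

# ... and what each client has asked us to hide.
HIDE_REQUESTS: Dict[str, Set[str]] = {
    "Client C": {"Zoom"},
    "Client D": {"Zoom", "1Password"},
}


def flex_policy_name(app: str) -> str:
    """Naming convention from the post: 'MacManage - ' prefix for searchability."""
    return f"MacManage - {app}"


def exemptions_per_app(library: Iterable[str],
                       hide_requests: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Invert client -> hidden apps into app -> clients to exempt.

    The result for each app is exactly the set of policies you tick in that
    flex policy's [Policy IDs] [does not contain] auto-assignment filter.
    A request to hide an app that isn't in the library is a typo or a
    stale request, so fail loudly rather than silently drop it.
    """
    exempt: Dict[str, Set[str]] = {app: set() for app in library}
    for client, apps in hide_requests.items():
        for app in apps:
            if app not in exempt:
                raise ValueError(f"{client} asked to hide {app!r}, which is not in the library")
            exempt[app].add(client)
    return exempt


def item_visible(app: str, device_policy_ids: Iterable[str],
                 exempt: Dict[str, Set[str]],
                 client_policies: Dict[str, str]) -> bool:
    """Evaluate the flex policy filter for one Mac.

    "does not contain" means the Mac is assigned only if NONE of its policy
    IDs is in the exempt list, so membership in several client policies is
    resolved in favour of hiding the item.
    """
    exempt_ids = {client_policies[c] for c in exempt[app]}
    return not (set(device_policy_ids) & exempt_ids)


def catalog_for_device(device_policy_ids: Iterable[str], library: Iterable[str],
                       exempt: Dict[str, Set[str]],
                       client_policies: Dict[str, str]) -> List[str]:
    """The MacManage items a Mac with these policy memberships will see."""
    ids = list(device_policy_ids)
    return sorted(app for app in library
                  if item_visible(app, ids, exempt, client_policies))


if __name__ == "__main__":
    plan = exemptions_per_app(LIBRARY, HIDE_REQUESTS)
    for app in LIBRARY:
        names = sorted(plan[app]) or ["(none)"]
        print(f"{flex_policy_name(app)}: exempt {', '.join(names)}")
    # A Mac that lives only in Client C, and one that is in both A and D.
    print("pol-c sees:", catalog_for_device(["pol-c"], LIBRARY, plan, CLIENT_POLICIES))
    print("pol-a+pol-d sees:", catalog_for_device(["pol-a", "pol-d"], LIBRARY, plan, CLIENT_POLICIES))
```

Run it and compare the printed per-app exemption lists against what is actually ticked in each flex policy's auto-assignment filter; the "pol-a+pol-d" line shows why a Mac that belongs to two client policies needs care before you move it between policies.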

I've broken down our MacManage library into two sections - these one-off policies for installers, and a "General Library" that includes the maintenance scripts and uninstallers we like to be available to all of our clients. I've got my fingers crossed that no one asks to hide any of those. If they do, I'll be doing more of this, and each of our Macs will be a member of 50+ policies just for MacManage library listings.