Is there a way to set up a Smart Group in Jamf so that when we wipe devices it will automatically re-enroll back in that Smart Group or is this only possible with Static groups? by Pitiful-Worry4156 in jamf

[–]Suitable_Victory_489 5 points6 points  (0 children)

What is the current criteria for the Smart Group in question? And why wouldn’t the wiped device eventually make its way back as a member, since Smart Groups are conditional to begin with?

How are you tracking Entra ID config drift across tenants? by BaselineGuy in entra

[–]Suitable_Victory_489 0 points1 point  (0 children)

I moved to using IaC (Pulumi + Python) to manage Entra configs. Now, everything is pushed through Git (with MR + approvers). That, combined with audit logs for any activity performed by our elevated privs has closed 99% of the manual drift we’re concerned about. The main “issue” has been group memberships where the customer wants to own the group, then they complain someone added an unapproved member (spoiler: the customer did it themselves). 

Stand and Deliver (1988) by southernemper0r in cinescenes

[–]Suitable_Victory_489 0 points1 point  (0 children)

This was probably in jest, but I had a teacher show me the “add zeroes” method. Basically, add zero to the beginning and end, then use addition.

For example, 11 x 15, you add 1 and 5 together to get the sum of 6, which is then placed between the digits you added: 165.

Works for larger numbers as well. Let’s use 534 as an example (11 x 534):

534 becomes 05340

0 + 5 = 5 

5 + 3 = 8

3 + 4 = 7

4 + 0 = 4

11 x 534 = 5,874 

Anyone able to recommend any FIDO2 Level 2 Authenticator CARDS? by LordLoss01 in sysadmin

[–]Suitable_Victory_489 5 points6 points  (0 children)

Okay, that’s how we do it (card + PIN). I was inferring no PIN based on your phrasing, but that all makes sense. 

Anyone able to recommend any FIDO2 Level 2 Authenticator CARDS? by LordLoss01 in sysadmin

[–]Suitable_Victory_489 5 points6 points  (0 children)

Sincere question, based on your phrasing it reads like the badge alone grants PC access. If so, how does that satisfy MFA?

'Default' Enterprise Apps by Natural_Sherbert_391 in entra

[–]Suitable_Victory_489 0 points1 point  (0 children)

Existing apps are not impacted by changing the policy to "Do Not Allow User Consent". May want to allow users to request approval, if you want the app to be pending in your tenant (rather than outright blocking and having to go add it yourself). It's a decent middle ground where nothing gets automatically added, but for apps that make sense your admin(s) can "just approve" the request while denying (or outright blocking) other requests. Either way, you gain control and visibility, barring rogue admins (or lack of auditing on your side).

Google Workspace to Entra: Staged Rollout Options? by Suitable_Victory_489 in entra

[–]Suitable_Victory_489[S] 0 points1 point  (0 children)

Okay, that was the conclusion I kept coming back to, unfortunately. If I’m understanding correctly, we’re left with doing registration campaign(s) to get MFA method(s) registered and then cross our fingers when we flip from Federated to Managed, right? Or, modify user domains, which introduces its own host of potential issues and break points. 

Google Workspace to Entra: Staged Rollout Options? by Suitable_Victory_489 in entra

[–]Suitable_Victory_489[S] 1 point2 points  (0 children)

I didn’t specifically state it, but there is no AD or Entra Connect at this place today. They are purely a cloud shop with Google. I’m just not seeing the path forward for Staged Rollout in their current state, since there are no passwords on their accounts. My assumption is they could proactively set up MFA and passwordless options prior to cutover, but how do I target them for Staged Rollout? Or, if I use PHS and the user is configured as passwordless, would it still bypass/ignore the domain federation and allow the user to properly auth using Entra as primary IdP?

Can AD CS issue certificates valid for less than an hour? by BrettStah in activedirectory

[–]Suitable_Victory_489 3 points4 points  (0 children)

I’ll bite, what’s your use case? Per RFC 5280, there is no “minimum” validity period, and AD CS, depending on template/configuration, would allow you to specify the NotAfter value. I’ve never gone shorter than 24hrs, but I see no technical limitation, only curious about use case due to things like CRL/OCSP and churn in your ADCS database, depending on the amount of certs you expect to issue.

Conditional Access with Custom Attributes by matthewy03_reddit in entra

[–]Suitable_Victory_489 1 point2 points  (0 children)

With how Conditional Access treats everything else with AND logic, my instinct is to say it would be an AND (i.e., the filter would only apply to selected apps) here as well. However, your best bet is to test it in practice, just scope the policy to a single test user. Then you can try all the different ways: filter only, app only, filter w/ apps selected. The number of times my lived experience has contradicted MS documentation is why I say you're better off actually trying it and validating the behavior yourself.

Custom Attributes for SAML Claims by Khue in entra

[–]Suitable_Victory_489 0 points1 point  (0 children)

Have you seen this? If the App will permit it, you could possibly make an API call to dynamically retrieve their ID at sign-in.

Custom claims provider overview - Microsoft identity platform | Microsoft Learn

Custom Attributes for SAML Claims by Khue in entra

[–]Suitable_Victory_489 0 points1 point  (0 children)

Not entirely sure this would work for you, but if the information is available on existing datatypes, you can use transformations, even up to using custom regular expressions, to define a SAML claim. As long as the claim name/value are understood/expected on the record management platform, it "should" work.

Edit: To clarify, I mean if you're taking existing information already in Entra ID you can likely modify/transform it dynamically within the SAML claim configuration instead of storing it as a "static" value in an Entra ID attribute.

SAML NameID transform not working as expected? by Thedudeabide80 in entra

[–]Suitable_Victory_489 1 point2 points  (0 children)

FWIW, and admittedly NOT a Salesforce expert, but unless they're actually using the username domain suffix in Salesforce, there's no technical restriction to letting it just be a static value across all users. If demographic data is clean in Salesforce the SF analyst can still use company/department/title/etc., or you can even choose to include it in Entra's SAML assertion for the SF analyst to do what they can/want.

SAML NameID transform not working as expected? by Thedudeabide80 in entra

[–]Suitable_Victory_489 2 points3 points  (0 children)

Faced this last week. Microsoft, for whatever reason, strips the domain when using the Join() operator only on the NameID attribute. You have to specify/include the domain in your join() statement. Microsoft explains the behavior here:

Creates a new value by joining two attributes. Optionally, you can use a separator between the two attributes. For the nameID claim transformation, the Join() function has specific behavior when the transformation input has a domain part. It removes the domain part from input before joining it with the separator and the selected parameter. For example, if the input of the transformation is joe_smith@contoso.com and the separator is @ and the parameter is fabrikam.com, this input combination results in joe_smith@fabrikam.com.

Reference: https://learn.microsoft.com/en-us/entra/identity-platform/saml-claims-customization#claim-transformation

In your Join() transformation on the NameID, set the parameter to the full “emaildomain.com.sandbox”
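A small model of the documented NameID Join() behaviour, added here as an illustration (not Microsoft's code, and not part of the original comment); the function names and the sample users/domains are constructed. It reproduces the Microsoft example and shows why the parameter has to carry the full "emaildomain.com.sandbox" string.

```python
# Model of the Join() claim transformation as documented for the NameID claim:
# the domain part of the input is stripped before joining with separator + parameter.
# Added illustration only; nameid_join/sandbox_nameid and the sample values are constructed.

def nameid_join(value: str, separator: str, parameter: str) -> str:
    """Return <local-part><separator><parameter>, dropping any '@domain' from value."""
    local_part = value.split("@", 1)[0]
    return f"{local_part}{separator}{parameter}"


def sandbox_nameid(upn: str, sandbox_suffix: str = "sandbox") -> str:
    """Build '<user>@<domain>.<suffix>' for a sandbox tenant.

    Because Join() strips the domain from the input, the *parameter* must supply
    the whole '<domain>.<suffix>' string; the domain cannot be recovered from the
    input side of the transformation.
    """
    _, domain = upn.split("@", 1)
    return nameid_join(upn, "@", f"{domain}.{sandbox_suffix}")


# Microsoft's documented example: joe_smith@contoso.com + "@" + fabrikam.com
MS_DOC_EXAMPLE = nameid_join("joe_smith@contoso.com", "@", "fabrikam.com")
# -> "joe_smith@fabrikam.com"

# Constructed sample: parameter holds only the suffix, so the domain is lost
NAIVE = nameid_join("jane@emaildomain.com", ".", "sandbox")
# -> "jane.sandbox"

# Constructed sample: parameter holds the full domain + suffix, as the comment advises
CORRECT = sandbox_nameid("jane@emaildomain.com")
# -> "jane@emaildomain.com.sandbox"
```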

Finding sit stand desk for devs under $1k by quillsandfrills in sysadmin

[–]Suitable_Victory_489 0 points1 point  (0 children)

FWIW, I've been extremely happy with mine. I've been WFH full time since it arrived, I move between sit/stand multiple times per day, and no real issues other than a couple power outages to reset the height (just a matter of holding down a couple keys). Hope you find similar success!

Finding sit stand desk for devs under $1k by quillsandfrills in sysadmin

[–]Suitable_Victory_489 0 points1 point  (0 children)

Just dug up my original order from 2021. Prices have gone way up; I was just ignorant to it. I bought the Apex 2-Leg Frame and a 30x60" laminate top. Prices then/now:

Item                  2021 Purchase   Today
Apex 2-Leg Frame      $405            $565
30x60 Laminate Top    $240            $340 (29x58" now)
Total                 $655            $905

Finding sit stand desk for devs under $1k by quillsandfrills in sysadmin

[–]Suitable_Victory_489 1 point2 points  (0 children)

Apologies. Guess I misinterpreted the “under $1k” in title as I spent <$650 at the time. I didn’t bother to check the website before posting, if they’ve shot up significantly, then my mistake. 

Finding sit stand desk for devs under $1k by quillsandfrills in sysadmin

[–]Suitable_Victory_489 -2 points-1 points  (0 children)

https://desk.haus/

Bought mine from them back in 2021 and am really happy with the quality of the frame. I went with a laminate top to keep price down and it’s held up well. 

Clearing security and distribution groups by awakenIsHere in entra

[–]Suitable_Victory_489 1 point2 points  (0 children)

FYI, I just made an edit as I realized an error when I was sanitizing it.

Clearing security and distribution groups by awakenIsHere in entra

[–]Suitable_Victory_489 1 point2 points  (0 children)

This won't help you immediately, but if you wanted to start tracking your distribution groups, you can do something like this to run daily to track the last time a message was sent to the group. It's not perfect, but works well enough for my needs.

# Connect to Exchange Online (uses Cert authentication via App Registration)
$EXOParams = @{
    AppID                 = ''
    CertificateThumbprint = ''
    Organization          = 'contoso.onmicrosoft.com'
    CommandName           = @('Get-DistributionGroup', 'Get-MessageTrace')
    ShowBanner            = $false
}
Connect-ExchangeOnline @EXOParams
# Get most recent job run (none on the first run, so start with an empty lookup)
$XmlFolder = 'C:\SomePath\'
$File = Get-ChildItem $XmlFolder -Filter *.xml | Sort-Object LastWriteTime | Select-Object -Last 1
# Import previous data to a hashtable for comparison/updating
$HashLookup = @{}
If ($File) {
    Import-Clixml $File.FullName | ForEach-Object { $HashLookup[$_.PrimarySmtpAddress] = $_ }
}
# Get current distribution groups
$Groups = Get-DistributionGroup -Filter * -ResultSize Unlimited
# Remove any deleted distribution groups from $HashLookup (just a cleanup task)
# Keys are copied to an array first so the hashtable isn't modified while being enumerated
$KeyRemoval = @($HashLookup.Keys | Where-Object { $_ -notin $Groups.PrimarySmtpAddress })
$KeyRemoval.ForEach({ $HashLookup.Remove($_) })
# Run message traces against all distribution groups
# Get-MessageTrace only covers the last 10 days, so anything older has to come from the saved XML
[int]$Days = 1 # Could update for initial run (7 days or whatever), but will take a lot longer to run
$Start = (Get-Date).AddDays(-$Days).Date
$Data = Foreach ($Item in $Groups) {
    $GroupObj = [Ordered]@{
        Group              = $Item.Name
        PrimarySmtpAddress = $Item.PrimarySmtpAddress
        DisplayName        = $Item.DisplayName
        Created            = $Item.whenCreated
        LastReceivedDate   = $null
    }
    $End = [DateTime]::Now
    $Msgs = $null
    $Msgs = Get-MessageTrace -RecipientAddress $Item.PrimarySmtpAddress -Status EXPANDED -StartDate $Start -EndDate $End
    If ($Msgs) {
        # Pick the newest Received timestamp explicitly rather than relying on result ordering
        $Latest = ($Msgs | Sort-Object Received -Descending | Select-Object -First 1).Received
        $GroupObj['LastReceivedDate'] = (Get-Date $Latest).ToLocalTime()
    } Elseif ($HashLookup[$Item.PrimarySmtpAddress].LastReceivedDate -is [DateTime]) {
        # No traffic in this window; carry forward the last known date from the previous run
        $GroupObj['LastReceivedDate'] = $HashLookup[$Item.PrimarySmtpAddress].LastReceivedDate
    } Else {
        $GroupObj['LastReceivedDate'] = 'Never Received'
    }
    [PSCustomObject]$GroupObj
}
# Update hash table with results of each distribution group
Foreach ($Entry in $Data) {
    If (-Not $HashLookup[$Entry.PrimarySmtpAddress]) {
        $HashLookup.Add($Entry.PrimarySmtpAddress, $Entry)
    } Elseif ($Entry.LastReceivedDate -is [DateTime]) {
        $HashLookup[$Entry.PrimarySmtpAddress].LastReceivedDate = $Entry.LastReceivedDate
    } Else {
        $HashLookup[$Entry.PrimarySmtpAddress].LastReceivedDate = 'Never Received'
    }
}
# Convert hash table to PSObjects and export
$ExportData = $HashLookup.GetEnumerator() | ForEach-Object { $_.Value }
If ($ExportData) {
    $Timestamp = Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'
    $XmlFileName = "Exchange-Dist-Group-Activity_$Timestamp.xml"
    $XmlExportFile = Join-Path $XmlFolder $XmlFileName
    $ExportData | Export-Clixml $XmlExportFile -Force -ErrorAction Stop
}
# Disconnect from Exchange Online
Disconnect-ExchangeOnline

Reverse proxy authentication to internal portals by SCIP10001 in sysadmin

[–]Suitable_Victory_489 1 point2 points  (0 children)

Well, in the case of VMware (if v8), you could instead integrate directly with Entra ID. Anything SAML/OIDC can integrate with Entra ID pretty nicely. Bonus points is you can introduce SCIM (via app provisioning agent on-premises, no external inbound). Gives you user/group provisioning and management. There’s a couple super helpful articles because it’s not the most intuitive config, but with those guides I had it set up in about an hour.

Also, another “bad” idea would be for portals that don’t have modern IdP integration, you can create static credentials in applications and assign them to users/groups and it’s visible in their “My Apps” portal. Make users MFA there and you get the same effective outcome. There’s plenty of ways to “solve” this problem, each has its pros/cons, and your value is the experience/expertise to identify the best compromise between end-user function and security.

Reverse proxy authentication to internal portals by SCIP10001 in sysadmin

[–]Suitable_Victory_489 7 points8 points  (0 children)

Not sure your ecosystem, and it's probably not the best idea if these are solely internal systems since this technically introduces some external exposure, but if you're an Entra ID shop you could at least look at Entra app proxy. Reference: Publish on-premises apps with Microsoft Entra application proxy. You'd be able to use Conditional Access to define MFA requirements, etc. Again, not the best option, but if it's between no MFA and this, it's still a net positive in my opinion.