Updating MobileDeviceApplication instances removes JSS user (group) assignments

[yanniks]

We have noticed that updating a MobileDeviceApplication object removes explicit user groups and users that are assigned to the app. The problem is that the jss_users and jss_user_groups attributes are missing when the updated mobile device application object is sent to the Jamf Pro instance.

We have implemented a quick-and-dirty solution for this problem over here: https://github.com/yanniks/ruby-jss/commit/ab3bca6d13d247bcac72076187a1670e476dc1d7 As my Ruby skills are mostly non-existing, I did not consider the code quality acceptable for a PR :blush:.

[glenfarclas17]

Thanks so much Yannik!

I'll take a look and get something changed in the official release ASAP. I know that the API has ... weirdness around users, user groups, ldap users, and ldap user groups in scopes. Hopefully we can make it better together :-)

[glenfarclas17]

Hi Yannik!

You've discovered something interesting, which I'll have to do some more research to see how many kinds of scope are affected.

At the top of the scope.rb file the comments decribe a bug in how the classic API returns scope data regarding users & usergroups in targets, limitations, and exclusions. Much of the data is just missing from the API response. This bug remains in the scope of Policies - I just checked.

However, the scope of MobileDeviceApplications seems to handle the data in the way that your fix addresses.

I'll have to go through all the Scopable-objects to see which ones have the bug and which ones don't and then figure the best way to apply your fix to the ones that can handle it, and leave the current behavior for the still broken ones.

I'll also bring this up with Jamf - not that I expect them to fix the broken scope data - this bug has been there for years, along with others that I've been reporting since at least 2009.

Beware: When working with other scopeable objects, they all use the same JSS:::Scopable::Scope class, so your fix might cause problems when making changes to objects where the API doesn't understand those user/usergroup keys.

I'll let you know what I find as I dig into this.

Thanks again, -Chris

[glenfarclas17]

Hi again Yannick,

I looked at all the scopable objects in ruby-jss, and apparently the bug only exists in the scopes of Policies and Patch Policies - a GET from the API doesn't include the jss_users and jss_user_groups data in the targets or exclusions, and when you send back the whole policy to update it with a PUT, and you don't include those data (which you can't because you didn't get it to begin with) then any existing jss_users and jss_user_groups in the targets or exclusions will be deleted, which can cause all kinds of problems as I'm sure you know.

I submitted another support ticket to Jamf about it, and was basically told this doesn't affect enough people for them to fix it.

That said, for all other scopable objects, jss_users and jss_user_groups are handled properly. I will take your changes and apply them to scope.rb in a way that that will work for everything except Policies and Patch Policies.

However - it's important to note that when using the Classic API in any way, ruby-jss or not, if you PUT a policy or patch policy that has jss_users or jss_user_groups in the scope, those will be deleted.

I'll make sure there's a warning somewhere about that in ruby-jss, probably in the top-level README.

Thanks for bringing this up and I'll let you know when I have the changes available in ruby-jss.

Cheers, -Chris

[glenfarclas17]

Version 3.2.0b3 is available on rubygems.org - gem install ruby-jss --pre to get it. It should address your scoping issue in MobileDeviceApplication instances, as well as working around other bugs discovered. See the comments/YARD docs for Jamf::Scopable::Scope in the scope.rb file for a full discussion.