Network Segments and Reported IP Address versus IP Address

Scenario: We are using Network Segments to assign Buildings and Distribution Points. In a Mac's Inventory Record, there are two IP fields: IP Address and Reported IP Address.

Which one of these fields gets used to calculate the Network Segment membership?

How Those Fields Are Updated:

  • IP Address is updated when a computer checks in to the Jamf Pro Server
  • Reported IP Address is updated when a computer submits Inventory to the Jamf Pro Server

Which Field Gets Used:

  • Whichever one got updated last!
    • Example: If the Mac submitted Inventory an hour ago, but just checked in 10 minutes ago, it will use the IP Address since that was updated at check-in.

When The Calculation Happens:

  • Anytime the binary on the Mac communicates with the Jamf Pro Server.
    • Example: A Policy triggers, so before the actual content of the Policy runs, Network Segment is calculated.
      • This calculation can be seen in JAMFSoftwareServer.log when the log is in Debug mode.

How Conflicting Segment Membership is Resolved:

  • Network Segments are assigned on a most-restrictive basis.

    • Example: The IP we end up checking against falls into Segment A which has a range of 100 IPs, but it also falls into Segment B which has a range of 20 IPs. The Mac will belong to Segment B as it is more restrictive.

Putting it All Together:

Our Test Mac submitted Inventory late last night, and just checked in 25 minutes ago. A user logs in, which kicks off a check for Policies triggered by Login. Network Segments are calculated, and since the most recent event was a check-in, we evaluate the IP Address field against the Network Segments. During this evaluation, the Test Mac could fall into either Segment A (with a range of 100 IPs) or Segment B (with a range of 20 IPs).

The final result is that the Test Mac will fall into Segment B, based on the IP Address field.
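The selection logic described above, modelled as an added Python example (not Jamf Pro's own code). The class and function names, addresses and timestamps are constructed for illustration, and the handling of ties is an assumption the article does not cover.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address

@dataclass
class Segment:
    name: str
    start: IPv4Address
    end: IPv4Address

    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def contains(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end

@dataclass
class InventoryRecord:
    ip_address: str            # updated at check-in
    last_check_in: datetime
    reported_ip_address: str   # updated at inventory submission
    last_inventory: datetime

def effective_ip(rec: InventoryRecord):
    """Return (field name, address) for whichever IP field was updated last."""
    # Assumption: identical timestamps favour the check-in value.
    if rec.last_check_in >= rec.last_inventory:
        return "IP Address", IPv4Address(rec.ip_address)
    return "Reported IP Address", IPv4Address(rec.reported_ip_address)

def resolve_segment(rec: InventoryRecord, segments):
    """Pick the most restrictive (smallest) segment containing the effective IP."""
    _, ip = effective_ip(rec)
    matches = [s for s in segments if s.contains(ip)]
    # Assumption: for equal-sized matches, the first one listed is kept.
    return min(matches, key=Segment.size, default=None)

# Constructed data mirroring the Test Mac scenario above.
SEGMENTS = [
    Segment("Segment A", IPv4Address("10.0.0.1"), IPv4Address("10.0.0.100")),  # 100 IPs
    Segment("Segment B", IPv4Address("10.0.0.41"), IPv4Address("10.0.0.60")),  # 20 IPs
]
TEST_MAC = InventoryRecord(
    ip_address="10.0.0.50", last_check_in=datetime(2024, 1, 2, 9, 35),
    reported_ip_address="192.168.1.20", last_inventory=datetime(2024, 1, 1, 23, 0),
)
```

Calling `resolve_segment(TEST_MAC, SEGMENTS)` returns Segment B. If the inventory timestamp were the newer one, the Reported IP Address would be evaluated instead and, with this sample data, no segment would match.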