Network Segments and Reported IP Address versus IP Address

in

In a Jamf Pro computer inventory record, there are two fields relating to IP: IP Address, and Reported IP Address.

The Reported IP Address field is the actual IP Address of the computer. This is the value we’d see if we ran ifconfig in Terminal. The IP Address field is wherever the communication to the server came from…typically the gateway IP.

Which one of these fields gets used to calculate the Network Segment membership?

The answer is…it depends on what version of Jamf Pro you’re running. As of July 2019 (roughly Jamf Pro 10.14), the functionality changed to be much more useful and straightforward. Let’s go over the current functionality first, and then review the previous functionality.

Current Functionality - Jamf Pro 10.14 and later

How Those Fields are Updated:

  • Both IP Address and Reported IP Address are updated any time the Jamf Binary communicates with the Jamf Pro Server.

    • For example, both fields are updated during an inventory update, as well as a recurring check-in - or any other time there is binary communication between the Mac and the server!

Which Field Gets Used For Network Segment Membership:

  • Reported IP Address. Always. 100% of the time.

Previous Functionality - Jamf Pro 10.13 and earlier

How Those Fields Are Updated:

  • IP Address is updated when a computer checks in to the Jamf Pro Server

  • Reported IP Address is updated when a computer submits Inventory to the Jamf Pro Server

Which Field Gets Used For Network Segment Membership:

  • Whichever one got updated last!

    • Example: If the Mac submitted Inventory an hour ago, but just checked in 10 minutes ago, it will use the IP Address since that was updated at check-in.

How Network Segments Interact with This

  • Network Segment membership is calculated anytime the binary on the Mac communicates with the Jamf Pro Server.

    • Example: A Policy triggers, so before the actual content of the Policy runs, Network Segment is calculated.

      • This calculation can actually be seen in a JAMFSoftwareServer.log in Debug mode:

image.png

  • When a particular address could fall into multiple Network Segments, membership is assigned on a most-restrictive basis.

    • Example: The IP we are checking against falls into Segment A which has a range of 100 IPs, but it also falls into Segment B which has a range of 20 IPs. The Mac will belong to Segment B as it is more restrictive.

    • If a particular address could fall into multiple Network Segments that both contain the same number of IP addresses, then the Network Segment with the lowest starting IP address wins.

      • Example: The IP we are checking against falls into Segment A which contains 20 IP addresses and begins at 10.0.0.1. The IP also falls into Segment B, which also contains 20 IP addresses and begins at 10.0.0.10. The Mac will belong to Segment A as it has a lower starting IP address.