Smart Group within a Smart Group 智能组中的智能组 有大用

I agree on this being a bad idea.我同意这是一个坏主意。

Does anyone know if there is a tool to determine if a smart group is assigned to another smart group? There are tools to determine where groups and being used such as policies and profiles. Just curious if there is an easy way to determine the "nested" smart group piece. I figure I would go through some JSS cleanup this winter.有谁知道是否有一个工具可以确定一个智能组是否分配给另一个智能组？有一些工具可以确定组的位置和使用情况，例如策略和配置文件。只是好奇是否有一种简单的方法来确定“嵌套”智能组块。我想今年冬天我会进行一些 JSS 清理。

+1 on bad idea. 坏主意+1。 

While it logically makes sense to have this layered mechanism, I got nipped in the bud hard once when I updated the membership of a smart group (this was early on with my time with Jamf) and somehow it miscalculated the new group to include ALL of our machines, rather than just desktops ...虽然从逻辑上讲，拥有这种分层机制是有意义的，但有一次当我更新智能组的成员资格时（这是我在 Jamf 工作的早期），并且不知怎的，它错误地计算了新组以包括所有我们的机器，而不仅仅是台式机......

As a result, all my desktop-specific profiles and policies got triggered on our laptops and a whole bunch of laptops had their wifi network device forcibly disabled as a result ...结果，我所有的桌面特定配置文件和策略都在我们的笔记本电脑上触发，并且一大堆笔记本电脑的 wifi 网络设备因此被强制禁用......

... Needless to say, it was not a great time. No more nested smart groups for us.……不用说，那不是一个美好的时光。我们不再需要嵌套的智能组。

The only situation where I have nested smart groups is for our DEP machines. I have individual smart groups for machines configured with a particular DEP PreStage Enrollment (PreStage Enrollment IS yadayada) and then another smart group which references this membership for config profiles. This to me seems like a low-risk situation since the only way a PreStage Enrollment membership will change is a machine gets moved to a new PreStage and then goes through the DEP enrollment process again.我嵌套智能组的唯一情况是我们的 DEP 机器。我为配置了特定 DEP PreStage 注册（PreStage Enrollment IS yadayada）的计算机设置了单独的智能组，然后另一个智能组引用了配置文件的此成员身份。对我来说，这似乎是一种低风险情况，因为 PreStage 注册成员资格发生变化的唯一方法是将计算机移动到新的 PreStage，然后再次执行 DEP 注册流程。

We nested groups with iPads, but not recursive like OP described. For example:我们用 iPad 嵌套组，但不像 OP 描述的那样递归。例如：

iPad is a member of a static group (by room).iPad 是静态组（按房间）的成员。
Grade1 smart group is all members of rooms 1-4Grade1智能组是1-4号房间的所有成员
All_students smart group is all members of grade1, grade2, etc... so this is a smart group based on membership in other smart groups.All_students 智能组是 1 年级、2 年级等的所有成员...因此这是一个基于其他智能组中的成员资格的智能组。

The "Why?" is because it's less work than adding a device to multiple static groups for profiles and apps.“为什么？”是因为它比将设备添加到配置文件和应用程序的多个静态组中的工作量更少。

Our on-prem seems to be able to handle it, but I suppose it could be faster. Managing 1000 iMacs and 3500 mobile devices我们的本地似乎能够处理它，但我认为它可以更快。管理 1000 台 iMac 和 3500 台移动设备

I like the answer to why so here is a follow up: What is the highest number of nested groups that you are successfully able to work with?我喜欢这个问题的答案，所以这里是一个后续问题：您能够成功使用的嵌套组的最大数量是多少？

@tomhastings We have 68 Smart Groups for mobile devices currently, no idea what the limit might be. Not all of these use "Member of" as criteria.

In response to mconners, 为了回应 mconners， 

I wrote a tool a while back to generate a scoping report for all groups with information on configuration profiles, policies, and other groups. Doesn't break things down by smart groups, but might help a bit.我不久前编写了一个工具，用于为所有组生成范围界定报告，其中包含有关配置文件、策略和其他组的信息。不会被聪明的团体分解，但可能会有所帮助。

https://github.com/chuckthegoat/JAMFReport

It also downloads all your configuration profiles and writes them as plists, but you can just comment out that line since you probably don't need it.它还会下载所有配置文件并将它们写入 plist，但您可以注释掉该行，因为您可能不需要它。

@chuckthegoat Took me a bit of updating Python components but I got your script to work. It'll be a big help. I noticed that there isn't information for when a group is used as an exclusion in scope. Do you plan on updating the script?

来自  https://community.jamf.com/t5/jamf-pro/smart-group-within-a-smart-group/m-p/153015