1st test shows that assigning only 'Enroll Computers and Mobile Devices' allows a user to use DEP/ADE.

Why would Jamf assign so many irrelevant permissions to users and exposing all computers to all users?

@DennisMX If you're using AD authentication in your PreStage for ADE enabled Macs then you should not need to assign any enrollment permissions to your users for them to enroll a Mac.

thanks @sdagley , So you mean we do not need to assign any permission in Jamf to end-users?

As you specificly mention ADE, my assumption is that for user-initiated enrollments there are some required permissions?

All our machines are ADE, but every now and then a machine skips ADE and then we have the user enroll it via <company>.jamfcloud.com/enrol

No permissions at all will not get the user pass the Require Authentication step for ADE.

Maybe i made some typo's, seems to work without any permissions for ADE.
Will do some further testing

@DennisMX I should have been clearer. You do not need to assign permissions in the "Settings->User accounts and groups" section of the Jamf Pro console (which is what I took your original post to be referencing), but you do need to have "Enable user-initiated enrollment for computers" enabled under "Settings->Global->User-initiated Enrollment"

@sdagley 
Thanks for the clarification, in the meantime we ran several tests and no permissions are required for ADE or User-initiated.

Still wondering why there is a specific role for enrollment...

@DennisMX When ADE isn't possible (and my condolences for orgs in that situation) the enrollment permissions allow someone manually enrolling a Mac using https://JAMF_PRO_URL.com:8443/enroll  (e.g. preparing Macs for deployment in a depot) to specify the user it's being enrolled for instead of enrolling the Mac for themselves.