Personal vs institutional user initiated enrollment

Question

I'm having some issues with user initiated enrollment. I've enabled "User-initiated enrollment for personally owned iOS devices" under "Platforms" on the "User-Initiated Enrollment" settings page. Created a "Personal Device Profile". I want users to authenticate via LDAP when enrolling so I can pull in some information from LDAP to help better track what device belongs to whom.

User account and password are known to be working, but when I try to enroll via the enrollment link, I get an "Access denied". If I enable user-initiated enrollment for both personal and institutional devices, I can log in without issue, but I'm not give the option to select personal or institutional as indicated in the "User-initiated enrollment experience" guide.

It makes me think there's a permissions issue somewhere, but for the life of me I can't figure it out, and I'm not seeing any good documentation surrounding permissions and user-initiated enrollment.

Any ideas?

DanielMethod · Answer

Editing my original post. I spoke too soon originally.

So I was trying to add in the Domain Users and Domain Admins groups to User-Initiated Enrollment to allow Domain Users to only enroll personal devices and Domain Admins to enroll both personal and institutional. There is a problem (at least with my instance) that is keeping me from using Domain Users group at all. When you go into LDAP settings and test User Group Membership Mapping against the Domain Users group, it says no one is a part of that group. So what I've done is set All LDAP Users to allow only personal device enrollment, and Domain Admins to allow both. I can confirm after signing in with both a domain admin account and a domain user account, the correct options show up for each account.

Here's a screenshot of the settings I have. Hope this helps.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded