Automated Site assignment during User-Initiated Enrollment

I have a question on user-initiated enrollment of macOS devices. More specifically, how to organize computers into sites based on an LDAP search of a user's security group membership in AD, without having those users need to choose between multiple sites.

We have a satellite campus whose device management requirements are significantly different than our main campus. This satellite also has its own IT support team requesting a silo to manage their devices in our Jamf Pro instance. We're trying to automate enrollment as best as we can to avoid manually assigning enrolled computers to sites.

I understand that site assignment can be configured under "Settings > Global Management > User-Initiated Enrollment > Access". However, I'm having difficulty separating employees of this satellite from those of the main campus.

We are currently targeting an "All Employees" security group for enrollment access. We do have a group for employees of the satellite campus, but not for employees of the main campus (they simply fall under "All Employees"). However, because members of this satellite group are also members of "All Employees", we are finding that devices enrolled by those users are not falling into the appropriate site.

I'm sure the simple answer would be to either: 1) allow users to choose a site during enrollment, or 2) create a security group for the main campus employees. For the first, our leadership wants to avoid having users accidentally select the wrong site. As for the second, there is a separate identity management team that is responsible for these sorts of user groups, and they're giving my team some pushback on this (Why? Your guess is as good as mine).

I'm sorry for the essay, but I figured context was important for my question. So, given my particular circumstances, do you have any recommendations on how to separate site assignments between our main & satellite campuses during user initiated enrollment?

Thank you very much.
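The overlap described in the post (satellite users are also members of "All Employees", so a flat group-to-site mapping sends them to the wrong site) is a precedence problem: the most specific group has to be evaluated first. The following is an added example, not code from the post or from Jamf, showing that ordered resolution as a small post-enrollment helper. The group DNs, site names, computer id and credentials are constructed placeholders, and the Classic API call (a PUT of `<general><site>` XML to `/JSSResource/computers/id/{id}`) is an assumption about the endpoint rather than something the post confirms; the function takes an injectable opener so the example runs offline.

```python
"""Resolve a Jamf Pro site from a user's AD group memberships and optionally apply it.

Added example, not from the original post or from Jamf. Group DNs, site names and
the computer id below are constructed placeholders; the Classic API endpoint and
XML body used by set_computer_site() are assumptions, not confirmed by the post.
"""
import os
import urllib.request
from xml.sax.saxutils import escape

# Rules are ordered from MOST specific to LEAST specific; the first match wins.
# A user in both the satellite group and "All Employees" therefore lands in the
# satellite site, which is exactly the case a flat mapping gets wrong.
SITE_RULES = [
    ("CN=Satellite-Employees,OU=Groups,DC=example,DC=edu", "Satellite Campus"),  # constructed
    ("CN=All-Employees,OU=Groups,DC=example,DC=edu", "Main Campus"),             # constructed
]


def resolve_site(member_of, rules=SITE_RULES):
    """Return the site for the first rule whose group the user belongs to, else None.

    member_of: iterable of group DNs (e.g. the AD memberOf attribute for the enrolling user).
    Comparison is case-insensitive because AD DNs are.
    """
    groups = {g.strip().lower() for g in member_of}
    for group_dn, site in rules:
        if group_dn.lower() in groups:
            return site
    return None  # no rule matched: leave the computer unassigned for manual review


def site_update_xml(site_name):
    """Minimal Classic API body that changes only the computer's site (assumed format)."""
    return (
        "<computer><general><site><name>"
        + escape(site_name)
        + "</name></site></general></computer>"
    )


def set_computer_site(jss_url, computer_id, site_name, auth_header,
                      opener=urllib.request.urlopen):
    """PUT the site change to Jamf Pro. Endpoint and body are assumptions (see docstring).

    `opener` is injectable so the logic can be exercised without a live server.
    """
    req = urllib.request.Request(
        f"{jss_url.rstrip('/')}/JSSResource/computers/id/{int(computer_id)}",
        data=site_update_xml(site_name).encode("utf-8"),
        method="PUT",
        headers={"Content-Type": "application/xml", "Authorization": auth_header},
    )
    with opener(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample: a satellite employee who, as in the post, is also in All Employees.
    satellite_user = [
        "CN=All-Employees,OU=Groups,DC=example,DC=edu",
        "CN=Satellite-Employees,OU=Groups,DC=example,DC=edu",
    ]
    site = resolve_site(satellite_user)
    print(f"resolved site: {site}")  # Satellite Campus

    # Only talk to a real server when explicitly configured (constructed env var names).
    jss_url = os.environ.get("JSS_URL")
    auth = os.environ.get("JSS_AUTH_HEADER")  # e.g. "Bearer <token>" or "Basic <b64>"
    if jss_url and auth and site:
        print(set_computer_site(jss_url, os.environ.get("JSS_COMPUTER_ID", "1"), site, auth))
```

The important design point is the rule order: reversing `SITE_RULES` reproduces the post's symptom, because "All Employees" then matches first for everyone. Keeping the fallback as `None` rather than defaulting to the main campus means a user who matches no rule is surfaced for review instead of silently mis-sited.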