Email Enrollment Invitation Users Recieving Okta/SSO Permission Error

ctocci
New Contributor II

For sending email enrollment invitations, isn't that supposed to bypass the need for giving users permission to enroll? I did not check the box to requirement ldap auth. I did a handful of tests (with users who don't have any permissions to Jamf) before going live with my email enrollment invitations, and no one had any issues. I go live, and now we are getting a lot of emails from users saying they don't have the permissions assigned to them in Okta/SSO to enroll the device. Anyone else experience something similar?

4 REPLIES 4

Phantom5
Contributor

We also started noticing this behavior beginning with version 10.25.x of Jamf Pro.

ctocci
New Contributor II

@Phantom5 Are you still experiencing this? Fortunately for us, we only used email enrollment for our initial rollout, and we are already through the 'letting the user' enroll portion of the rollout. You ever submit a ticket about it?

poormatt
New Contributor III

Kicking this thread if anyone runs across it, have PI-009388 under investigation for this issue:

Have SSO enabled for console login but invitations sent to end-users do not require authentication. User gets prompted for CA Cert, then after installation directed to SSO instead of the screen to install the MDM profile. Prior to issue, SSO never got installed for this flow.

el2493
Contributor II

Nice to see I'm not the only one experiencing this. I hadn't worked with Enrollment Invitations previously, but we're moving from on-prem to Cloud and need to start using them. I'm having the exact same issues:

  1. User clicks link in Enrollment Invite email
  2. Prompted to install CA Cert
  3. They click the link for CA Cert, it downloads the CA Cert but also redirects to SSO login
  4. After SSO login another prompt to install CA Cert
  5. They click the link, it downloads another CA Cert and then prompts to install MDM Profile

I also noticed that if I specify when creating the Enrollment Invitation that it's to enroll into a specific Site, that's ignored (and it just gets enrolled into None).