Enrollment Only users can do more than enroll

Contributor II

We have a group called "Jamf - User" that (until today) was set to Enrollment Only.

Then I discovered that users in that group could view (but not edit) computers. They can also view and edit users!

- For Computers, Create and Read are set
- For Users, Create, Read, and Update are set.

Is it not possible to allow users to self-enroll their Macs without also giving them access to view every computer and user in my JSS?


Contributor II

I've been working with Jamf support for a while, and I now have a definitive answer to my question.

No, it is not possible to allow users to self-enroll using mycompany.jamfcloud.com/enroll

Unfortunately, "enrollment only" is dangerously misnamed, in a way that suggests a very cavalier attitude toward security. Users with "enrollment only" privs should not be able to edit user information for all the users in my JSS!

Until it gets fixed, we'll have to use QuickAdd, and send it to new users via email.

New Contributor III

Perhaps this explains why i see computers not fully installing the management framework when using the mycompany.jamfcloud.com/enroll?

Does a user have be in an enrollment group to use the url method?