Enrollment Only users can do more than enroll

stevenjklein
Contributor II

We have a group called "Jamf - User" that (until today) was set to Enrollment Only.

Then I discovered that users in that group could view (but not edit) computers. They can also view and edit users!

Specifically:
- For Computers, Create and Read are set
- For Users, Create, Read, and Update are set.

Is it not possible to allow users to self-enroll their Macs without also giving them access to view every computer and user in my JSS?

2 REPLIES

stevenjklein
Contributor II

I've been working with Jamf support for a while, and I now have a definitive answer to my question.

No, it is not possible to allow users to self-enroll using mycompany.jamfcloud.com/enroll

Unfortunately, "enrollment only" is dangerously misnamed, in a way that suggests a very cavalier attitude toward security. Users with "enrollment only" privs should not be able to edit user information for all the users in my JSS!

Until it gets fixed, we'll have to use QuickAdd, and send it to new users via email.

thomH
New Contributor III

Perhaps this explains why I see computers not fully installing the management framework when using mycompany.jamfcloud.com/enroll?

Does a user have to be in an enrollment group to use the URL method?