We have a group called "Jamf - User" that (until today) was set to Enrollment Only.
Then I discovered that users in that group could view (but not edit) computers. They can also view and edit users!
- For Computers, Create and Read are set.
- For Users, Create, Read, and Update are set.
Is it not possible to allow users to self-enroll their Macs without also giving them access to view every computer and user in my JSS?
I've been working with Jamf support for a while, and I now have a definitive answer to my question.
No, it is not possible to allow users to self-enroll using mycompany.jamfcloud.com/enroll.
Unfortunately, "enrollment only" is dangerously misnamed, in a way that suggests a very cavalier attitude toward security. Users with "enrollment only" privs should not be able to edit user information for all the users in my JSS!
Until it gets fixed, we'll have to use QuickAdd, and send it to new users via email.
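
Added example, not part of the original posts and not Jamf's own code: a small audit that flags groups whose privileges go past Create on Computers and Users, as the "Jamf - User" group described above does. The "<Action> <Object>" privilege strings, the sample groups, and the rule that only Create is needed for enrollment are assumptions made for illustration.

```python
# Added example: the privilege strings and record layout are constructed from
# the post ("<Action> <Object>"); they are not pulled from a live Jamf server.
from collections import defaultdict

ACTIONS = ("Create", "Read", "Update", "Delete")
# Assumption: for a group meant only for self-enrollment, anything beyond
# Create on these inventory objects counts as excess exposure.
SENSITIVE_OBJECTS = {"Computers", "Users"}
ENROLL_ACTIONS = {"Create"}

def parse_privilege(text):
    """Split 'Read Computers' into ('Read', 'Computers'); None if not CRUD."""
    action, _, obj = text.strip().partition(" ")
    if action not in ACTIONS or not obj:
        return None
    return action, obj

def excess_privileges(privileges):
    """Return {object: [actions]} that go beyond enrollment on sensitive objects."""
    excess = defaultdict(list)
    for text in privileges:
        parsed = parse_privilege(text)
        if parsed is None:
            continue  # not a CRUD-style privilege string; out of scope here
        action, obj = parsed
        if obj in SENSITIVE_OBJECTS and action not in ENROLL_ACTIONS:
            excess[obj].append(action)
    return {obj: sorted(set(acts), key=ACTIONS.index) for obj, acts in excess.items()}

def audit(groups):
    """Map each group name to its excess privileges; clean groups are omitted."""
    report = {}
    for name, privileges in groups.items():
        found = excess_privileges(privileges)
        if found:
            report[name] = found
    return report

# Constructed sample: the first group mirrors the flags listed in the post.
SAMPLE_GROUPS = {
    "Jamf - User": ["Create Computers", "Read Computers",
                    "Create Users", "Read Users", "Update Users"],
    "Hypothetical - Create Only": ["Create Computers", "Create Users"],
}

if __name__ == "__main__":
    for group, found in audit(SAMPLE_GROUPS).items():
        for obj, actions in found.items():
            print(f"{group}: {'/'.join(actions)} on all {obj}")
```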