How can we limit LDAP groups to do "User-Initiated Enrollment Process" on Computers?

Kumarasinghe
Valued Contributor

Does anyone have a solution to limit "User-Initiated Enrollment Process" to specific LDAP groups?

10 REPLIES 10

ctangora
Contributor II

I had to do something like this when we had two LDAP servers (one AD, one LDAP) and the JSS would not auto-populate since the users came up on two ldap's. I specified a ldap server in my recon and problem solved. You should be able to do the same for your situation.

I don't have the jamf binary installed on this machine so I can't tell you the exact modifiers you need to use. But the basic idea is that you setup a LDAP connection to look at only the group you want, then run recon and tell it use that ldap server.

#!/bin/sh
/path/to/jamf recon -verbose -user ME -assettag 1234 -ldapserver 3

Your lookups will now use the ldap search you specified (in this case the third ldap). Note: I had to look at jamfsoftware SQL DB to get the ldap number for this server, I could not find it referenced anywhere in the JSS.

If you still are having issues let me know and I will get the details.

Kumarasinghe
Valued Contributor

@ctangora][/url
Our enrollment is working fine with AD LDAP.
What I wanted to do is to limit the "User-Initiated Enrollment Process" to specific LDAP group/s. So only the authorized people can enroll machines.
Thanks.

ctangora
Contributor II

My bad....

Kumarasinghe
Valued Contributor

Not a problem. You were trying to help. Thanks.

mm2270
Legendary Contributor II

I would be interested in this as well. Right now, with LDAP authentication for the enrollment page enabled, any user with valid AD credentials can go through the enrollment process. We have a somewhat large base of BYO Mac users who are not supposed to get their Mac enrolled into our JSS, because ti allows access to application installs via Self Service that they shouldn't have access to.
It would be great if we could only allow some accounts or a specific group to get past the authentication page.

Kumarasinghe
Valued Contributor

@mm2270][/url][/url
Right on the target. I have the same issue as yours. Up until now I thought "Enroll OS X Computers" (v8.x) or "User-Initiated Enrollment for Computers" (v9.x) privilege controls this but it does not.

Can anyone from JAMF confirm whether we can do it or not with current version?

This is a must for thin-imaging style enrollments.

milesleacy
Valued Contributor

To limit enrollments to selected individuals, one could...

  1. Ensure "Allow user-initiated enrollment without invitation" is deselected in Mobile Device Management > User Initiated Enrollment
  2. Send enrollment invitations to the desired users. (Casper Suite Administrator’s Guide Version 9.31, Page 366)

I hope this helps.

Kumarasinghe
Valued Contributor

@milesleacy][/url
Thanks but Not the solution we are after. Still you can login with any LDAP account if you have the link or otherwise you have to send email to each individual every time they need an enrollment. This is not a viable solution for a large enterprise.

What we are looking for is to limit the enrollment to a LDAP group using JSS "Accounts and Groups" privileges. Simple as that.

were_wulff
Valued Contributor II

Hey @Kumarasinghe][/url][/url ,

Have we tried setting up a new JSS User Group, choosing "Add LDAP Group", and giving it the Enrollment Only privilege set?

We can do that through System Settings >> JSS User Accounts & Groups >> New

If yes, and it doesn’t work, please get in touch with your Technical Account Manager so we can get a case going and dig into why that might be happening.

Caveat:

If there are users within the group(s) created that need/are supposed to have more JSS privileges beyond enrollment, it could become an issue as the JSS will take the most restrictive set of privileges that apply to a user and use those. The same applies if the user(s) in question are part of multiple LDAP groups. The most restrictive set of privileges will take effect in those cases.

However, due to a currently open defect (D-006815) the JSS doesn’t respect that at the moment and will give them the most permissive set of permissions which may not be desired behavior in some cases.

Edit to add: In addition to that, we can try turning on "Restrict re-enrollment to authorized users only" on under Computer Management >> User Initiated Enrollment.
The wording there is slightly unclear, however, and it will allow re-enrollment if the user has the "Computers" privilege OR if their username matches the Username field in User and Location Information. The or in there is important, only one of the criteria has to match for the JSS to allow that user to re-enroll.

It may not be a completely perfect solution, based on what it looks like you want, and might end up being something that needs to be a Feature Request.

Thanks!

Amanda Wulff
JAMF Software Support

Kumarasinghe
Valued Contributor

@amanda.wulff][/url][/url][/url][/url][/url][/url
The problem is anyone on LDAP can enroll machines. I can log in to /enroll page with a user never be part of JSS users or group but still able to get machines enrolled. Please see @mm2270][/url][/url][/url][/url][/url][/url's post as well.

We have an open case: [ ref:_00D80cOw4._500C0ZrciK:ref ] last update I have received is on 6 May 2014. Can you please have a look and give us an update.

Please test it on your environment with LDAP users and see.

I have created a Feature Request;
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2267

I hope this will be addressed very soon as it is a simple but very important (security wise) task which allow us to control the computer enrollment process.