12-02-2021 05:40 PM - edited 12-03-2021 07:25 AM
Hey all, anyone know of a way to prevent any and everyone from enrolling a macOS device through https://our.jamfserver.com/enroll without disabling ABM/DEP enrollments? I want to make DEP the only option for anyone to enroll into our jamf and would prefer that the web address just be invalid. But turning off user initiated enrollment breaks macOS ABM/DEP enrollments.
Essentially I want to hide http://my.jamfserver.com/enroll completely or make it non-functional when accessed via a browser, while still allowing everyone in our domain to enroll a new macOS device via ABM/DEP.
Any tips?
EDIT 12.3.2021: This comment hopefully better explains what I'm looking for. Also updated post title.
Posted on 12-02-2021 07:56 PM
You can prevent that URL from being functional by turning off UIE for macOS and iOS devices by unchecking the below box for each. We did this a few weeks ago when we were planning to make our Jamf server publicly accessible.
12-02-2021 08:02 PM - edited 12-03-2021 06:47 AM
@PatrickD Once we disabled that, our enrollment was throwing a 500 error at the last text pane of the PreStage before the profiles applied. I found in the Jamf Pro guide that this setting is required for DEP to function, so maybe I'm just out of luck. I thought it was an access rights issue from the LDAP authentication page, so I removed that. Also removed the authentication requirement from the PreStage; still unable to enroll via ABM/DEP with that setting off. 😞
Posted on 12-02-2021 09:53 PM
You can prevent everyone from enrolling devices by enabling "restrict re-enrollment to authorised users only". You can authorise IT folks to enrol the devices.
12-02-2021 10:10 PM - edited 12-02-2021 10:13 PM
But I want everyone to be able to enroll. Just not by the website URL. And it seems disabling the URL breaks DEP.
The users get new, in-box, shrink-wrapped Macs and set them up on their own. Some people have skipped connecting to a network during setup and are able to bypass DEP enrollment, set up their account as a local admin, install whatever, and then enroll by the web. This is becoming more common with our developers overseas and I've got to cut it off.
We need to eliminate that bypass. Everyone needs rights to enroll so DEP can function, from my understanding. But the webpage must not allow enrollment for ANYONE, including IT staff, to meet my requirement of making DEP the only de-facto "enroll my way or the highway" way you're going to enroll. And if you don't, you're going to erase it and do it like I told you to via DEP, because there's no other option and no exceptions to it.
Posted on 12-02-2021 10:59 PM
Do you have DEP and non-DEP computers, or only DEP?
Posted on 12-02-2021 11:17 PM
Only DEP systems
Posted on 12-02-2021 11:46 PM
Check this out for zero-touch deployment with the PreStage enrolment method, which doesn't require URL-based enrollment.
Posted on 12-03-2021 06:39 AM
@devs11836 that's how we're setup.
So now I want to disable the enrollment via webpage.
However doing that, breaks this process you linked, that's the issue.
12-03-2021 07:17 AM - edited 12-03-2021 07:19 AM
________________
Configuring a Computer PreStage Enrollment
Requirements
Before you can use a PreStage enrollment, you must do the following:
Integrate Jamf Pro with Automated Device Enrollment (formerly DEP). This creates an Automated Device Enrollment instance in Jamf Pro. For more information, see Integrating with Automated Device Enrollment.
Enable user-initiated enrollment for macOS in Jamf Pro. For more information, see User-Initiated Enrollment Settings.
________________
Which is fine, because the users are technically the ones enrolling the devices since they're going through ABM/DEP>Pre-Stage Enrollment. So having that setting enabled as a requirement seems logical to me.
But the webpage GUI for https://our.jamfserver.com/enroll shouldn't be required and there should be a way to disable it from being accessed in a browser universally while still allowing Pre-Stage enrollments to function.
So I'm asking, how do I break that site's GUI or prevent it from being accessed by anyone without breaking DEP and Pre-Stage for zero-touch user initiated enrollment, leaving DEP and Pre-Stage the ONLY way for ANYONE to enroll a device?
Posted on 12-03-2021 07:27 AM
To start you can restrict who can enroll with user-initiated enrollment (mentioned above), and edit the text on the login screen that says THIS FEATURE IS DISABLED and change the field text to be like DO NOT USE or whatever. And include how to contact IT or whoever else if manual enrollment is required.
We did this at a previous organization and it got the point across to 99% of users.
12-03-2021 07:32 AM - edited 12-03-2021 07:37 AM
So there's not a way to do what I'm asking then it sounds like. And your solution was to make a policy that somehow bricks any device that a user enrolls via the web URL?
If I restrict user-initiated enrollment, that doesn't solve my issue, as user-initiated enrollment is required for PreStage to function. I did attempt that but received the same experience where PreStage broke.
I need User-Initiated enrollment open to 100% of users, as it's required by Pre-Stage enrollments but also need the web GUI for the enrollment page to be disabled for 100% of users, Including myself and everyone in IT.
12-03-2021 10:14 AM - edited 12-03-2021 10:15 AM
Ohh ok you modified the text on that login page. I had to think about your reply a bit more. I was worried that if I went that route that it would just be removed by a future Jamf update and didn't want to rely on that as my solution. Changing access won't work, because if I want zero-touch then I don't want to limit enrollment just to a subset of users. I just want to ensure that the users enroll the correct way.
However you did give me the idea to make a policy to brick them because that's what I thought you meant originally. So thanks! 🙂
Posted on 12-03-2021 10:00 AM
Uncheck the below option and check if that works in your case.
12-03-2021 10:09 AM - edited 12-03-2021 10:11 AM
It does not. Jamf Support replied to my open ticket with them on this issue that User-Initiated enrollment is indeed required and there's no way to disable that website and still have PreStage enrollments work via DEP.
My solution is now a policy that bricks any device upon the enrollmentComplete trigger scoped to systems that come in outside of PreStage enrollment method (removes admin rights from all users, deletes self service, and forces a reboot). So the user only has the option of accessing the web browser or rebooting to recovery and erasing the device to enroll the proper way.
This is a complex solution for something that should be just as easy as checking a box. I'd rather the users not have the opportunity to enroll via the web URL at all and skip a few steps. Time to file a feature request 🙂
Posted on 03-18-2022 12:16 AM
Did you ever submit the Feature Request? Or any changes made to this at all?
This should be a few check boxes within Jamf settings to:
• allow enrollments via prestage/DEP
• allow enrollments via invitations
• allow user-initiated enrollments via URL
and be able to select which ones you want or need. I'd like to restrict it to DEP and Invite only due to the exposure of the enrollment URL and employees who may have their own Mac getting crafty and enrolling into our Jamf for no good reason. We also have BYO Mac for some contractors who we don't supply Macs to and would like to limit that to invite only as well.
Posted on 03-08-2023 05:52 PM
We need to do this very thing. Any updates on this behavior?
Posted on 03-16-2023 06:02 PM
@guidotti I had a look for a FR but couldn't find one so I raised on myself, see - https://ideas.jamf.com/ideas/JN-I-26993
Posted on 03-16-2023 06:24 PM
I reported this to Jamf support the other day. I did come up with a solution. By editing the login.jsp, I can effectively remove the GUI entries for username and password. I also am trapping enrollments into a smart group and automatically unenrolling devices that come in that way.
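The posts above describe trapping non-PreStage enrollments in a smart group (and a policy on the enrollmentComplete trigger scoped to those devices). Below is an added example, not code from the thread or from Jamf, of a Jamf Pro Extension Attribute script that reports the enrollment path so a smart group can key on it; it assumes the `profiles status -type enrollment` output format shown in the constructed sample, and the `classify_enrollment` function name is my own.

```shell
#!/bin/bash
# Added example (not from the thread or from Jamf): an Extension Attribute
# that classifies how this Mac was enrolled. A smart group with criteria
# "Enrollment Path is NON_ADE" can then scope the remediation policy.

# classify_enrollment reads the text of `profiles status -type enrollment`
# on stdin and prints one of: ADE, NON_ADE, NOT_ENROLLED.
# Assumed output lines (macOS): "Enrolled via DEP: Yes|No" and
# "MDM enrollment: Yes (User Approved)" or "MDM enrollment: No".
classify_enrollment() {
    local dep="" mdm=""
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP:"*) dep="${line##*: }" ;;   # "Yes" or "No"
            "MDM enrollment:"*)   mdm="${line##*: }" ;;   # "Yes (User Approved)", "No"
        esac
    done
    if [ "${mdm%% *}" != "Yes" ]; then
        echo "NOT_ENROLLED"          # no MDM profile at all
    elif [ "$dep" = "Yes" ]; then
        echo "ADE"                   # came in through ABM/DEP + PreStage
    else
        echo "NON_ADE"               # enrolled some other way, e.g. the /enroll URL
    fi
}

# Constructed sample (not captured from a real Mac): what a web-URL
# enrollment typically reports.
SAMPLE_WEB_ENROLL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
printf '%s\n' "$SAMPLE_WEB_ENROLL" | classify_enrollment   # prints NON_ADE

# On a real Mac (EA scripts run as root), emit the <result> tag that Jamf
# stores as the attribute value. Skipped where `profiles` is not present.
if [ -x /usr/bin/profiles ]; then
    echo "<result>$(/usr/bin/profiles status -type enrollment | classify_enrollment)</result>"
fi
```

Devices that hit the smart group should be reviewed before any policy acts on them, since a misclassified NOT_ENROLLED (for example, a transient failure running `profiles`) would otherwise look like a bypass.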
06-19-2023 04:07 PM - edited 06-19-2023 04:08 PM
Unless I'm missing something, I've been able to disable UIE via the following settings:
These settings prevent users and Site Admins from being able to successfully authenticate to the UIE /enroll URL for our instance. Optionally, you can edit the verbiage to say it's "Disabled" as indicated in this thread here: Settings > Global > User-Initiated Enrollment > Messaging.
Am I missing something that isn't addressed by these settings?