How do I disable http://my.jamfserver.com/enroll without breaking macOS PreStage enrollments?

gknacks
New Contributor III

Hey all, anyone know of a way to prevent any and everyone from enrolling a macOS device through https://our.jamfserver.com/enroll without disabling ABM/DEP enrollments? I want to make DEP the only option for anyone to enroll into our jamf and would prefer that the web address just be invalid. But turning off user initiated enrollment breaks macOS ABM/DEP enrollments.

Essentially I want to hide http://my.jamfserver.com/enroll completely or make it non-functional when accessed via a browser, while still allowing everyone in our domain to enroll a new macOS device via ABM/DEP.

Any tips?

EDIT 12.3.2021: This comment hopefully better explains what I'm looking for. Also updated post title.

2 ACCEPTED SOLUTIONS

emily
Valued Contributor III

To start you can restrict who can enroll with user-initiated enrollment (mentioned above), and edit the text on the login screen that says THIS FEATURE IS DISABLED and change the field text to be like DO NOT USE or whatever. And include how to contact IT or whoever else if manual enrollment is required.

We did this at a previous organization and it got the point across to 99% of users. 

gknacks
New Contributor III

It does not. Jamf Support replied to my open ticket with them on this issue that User-Initiated enrollment is indeed required and there's no way to disable that website and still have PreStage enrollments work via DEP.

My solution is now a policy that bricks any device upon the enrollmentComplete trigger scoped to systems that come in outside of PreStage enrollment method (removes admin rights from all users, deletes self service, and forces a reboot). So the user only has the option of accessing the web browser or rebooting to recovery and erasing the device to enroll the proper way.

This is a complex solution for something that should be just as easy as checking a box. I'd rather the users not have the opportunity to enroll via the web URL at all and skip a few steps. Time to file a feature request 🙂

19 REPLIES

PatrickD
Contributor II

You can prevent that url from being functional by turning off UIE for macOS and iOS devices by unchecking the below box for each. We did this a few weeks ago when we were planning to make our Jamf server publicly accessible.

[screenshot: PatrickD_0-1638503723582.png]

gknacks
New Contributor III

@PatrickD Once we disabled that, our enrollment was throwing a 500 error at the last text pane of the PreStage before the profiles applied. I found in the Jamf Pro guide that this setting is required for DEP to function, so maybe I'm just out of luck. I thought it was an access rights issue from the LDAP authentication page, so I removed that. Also removed the authentication requirement from the PreStage; still unable to enroll via ABM/DEP with that setting off. 😞

devs11836
New Contributor

You can prevent everyone from enrolling devices by enabling "restrict re-enrollment to authorised users only". You can authorise IT folks to enrol the device.

gknacks
New Contributor III

But I want everyone to be able to enroll. Just not by the website URL. And it seems disabling the URL breaks DEP.

The users get new, in-box, shrink-wrapped Macs and set them up on their own. Some people have skipped connecting to a network during setup and are able to bypass DEP enrollment, set up their account as a local admin, install whatever, and then enroll by the web. This is becoming more common with our developers overseas and I've got to cut it off.

We need to eliminate that bypass. Everyone needs rights to enroll so DEP can function, from my understanding. But the webpage must not allow enrollment for ANYONE, including IT staff, to meet my requirement of making DEP the only de-facto "enroll my way or the highway" way you're going to enroll. And if you don't, you're going to erase it and do it like I told you to via DEP, because there's no other option and no exceptions to it.

devs11836
New Contributor

You have DEP and non-DEP computers, or only DEP?

gknacks
New Contributor III

Only DEP systems

devs11836
New Contributor

Check this out for zero-touch deployment with the PreStage enrolment method, which doesn't require URL-based enrollment.

https://www.jamf.com/resources/videos/enrollment-customizations-zero-touch-deployment-and-the-end-us...

gknacks
New Contributor III

@devs11836 that's how we're set up.

So now I want to disable the enrollment via webpage.

However, doing that breaks the process you linked; that's the issue.

gknacks
New Contributor III

From this section of the Jamf 10.34.0 Admin guide, user-initiated enrollment is required for PreStag...

________________

Configuring a Computer PreStage Enrollment
Requirements

Before you can use a PreStage enrollment, you must do the following:

________________

Which is fine, because the users are technically the ones enrolling the devices since they're going through ABM/DEP>Pre-Stage Enrollment. So having that setting enabled as a requirement seems logical to me.

But the webpage GUI for https://our.jamfserver.com/enroll shouldn't be required and there should be a way to disable it from being accessed in a browser universally while still allowing Pre-Stage enrollments to function.

So I'm asking, how do I break that site's GUI or prevent it from being accessed by anyone without breaking DEP and Pre-Stage for zero-touch user initiated enrollment, leaving DEP and Pre-Stage the ONLY way for ANYONE to enroll a device?

emily
Valued Contributor III

To start you can restrict who can enroll with user-initiated enrollment (mentioned above), and edit the text on the login screen that says THIS FEATURE IS DISABLED and change the field text to be like DO NOT USE or whatever. And include how to contact IT or whoever else if manual enrollment is required.

We did this at a previous organization and it got the point across to 99% of users. 

gknacks
New Contributor III

So there's not a way to do what I'm asking then, it sounds like. And your solution was to make a policy that somehow bricks any device that a user enrolls via the web URL?

If I restrict the user-initiated enrollment, that doesn't solve my issue, as user-initiated enrollment is required for PreStage to function. I did attempt that but received this same experience where PreStage broke.

I need User-Initiated Enrollment open to 100% of users, as it's required by PreStage enrollments, but also need the web GUI for the enrollment page to be disabled for 100% of users, including myself and everyone in IT.

gknacks
New Contributor III

Ohh ok you modified the text on that login page. I had to think about your reply a bit more. I was worried that if I went that route that it would just be removed by a future Jamf update and didn't want to rely on that as my solution. Changing access won't work, because if I want zero-touch then I don't want to limit enrollment just to a subset of users. I just want to ensure that the users enroll the correct way.

However you did give me the idea to make a policy to brick them because that's what I thought you meant originally. So thanks! 🙂

devs11836
New Contributor

Uncheck the below option and check if that works in your case.

[screenshot: Screenshot 2021-12-03 at 11.27.59 PM.png]

gknacks
New Contributor III

It does not. Jamf Support replied to my open ticket with them on this issue that User-Initiated enrollment is indeed required and there's no way to disable that website and still have PreStage enrollments work via DEP.

My solution is now a policy that bricks any device upon the enrollmentComplete trigger scoped to systems that come in outside of PreStage enrollment method (removes admin rights from all users, deletes self service, and forces a reboot). So the user only has the option of accessing the web browser or rebooting to recovery and erasing the device to enroll the proper way.

This is a complex solution for something that should be just as easy as checking a box. I'd rather the users not have the opportunity to enroll via the web URL at all and skip a few steps. Time to file a feature request 🙂
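As an added example (not code from this thread, and not a Jamf-provided script): a policy script for the enrollmentComplete trigger that implements the lock-out gknacks describes, but also checks on the Mac itself whether enrollment came through ABM/DEP before acting, so a mis-scoped smart group cannot quarantine a correctly enrolled machine. It reads `profiles status -type enrollment` (macOS reports "Enrolled via DEP: Yes" for ADE enrollments), demotes every local admin except the management account, removes Self Service, and schedules a reboot. The parameter layout (script parameter 4 = "report" or "enforce", parameter 5 = the management account, default "jamfadmin"), the function names and the reboot message are assumptions for this example; the `dscl` and `dseditgroup` calls are standard macOS tools.

```shell
#!/bin/bash
# Added example for the thread above; not Jamf's code and not gknacks' policy.
# Runs as root from a Jamf policy on the "enrollmentComplete" trigger.
# Jamf passes $1..$3 (mount point, computer name, username) before the custom
# script parameters; this example assumes:
#   $4  "report" (log only) or "enforce" (apply the lock-out); anything else: no-op
#   $5  the management account to keep as admin (hypothetical default "jamfadmin")

# Classify the output of `profiles status -type enrollment`.
# Prints "ade" when the Mac reports "Enrolled via DEP: Yes", otherwise "manual".
# Takes the command output as $1 so it can be exercised with constructed input.
classify_enrollment() {
  local status="$1"
  if printf '%s\n' "$status" | grep -qi '^Enrolled via DEP: *Yes'; then
    echo "ade"
  else
    echo "manual"
  fi
}

# From the output of `dscl . -read /Groups/admin GroupMembership`, list the
# admin accounts to demote: everything except root and the account named in $2.
admins_to_demote() {
  local membership="$1"
  local keep="$2"
  printf '%s\n' "$membership" | sed 's/^GroupMembership://' | tr ' ' '\n' \
    | grep -v '^$' | grep -vx -e root -e "$keep"
}

# The lock-out itself. Only reached in "enforce" mode on a non-ADE Mac.
quarantine() {
  local keep="$1"
  local membership u
  membership=$(dscl . -read /Groups/admin GroupMembership 2>/dev/null) || membership=""
  for u in $(admins_to_demote "$membership" "$keep"); do
    echo "demoting $u from admin"
    dseditgroup -o edit -d "$u" -t user admin
  done
  rm -rf "/Applications/Self Service.app"
  # one-minute warning, then reboot; the message text is an assumption
  shutdown -r +1 "This Mac was not enrolled through Automated Device Enrollment. Erase it and enroll via Setup Assistant."
}

main() {
  local mode="$1"
  local keep="${2:-jamfadmin}"
  local status
  [ "$(uname)" = "Darwin" ] || { echo "macOS only"; return 1; }
  status=$(profiles status -type enrollment 2>/dev/null) || status=""
  case "$(classify_enrollment "$status")" in
    ade)
      echo "enrolled via ADE; nothing to do" ;;
    manual)
      if [ "$mode" = "enforce" ]; then
        quarantine "$keep"
      else
        echo "non-ADE enrollment detected; would quarantine (report mode)"
      fi ;;
  esac
}

# The Jamf script parameter selects the mode; with no parameter the script
# only defines its functions, so it can be sourced and tested safely.
case "${4:-}" in
  report|enforce) main "$4" "${5:-}" ;;
esac
```

Stage it with parameter 4 set to "report" first and compare the policy log against the smart group used for scoping; only switch to "enforce" once the on-device check and the scoping agree, since the actions are deliberately destructive and the only way back for the user is the erase-and-re-enroll path the thread describes.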

walt
Contributor III

Did you ever submit the Feature Request? Or any changes made to this at all?

This should be a few check boxes within Jamf settings to:

• allow enrollments via prestage/DEP

• allow enrollments via invitations

• allow user-initiated enrollments via URL

and be able to select which ones you want or need. I'd like to restrict it to DEP and Invite only due to the exposure of the enrollment URL and employees who may have their own Mac getting crafty and enrolling into our Jamf for no good reason. We also have BYO Mac for some contractors who we don't supply Macs to and would like to limit that to invite only as well.

guidotti
Contributor II

We need to do this very thing. Any updates on this behavior?

PatrickD
Contributor II

@guidotti I had a look for a FR but couldn't find one, so I raised one myself, see - https://ideas.jamf.com/ideas/JN-I-26993

I reported this to Jamf support the other day. I did come up with a solution. By editing the login.jsp, I can effectively remove the GUI entries for username and password. I also am trapping enrollments into a smart group and automatically unenrolling devices that come in that way.

MLBZ521
Contributor III

Unless I'm missing something I've been able to disable UIE via the following settings:

  • Settings > Global > User-Initiated Enrollment > 
    • macOS >
      • [Enabled] Enable user-initiated enrollment
        • This has to be enabled for ADE to work....why?  Because:  Jamf
    • iOS
      • Profile-Driven Enrollment via URL
        • [Disabled] Enable for institutionally owned devices
        • [Disabled] Enable for personally owned devices
      • Account-Driven User Enrollment
        • [Disabled] Enable for personally owned devices
          • Optional; if you allow BYOD, then you'll have to handle this in some manner
    • Access
      • Set the default group to:
        • Profile-Driven Enrollment Via URL
          • [Disabled] Allow group to enroll institutionally owned devices
          • [Disabled] Allow group to enroll personally owned devices
        • Account-Driven User Enrollment
          • [Disabled] Allow group to enroll personally owned devices via Account-Driven User Enrollment
            • Again, if you're using BYOD, see previous note
  • Settings > System > User accounts and groups
    • We're even preventing our Site Admins from using UIE, really all non-ADE enrollment methods...
    • Edit the required user(s) and/or group(s):
      • Jamf Pro Server Objects
        • [Disabled] Computer Enrollment Invitations
          • It's important to note that existing invitations can still be used, so they will need to be deleted
        • [Disabled] Mobile Device Enrollment Invitations
          • (See previous note above)
      • Jamf Pro Server Actions
        • [Disabled] Enroll Computers and Mobile Devices

These settings prevent users and Site Admins from being able to successfully authenticate to the UIE /enroll URL for our instance.  Optionally, you can edit the verbiage to say it's "Disabled" as indicated in this thread here:  Settings > Global > User-Initiated Enrollment > Messaging.

Am I missing something that isn't addressed by these settings?