At my school we have a wireless network solely for the purpose of new students enrolling their iPads into Jamf. Once enrolled, they get a config profile with settings for another, secure SSID that their iPads then join.

We had some firewall rules on the enrollment SSID, locking it down so the only destinations accessible were the on-site Jamf server and the Apple subnet.

This had previously proven effective: users would enroll their iPads successfully without using this network to access the wider internet. However, as of late enrollment is failing, and will only work if I remove the firewall rules and allow traffic to anywhere.

Does anyone else out there use a similar method to allow users to enrol?

@OJCJAMF Do you have any logging in the firewall to determine what is being dropped?
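As an added example (not code from anyone in this thread): a small script that reads firewall deny logs for the enrollment VLAN and separates drops to destinations already on the ACL (the rule itself is wrong, e.g. the Jamf port) from drops to destinations the ACL does not cover (candidates to add). The log format, the Jamf server address, the enrollment VLAN and the Apple block are assumed placeholder values; adjust them for your site.

```python
import ipaddress
import re
from collections import Counter

# Constructed allowlist standing in for the ACL described in the thread.
# Both values are placeholders/assumptions, not real site addresses.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.5.20/32"),  # placeholder: on-site Jamf server
    ipaddress.ip_network("17.0.0.0/8"),    # assumed "Apple subnet" entry of the ACL
]
ENROLLMENT_NET = ipaddress.ip_network("192.0.2.0/24")  # placeholder: enrollment SSID VLAN

# Constructed sample log in a generic key=value deny format; change LINE_RE for your firewall.
SAMPLE_LOG = """\
2024-05-01T09:01:02 action=deny src=192.0.2.15 dst=10.0.5.20 dport=8443 proto=tcp
2024-05-01T09:01:03 action=deny src=192.0.2.15 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:01:04 action=deny src=192.0.2.22 dst=203.0.113.7 dport=443 proto=tcp
2024-05-01T09:01:05 action=allow src=192.0.2.22 dst=17.1.2.3 dport=443 proto=tcp
2024-05-01T09:01:06 action=deny src=192.0.2.22 dst=198.51.100.9 dport=53 proto=udp
2024-05-01T09:01:07 action=deny src=10.9.9.9 dst=203.0.113.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

def classify_denied_flows(log_text, enrollment_net=ENROLLMENT_NET, allowed=ALLOWED_NETWORKS):
    """Return (already_allowed, missing): Counters keyed by (dst, dport, proto) for denied
    flows from the enrollment VLAN. already_allowed = destination is on the ACL but still
    dropped (rule or port problem); missing = destination not covered by the ACL at all."""
    already_allowed, missing = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "deny":
            continue
        if ipaddress.ip_address(m["src"]) not in enrollment_net:
            continue  # only traffic from enrolling iPads is of interest here
        dst = ipaddress.ip_address(m["dst"])
        key = (str(dst), int(m["dport"]), m["proto"])
        if any(dst in net for net in allowed):
            already_allowed[key] += 1
        else:
            missing[key] += 1
    return already_allowed, missing

def report(log_text):
    already_allowed, missing = classify_denied_flows(log_text)
    for (dst, port, proto), n in missing.most_common():
        print(f"NOT ON ACL        {dst}:{port}/{proto}  dropped {n}x (candidate to allow)")
    for (dst, port, proto), n in already_allowed.most_common():
        print(f"ON ACL YET DENIED {dst}:{port}/{proto}  dropped {n}x (check the ACL rule/port)")

if __name__ == "__main__":
    report(SAMPLE_LOG)
```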

Yeah, that is our next step to check; it's just a bit of a pain, as we (the IT provider) only visit the school once a month and the firewall is managed by a 3rd party!

The ACLs I mentioned are configured on the wireless controller, which we have access to.

There are some non-Apple domains you need to be able to access as well. I'd recommend just using the following list and not doing

How about using your webfilter to limit web access for that IP block instead of the firewall?

The basic idea would be to filter the open network so heavily that no user would be able to, or want to, use it for anything other than device registration. Sort of like: it is open, you can get on it, but you can't surf anywhere nice.