At my school we have a wireless network solely for new students to use when enrolling their iPads into Jamf. Once enrolled, they would get a config profile with settings for another secure SSID their iPads then join.
We had some firewall rules on the enrollment SSID, locking it down so the only destinations accessible were the on-site Jamf server and the Apple 188.8.131.52 subnet.
This had previously proven effective; users would enroll their iPads successfully without using this network to access the wider internet. However, as of late, enrollment is failing, and will only work if I remove the firewall rules and allow traffic to anywhere.
Does anyone else out there use a similar method to allow users to enrol?
How about using your webfilter to limit web access for that IP block instead of the firewall?
The basic idea would be to filter the open network so heavily that no user would be able to or want to use it for anything other than device registration. Sort of like, it is open, you can get on it but you can't surf anywhere nice.