Posted on 01-02-2023 03:11 AM
We are reviewing the permissions given to people who need to enroll their device (macOS only) by either DEP/ADE or user-initiated enrollment.
First question, do DEP/ADE and user-initiated require the same permissions?
Second question, what are the minimum required permissions?
The strange thing is that the permissions for:
Allow User to Enroll
Assign Users to Computers
Assign Users to Mobile Devices
Enroll Computers and Mobile Devices
are not assigned, but no one reports any issue.
When looking at the default role that allows people to enroll their device, it seems to assign way too much.
Anyone who knows the ins and outs?
Posted on 01-02-2023 12:52 PM
@DennisMX If you're using AD authentication in your PreStage for ADE enabled Macs then you should not need to assign any enrollment permissions to your users for them to enroll a Mac.
Posted on 01-02-2023 07:16 AM
1st test shows that assigning only 'Enroll Computers and Mobile Devices' allows a user to use DEP/ADE.
Why would Jamf assign so many irrelevant permissions to users and expose all computers to all users?
Posted on 01-03-2023 10:25 PM
Thanks @sdagley, so you mean we do not need to assign any permission in Jamf to end users?
As you specifically mention ADE, my assumption is that for user-initiated enrollments there are some required permissions?
All our machines are ADE, but every now and then a machine skips ADE and then we have the user enroll it via <company>.jamfcloud.com/enrol.
01-03-2023 11:10 PM - edited 01-04-2023 01:20 AM
No permissions at all will not get the user past the Require Authentication step for ADE.
Maybe I made some typos; it seems to work without any permissions for ADE.
Will do some further testing.
Posted on 01-04-2023 06:07 AM
@DennisMX I should have been clearer. You do not need to assign permissions in the "Settings->User accounts and groups" section of the Jamf Pro console (which is what I took your original post to be referencing), but you do need to have "Enable user-initiated enrollment for computers" enabled under "Settings->Global->User-initiated Enrollment".
Posted on 01-04-2023 06:47 AM
@sdagley
Thanks for the clarification. In the meantime we ran several tests and no permissions are required for ADE or user-initiated enrollment.
Still wondering why there is a specific role for enrollment...
Posted on 01-04-2023 06:54 AM
@DennisMX When ADE isn't possible (and my condolences for orgs in that situation) the enrollment permissions allow someone manually enrolling a Mac using https://JAMF_PRO_URL.com:8443/enroll (e.g. preparing Macs for deployment in a depot) to specify the user it's being enrolled for instead of enrolling the Mac for themselves.
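Since the thread's conclusion is that the four enrollment privileges listed in the first post are all a depot-enrollment account should need, a practical follow-up is to audit which Jamf Pro accounts hold anything beyond that set. The script below is an added example, not code from this thread, from Jamf, or from any Jamf tool. It assumes the JSON shape returned by the Classic API endpoint GET /JSSResource/accounts/userid/{id} (an "account" object whose "privileges" member holds lists of privilege names keyed by category, and a "privilege_set" that is "Custom" for hand-picked privileges); verify that shape against your own instance before pointing it at real data. The sample accounts are constructed for illustration.

```python
"""Audit Jamf Pro accounts for privileges beyond the four enrollment ones.

Added example for this thread; not code from the thread or from Jamf.
Assumption: the Classic API account JSON shape described in the lead-in.
"""

# The four enrollment-related privileges named in the thread.
ENROLLMENT_PRIVILEGES = frozenset({
    "Allow User to Enroll",
    "Assign Users to Computers",
    "Assign Users to Mobile Devices",
    "Enroll Computers and Mobile Devices",
})

# Constructed sample responses (not captured from a real Jamf Pro server).
SAMPLE_ACCOUNTS = [
    {"account": {"id": 7, "name": "enroll-depot", "privilege_set": "Custom",
                 "privileges": {
                     "jss_objects": ["Enroll Computers and Mobile Devices"],
                     "jss_settings": [], "jss_actions": []}}},
    {"account": {"id": 8, "name": "helpdesk-enroll", "privilege_set": "Custom",
                 "privileges": {
                     "jss_objects": ["Allow User to Enroll",
                                     "Enroll Computers and Mobile Devices",
                                     "Read Computers", "Update Computers"],
                     "jss_settings": [],
                     "jss_actions": ["Send Computer Remote Lock Command"]}}},
    {"account": {"id": 9, "name": "it-admin", "privilege_set": "Administrator",
                 "privileges": {"jss_objects": [], "jss_settings": [],
                                "jss_actions": []}}},
]


def flatten_privileges(account_doc):
    """Collect every privilege name across all categories into one set."""
    privileges = account_doc["account"].get("privileges", {})
    return {name for group in privileges.values() for name in group}


def audit_account(account_doc, allowed=ENROLLMENT_PRIVILEGES):
    """Describe how far one account exceeds the allowed enrollment set.

    Returns the account name, the enrollment privileges it holds, the
    privileges outside the allowed set, and a 'full_access' flag for accounts
    whose privilege set is not Custom: those accounts get everything no matter
    what the privilege list says, so the list alone would understate them.
    """
    account = account_doc["account"]
    held = flatten_privileges(account_doc)
    full_access = account.get("privilege_set", "Custom") != "Custom"
    return {
        "name": account["name"],
        "enrollment": sorted(held & allowed),
        "excess": sorted(held - allowed),
        "full_access": full_access,
        "over_privileged": full_access or bool(held - allowed),
    }


def over_privileged_accounts(account_docs, allowed=ENROLLMENT_PRIVILEGES):
    """Return the names of accounts holding more than the enrollment set."""
    results = (audit_account(doc, allowed) for doc in account_docs)
    return [r["name"] for r in results if r["over_privileged"]]


if __name__ == "__main__":
    for doc in SAMPLE_ACCOUNTS:
        result = audit_account(doc)
        print(f"{result['name']}: enrollment={result['enrollment']} "
              f"excess={result['excess']} full_access={result['full_access']}")
```

Run it against the JSON of each account you fetch from your own server and feed the parsed documents to over_privileged_accounts; any name it returns is an enrollment account that, like the default enrollment role the thread complains about, can see or change more than it needs to.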