minimum permissions required to allow DEP/ADE and user-initiated

DennisMX
Contributor II

We are reviewing the permissions given to people that need to enroll their device (macOS only) by either DEP/ADE or user-initiated permissions.

First question, do DEP/ADE and user-initiated require the same permissions?

Second question, what are the minimum required permissions?
The strange thing is that the permissions for:

Allow User to Enroll
Assign Users to Computers
Assign Users to Mobile Devices
Enroll Computers and Mobile Devices

are not assigned, but no one reports any issue.

When looking at the default role that allows people to enroll their device, it seems to assign way too much.

Anyone that knows the ins and outs?
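One way to check this question objectively is to audit what each enrollment account actually holds against the four enrollment privileges named above. The script below is an added example, not code from the thread or from Jamf: it parses an account record in the XML shape the Jamf Pro Classic API returns for `/JSSResource/accounts/username/<name>` (that shape, and the privilege names other than the four listed in the post, are assumptions), and the sample record is constructed inline so it runs offline.

```python
"""Least-privilege audit of a Jamf Pro account's privileges (added example).

Assumed record shape (Classic API style, constructed here, not fetched):
  <account><name>..</name><privileges><jss_objects><privilege>..</privilege>
"""
import xml.etree.ElementTree as ET

# The four enrollment-related privileges named in the thread.
ENROLLMENT_PRIVILEGES = {
    "Allow User to Enroll",
    "Assign Users to Computers",
    "Assign Users to Mobile Devices",
    "Enroll Computers and Mobile Devices",
}

# Constructed sample: one enrollment privilege plus unrelated object rights.
SAMPLE_ACCOUNT_XML = """<account>
  <id>42</id>
  <name>enroll.user</name>
  <privilege_set>Custom</privilege_set>
  <privileges>
    <jss_objects>
      <privilege>Enroll Computers and Mobile Devices</privilege>
      <privilege>Read Computers</privilege>
      <privilege>Update Computers</privilege>
      <privilege>Read Mobile Devices</privilege>
    </jss_objects>
    <jss_settings>
    </jss_settings>
  </privileges>
</account>"""


def parse_privileges(xml_text: str) -> dict:
    """Return {section_tag: set(privilege names)} for every <privileges> child.

    An account with no <privileges> element (or only empty sections) yields {}
    / empty sets rather than raising, so "no permissions at all" audits cleanly.
    """
    root = ET.fromstring(xml_text)
    sections = {}
    priv = root.find("privileges")
    if priv is None:
        return sections
    for section in priv:
        sections[section.tag] = {
            p.text.strip() for p in section.findall("privilege") if p.text
        }
    return sections


def audit(xml_text: str, allowed: set = ENROLLMENT_PRIVILEGES) -> dict:
    """Compare granted privileges with the enrollment set.

    'excess' is every granted privilege outside the allowed set; that is the
    list to justify or remove when tightening an enrollment-only role.
    """
    root = ET.fromstring(xml_text)
    name_el = root.find("name")
    sections = parse_privileges(xml_text)
    granted = set().union(*sections.values()) if sections else set()
    return {
        "account": name_el.text.strip() if name_el is not None and name_el.text else "",
        "enrollment_granted": sorted(granted & allowed),
        "enrollment_missing": sorted(allowed - granted),
        "excess": sorted(granted - allowed),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_ACCOUNT_XML)
    print(f"account: {report['account']}")
    for key in ("enrollment_granted", "enrollment_missing", "excess"):
        print(f"{key}: {report[key]}")
```

Run against a real export by replacing SAMPLE_ACCOUNT_XML with the API response body; anything in `excess` is a privilege the enrollment role carries beyond the four the post is asking about.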

1 ACCEPTED SOLUTION

sdagley
Esteemed Contributor II

@DennisMX If you're using AD authentication in your PreStage for ADE enabled Macs then you should not need to assign any enrollment permissions to your users for them to enroll a Mac.



DennisMX
Contributor II

1st test shows that assigning only 'Enroll Computers and Mobile Devices' allows a user to use DEP/ADE.

Why would Jamf assign so many irrelevant permissions to users and expose all computers to all users?

Thanks @sdagley, so you mean we do not need to assign any permission in Jamf to end-users?

As you specifically mention ADE, my assumption is that for user-initiated enrollments there are some required permissions?

All our machines are ADE, but every now and then a machine skips ADE and then we have the user enroll it via <company>.jamfcloud.com/enrol

DennisMX
Contributor II

No permissions at all will not get the user past the Require Authentication step for ADE.

Maybe I made some typos; it seems to work without any permissions for ADE.
Will do some further testing.

sdagley
Esteemed Contributor II

@DennisMX I should have been clearer. You do not need to assign permissions in the "Settings->User accounts and groups" section of the Jamf Pro console (which is what I took your original post to be referencing), but you do need to have "Enable user-initiated enrollment for computers" enabled under "Settings->Global->User-initiated Enrollment"

@sdagley 
Thanks for the clarification, in the meantime we ran several tests and no permissions are required for ADE or User-initiated.

Still wondering why there is a specific role for enrollment...

sdagley
Esteemed Contributor II

@DennisMX When ADE isn't possible (and my condolences for orgs in that situation) the enrollment permissions allow someone manually enrolling a Mac using https://JAMF_PRO_URL.com:8443/enroll (e.g. preparing Macs for deployment in a depot) to specify the user it's being enrolled for instead of enrolling the Mac for themselves.