Prevent a user from enrolling a device in JSS

aamitrano
New Contributor

Is there a way for me to prevent a user from enrolling a device into JSS? I have a particularly wily student who wants his techno-fingers into everything and he keeps enrolling his personal mac into the system. I keep kicking him out, but the next day he's back in. What can I do?


13 REPLIES

Johnny_Kim
Contributor II

How is the student enrolling? User-Initiated Enrollment?

aamitrano
New Contributor

I'm assuming so... The user is a student in my district and he can go through the self enrollment using his Active Directory credentials.

stevewood
Honored Contributor II

The malicious side of me says, create a configuration profile that locks down his personal machine so that he cannot do anything. Enable Parental controls, perhaps put it in Simple Finder mode, something that makes him think twice about re-enrolling again. Of course, doing so is probably against your school's policies, and could land you in hot water like the district in Pennsylvania that thought it was okay to snap pics of students at home.

About the only thing I can think is to handle this through written policies and a good ole talking to by the principal. Get his parents involved and explain to them that he is violating the school's AUP.

I don't believe there is a way to limit self enrollment logins.

blackholemac
Valued Contributor III

On Casper Suite 9.5 at least...under Global Management -> User-Initiated Enrollment, you have an Access tab. By default, the Access tab allows all LDAP users...You can change that and only allow an LDAP group...now, you'd have to formulate a group of who you do want to have access (I don't see an Exclusion option, but you can restrict user-initiated enrollment to an LDAP group.)

Hope that helps,
blackholemac

hzimmerman
New Contributor III

I agree that this is more of a discipline related issue, but you could simply create a policy for the student's computer that runs an Execute Command (under Files and Processes) that does a "jamf removeFramework". The trigger could be Enrollment and Check-In.

The student can enroll his machine all he wants, but as soon as he does the framework is removed, giving him none of the benefits of enrolling.

You would need to keep his machine in inventory to scope the policy, but that is probably cheaper and easier than continuing to watch for him to enroll the machine.

mm2270
Legendary Contributor III

When we image our Macs, we drop a hidden identifier onto the Mac in the form of a file or folder tucked away that lets us pick it up later via an Extension Attribute. This can tell us if the Mac was officially imaged using our process, or if it was BYO or manually set up and later enrolled.
You might want to consider dropping hidden identifiers on all your imaged Macs. Later you can use this to build special Smart Groups and exclusions.

While I may not go as far as what stevewood mentioned (although tempting!) I would maybe consider leaving his Mac account in the JSS, and setting up a policy that runs an Advanced command upon enrollment, scoped only to his Mac. Have the command do something like:

rm -Rf "/Applications/Self Service.app"; jamf removeFramework

Have the frequency of the policy set to Ongoing.
That way as soon as he enrolls his Mac, shortly after the policy will run and remove the framework. That way it's automated and you don't need to do anything. Short of moving onto a new Mac with a different hardware identifier, there won't be anything he can do to keep the Mac enrolled, since the JSS will see his Mac as the system scoped to the policy even if he renames it or upgrades the OS or whatever.
However, this process would require leaving his Mac in the JSS to maintain the scope. As soon as you remove it, the policy won't have a Mac to run it against.

Hope that helps.

Update: @hzimmerman beat me to it. But we were thinking along the same lines, and so I agree with him :)
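An added example (not from either post or from Jamf) of the hidden-identifier check mm2270 describes, written as a Jamf Extension Attribute script; the resulting "Imaged"/"BYO" value is what a Smart Group would key on to scope the removeFramework policy hzimmerman suggests. The marker path and the token it must contain are assumptions; choose your own when imaging.

```bash
#!/bin/bash
# Added example, not code from the thread. Reports whether this Mac carries the
# hidden marker dropped during our imaging process. Jamf stores the text between
# the <result> tags in inventory, so a Smart Group "Imaging Status is BYO" can
# scope an enrollment-triggered policy that runs "jamf removeFramework".

# Assumed marker location and expected contents (hypothetical values).
MARKER_PATH="/Library/Application Support/.org_imaged"
EXPECTED_TOKEN="ORG-IMAGED-2014"

# imaging_status PATH TOKEN
# Prints "Imaged" only when the marker exists AND holds the expected token,
# so an empty file created by hand does not pass; prints "BYO" otherwise.
imaging_status() {
    local marker="$1" token="$2" contents
    if [ ! -f "$marker" ]; then
        echo "BYO"
        return 0
    fi
    contents=$(tr -d '[:space:]' < "$marker")
    if [ "$contents" = "$token" ]; then
        echo "Imaged"
    else
        echo "BYO"
    fi
}

# Output in the format Jamf Extension Attributes expect.
echo "<result>$(imaging_status "$MARKER_PATH" "$EXPECTED_TOKEN")</result>"
```

The policy still needs the Mac to remain in inventory, as both posts note; the EA only automates telling imaged Macs apart from self-enrolled ones.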

aamitrano
New Contributor

Thanks, everyone, for your responses. I totally agree that this is a discipline issue and I am proposing a technological solution. This is a student that we have had ongoing issues with and multiple conversations with parents, to no avail. Why he even has access to technology, period, is beyond me, and beyond the scope of this discussion.

At any rate, I appreciate the responses. We are not managing Mac OS X devices at all, just iOS. If I go into Global Management - User-Initiated Enrollment - and uncheck "Enable user-initiated enrollment for computers" that will prevent him from enrolling, yes? We will not be managing Macs in the foreseeable future, so this is not really something we need to allow right now anyway. Would doing this have any unintended consequences on my iOS devices?

Thanks again for the suggestions!

mm2270
Legendary Contributor III

Yeah, just turn off the enrollment for Macs. Problem solved. You didn't initially mention you were only managing iOS devices, so that's a far easier solution. He'll get an OS X enrollment access denied error when he tries to get to the enrollment page afterwards.

aamitrano
New Contributor

Beautiful. Thanks so much.

Kumarasinghe
Valued Contributor

You can limit LDAP groups to do "User-Initiated Enrollment Process" in JSS 9.4+
This was requested and implemented:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2267

Kaltsas
Contributor III

I gotta say the "throw the kid under the bus" responses here are surprising. Lock down his personal machine....... If this was my kid and you had user initiated enrollment on and came calling me rather than reconfiguring your SMS, I'd probably laugh and hang up. Seems like the kid did you a favor by finding an unintended hole in your configuration. Maybe instead of suggesting he have no access to technology at all you should engage him, encourage him, nurture him. You might find you have an asset rather than an enemy.

Just my 2 cents.

blackholemac
Valued Contributor III

I'll be honest...I agree even though I pointed out in an earlier post how to limit who can enroll using the User Initiated enrollment. Trying to solve a classroom management problem in technology usually ends badly. Either the kid can't do work that he needs to or it becomes a "headache special situation" that you have to deal with. And once you do it for one...wait for the floodgates of special situations. My thought there is, have the teacher work with the kid some more. You could also "empower the teacher" by showing him/her how to set local restrictions on the iPad taking you out of the mix. But again, I dunno if I'd solve a classroom management problem with a restriction in this case.

aamitrano
New Contributor

Hi Folks,

Again, I completely understand what I asked for and completely understand that this is a discipline problem and nothing more than that. The solution I employed, prohibiting user-initiated enrollment for Mac OS X devices, worked, and will work for us for the foreseeable future. His device was the only Mac that kept enrolling in JSS, and it was just becoming annoying; it is not a problem other than me logging into JSS and seeing that he has enrolled his device, yet again.

For the comments regarding engaging and nurturing the student, empowering our teachers, reaching out to his parents, etc. We have done this with this student ad nauseam for the past four years. Could we do something differently? Probably. Could his parents be doing something differently? Absolutely. Sometimes, in my experience, the schools and the parents agree to disagree. That is certainly the case in this situation.

Bottom line, I have a solution and it works. I appreciate the assistance.