I'm seeing very inconsistent behavior with my user initiated enrollment. I have mine configured so certain LDAP groups can assign devices to some sites but not others. I created 2 test accounts and they are in the same groups and with one I get the user assignment prompt, and can select any site (which it should not have access to), and with the other user I get neither and immediately go to the CA cert prompt and that enrolls in the site that LDAP account has permission to assign to.
The behavior seems very odd at the moment to me. I opened a ticket with Jamf about this the other day and I can update when I get more info.
While working with Jamf we found out that if a user/group has any permissions for viewing a site in the "Jamf Pro User Accounts & Groups" setting section, they would be able to assign to a site, even if that group/user wasn't assigned explicit permission to assign to that site in the "User-Initiated Enrollment" setting section.
Essentially I had LDAP group "techs" set up to have "uploading" privileges to full Jamf, so they can upload their own packages/scripts/etc, but not view or edit on most things in full Jamf. However everyone in the "techs" LDAP group could enroll in any site, even though they were not given any (or different) site enroll permissions in the user enrollment section.
After figuring that out and adjusting permissions appropriately, I was able to get the assign to user behavior I wanted.
So site enrollment takes its permissions from multiple parts of Jamf, not just the user enroll section, and that messes up what you want, is the long and short of it.
Does that make sense?