"Enrollment Only" Accounts - Clarification needed

sdb
New Contributor II

I have a question regarding the "Enrollment Only" Privilege Set in Jamf Pro User Accounts & Groups, and I'll try to be as clear as possible.

Can anyone clarify if all users who are invited to enroll in Jamf (i.e. by email invitation or via the enrollment web console) need to first be added in Jamf with Enrollment Only privileges?

I know this isn't needed for Macs set up via Prestage enrollment, but in order for us to be able to assign a (LDAP) user to a device during User Initiated Enrollment, we first have to add them to the user group in Jamf Pro with the Enrollment Only privilege set. Otherwise we don't get the 'Assign to User' option when they go through the User Initiated Enrollment Process.

I know we can edit the user information post-enrollment (via the Jamf Pro interface), so I'm not sure if it is necessary to even use this 'Assign to User' step? 

Can anyone explain why either way is better? Thanks!

1 ACCEPTED SOLUTION

sdb
New Contributor II

For anyone interested in this, Jamf Support were able to explain to me that an 'Enrollment Only' account should only be used if there isn't an LDAP server configured in Jamf Pro. The use case would be that the credentials of this account could be sent to end users to enroll their devices. If you have an LDAP server configured, it's best not to create an 'Enrollment Only' account.

 

