UIE - enrollment Restrictions - macOS Computers

aburrow007
New Contributor II

I'm trying to restrict access to the UIE page "/enroll" to an EntraID Group.

From what I'm reading and have been told this is not possible.

Has anyone else encountered this issue, and if so how did you resolve?

Turning off UIE isn't an option as we still wish to use Pre-Stage 


AJPinto
Esteemed Contributor

User initiated enrollment uses Jamf Users and Groups, not IDP (i.e. Entra) users and groups, and there is no option to enable SSO functionality for this particular thing. If you have Jamf connected to LDAP you can use AD groups. It's beyond me why you cannot SSO this thing, but you can't.


Ironically you can't even limit this function to Entra groups in Intune, so it's not a gap in Jamf.

aburrow007
New Contributor II

You can for Devices, just not Computers, which I find confusing as well. Will keep looking; need to lock it down somehow, as having users enrol their personal devices into Jamf is an unacceptable security risk.

AJPinto
Esteemed Contributor

It may be an idea to disallow user initiated enrollment.


I work in finance, which is highly regulated by nature, and my employer is a tad bit on the retentive side with security. We only allow automated device enrollment, and an enrollment customization on the prestage to enable SSO with our IDP. The IDP will check user access on enrollment, perform MFA and either allow or deny the authentication based on groups and roles.


For user initiated enrollment, we simply don't allow that under any situation. There is a local account in Jamf with an obnoxiously long password that is vaulted and rotated periodically that can be used if needed for some reason, but it requires clear business justification to check out the password.