User-Only Enrollments
  • 24 Sep 2022

There are occasional scenarios in which establishing device management on a device that needs access to organizational resources is not possible. These include:

  • Contractor devices whose device management is bound to another device management instance.
  • BYO Mac / BYO PC scenarios where device management cannot be deployed for privacy reasons.
Security Warning

If access to data resources is extended to unmanaged devices, you significantly decrease the efficacy of the Trusted Access security model for that data.

By no longer requiring a sanctioned or safe device to access that data resource, the resource is necessarily available to any device, making it far more vulnerable to user credential-based attacks.

If you do use this method, be mindful of the sensitivity of the data being exposed and define access to user-only enrolled devices as narrowly as possible.

With this enrollment method, a user installs Jamf Trust and activates it using their IdP credentials. Data resources are then available to the user and device based upon their assigned Access Policies.

Enable User-Only Data Access via Jamf Trust

This deployment model relies on Identity-based Enrollments, which let devices without management activate Jamf Trust using IdP credentials only.

  1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR, with the following modifications:
    1. Create a new Activation Profile titled Unmanaged Devices with the following configurations:
      1. Set the Device Group to a new group named Unmanaged User-Only Devices
      2. Select the identity provider that users of this activation profile will use.
      3. For Capabilities, select at least Zero Trust Network Access.
    2. Configure Identity-Based Provisioning for the newly created Unmanaged Devices activation profile.
    3. Modify your Access Policies in RADAR as follows:
      1. For sensitive applications, make sure Everyone is NOT selected in the policy's Users and Groups configuration.
      2. For applications that should be accessible to User-Only devices, select the Limited option for Users and Groups and be sure to include the Unmanaged User-Only Devices group created above.
      3. It is STRONGLY recommended that access policies available to the Unmanaged User-Only Devices are configured with any subnet-wide traffic definitions (e.g. /24) in the Traffic Matching configuration.
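The Access Policy rules above (no "Everyone" scope on sensitive applications, and access for user-only devices defined as narrowly as possible, with subnet-wide traffic definitions treated with care) can be audited rather than checked by eye. The script below is an added example, not Jamf's code and not the RADAR API; it models policies with a constructed, hypothetical schema (`AccessPolicy`, `users_and_groups`, `traffic`) and flags two kinds of weak settings on sample data constructed inline.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed policy model for illustration only; this is NOT the RADAR schema or API.
UNMANAGED_GROUP = "Unmanaged User-Only Devices"


@dataclass
class AccessPolicy:
    name: str
    sensitive: bool
    users_and_groups: str                      # "Everyone" or "Limited"
    groups: list = field(default_factory=list)  # device groups when "Limited"
    traffic: list = field(default_factory=list)  # Traffic Matching entries: CIDRs or hostnames


def broad_prefixes(traffic):
    """Return the traffic entries that define a whole subnet (more than one host).

    Hostname entries are skipped: they are not subnet definitions.
    """
    broad = []
    for entry in traffic:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if net.num_addresses > 1:  # anything wider than a single /32 or /128 host
            broad.append(entry)
    return broad


def audit(policies):
    """Return (policy name, finding) pairs for settings that widen unmanaged-device access."""
    findings = []
    for p in policies:
        if p.sensitive and p.users_and_groups == "Everyone":
            findings.append((p.name, "sensitive application scoped to Everyone"))
        # A policy reaches user-only devices if it is open to Everyone or lists their group.
        reaches_unmanaged = p.users_and_groups == "Everyone" or UNMANAGED_GROUP in p.groups
        if reaches_unmanaged:
            for cidr in broad_prefixes(p.traffic):
                findings.append((p.name, f"subnet-wide traffic definition {cidr} reachable from unmanaged devices"))
    return findings


# Constructed sample policies (hypothetical names and addresses).
SAMPLE_POLICIES = [
    AccessPolicy("HR Payroll", sensitive=True, users_and_groups="Everyone",
                 traffic=["payroll.corp.example"]),
    AccessPolicy("Intranet Wiki", sensitive=False, users_and_groups="Limited",
                 groups=["Managed Macs", UNMANAGED_GROUP],
                 traffic=["10.20.30.0/24", "wiki.corp.example"]),
    AccessPolicy("Ticketing", sensitive=False, users_and_groups="Limited",
                 groups=[UNMANAGED_GROUP], traffic=["10.20.40.15/32"]),
    AccessPolicy("Finance DB", sensitive=True, users_and_groups="Limited",
                 groups=["Finance Managed"], traffic=["10.20.50.0/24"]),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_POLICIES):
        print(f"{name}: {finding}")
```

On the sample data the audit reports "HR Payroll" (sensitive, scoped to Everyone) and "Intranet Wiki" (a /24 reachable by the Unmanaged User-Only Devices group); "Ticketing" passes because its traffic definition is a single host, and "Finance DB" passes because its /24 is not reachable from the unmanaged group. The policy names used in the sample are constructed and would be replaced with an export of your own access policies.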

Users can now download the Jamf Trust app from their platform's public App Store (or here for Windows), then sign on with their IdP credentials when prompted. The app will activate, and network access will be available to the applications configured in Access Policies for the device.

Access can be revoked from the user at any time by deleting their device entry in RADAR > Devices > Manage. Note that the user will be able to re-enroll if their credentials are still valid and your identity provider integration configuration permits it.
