---
title: "Contractor Devices"
slug: "user-only-enrollments"
updated: 2026-01-16T16:08:03Z
published: 2026-01-16T16:08:03Z
---


# User-Only Enrollments

Occasionally, a device needs access to organizational resources but cannot be placed under device management. Examples include:

- Contractor devices whose device management is bound to another device management instance.
- BYO Mac / BYO PC scenarios where device management cannot be deployed due to privacy reasons.

**Security Warning**

If access to data resources is extended to unmanaged devices, **you significantly decrease the efficacy of the Trusted Access security model for those data**.

Because a sanctioned or safe device is no longer required to access that data resource, the resource is necessarily available to any device, making it far more vulnerable to [user credential-based attacks](https://www.darkreading.com/cyberattacks-data-breaches/hacker-pwns-uber-via-compromised-slack-account).

If you do use this method, be mindful of the sensitivity of the data being exposed and define access to user-only enrolled devices as narrowly as possible.

With this enrollment method, a user installs Jamf Trust and activates it using their IdP credentials. Data resources are then available to the user and device based upon their assigned Access Policies.

## Enable User-Only Data Access via Jamf Trust

This deployment model relies on Identity-based Enrollments, which allow devices without management to activate Jamf Trust using IdP credentials only.

1. Follow the steps in [Enabling Access for Trusted Devices](/v1/docs/enabling-access-for-trusted-devices) to configure Private Access in RADAR, with the following modifications:
   1. Create a new **Activation Profile** titled `Unmanaged Devices` with the following configurations:
      1. Set the **Device Group** to a new group named `Unmanaged User-Only Devices`.
      2. Select the identity provider that users of this activation profile are to use.
      3. For **Capabilities**, select at minimum **Zero Trust Network Access**.
   2. Configure [Identity-Based Provisioning](https://docs.jamf.com/jamf-security/radar/documentation/Configuring_Identity-Based_Provisioning.html) for the newly created `Unmanaged Devices` activation profile.
   3. Modify your Access Policies in RADAR as follows:
      1. For sensitive applications, make sure `Everyone` is NOT selected in the policy's **Users and Groups** configuration.
      2. For applications that should be accessible to User-Only devices, select the **Limited** option for **Users and Groups** and be sure to include the `Unmanaged User-Only Devices` group created above.
      3. It is **STRONGLY** recommended that access policies available to the `Unmanaged User-Only Devices` group are not configured with any subnet-wide traffic definitions (e.g. `/24`) in the **Traffic Matching** configuration.

Users can now download the Jamf Trust app from their platform's public App Store (or [here](https://docs.jamf.com/jamf-security/radar/documentation/Release_Notes_Wandera_App_Windows.html#concept-5731) for Windows), then sign in with their IdP credentials as prompted. The app will activate, and network access will be available to the applications configured in Access Policies for the device.

A user's access can be revoked at any time by deleting their device entry in **RADAR > Devices > Manage**. Note that the user will be able to re-enroll if their credentials are still valid and your identity provider integration configuration permits it.
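
As an added example (not Jamf's code, and not a RADAR API or export format), the following script lints a hand-transcribed copy of your Access Policies against the Access Policy checks in the steps above and the advice to define access for user-only enrolled devices as narrowly as possible. The field names, the `sensitive` flag, the treatment of `Everyone` as covering unmanaged devices, and the sample policies are assumptions constructed for illustration.

```python
import ipaddress

UNMANAGED_GROUP = "Unmanaged User-Only Devices"  # group name from the steps above

# Constructed sample data. The field names are assumptions for this example,
# not a RADAR export schema.
POLICIES = [
    {"name": "Wiki", "sensitive": False,
     "users_and_groups": [UNMANAGED_GROUP, "Staff"],
     "traffic": ["wiki.example.com", "10.20.30.15/32"]},
    {"name": "Finance DB", "sensitive": True,
     "users_and_groups": ["Everyone"], "traffic": ["10.50.0.8"]},
    {"name": "Lab network", "sensitive": False,
     "users_and_groups": [UNMANAGED_GROUP],
     "traffic": ["10.60.1.0/24", "build.example.com"]},
    {"name": "HR portal", "sensitive": True,
     "users_and_groups": ["HR"], "traffic": ["hr.example.com"]},
]


def is_subnet_wide(entry):
    """True when a traffic entry is a CIDR block covering more than one address."""
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostname or other non-IP matcher
    return net.num_addresses > 1


def audit(policies):
    """Return (policy name, finding) tuples for policies that break the checks."""
    findings = []
    for p in policies:
        groups = p["users_and_groups"]
        if p["sensitive"] and "Everyone" in groups:
            findings.append((p["name"], "sensitive policy selects Everyone"))
        # Assumption: Everyone also covers user-only enrolled devices.
        if "Everyone" in groups or UNMANAGED_GROUP in groups:
            for entry in p["traffic"]:
                if is_subnet_wide(entry):
                    findings.append((p["name"], f"subnet-wide traffic match {entry}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(POLICIES):
        print(f"{name}: {finding}")
```

Single hosts written as `/32` or as a bare address pass the subnet check; only blocks that cover more than one address are reported.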
