User-Initiated Enrollment for Computers

You can allow users to enroll their own computers by having them log in to an enrollment portal where they follow the onscreen instructions to complete the enrollment process.

User-initiated enrollment is one of the methods that results in a User Approved MDM state for eligible computers. This state is required for certain performance and security enhancements, like managing kernel extensions. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro article.

Users will be prompted to download and install a CA certificate and MDM profile during the user-initiated enrollment process. Users must manually return to the enrollment portal webpage after CA certificate installation to install the MDM profile and complete the enrollment process. The jamf binary is installed automatically after MDM enrollment is complete.

Note:

If user-initiated enrollment settings are configured to skip certificate installation during enrollment, users will only be prompted to download the MDM profile.

General Requirements

To allow computers to be enrolled with user-initiated enrollment, you need:

Providing an Enrollment URL to Users

You can provide the enrollment URL to users in the way that best fits your environment.

Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account. When a user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro during enrollment. When a user logs in with a Jamf Pro user account, it allows an LDAP user to be assigned to the device.

Requirements

Users must use Safari to access the enrollment URL.

To direct users to the enrollment portal, provide an enrollment URL. The enrollment URL is the full URL for the Jamf Pro server followed by /enroll.

Example:
  • Cloud-Hosted

    https://JAMF_PRO_URL.jamfcloud.com/enroll

  • On-Premisehttps://JAMF_PRO_URL.com:8443/enroll

Sending a Computer Enrollment Invitation

You can send an email invitation that contains the enrollment URL from Jamf Pro to one or more users. Users click the enrollment URL in the email message to access the enrollment portal. Enrollment invitations give you more control over user access to the enrollment portal by allowing you to do the following:

  • Set an expiration date for the invitation

  • Require users to log in to the portal

  • Allow multiple uses of the invitation

  • Add the computer to a site during enrollment

  • View the status of the invitation

Requirements

To send a computer enrollment invitation, you need an SMTP server set up in Jamf Pro (For more information, see SMTP Server Integration.)

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Enrollment Invitations in the sidebar.
  3. Click New .
  4. Follow the onscreen instructions to send the enrollment invitation.

An enrollment invitation is immediately sent to the email addresses you specified.

You can view the status of the enrollment invitation in the list of invitations.

Viewing Computer Enrollment Invitation Usage

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Enrollment Invitations in the sidebar.
  3. Click the enrollment invitation you want to view usage for.
  4. Click View Enrolled Computers .

A list of computers enrolled with the invitation is displayed.