Choose your onboarding adventure: Automated device enrollment paths

Automated device enrollment: why should I care?

The onboarding process sets the standard for how your company’s devices and user accounts are secured. Automated device enrollment (ADE) builds the foundation for zero-touch deployment, providing a secure starting point for employees. The addition of various identity management procedures further enhances security. Using Jamf to onboard devices allows you to build workflows for the automatic setup of kiosk machines or other devices.

Onboarding options

There are multiple onboarding methods to meet the needs of your organization. Brown and Rabbitt mention ADE “layers,” with each layer increasing the level of security. They explain each layer and provide a screen recording of the user experience. These layers are:

• ADE
• ADE with auto-advancing
• ADE with Lightweight Directory Access Protocol (LDAP) authentication
• ADE with Enrollment Customization (EC) and Security Assertion Markup Language (SAML) authentication
• ADE with Jamf Connect

ADE (“Kiosk Mode”)

Using ADE alone allows for a convenient, hands-off onboarding that is great for labs, break rooms or shared devices. Using this walks the user through the process without account creation, and can be set up for automatic login after it has been logged into once. Though convenient, ADE alone is not typically the best solution when enrolling devices with one user.

ADE + LDAP

By using the Jamf Infrastructure Manager (JIM) or LDAPs in Jamf Pro, you can create custom messages during the authentication stage of the onboarding process. The username is prefilled from the directory, and the user authenticates using their directory username and password. This provides a simple way for users to log in, but does not use MFA.

ADE + SAML Single Sign-On (SSO)

Jamf Pro uses SAML to support SSO. Using SAML instead of LDAP eliminates the need for an on-premises LDAP server or JIM. Alternatively, SAML can talk directly with a cloud identity provider (IdP), which forces the use of MFA. This removes the custom authentication method that can be used with LDAP. SAML cannot throughput a password to create a local user account; this requires authentication via SSO.

ADE + Jamf Connect

Similar to using SAML SSO, Jamf Connect uses a cloud IdP that enforces MFA and does not use the JIM or an LDAP server. The onboarding workflow forces an installation of Jamf Connect onto the user’s device and creates a user account based on their IdP credentials. Jamf Connect provides password synchronization with the IdP and centralized management of user permissions, allowing the computer to automatically give the appropriate permission upon login. Jamf Connect uses the IdP credentials to create a local user account. Together, ADE and Jamf Connect provide a simple automated onboarding experience while providing the security of user accounts that rely on a cloud IdP and MFA.

Brown and Rabbitt elaborate on how accounts are created with these various workflows and how Jamf Notify further enhances the onboarding experience.

Additional onboarding tools

Brown and Rabbitt mention a few more onboarding tools:

• NoMAD login: for organizations without access to a cloud IdP and who are using an on-premises active directory
• DEPNotify: available on Jamf Marketplace, this package allows you to run policies that allow for further customization
• Onboarding scripts: open-source scripts are available on GitHub
• The experience of your fellow admins: Jamf Nation and MacAdmins slack