Require Authentication with Automated Device Enrollment

Learn how to leverage the Require Authentication option within the Automated Device Enrollment Library item.

Require Authentication 

The Require Authentication option within the Automated Device Enrollment Library item allows admins to require users to authenticate with an identity provider (IdP) prior to allowing the device to proceed with enrollment. Additionally, you can optionally match the authenticated IdP user to a user in your integrated directory, and automatically assign the matched user to the device record.

Here are the controls:

  1. Require Authentication: Enabling this option will require all eligible device types to authenticate through your configured IdP during Automated Device Enrollment. 
  2. Select an authentication connection: In this menu, you will select the SSO connection that you have previously configured in Settings. Learn more about creating an SSO connection.
  3. Automatically match authenticated user to device: Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integrated with Kandji. If the email address of the authenticated IdP user matches the email address of a user in your integrated directory, Kandji assigns the user to the device.

Kandji-Support-KB-enrollment-custimization@2x

Eligible Operating Systems  

Devices running the following operating systems support Enrollment Customization, which is the underlying Apple technology that allows Kandji to require authentication during Automated Device Enrollment:

  • iOS 13+
  • iPadOS 13+
  • macOS 10.15+

Note:

To prevent unauthorized enrollments, Kandji will refuse to enroll any iOS, iPadOS, or macOS device that does not meet Apple's requirements for Enrollment Customization; the device will display a 403 error.

Because Apple TV does not support Enrollment Customization, Kandji will always allow Apple TV to enroll, even if a Blueprint has the Require Authentication option enabled.

Authentication Connection

The selected authentication connection for the Automated Device Enrollment profile is the SSO connection that will be used to authenticate the user. Any user that is assigned to the "Application" within the Identity Provider will be allowed to complete the enrollment.

You can use the same connection (generally referred to as an application within the identity provider) that you use for your Kandji Team Members to authenticate into your Kandji instance, or you can configure an entirely new connection/application within Kandji and your identity provider specifically for device enrollment. If you elect to use the same connection/application, please note that your end users may see the Kandji application within your identity providers application catalog. Assigning users to the application will not grant them administrative rights in Kandji.

An SSO connection does not need to be Active in Settings > Access in order to be used for Require Authentication within Automated Device Enrollment. A connection should only be Active in settings if you want to authenticate Kandji administrators to the web app with that connection. 

Automatically match authenticated user to device

The Automatically match authenticated user to device option works by matching the user who authenticates during Automate Device Enrollment to a user in your integrated user directory. If a matching user is found, this user will be assigned to the device record.

In the event that matching is enabled, and a user was pre-assigned to the device while awaiting enrollment, but a different user authenticates the enrollment, the authenticating user would be matched and assigned, replacing the pre-assigned user. 

Enrollment Experience 

Remote Management Screen during Automated Device Enrollment:

EC1

Authentication via Enrollment Customization WebView:

EC2-A

After successful authentication, enrollment continues, and the device setup proceeds:

EC3

Feature Availability

This feature is available to all customers that have SSO enabled.