Require Authentication with Automated Device Enrollment

Learn how to leverage the Require Authentication option within the Automated Device Enrollment Library item.

Require Authentication 

The Require Authentication option within the Automated Device Enrollment Library item allows admins to require users to authenticate with an identity provider (IdP) before allowing the device to proceed with enrollment. You can also match the authenticated IdP user to a user in your integrated directory and automatically assign the matched user to the device record.

Here are the controls:

  1. Require Authentication.
    1. Enabling this option will require all eligible device types to authenticate through your configured IdP during Automated Device Enrollment. 
  2. Connection.
    1. Select the SSO connection that you have previously configured in Settings. Learn more about creating an SSO connection.
    2. An SSO connection does not need to be Active in Settings > Access to Require Authentication within Automated Device Enrollment. A connection should only be Active in settings if you want to authenticate Kandji administrators to the web app with that connection. 
  3. Assign user to device record.
    1. Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integration(s). If the email address of the authenticated IdP user matches the email address in your integrated directory, the user will be assigned to the device.
  4. Prefill primary account details.
    1. Enabling this option will automatically pre-fill the primary computer account details for the initial computer account created during Setup Assistant. If no user is matched and assigned to the device record, no details are pre-filled.
    2. Compatible with Mac computers running macOS 10.15 or later.
  5. Lock primary account details.
    1. Enabling this option will lock the prefilled primary account details for the initial computer account created during Setup Assistant.  
    2. Compatible with Mac computers running macOS 10.15 or later.


Eligible Operating Systems

Devices running the following operating systems support Enrollment Customization, which is the underlying Apple technology that allows Kandji to require authentication during Automated Device Enrollment:

• iOS 13+
• iPadOS 13+
• macOS 10.15+

Note:

To prevent unauthorized enrollments, Kandji will refuse to enroll any iOS, iPadOS, or macOS device that does not meet Apple's requirements for Enrollment Customization; the device will display a 403 error.

Because Apple TV does not support Enrollment Customization, Kandji will always allow Apple TV to enroll, even if a Blueprint has the Require Authentication option enabled.

Authentication Connection

The selected authentication connection for the Automated Device Enrollment profile is the SSO connection used to authenticate the user. Any user assigned to the "Application" within the Identity Provider will be allowed to complete the enrollment.

You can use the same connection (generally referred to as an application within the identity provider) that your Kandji Team Members use to authenticate into your Kandji instance, or configure an entirely new connection/application within Kandji and your identity provider specifically for device enrollment. If you elect to use the same connection/application, please note that your end users may see the Kandji application within your identity provider's application catalog. Assigning users to the application will not grant them administrative rights in Kandji.

An SSO connection does not need to be Active in Settings > Access to Require Authentication within Automated Device Enrollment. A connection should only be Active in settings if you want to authenticate Kandji administrators to the web app with that connection.

Assign user to device record

The Assign user to device record option works by matching the user who authenticates during Automated Device Enrollment to a user in your integrated user directory. If a matching user is found, this user is assigned to the device record.

If matching is enabled, and a user was pre-assigned to the device while awaiting enrollment, but a different user authenticates the enrollment, the authenticating user is matched and assigned, replacing the pre-assigned user.
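The following is an added illustrative model of the rules this article describes (the eligibility check with the Apple TV exception, email-based user matching, replacement of a pre-assigned user, and prefill only when a user was matched); it is not Kandji's code. It assumes case-insensitive email matching and that an unmatched authentication leaves any pre-assigned user in place, neither of which the article states.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Minimum OS versions that support Enrollment Customization, as listed above.
MIN_VERSION: Dict[str, Tuple[int, ...]] = {
    "iOS": (13,), "iPadOS": (13,), "macOS": (10, 15),
}

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def enrollment_allowed(platform: str, version: str) -> bool:
    """Apple TV has no Enrollment Customization, so it always enrolls; every
    other device must meet the minimum version or is refused (the 403 above)."""
    if platform == "tvOS":
        return True
    minimum = MIN_VERSION.get(platform)
    return minimum is not None and parse_version(version) >= minimum

def match_directory_user(idp_email: str, directory: Dict[str, str]) -> Optional[str]:
    """Match the IdP user to a directory user by email address.
    Case-insensitive comparison is an assumption of this model."""
    wanted = idp_email.strip().lower()
    for email, user in directory.items():
        if email.lower() == wanted:
            return user
    return None

@dataclass
class DeviceRecord:
    assigned_user: Optional[str] = None      # may be pre-assigned before enrollment
    prefilled_account: Optional[str] = None  # primary account details for Setup Assistant

def complete_enrollment(record: DeviceRecord, idp_email: str, directory: Dict[str, str],
                        assign_user: bool = True, prefill: bool = True) -> DeviceRecord:
    matched = match_directory_user(idp_email, directory) if assign_user else None
    if matched is not None:
        # The authenticating user replaces any user pre-assigned while awaiting enrollment.
        # Assumption: no match leaves an existing assignment untouched.
        record.assigned_user = matched
    # Account details are only prefilled when a user was matched and assigned.
    record.prefilled_account = matched if (prefill and matched is not None) else None
    return record

# Constructed sample directory (email -> directory user); not real accounts.
DIRECTORY = {"Alice.Example@example.com": "alice", "bob@example.com": "bob"}

if __name__ == "__main__":
    print(enrollment_allowed("macOS", "10.14.6"))  # False: refused with a 403
    print(complete_enrollment(DeviceRecord(assigned_user="bob"),
                              "alice.example@example.com", DIRECTORY))
```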

Enrollment Experience

Screenshot: Remote Management screen during Automated Device Enrollment.

Screenshot: Authentication via the Enrollment Customization WebView.

Screenshot: After successful authentication, enrollment continues and device setup proceeds.