Configuring Require Authentication for Enrollment

By Trevor Gerzen

Learn how to require authentication when enrolling devices

What is Require Authentication?

Require Authentication is an enrollment setting that lets administrators force user authentication through an identity provider (IdP) before device enrollment proceeds. Administrators can also have the authenticated IdP user matched against their integrated user directory and the matched user assigned to the device record automatically.

How Require Authentication Works

After configuring a Single Sign-On (SSO) connection in Kandji and assigning it to an Automated Device Enrollment Library Item or Blueprint on the Enrollment page, users will need to authenticate through an IdP in order to enroll their devices with Kandji. Kandji admins can opt to automatically assign users to device records based on email matches.

For Automated Device Enrollment configurations that require authentication, admins can prefill and lock account details during setup.

Prerequisites

Configuring Require Authentication with Automated Device Enrollment

  1. Navigate to Library in the left-hand navigation bar.
  2. Click Add New on the top-right, and choose Accessory & Storage Access.
  3. Click Add & Configure.
  4. Give the new Automated Device Enrollment Library Item a Name.
  5. Assign to your desired Assignment Maps or Classic Blueprints.
  6. Check the box for Require Authentication.
  7. Select an SSO Connection.
  8. Optionally, select Assign user to device record.
    • Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integration(s). If the authenticated IdP user's email address matches the email address in your integrated directory, the user will be assigned to the device.
  9. To prepopulate your user's initial account information to match your IdP, select Prefill primary account details.
  10. To ensure that your user cannot change their initial account information, select Lock primary account details.
  11. Configure the rest of your Automated Device Enrollment Library Item as desired, and click Save.

Configuring Require Authentication with Manual Enrollment

  1. Select Enrollment in the navigation bar.
  2. Navigate to the Manual Enrollment tab.
  3. Scroll down to your desired Blueprint and check the box for Require Authentication.
  4. If desired, check the box to Assign user to device record.
    • Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integration(s). If the authenticated IdP user's email address matches the email address in your integrated directory, the user will be assigned to the device.
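The email-based matching behind the Assign user to device record option (step 8 of the Automated Device Enrollment procedure and step 4 of the Manual Enrollment procedure above) is easier to reason about when the three outcomes an admin will actually see are spelled out: a clean match, no match, and the same email present in more than one directory integration. The following is an added example, not Kandji's code; the data model, the case-insensitive comparison, the "ambiguous" outcome and all sample users, serials and integration labels are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DirectoryUser:
    """A user record from one of the tenant's directory integrations (hypothetical model)."""
    user_id: str
    email: str
    integration: str  # label for the integration the record came from (constructed)


@dataclass(frozen=True)
class MatchResult:
    status: str                  # "matched", "no_match" or "ambiguous"
    user_id: Optional[str]       # directory user to assign to the device record, if matched
    candidates: tuple[str, ...]  # every directory user whose email matched (for audit)


def normalize_email(address: str) -> str:
    """Canonicalize an email address for comparison.

    Assumption: matching is case-insensitive on the whole address and ignores
    surrounding whitespace; the article does not state Kandji's exact rule.
    """
    address = address.strip()
    if address.count("@") != 1 or address.startswith("@") or address.endswith("@"):
        raise ValueError(f"not a usable email address: {address!r}")
    return address.lower()


def match_idp_user(idp_email: str, directory: list[DirectoryUser]) -> MatchResult:
    """Find the directory user whose email equals the IdP-authenticated email."""
    target = normalize_email(idp_email)
    candidates = tuple(u.user_id for u in directory if normalize_email(u.email) == target)
    if not candidates:
        return MatchResult("no_match", None, ())
    if len(candidates) > 1:
        # Same email in more than one integration: do not guess, leave it for an admin.
        return MatchResult("ambiguous", None, candidates)
    return MatchResult("matched", candidates[0], candidates)


def assign_user_to_device(device: dict, result: MatchResult) -> dict:
    """Return an updated copy of a device record; only a clean match sets the user."""
    updated = dict(device)
    updated["assigned_user"] = result.user_id if result.status == "matched" else None
    updated["assignment_status"] = result.status
    return updated


# Constructed sample directory: one user present in two integrations on purpose.
SAMPLE_DIRECTORY = [
    DirectoryUser("u-1001", "jane.doe@example.com", "idp-directory-a"),
    DirectoryUser("u-1002", "sam.lee@example.com", "idp-directory-a"),
    DirectoryUser("u-2002", "sam.lee@example.com", "idp-directory-b"),
]


def demo() -> list[dict]:
    """Run three constructed enrollment scenarios and return the resulting device records."""
    enrollments = [
        {"serial": "CONSTRUCTED-001", "idp_email": "Jane.Doe@Example.com"},  # case differs
        {"serial": "CONSTRUCTED-002", "idp_email": "sam.lee@example.com"},   # in two integrations
        {"serial": "CONSTRUCTED-003", "idp_email": "nobody@example.com"},    # not in directory
    ]
    records = []
    for enrollment in enrollments:
        result = match_idp_user(enrollment["idp_email"], SAMPLE_DIRECTORY)
        records.append(assign_user_to_device({"serial": enrollment["serial"]}, result))
    return records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The point of keeping `assignment_status` on the record is operational: a device enrolled with Require Authentication but left unassigned is a signal worth reviewing, since it means the IdP account that passed authentication has no counterpart in the integrated directory (or more than one), and the admin should reconcile the directories rather than assign by hand.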

Considerations

  • If you are also deploying Passport, you must deselect the Prefill initial account creation details and Lock prefilled account creation details options. Using the prefill and lock settings while skipping account creation, as recommended with Passport, will cause account creation conflict and result in a Setup Assistant error that requires the Mac to be erased.
  • If requiring authentication and using Google Workspace as your identity provider, the Single Sign-On entry must be created using Custom SAML, as the built-in Google Workspace integration will result in a 403 error upon enrollment.
  • An SSO connection does not need to be Active in Settings > Access to Require Authentication within Automated Device Enrollment or Manual Enrollment. A connection should only be Active in settings if you want to authenticate Kandji administrators to the web app with that connection.
  • The selected authentication connection is the SSO connection used to authenticate the user. Any user assigned to the "Application" within the Identity Provider can complete the enrollment.
  • You can use the same connection (generally referred to as an application within the identity provider) that you use for your Kandji Team Members to authenticate into your Kandji tenant or configure an entirely new connection/application within Kandji and your identity provider specifically for device enrollment. 
  • If you elect to use the same connection/application, please note that your end users may see the Kandji application within your identity provider's application catalog. Assigning users to the application will not grant them administrative rights in Kandji.