Require Authentication with Automated Device Enrollment

By Trevor Gerzen

Learn how to leverage the Require Authentication option within the Automated Device Enrollment Library item


The Require Authentication option within the Automated Device Enrollment Library item allows admins to require users to authenticate with an identity provider (IdP) before allowing the device to proceed with enrollment. You can also match the authenticated IdP user to a user in your integrated directory and automatically assign the matched user to the device record.

  1. Require Authentication
    1. Enabling this option will require all eligible device types to authenticate through your configured IdP during Automated Device Enrollment.
  2. Connection
    1. Select an SSO connection. If you haven't already configured one, you can learn more about supported SSO connection types and how to set them up.
    2. An SSO connection does not need to be Active in Settings > Access to Require Authentication within Automated Device Enrollment. A connection should only be Active in settings if you want to authenticate Kandji administrators to the web app with that connection.
  3. Assign user to device record
    1. Enabling this option will attempt to match the user authenticated by the identity provider to a user that exists in your user directory integration(s). If the email address of the authenticated IdP user matches the email address in your integrated directory, the user will be assigned to the device.
  4. Pre-fill primary account details
    1. Enabling this option will automatically pre-fill the primary computer account details for the initial computer account created during Setup Assistant. If no user was matched and assigned to the device record, no details will be pre-filled.
    2. Compatible with Mac computers running macOS 10.15 or later.
  5. Lock primary account details
    1. Enabling this option will lock the pre-filled primary account details for the initial computer account created during Setup Assistant.
    2. Compatible with Mac computers running macOS 10.15 or later.

If you require authentication and use Google Workspace as your identity provider (item 2 above), the Single Sign-On entry must be created using Custom SAML; the built-in Google Workspace integration will result in a 403 error upon enrollment.

If you are also deploying Passport, it is advised to deselect the Pre-fill primary account details and Lock primary account details options (items 4 and 5 above). Using the pre-fill and lock settings while skipping account creation, as recommended with Passport, will cause an account creation conflict and result in a Setup Assistant error that necessitates wiping the computer.

Authentication Connection

The selected authentication connection for the Automated Device Enrollment profile is the SSO connection used to authenticate the user. Any user assigned to the "Application" within the Identity Provider will be allowed to complete the enrollment.

You can use the same connection (generally referred to as an application within the identity provider) that you use for your Kandji Team Members to authenticate into your Kandji instance or configure an entirely new connection/application within Kandji and your identity provider specifically for device enrollment. If you elect to use the same connection/application, please note that your end users may see the Kandji application within your identity provider's application catalog. Assigning users to the application will not grant them administrative rights in Kandji.

Assign user to device record

The Assign user to device record option works by matching the user who authenticates during Automated Device Enrollment to a user in your integrated user directory. If a matching user is found, that user will be assigned to the device record.

If matching is enabled, and a user was pre-assigned to the device while it was awaiting enrollment, but a different user authenticates during enrollment, the authenticating user will be matched and assigned, replacing the pre-assigned user.

Enrollment Experience

Remote Management Screen during Automated Device Enrollment:


Authentication via Enrollment Customization WebView:


After successful authentication, enrollment continues, and the device setup proceeds: