Limit jss enrollment to a specific LDAP group

Where I work, we realized we wanted allow open enrollment, but only to Administration staff. While you could do this with a custom quickadd we wanted to keep the enrollment page in jss open as another option.

1. 1. Login to your Jamf Pro Server
   2. Click the Gear on the Left hand side by your name
      
   3. Select User Initiated Enrollment under the Global Management Tab
      
   4. Click Edit on the bottom right corner
   5. Uncheck
      1. Restrict re-enrollment to authorized users only
   6. Click Access
   7. Edit All LDAP Users
   8. Uncheck
      1. Restrict re-enrollment to authorized users only
      2. Allow group to enroll personally owned devices
   9. Click Add
   10. Search for the LDAP group you want to allow enrollment
   11. Check both boxes
       
       1. Restrict re-enrollment to authorized users only
       2. Allow group to enroll personally owned devices
   12. Click Done
   13. At the next page click Save
   14. Test, an unsuccessful login will just redirect back to the login page, while a successful will allow you to download a quickadd