I created the group, and added a test user, and then gave that group access to profile manager. It let me login, and displays everything properly, but when a random active directory user logs into the mydevices section, they are authenticated in from the AD server, but it gives them the option to download the "Default Profile". I need to shut that off or block their access from even being able to login, or it logs in and says that they do not have access to this page.
i think your only option maybe not to use settings for everyone
by it's very nature it's for everyone
or only enable setting in settings for everyone that aren't a risk to your network
I think if your restricting access to profile manager via server admin access
unauthorized users won't be able to enroll devices but will be able to download
whatever you've enabled in settings for everyone
if you want users to have a self service portal you could change or create
a new profile that's downloadable instead of pushed
I have this so far, to where the AD users can authenticate in and they get this screen, but enrolling devices is disabled. I believe the default profile is tied to the Everyone group. Since it has no settings the user can download it, and its a blank profile. I wonder if there is a way to not even display that default profile..?