NPSD,
Are there any devices which do not belong to your organization in your JAMF? Are you doing BYOD in your environment?
We use JAMF to manage our Apple products. When BYOD became a project to get working in our environment, we started using it for device identification. If a product exists in JAMF, it is one of our devices. We then use that information plus their AD group membership to assign a role. If an Apple product is not in our JAMF, then it gets less access through a BYOD-related role.