Question

Anyone concerned about lack of security for the API?

  • April 25, 2018
  • 9 replies
  • 59 views


I'm curious how people are managing security for the REST API. With only basic auth it's a huge security risk. I've added a feature request to implement OAuth on the API if anyone is interested in voting it up:

https://www.jamf.com/jamf-nation/feature-requests/7374/token-or-oauth-based-authentication-for-the-rest-api

In the meantime we're going to have to disable the API because the security team is concerned that it will be compromised. How are other people solving this issue?

9 replies

  • Valued Contributor
  • April 25, 2018

I’m handling it by using an admin-only node that does accept outside connections on my cluster. I have deleted it from the other Tomcat nodes.


  • Author
  • Contributor
  • April 26, 2018

Can you explain how your setup works in a bit more detail?

Thanks!


  • Contributor
  • April 26, 2018

@tangerinehuge I've added my vote ;-)

Do you know if it's possible to disable the API on a Jamf hosted JSS instance?

With GDPR coming into force in a matter of weeks, our Cyber Sec team are getting increasingly twitchy about anything that can serve up user related details (not to mention things like SMTP and Network information) and will have kittens over an unsecured API!


  • Valued Contributor
  • April 26, 2018

Very simple... set up a limited-access DMZ as the document described... ensure all internal and external communication is working for you as needed. That’s the important step: that all functions of the JSS work as you require in both places.

Once that difficult first step is done, to disable the API externally, you would delete the api folder from your root context on the DMZ instance and modify your web.xml on your DMZ instance to disallow the restletservlet.

I gave a beginners presentation on clustering last year at JNUC. I would start there: https://m.youtube.com/watch?v=WSGiEXfd6hY

If you are intrigued by the concepts presented, consider signing up for the Certified Server Admin course as it goes into the fine-grain nuts and bolts of scaling for most any situation along with securing it. As a result of that course, the api for our server is only available internally.


  • Valued Contributor
  • April 26, 2018

I’ll ask in advance that you forgive my less than stellar presentation skills... content was solid though and based on what you learned from that presentation I’m more than willing to answer any questions that I can for you.


  • Author
  • Contributor
  • April 26, 2018

Thanks for the detailed explanation. I have my system set up similarly. I was hoping there was another way to access the API from an external source in a secure manner, but I'm guessing that won't be possible until JAMF implements better security. Disabling the API externally makes it difficult to integrate other cloud-based services with JAMF Pro.

@jsherwood I'm not sure about disabling things in a hosted environment. I'd open a support ticket to see if they can turn it off for you.


  • Valued Contributor
  • April 26, 2018

If I need to use the API at home or off campus, I establish a VPN connection on my MacBook and hit the admin URL/instance. Perhaps you could set up some VPN to allow your connections between your internal admin console (with the API enabled) and whichever service you are using.


  • Author
  • Contributor
  • April 27, 2018

Yeah that's probably what we'll end up doing. Do you know of a way to disable the Universal API? That's also a potential target.


  • Valued Contributor
  • April 27, 2018

Honestly, no... I would likely escalate that to your Jamf buddy. Someone should be able to clarify for sure. I know you disable the REST API in your web.xml file by disabling a Tomcat servlet.
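The two replies above (delete the api folder and disallow the Restlet servlet in web.xml on the DMZ node) describe an edit but not how to check it took. The script below is an added example, not Jamf code and not posted by anyone in this thread: it parses a Servlet-spec web.xml, reports for each API prefix whether a servlet-mapping still covers it, whether a deny-all security-constraint blocks it, or whether nothing maps it at all, and shows the "remove the servlet" edit applied to a sample file. The prefixes in API_PREFIXES (/JSSResource/ for the Classic API, /uapi/ for the newer API), the servlet name RestletServlet, its class and the whole SAMPLE_WEB_XML are constructed assumptions for the demonstration; adjust them to match your own web.xml before relying on the result.

```python
"""Audit a Tomcat web.xml for servlet mappings that still expose an API path.

Added example for this thread; not Jamf code and not from any reply above.
Assumptions: a generic Servlet-spec web.xml layout, API_PREFIXES as the paths
to audit, and a constructed sample web.xml with a made-up servlet name.
"""
import sys
import xml.etree.ElementTree as ET

# Assumed API prefixes to audit (Classic API and the newer API); not from the thread.
API_PREFIXES = ("/JSSResource/", "/uapi/")

# Constructed sample: one API servlet still mapped, one prefix already denied
# by an empty <auth-constraint/> (Servlet spec: no role may access it).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>RestletServlet</servlet-name>
    <servlet-class>org.restlet.ext.servlet.ServerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>RestletServlet</servlet-name>
    <url-pattern>/JSSResource/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Blocked API</web-resource-name>
      <url-pattern>/uapi/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    for c in _children(elem, name):
        return (c.text or "").strip()
    return ""


def pattern_covers(pattern, prefix):
    """True if a servlet url-pattern matches requests under prefix."""
    if pattern == "/*":
        return True
    if pattern.endswith("/*"):
        base = pattern[:-1]  # "/JSSResource/*" -> "/JSSResource/"
        return prefix.startswith(base) or base.startswith(prefix)
    return pattern.startswith(prefix)


def parse_web_xml(xml_text):
    """Return (servlet mappings, url-patterns under a deny-all constraint)."""
    root = ET.fromstring(xml_text)
    mappings, denied = [], []
    for elem in root:
        kind = _local(elem.tag)
        if kind == "servlet-mapping":
            name = _text(elem, "servlet-name")
            mappings += [(name, (p.text or "").strip()) for p in _children(elem, "url-pattern")]
        elif kind == "security-constraint":
            auth = _children(elem, "auth-constraint")
            if auth and not _children(auth[0], "role-name"):  # empty auth-constraint = deny all
                for wrc in _children(elem, "web-resource-collection"):
                    denied += [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
    return mappings, denied


def audit(xml_text, prefixes=API_PREFIXES):
    """Map each prefix to 'blocked', 'exposed' or 'unmapped'."""
    mappings, denied = parse_web_xml(xml_text)
    report = {}
    for prefix in prefixes:
        if any(pattern_covers(p, prefix) for p in denied):
            report[prefix] = "blocked"
        elif any(pattern_covers(p, prefix) for _, p in mappings):
            report[prefix] = "exposed"
        else:
            report[prefix] = "unmapped"
    return report


def remove_servlet(xml_text, servlet_name):
    """Return web.xml with the <servlet> and <servlet-mapping> entries for
    servlet_name deleted: the 'disallow the servlet' edit the reply describes."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])  # keep default xmlns on output
    for elem in list(root):
        if _local(elem.tag) in ("servlet", "servlet-mapping") and _text(elem, "servlet-name") == servlet_name:
            root.remove(elem)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for prefix, status in audit(text).items():
        print(f"{prefix:<16} {status}")
```

Run it with the path to the DMZ node's web.xml as the only argument; with no argument it audits the constructed sample, reporting /JSSResource/ as exposed and /uapi/ as blocked. Treat "unmapped" as the goal for a node that must not serve the API, and re-check after every Jamf upgrade, since an upgrade can rewrite web.xml and the api folder. A deny-all security-constraint is an alternative to deleting the servlet that survives some upgrades better, but it is a Servlet-spec mechanism, not something the thread describes.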