
If I just want to do iOS Management outside of our network an external DNS entry and IP address with port 8443 open should be all that is needed? Correct?

What you'd like to do is called a "limited access JSS"; here's the KB regarding this: https://jamfnation.jamfsoftware.com/article.html?id=174


We have a few options here. If you would like to just make your current JSS externally facing, you are correct: you can just open up port 8443 both incoming and outgoing. You do need to have an FQDN for your JSS URL as well, but you did indicate that this was the case. This will allow devices to communicate with your JSS when outside of your network.

You can also set up a JSS in the DMZ, as mentioned above. This is more secure than just opening up a port both ways. However, it does require a little more setup.

Hope this helps.


By just opening up 8443, what am I gaining/risking vs. going through a L.A. JSS?


@jwojda If you just open up port 8443, then your admin login page is accessible to the outside world. If you put another web-app-only server in the DMZ and turn on limited access, clients can talk to it at 8443, but you can turn off the admin login page.


Hmm. Seems fairly negligible. With the limited access setup, I need to do the firewall changes and forwarding (SMTP, LDAP, and SQL), but none of that would be required, short of 8443?


@jwojda

hmm. seems fairly negligible

Realize, if the JSS web interface is publicly facing, and a bad person gained access via an admin account, horrible, terrible things could occur to your whole fleet of Macs.

Might be low probability, but not something I'd gamble with.


Agreed with @dpertschi. Do what you want @jwojda, but consider that every JSS, yours likely also, has at least one local JSS-only account on it that's left in place as an emergency "back door" way in, in case your LDAP connection breaks for some unforeseen reason. The JSS, to my knowledge, does not limit the number of login attempts that can be made to it. Any LDAP-imported accounts would likely be disabled on the backend after too many bad attempts, but that local account would not.
Brute force password hacks are extremely common now, and the algorithms used to do it have advanced to the point that, unless you're using a really long, complex password, it could probably be hacked in a matter of hours or days. Once someone is in, as mentioned, they could do some serious damage to your whole fleet of Macs.

Is this scenario really likely? Probably not, honestly, but as our security guy here often says, "you don't want to be 'that guy'." If you go through the process of securing it as a Limited Access JSS, it would be much less of a concern, since someone would need to be already inside the company network to even try logging in to your JSS to begin with.
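The post above notes that the JSS does not limit login attempts against its local accounts, so if you do expose 8443 directly, the only early warning of a password-guessing run is the web server's own access log. The following script is an added example and not part of the thread or Jamf's own tooling: it parses Apache/Tomcat "combined"-format access-log lines and flags any source address that submits an unusual number of POSTs to the login form inside a short window. The log format, the `/login` path, and the sample lines are all assumptions constructed for the example; substitute the real login path and log location from your deployment.

```python
"""Flag source addresses that hammer a web login form, from a Tomcat-style access log.

Added example for the thread above. Assumptions (not taken from the thread):
  * log lines are in Apache/Tomcat "combined" access-log format;
  * the login form is submitted with an HTTP POST to LOGIN_PATH.
Adjust both for your own deployment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/login"  # placeholder: set to the path your login form posts to

# Constructed sample data: one address makes six login POSTs in ~30 seconds,
# a second address makes two POSTs 40 minutes apart, a third only loads the form.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:36 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:55:41 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:55:47 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:55:52 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:55:58 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:13:56:03 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:13:40:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2014:14:20:09 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2014:13:57:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client-ip ident user [timestamp] "METHOD path protocol" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for addresses with >= threshold login POSTs in any `window`.

    Counts every POST to LOGIN_PATH regardless of status code, because a failed
    form login may come back as 200 (form re-rendered) or 302 depending on the app;
    the burst rate, not the status, is the signal here.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        # Sliding window over the sorted timestamps: largest number of POSTs
        # whose first and last fall within `window` of each other.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} login POSTs within a 5-minute window")
```

Run it against a real access log with `find_login_bursts(open(path).readlines())` and tune `threshold` and `window` to your traffic; a flagged address is a reason to check the JSS's own login history and to reconsider whether the admin page needs to be reachable from outside at all, which is exactly what the limited access JSS in the DMZ removes.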