Jamf Discontinuing JDS

@sgorney interesting stuff:

Reselio Sync

I use Syncthing for all my 50 DP's around the globe. Its free and works fantastically well

Syncthing

So if anyone calls you Amanda, do we get bitten?

Gabe Shackney
Princeton Public Schools

@gshackney

Some people forget, which is fine as I still respond to it (nearly 38 years of habit), but most correct themselves.
A few people thought I'd somehow got IT in on a prank at first but, considering everything they had to change for me to change my name across our systems, there's no way they would have done it for a prank! It would have been a pretty good prank, though.

My parents still call me that, though, as they felt the whole thing was silly but, "you're an adult and can do what you want." :D

Were Wulff
Jamf Customer Experience

@were.wulff BTW love the Black Hole pic.
I had the read along record for that movie as a kid.

Gabe Shackney
Princeton Public Schools

There's a lot of talk about replication, but aren't there still important features that are only available when using a JDS?

Is there any way to allow techs to upload packages through the JSS, besides using a JDS? We rely on this very heavily, since Casper Admin is not safe for multiple people to use concurrently. What are our options, besides reinventing the wheel with API scripts? Do I now need to be middleman for every department's techs to upload packages? (It's too early to start drinking, isn't it?)

What about in-house apps and eBooks? Is that just going away?

I mean, I get it, the JDS had problems...but the proper response to outdated TLS support not "welp, better kill the whole thing".

I'm in a very similar situation to @mjhersh. I have other site admins that have the ability to upload packages via the JSS web interface. This setup works great as it limits the damage that can be done with Casper Admin (I don't give them access to it either).

We have been working with Jamf Support on this already and the response has left a pretty sour taste in our mouths. The only way to continue using that feature is to switch our Master DP to a Cloud Distribution Point, which costs more money. That topic received pushback from my leadership about covering extra costs when we already pay for Jamf Pro (a solution that did not previously require anything be hosted).

Basically, our options are either to use a CDP or to roll our own scripts to create the packages via API and then scp the files to the DP. Neither is desirable.

@mjhersh

Cloud distribution points (JCDS, AWS, Rackspace, or Akamai) can use the web interface to upload to the JSS.

File share distribution points, at the moment, still go through Casper Admin.

In-House apps and eBooks were around long before the JDS, and a JDS is not required to use these features. It never has been, the JDS was simply an additional method that customers could use to host In-House apps and eBooks.

Information on using In-House eBooks can be found in here, in the Casper Suite Administrator’s Guide.

Information on using In-House Apps can be found here, in the Casper Suite Administrator’s Guide.

It is also possible to host In-House eBooks and apps on a Tomcat instance; we have a KB on how to do that here.

If you have additional questions or need more detailed help on getting any of the above set up, please contact Support and they'll be able to assist you with specific how-to or setup questions for your environment.

Thanks!
Were Wulff
Jamf Customer Experience

Would love to use a cloud distribution point, but you guys don't support the up and coming small tech startups out there... like Google GCP.

Official support for Azure could help us here. Probably not a popular option for heavy Apple folks but we get Azure services provided to the district at a steep discount.

@blackholemac

It looks like you've already voted it up and commented but for others who haven't and are interested, we have a Feature Request to add Microsoft Azure distribution point support here.

Comments about the why/use case for your organization are super helpful for our Product Management teams on Feature Requests so, if you have the time, it's definitely worth both voting up and leaving a comment.

Thanks!
Were Wulff
Jamf Customer Experience

Does this now mean that INNODB will supported by Jamf in future update of Jamf Pro?

This is terrible news.

We are a NFP that relies on our JDSs to get our 600 Macs up to date across 60 remote sites. We have invested a lot of money in having Mac Minis at every site, which are almost exclusively used for JDSs. Being that some of our sites are in rural Australia, we don't have the infrastructure for our Macs to download from our data centre or the cloud. Our links just aren't good enough.

Yeah, great, they will still work for now. But what happens when Jamf Pro 10 comes out? How are we going to get (for example) Microsoft Office updates out to our 10 Macs on a shitty link in the middle of nowhere?

We have invested too much in JSS to switch to something else, but this has seriously got me considering our options.

JDS has been badly designed from the start but it offered HTTPS distribution and it replicated the packages automatically to other JDS servers.

Jamf has been promoting JDS 2.0 for a long time but it seems that it is has become vaporware.

Your JDCS is not available to customers that use on-premise installations. The JDCS is not capable of replicating packages to another distribution point. None of the option that you provide provide automated replication.

This requires us to invest in other (paid) solutions. There is not even a proper statement which alternative we could use. Therefor people are referring to “Resilio Sync” (paid software) but for me it’s hard to believe that Jamf had increased there licensing costs again in just a few year. This increase does not reflect the features we as customers get.

So explain to me, why are we paying more for Jamf?

I was reading @brysontyrrell's blog and he posted about a distribution server named Open Distribution Server (ODS):

The Open Distribution Server (ODS) is an open-source package distribution and syncing solution for IT administrators to serve as a potential alternative for the Jamf Distribution Server.

It looks promising and I'll definitely give it a try.

@a.holley if you already have hardware out in the field that has your packages on it, pivot away from JDS and simply create File Share Distribution points out of them. Yes, you will have to come up with a sync strategy, but that can be accomplished with a launch daemon and a script to run rsync or one of the many paid sync tools (Resilio Sync for example). Yes, there's the question of immediate (or near so) availability of packages on all of your distro points due to sync schedules, but it isn't the end of the world, and certainly not something that would cause me to want to walk away from the Jamf product.

And if you read @joe.bloom's post again, the very last line says that Jamf is there to help you identify and move to a new solution.

As @martin mentioned, @brysontyrrell has the ODS that he is working on, and presenting on at JNUC. This is an open-source project that we, the community can help mold and shape in a way that we need.

Yes, the discontinuation of the JDS is a big deal, especially for large enterprises with a large distribution of JDS servers, but it is an opportunity to look at new technologies and design something that will work better for our environments.

@a.holley @martin @stevewood

If you're able to come to the ODS session at JNUC please do. As Steve said, my intent is to have the community drive where the project needs to go, and there will be many ways to contribute to it that don't involve writing code.

I'll make another post here on JN containing the session details.

@brysontyrrell given I'm in Australia, and as previously mentioned, working for an NFP, attendance at JNUC isn't happening unfortunately.

@were.wulff @brysontyrrell Quick Question - you covered all the in house ebooks and apps and such.
What about scripts? Will they still remain in the database or will there be some function to pull them back out?
If we switch from JDS back to a SMB file share, will the scripts be properly deployed?
I assume this will be less of an issue as DEP really gains ground but for now, how will the Jamf Pro Server handle scripts?

Thanks! And I love the name change, Were!

Going back to memory... IIRC, the JDS really started to have issues in Sierra 10.12.4 when Server 5.3 was released and TLS 1.0 and 1.1 support went away. So, until @brysontyrrell can get a big launch on "JDS 2.0" AKA "ODS" is released, wouldn't it make sense to rebuild a JDS with OS X 10.12.4 and running Server 5.2 without upgrading to Server 5.3?

The next question would then be... Could we get away with upgrading to JAMF Pro 10.0 and still maintain the legacy JDS instances?

@jrippy looks like you didn’t get an answer but I’m case you still need one, since JAMF moved the scripts to the database, scripts have never used any DPs for distribution be they SMB, AFP, HTTP, etc. The scripts are downloaded from the JSS directly by the Jamf binary to the local machine and then run directly.

So it’s copied over from the same connection that is pulling down policies, doing recons, etc, so nothing should change.

@stevewood wrote:

that can be accomplished with a launch daemon and a script to run rsync or one of the many paid sync tools (Resilio Sync for example).

If you're on RHEL (or CentOS, etc.), a one line script is all you need, with a crontab, and RSA keys so no passwords are needed (but still secure).

The technology is native to the OS, so no Reselio marketing department to feed. :)

Maybe over the holidays I'll put together a how-to, with credits to the folks the bits and pieces were stolen from.

Below is the script we use for DP Syncing instead of Rsync. You need HomeBrew, LFTP, ssh-keygen, ssh-copy-id. Lingon-X (optional) or launch daemon if using Mac Servers. If using Ubuntu or CentOS, I believe LFTP is native.

Good for Large Packages, Split files for faster upload. Continue interrupted transfers.

#!/bin/sh
lftp -u casperrw,pass -e "set sftp:connect-program 'ssh -a -x -T'; mirror -R -v -c --loop --delete --use-cache --log=/var/log/dpsync.log --use-pget-n=10 -P 2  /Volumes/ServerHD/MasterShare/Packages /Volumes/ServerHD/RemoteShare/Packages ; quit" sftp://remote.host.ip:22

Credits

http://www.commandlinefu.com/commands/view/13759/fastest-segmented-parallel-sync-of-a-remote-directory-over-ssh

http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id

https://lftp.yar.ru/lftp-man.html

@Eigger awesome stuff...can you put the commands into code format by selecting the text and hitting ">_" in the post window, so we can see the command with proper wrapping?

@donmontalvo I look forward to seeing your how-to.

Over the holiday break I am cleaning up a bash script I built for uploading packages to the parent distro then creating the Jamf Pro entry with API. It uses RSA keys and SCP for the package transfer. and if I can gleam an easier way to move packages and then replicate.. I may owe you a beverage of choice lol