Limited Access

Tomcat gets disabled with a Limited Access JSS, so no, it will not allow the enroll page to work unfortunately.
That's both good and bad, since if that server was sitting in your DMZ, you would not want users hitting it from the outside and enrolling their Mac.
But in your case since it would actually be an internal server, it would be nice to have it working, but I don't think that there's a way to do that.

Thanks, Mike. That's what I expected. I'll look into setting up a new server inside the firewall, and updating our documentation to point users there to enroll, then eventually disable the JSS on our external JSS.

Well that's interesting news. I'm not sure if it's good or bad right now - we want easy access, but are very concerned about security. That's somewhat disturbing that the API stays enabled on a limited access JSS. I'm going to be doing testing with this setup soon so I'll be sure to report back.

I get the security concern over having the API available from outside. I guess the way I see it is, API privileges are completely optional and not at all required for just about any JSS account, LDAP or local. You can just make sure that all JSS accounts that have web UI access don't have API access. Bottom line is, although the API is "available" from outside doesn't mean you can actually use it without having both valid account credentials and the account must be able to use the API.
Plus, you can restrict API access to read only for either a single LDAP account, or a local one, so it can read all it wants, but not write anything back, which limits any possible damage. Given how granular the controls currently are on a per account basis, its not much of a concern to me. But I understand every environment is different and you working in health care certainly raises the bar on the security side of things.

The only account that might actually need API access would be the initial JSS admin account that gets created when the JSS was first set up, but I'm not even certain that account needs it. That might be something for JAMF to chime in on. I'm not going to disable it on our account to test that. :)

Don't know who you spoke to at Jamf, but I just setup two test servers, clustered them and set one 'computers only' limited access. The /enroll page is 'disabled'. I went through the web.xml file and couldn't figure how to re-enable it. I'd love to have the API and JSS disabled, and /enroll enabled. Maybe I'll start with limited access off, and try to disable the JSS... I'll post here if I discover anything.

Hey @thoule][/url, as I mentioned above, I got this directly from Mike Paul @ JAMF. Also, I tested and verified everything he was saying on our own Limited Access JSS. From the outside, I can hit the enroll page and also access the API now (when authenticating with a local JSS account)

Additionally, look at Mike Paul's instructions here to see how to disable the API but leave Enrollment available, assuming you get that working.

Just to add my experience here as well, our public facing JSS in the DMZ is set to limited access and you can enroll machines and access the API from the outside but the admin web interface says its disabled so this should work.

Just for some clarification on Limited Access as of 9.62: Computer Access Only disables JSS Admin portal and enrollment for mobile devices
Mobile Device Access Only disables JSS Admin portal, enrollment for computers and disables the API
Computer and Mobile Device Access disables JSS Admin portal.

What functionalities are disabled during Limited Access is defined by their respective filters in that web.xml.

If you are looking to do things beyond what is described in the FR that mm2270 linked to or have other questions, feel free to reach out to me for information. I can be reached by emailing Mike.Paul at JAMF Software

Thanks for the support. It does work as both you have (repeatedly) said. In my test environment, I had forgotten that I need to explicitly enable user initiated enrollment. I was thinking the 'disabled' message was a function of the limited access. I'm going to go ask the wizard for brains.

Changing the Limited Access setting to anything other than "Full Access" disables the JSS interface.

How can i undo that?
How can i enable the JSS interface on my Limited Access JSS back?
I had a look into the /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/web.xml , but it seems that this is not the right place to reenable the JSS interface back, right? Comparing this file with the file on my internal JSS showed me now differences..

@jensm contact support. That setting is almost assuredly stored in the database since you can set that setting for one server from a different one in a cluster.

They'll probably have to give you a SQL statement to run against the database.

Here is how to undo Limited Access. Provided by Jamf Support and worked for me.

Thank you for contacting JAMF Support.
We can disable limited access by going through below workflow.

1. Stop Tomcat

   sudo /etc/init.d/jamf.tomcat8 stop

2. Log in to MySQL

   mysql -u root -p

3. Choose database

   use jamfsoftware;

4. Let's check the limited access settings:

   select address, access_mode from limited_access_mode_settings;

5. Change flag from 1 to 0 to disable limited access: (serverIP will be address listed in point 4)

   update limited_access_mode_settings set access_mode = 0 where address ='serverIP';

6. Start Tomcat

   sudo /etc/init.d/jamf.tomcat8 start

   We should now be able to log in to our JSS.