Posted on 02-08-2019 01:49 AM
Hi. I'm brand new to the world of Jamf and am currently looking through the setup requirements in order to get Jamf Pro running on-premise at our workplace (hosted on a Windows Server). I believe that under a basic architecture you would have the Jamf Pro server sitting in your DMZ (in order to be reachable from Apple MacBooks within the office, and outside of the office).
In that scenario would there be a need for that server to be joined to Active Directory?
Posted on 02-08-2019 06:34 AM
@wdeguara How many devices will be enrolled? Would it be possible to open port 8443 for Jamf Pro? Then you could avoid the DMZ. If you do need the DMZ, my guess is the internal Jamf Pro server (not in the DMZ) would talk with AD and that would be replicated to your DMZ Jamf Pro. Just a guess, not positive.
Posted on 02-08-2019 06:51 AM
You do not need to join your DMZ JSS to the domain, assuming you use a local account with admin rights to the box.
Posted on 02-08-2019 06:54 AM
If your goal is to run a JSS for both internal and external Mac clients, I don't believe having them domain bound is strictly required on the systems as long as you have a local admin.
I would add that, architecturally, it's typically best practice to run your "Main JSS" internally, and have a "limited access JSS" working as a proxy in your DMZ. It does mean it requires two servers, which may not be ideal for some, but from an ITSec perspective it's the right way to go.