AD Join needed for Jamf Pro (Windows) server in DMZ

New Contributor

Hi. I'm brand new to the world of Jamf and am currently looking through the setup requirements in order to get Jamf Pro running on-premises at our workplace (hosted on a Windows Server). I believe that under a basic architecture you would have the Jamf Pro server sitting in your DMZ (in order to be reachable from Apple MacBooks within the office and outside of the office).

In that scenario, would there be a need for that server to be joined to Active Directory?


Valued Contributor

@wdeguara How many devices will be enrolled? Would it be possible to open port 8443 for Jamf Pro? Then you could avoid the DMZ. If you do need the DMZ, my guess is the internal Jamf Pro server (not in the DMZ) would talk with AD and that would be replicated to your DMZ Jamf Pro. Just a guess, not positive.

Valued Contributor II

You do not need to join your DMZ JSS to the domain, assuming you use a local account with admin rights to the box.

Contributor III

If your goal is to run a JSS for both internal and external Mac clients, I don't believe having them domain bound is strictly required on the systems as long as you have a local admin.

I would add that, architecturally, it's typically best practice to run your "Main JSS" internally and have a "limited access JSS" working as a proxy in your DMZ. It does mean it requires two servers, which may not be ideal for some, but from an ITSec perspective it's the right way to go.