Anyone concerned about lack of security for the API?

tangerinehuge
New Contributor III

I'm curious how people are managing security for the REST API. With only basic auth it's a huge security risk. I've added a feature request to implement OAuth on the API if anyone is interested in voting it up:

https://www.jamf.com/jamf-nation/feature-requests/7374/token-or-oauth-based-authentication-for-the-rest-api

In the meantime we're going to have to disable the API because the security team is concerned that it will be compromised. How are other people solving this issue?

9 REPLIES

blackholemac
Valued Contributor III

I’m handling it by using an admin-only node that does accept outside connections on my cluster. I have deleted it from the other Tomcat nodes.

tangerinehuge
New Contributor III

Can you explain how your setup works in a bit more detail?

Thanks!

jsherwood
Contributor

@tangerinehuge I've added my vote ;-)

Do you know if it's possible to disable the API on a Jamf hosted JSS instance?

With GDPR coming into force in a matter of weeks, our Cyber Sec team are getting increasingly twitchy about anything that can serve up user-related details (not to mention things like SMTP and Network information) and will have kittens over an unsecured API!

blackholemac
Valued Contributor III

Very simple... set up a limited access DMZ as the document described... ensure all internal and external communication is working for you as needed. That’s the important step, and that all functions of the JSS work as you require in both places.

Once that difficult first step is done, to disable the API externally, you would delete the api folder from your root context on the DMZ instance and modify your web.xml on your DMZ instance to disallow the restletservlet.

I gave a beginners presentation on clustering last year at JNUC. I would start there: https://m.youtube.com/watch?v=WSGiEXfd6hY

If you are intrigued by the concepts presented, consider signing up for the Certified Server Admin course as it goes into the fine-grain nuts and bolts of scaling for most any situation along with securing it. As a result of that course, the API for our server is only available internally.

blackholemac
Valued Contributor III

I’ll ask in advance that you forgive my less than stellar presentation skills... content was solid though and based on what you learned from that presentation I’m more than willing to answer any questions that I can for you.

tangerinehuge
New Contributor III

Thanks for the detailed explanation. I have my system set up similarly. I was hoping there was another way to access the API from an external source in a secure manner but I'm guessing that won't be possible until JAMF implements better security. Disabling the API externally makes it difficult to integrate other cloud-based services with JAMF Pro.

@jsherwood I'm not sure about disabling things in a hosted environment. I'd open a support ticket to see if they can turn it off for you.

blackholemac
Valued Contributor III

If I need to use the API at home or off campus, I establish a VPN connection on my MacBook and hit the admin URL/instance. Perhaps you could set up some VPN to allow your connections between your internal admin console (with API enabled) and whichever service you are using.

tangerinehuge
New Contributor III

Yeah that's probably what we'll end up doing. Do you know of a way to disable the Universal API? That's also a potential target.

blackholemac
Valued Contributor III

Honestly no... I would likely escalate that to your Jamf buddy. Someone should be able to clarify for sure. I know you disable the REST API in your web.xml file by disabling a Tomcat servlet.
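
Added example, not part of the thread and not Jamf's own code: a check that a DMZ node's web.xml no longer routes any URL to the API servlet, which is the web.xml change described in the replies above. The sample file, its servlet names and URL patterns, and the `restlet` match string (taken from the "restletservlet" wording in the thread) are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml for illustration only: servlet names, classes and URL
# patterns are placeholders, not copied from a Jamf Pro installation.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>ExampleRestletServlet</servlet-name>
    <servlet-class>org.example.RestletServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExampleUiServlet</servlet-name>
    <servlet-class>org.example.UiServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ExampleRestletServlet</servlet-name>
    <url-pattern>/api/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ExampleUiServlet</servlet-name>
    <url-pattern>/ui/*</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    """Text of every direct child element called `name`."""
    return [(c.text or "").strip() for c in elem if _local(c.tag) == name]

def exposed_api_mappings(web_xml_text, needle="restlet"):
    """Return (servlet-name, url-pattern) pairs still routed to a servlet whose
    name or class contains `needle`. Commented-out XML is dropped by the parser."""
    root = ET.fromstring(web_xml_text)
    api_servlets = set()
    for el in root.iter():
        if _local(el.tag) == "servlet":
            ids = _texts(el, "servlet-name") + _texts(el, "servlet-class")
            if any(needle in i.lower() for i in ids):
                api_servlets.update(_texts(el, "servlet-name"))
    findings = []
    for el in root.iter():
        if _local(el.tag) == "servlet-mapping":
            for name in _texts(el, "servlet-name"):
                if name in api_servlets or needle in name.lower():
                    findings += [(name, p) for p in _texts(el, "url-pattern")]
    return findings

if __name__ == "__main__":
    for name, pattern in exposed_api_mappings(SAMPLE_WEB_XML):
        print(f"still mapped: {name} -> {pattern}")
```

An empty result means no active mapping to a matching servlet remains in the file; it says nothing about the api folder, which the thread removes as a separate step.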