I'm curious how people are managing security for the REST API. With only basic auth it's a huge security risk. I've added a feature request to implement OAuth on the API if anyone is interested in voting it up:
In the meantime we're going to have to disable the API because the security team is concerned that it will be compromised. How are other people solving this issue?
@tangerinehuge I've added my vote ;-)
Do you know if it's possible to disable the API on a Jamf hosted JSS instance?
With GDPR coming into force in a matter of weeks, our Cyber Sec team are getting increasingly twitchy about anything that can serve up user related details (not to mention things like SMTP and Network information) and will have kittens over an unsecured API!
Very simple...setup a limited access dmg as the document described...ensure all internal and external communication is working for you as needed. That’s the important step and that all functions of the JSS work as you require in both places.
Once that difficult first step is done, to disable the API externally, you would delete the api folder from your root context on the dmz instance and modify your web.xml on your dmz instance to disallow the restletservlet
I gave a beginners presentation on clustering last year at JNUC. I would start there: https://m.youtube.com/watch?v=WSGiEXfd6hY
If you are intrigued by the concepts presented, consider signing up for the Certified Server Admin course as it goes into the fine-grain nuts and bolts of scaling for most any situation along with securing it. As a result of that course, the api for our server is only available internally.
Thanks for the detailed explanation. I have my system setup similarly. I was hoping there was another way to access the API from an external source in a secure manner but I'm guessing that won't be possible until JAMF implements better security. Disabling the API externally makes it difficult to integrate other cloud based services with JAMF Pro.
@jsherwood I'm not sure about disabling things in a hosted environment. I'd open a support ticket to see if they can turn it off for you.