Best Solution for Distribution Point for MacOS

tak10
Contributor II

Hi everyone, hopefully everyone is staying safe.

Since the entire MacOS fleet I manage now are working from home due to this pandemic, we are looking to place another distribution point in the DMZ.

Here is what our environment look like. 7b4a3fda67d44b6a925989f46a1c7580

  • Majority of our MacOS users were in the office so I never bother placing DP in the DMZ for external facing devices.
  • Now, I would like to place distribution point in the DMZ but the security team is questioning AFP or SMB through the firewall.
  • I was just trying to add Distribution point in the DMZ that allows HTTPS download only but JAMF Pro requires you to fill in AFP or SMB information under the File Sharing tab.

Right now, I'm telling all macOS users to connect VPN first before using Self Service items.

11 REPLIES 11

sdagley
Honored Contributor II

@tak10 The only kind of distribution you'd want to do from a DMZ hosted DP is via HTTPS. Depending on how you sync the DMZ DP you might need SMB ports opened between it and your internal network, but the only thing you'd want externally exposed is 443.

boberito
Valued Contributor

You have to put an SMB/AFP share for Jamf Admin. You can change the default distribution server for on site vs off site. I cant remember how exactly but Jamf support can help you.

ricardo_huante
New Contributor

You should be able to use your existing (public facing) 8443 port - and have your LTM (f5) take care of the traffic with an iRule. The iRule can direct specific traffic to a pool of httpd hosts on port 443.
i.e. Set the irule to redirect any request for "/bar/*" to specific pool https://externalurl.foo.com:8443/bar/package.name

athompson
New Contributor

I would recommend you look into an AWS S3/Cloudfront style pkg distribution for the WFH crowd. It will be faster for the Users and JAMF can natively interact with it. You can switch your file distribution over to being the master and sync your internal Package Distribution from it. This would give you the benefit of DEP install pkgs.

tfahmy
New Contributor

@tak10 I have the same question you posed, with the same concerns. Did you come up with a solution? I'm wondering if we have to choose SMB under File Sharing but then only allow HTTPS through the firewalls...

sdagley
Honored Contributor II

@tfahmy That's not an uncommon configuration for DPs in a DMZ if you're still using Jamf Admin to synchronize it, and the ports for SMB are open to the internal network interface but not the public. If you're using some sort of file sync tool, such as rsync to synchronize the DMZ DP with your Primary DP, you can just leave those ports closed.

tlarkin
Honored Contributor

Please, never ever put a Tomcat webapp in the DMZ. Use another endpoint like a load balancer, proxy, VIP, or some other type of appliance. The security risk is too high to put web apps in the DMZ. If you are allowed to use Cloud storage like S3 I would highly recommend that over on prem, if you have to use on prem Apache servers aren't too bad and scalable.

KyleGDG
New Contributor

I was told by Jamf that cloud distribution points are only available to hosted customers, is that true?

sdagley
Honored Contributor II

@KyleGDG Not unless you're asking for a Jamf Cloud hosted Cloud DP. If you're on-prem, or self-hosting in AWS, you can use Rackspace, Akamai, or AWS S3/CloudFront for a Cloud DP.

KyleGDG
New Contributor

Thanks @sdagley ! Looks like I got some misinformation or I misinterpreted. Going to give AWS S3 (man I wish I could use Wasabi) a try. Been having so many problems with my home-made https DP not allowing installation of pkg's.

sdagley
Honored Contributor II

@KyleGDG I use Wasabi's S3 clone for personal backups, but the standard pricing is based on you not downloading significantly more data than you have stored. If you could use it for a DP the pricing structure would be different.

What issues are you having with .pkg installs via https? That does require flat packages, but Jamf Admin automatically creates a .zip for any non-flat .pkg when it's uploaded to your Primary DP.