Posted on 04-10-2013 05:26 PM
Hi all,
I'm wondering if anyone has come across or found a solution to this problem...
When accessing the Mac enrolment portal using the server's short name (e.g. https://casper:8443/enroll) as opposed to the FQDN (e.g. https://casper.example.com:8443/enroll), the package download and redirection to the user instructions fails.
After logging into https://casper:8443/enroll, Safari is redirected to https://casper.example.com:8443/flatpackagedownload, however the page is blank and the file does not load. In the production environment I am getting a 403 error, however in my test VM it's just a blank (white) page.
In either case using the FQDN in the first instance resolves the problem. Additionally, if I log in to the FQDN and am successfully redirected, the short name will then work OK presumably due to some sort of browser caching.
In trying to solve this I have reviewed a whole bunch of Tomcat hacks, and was thinking ideally it would be great if I could redirect http://casper:80 to https://casper.example.com:8443/enroll, however none of the config I have applied to my server.xml file seems to be doing the trick.
Has anyone tackled this before, or can even replicate this behaviour? I'd be happy to know if it's just a misconfiguration in the JSS, but I'm getting the same result on two servers and am thinking it's probably down to Tomcat configuration.
Production is 8.62 and test is 8.64.
Cheers,
Joe
Posted on 04-10-2013 06:22 PM
One environment we supported requested an easier way to get to the Casper server. A simple CNAME was set up so if a user simply types the word casper in a browser, they would be re-routed to https://server.domain.com:8443. Is that what you're trying to do?
Posted on 04-10-2013 06:40 PM
Hi Don,
Thanks for the reply. 'casper' is indeed a CNAME for the server, that part works fine. It's just that for some reason if the user does not enter the FQDN in their browser, the package download fails after login. I think it's because the DNS resolution occurs independently, and by the time the request hits the JSS IP, Tomcat is only interested in what the browser itself is looking for. More than happy to be corrected here if that's not accurate.
If I can't get Tomcat to do what I want, the other option will be to set up Apache on another server with a short name such as 'enrol' or 'setup' to respond on port 80 and redirect to https://casper.example.com:8443/enroll. I would just like to solve it in Tomcat if possible!
Cheers
Joe
Posted on 04-10-2013 08:09 PM
Got wildcard certs? :)
Posted on 04-10-2013 08:23 PM
Just self signed by the built-in CA
Posted on 05-02-2013 12:51 PM
Joe, I just posted on this exact same issue. Any headway?
Posted on 08-19-2013 11:16 AM
I'm in the same predicament under 8.71. CNAME works great, but not with the enrollment. Other aspects of the Tomcat webapp function properly under the CNAMEd URL. I noticed that after authenticating in the enrollment panel with the CNAMEd URL, the URL changes in the browser to the FQDN of the server and the download fails. I'm looking into a way to redirect the browser to the FQDN before the authentication pane pops up. Perhaps an Apache instance that redirects to the FQDN.
Posted on 08-19-2013 12:16 PM
FQDN is required for certifications (SSL and Apple Push certificate). Just accept and move forward.
Yes you should be able to redirect with a .htaccess that checks the URL has server.domain.tld, and if not add the domain. See: http://stackoverflow.com/questions/3028166/how-do-i-redirect-a-user-using-apache-rewrite-to-the-fully-qualified-domain-nam
Posted on 05-02-2016 08:36 AM
In our environment, we implemented URLRewriteFilter. (http://tuckey.org/urlrewrite/)
With this, we have Tomcat running on port 80 as well, but when tomcat / URLRewrite detects http traffic, it reroutes to http://jss.company.com:8443/enroll. So I just had to tell the user to go to jss.company.com and it will reroute them to the enrollment page using https://
The management part is all going through port 8443, so it didn't cause any issues on our Mac OS X and iOS devices checking into JSS.
URLrewrite.xml should read something like this.
<urlrewrite>
    <rule>
        <name>Enroll Redirect</name>
        <condition type="scheme" operator="equal">^http$</condition>
        <from>^/(.*)</from>
        <to type="permanent-redirect" last="true">https://jss.company.com:8443/enroll</to>
    </rule>
</urlrewrite>
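Added example, not from any poster in this thread or from the UrlRewriteFilter project: the rule above only catches plain HTTP, so this variant also sends any request whose Host header is not the FQDN to the FQDN before the login page is served, which is the case the original question describes. It assumes the filter is installed in the ROOT webapp and reuses casper.example.com from the first post as the canonical name.

```xml
<urlrewrite>
    <!-- Constructed example. casper.example.com is the FQDN used in the
         original question; substitute the name on the JSS certificate. -->
    <rule>
        <name>Canonical host</name>
        <!-- Fires when the Host header (with or without a port) is anything
             other than the FQDN, e.g. "casper" or "casper:8443". -->
        <condition name="host" operator="notequal">^casper\.example\.com(:\d+)?$</condition>
        <from>^/(.*)$</from>
        <!-- The target host is a fixed literal, never copied from the
             request, so a forged Host header cannot steer the redirect.
             $1 keeps the request path. -->
        <to type="permanent-redirect" last="true">https://casper.example.com:8443/$1</to>
    </rule>
    <rule>
        <name>Plain HTTP to enrollment</name>
        <!-- Same idea as the rule posted above: HTTP requests that already
             use the FQDN are sent to the HTTPS enrollment page. -->
        <condition type="scheme" operator="equal">^http$</condition>
        <from>^/(.*)$</from>
        <to type="permanent-redirect" last="true">https://casper.example.com:8443/enroll</to>
    </rule>
</urlrewrite>
```

On the HTTPS connector the TLS handshake finishes before any redirect is sent, so a browser that connected with the short name still checks the certificate against the short name first. The redirect fixes the hostname the enrollment flow sees; it does not remove a name-mismatch warning for a certificate that only lists the FQDN.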