Can't enrol Macs using short JSS URL

joeselway
New Contributor II

Hi all,

I'm wondering if anyone has come across or found a solution to this problem...

When accessing the Mac enrolment portal using the servers short name (e.g. https://casper:8443/enroll) as opposed to the FQDN (e.g. https://casper.example.com:8443/enroll), the package download and redirection to the user instructions fails.

After logging into https://casper:8443/enroll, Safari is redirected to https://casper.example.com:8443/flatpackagedownload, however the page is blank and the file does not load. In the production environment I am getting a 403 error, however in my test VM it's just a blank (white) page.

In either case using the FQDN in the first instance resolves the problem. Additionally, if I log in to the FQDN and am successfully redirected, the short name will then work OK presumably due to some sort of browser caching.

In trying to solve this I have reviewed a whole bunch of Tomcat hacks, and was thinking ideally it would be great if I could redirect http://casper:80 to https://casper.example.com:8443/enroll, however none of the config I have applied to my server.xml file seems to be doing the trick.

Has anyone tackled this before, or can even replicate this behaviour? I'd be happy to know if it's just a misconfiguration in the JSS, but I'm getting the same result on two servers and am thinking it's probably down to Tomcat configuration.

Production is 8.62 and test is 8.64.

Cheers,
Joe

2 ACCEPTED SOLUTIONS

justinrummel
Contributor III

FQDN is required for certifications (SSL and Apple Push certificate). Just accept and move forward.

Yes you should be able to redirect with a .htaccess that checks the URL has server.domain.tld, and if not add the domain. See: http://stackoverflow.com/questions/3028166/how-do-i-redirect-a-user-using-apache-rewrite-to-the-fully-qualified-domain-nam

View solution in original post

tak10
Contributor II

In our environment, we implemented URLRewriteFilter. (http://tuckey.org/urlrewrite/)

With this, we have Tomcat running on port 80 as well, but when tomcat / URLRewrite detects http traffic, it reroutes to http://jss.company.com:8443/enroll. So I just had to tell the user to go to jss.company.com and it will reroute them to the enrollment page using https://

The management part is all going through port 8443, so it didn't cause any issues on our Mac OS X and iOS devices checking into JSS.

URLrewrite.xml should read something like this.
<urlrewrite> <rule> <name>Enroll Redirect</name> <condition type="scheme" operator="equal">^http$</condition> <from>^/(.*)</from> <to type="permanent-redirect" last="true">https://jss.company.com:8443/enroll</to> </rule>
</urlrewrite>

View solution in original post

8 REPLIES 8

donmontalvo
Esteemed Contributor III

One environment we supported requested an easier way to get to the Casper server. A simple CNAME was set up so if a user simply types the word casper in a browser, they would be re-routed to https://server.domain.com:8443. Is that what you're trying to do?

--
https://donmontalvo.com

joeselway
New Contributor II

Hi Don,

Thanks for the reply. 'casper' is indeed a CNAME for the server, that part works fine. It's just that for some reason if the user does not enter the FQDN in their browser, the package download fails after login. I think it's because the DNS resolution occurs independently and by the time the request hits the JSS IP Tomcat is only interested in what the browser itself is looking for. More than happy to be corrected here if that's not accurate.

If I can't get Tomcat to do what I want, the other option will be to set up Apache on another server with a short name such as 'enrol' or 'setup' to respond on port 80 and redirect to https://casper.example.com:8443/enroll. I would just like to solve it in Tomcat if possible!

Cheers
Joe

donmontalvo
Esteemed Contributor III

Got wildcard certs? :)

--
https://donmontalvo.com

joeselway
New Contributor II

Just self signed by the built-in CA

powellbc
Contributor II

Joe, I just posted on this exact same issue. Any headway?

sbrosnihan
New Contributor III

I'm in the same predicament under 8.71. CNAME works great, but not with the enrollment. Other aspects of the tomcat webapp function properly under the CNAMEd url. I noticed that after authenticating in the enrollment panel with the CNAMEd URL, the URL changes in the browser to the FQDN of the server and the download fails. I'm looking into a way to redirect the browser to the FQDN before the authentication pane pops up. Perhaps an Apache instance that redirects to the FQDN.

justinrummel
Contributor III

FQDN is required for certifications (SSL and Apple Push certificate). Just accept and move forward.

Yes you should be able to redirect with a .htaccess that checks the URL has server.domain.tld, and if not add the domain. See: http://stackoverflow.com/questions/3028166/how-do-i-redirect-a-user-using-apache-rewrite-to-the-fully-qualified-domain-nam

tak10
Contributor II

In our environment, we implemented URLRewriteFilter. (http://tuckey.org/urlrewrite/)

With this, we have Tomcat running on port 80 as well, but when tomcat / URLRewrite detects http traffic, it reroutes to http://jss.company.com:8443/enroll. So I just had to tell the user to go to jss.company.com and it will reroute them to the enrollment page using https://

The management part is all going through port 8443, so it didn't cause any issues on our Mac OS X and iOS devices checking into JSS.

URLrewrite.xml should read something like this.
<urlrewrite> <rule> <name>Enroll Redirect</name> <condition type="scheme" operator="equal">^http$</condition> <from>^/(.*)</from> <to type="permanent-redirect" last="true">https://jss.company.com:8443/enroll</to> </rule>
</urlrewrite>