Casper Focus app issues

RobertHammen
Valued Contributor II

Tried to set up Casper Focus for a client yesterday - ran into an issue with the Casper Focus app.

Seems like it will only accept https://servername.domain.tld:8443 - does not accept https://servername:8443 (the domain.tld search domain is provided by DHCP), nor will it accept https://172.16.32.1:8443 (i.e. the IP address of the server).

Why not just use the fully-qualified domain name? Well, the self-signed cert is for https://servername:8443, and when you use the FQDN, Casper Focus bitches that the cert is invalid, and DOESN'T GIVE YOU THE OPTION to proceed.

So, until/unless I change the JSS URL and the cert, they can't use Focus. I'm not sure if JAMF is dealing with an Apple restriction here, because everything else in the JSS/MDM is fine with the https://servername:8443 URL. I know that's not a best practice and not the way I'd configure a server, but it's a pretty common practice among many Windows sysadmins...

3 REPLIES

justinrummel
Contributor III

You need the FQDN because of certificates. Certificates are based off of host.domain.tld and this is checked against the URL you are trying to access when communicating to the JSS.

Same is true for standard website URLs.

- Justin

nick
Contributor

Hey Robert,

Justin is correct that the FQDN of the JSS is required to use Casper Focus because of certificates. We have made some security decisions and automated a few things intentionally to ensure that the configuration experience of Casper Focus is easy and secure.

Generally, enrolling an iOS device into the Casper Suite requires a valid server certificate whose certificate authority is trusted. This certificate can either be issued by the JSS built-in CA, or another external CA, but it cannot be self-signed.

Upon setting a JSS URL, Casper Focus attempts to establish trust. If the iOS device is already enrolled in the JSS, it will already have the CA cert and will already be trusted. If it's not enrolled, the CA cert will be downloaded and installed in the Casper Focus keychain in an attempt to establish trust. If the URL provided does not match the common name of the CA cert, trust will not be established, and Casper Focus will display the message you describe.

We have created this workflow to minimize security vulnerabilities and to ensure a good experience for users of Casper Focus that may not know what to do when prompted for a decision regarding certificates.

If you are concerned with users needing to manually enter a FQDN JSS URL, it may be worthwhile to take a look at the various ways this can be automated in the KB article we have posted at: https://jamfnation.jamfsoftware.com/article.html?id=323

If you have any further questions, give us a call.

Thanks!

Nick
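
The name check discussed in the replies above, as an added example that is not part of the original posts and is not JAMF's code: it tests the three URL forms from the question against a certificate issued to the short name and one issued to the FQDN. The certificate dictionaries are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, the function names are hypothetical, and the matching follows general TLS hostname-verification rules rather than Casper Focus's actual implementation.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: certificate issued to the short name only,
# which is the situation described in the question.
SHORT_NAME_CERT = {
    "subject": ((("commonName", "servername"),),),
    "subjectAltName": (("DNS", "servername"),),
}
# Constructed sample: certificate reissued to the FQDN.
FQDN_CERT = {
    "subject": ((("commonName", "servername.domain.tld"),),),
    "subjectAltName": (("DNS", "servername.domain.tld"),),
}

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (dns_names, ip_names); use the CN only when no SAN is present."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not san:
        dns = [v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def url_matches_cert(url, cert):
    """True if the host in url is a name the certificate was issued for."""
    host = urlsplit(url).hostname
    if not host:
        return False
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against DNS names only.
        return any(_dns_match(p, host) for p in dns)
    # IP literals must match an IP SAN entry, never a DNS name.
    return any(ipaddress.ip_address(ip) == addr for ip in ips)
```

A search domain handed out by DHCP changes what the resolver looks up, not the name the client compares against the certificate, so the short-name and FQDN URLs are distinct identities even though they reach the same server.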

RobertHammen
Valued Contributor II

The devices are enrolled and I'm just using the CA created during the Casper installation process - for https://servername

I have some other architectural concerns with this client's network, so changing the JSS URL and re-doing the certificate isn't necessarily out of the question. Their carts are not yet supervised and enrolled into Casper, but all of the teacher iPads currently are (and will need re-enrollment if/when the URL/certificate change)...

--Robert