Changing JSS URL without migrating

Poseiden
New Contributor III

Hello,

I've been asked to change our JSS URL without migrating our server. Is this possible?

Current: jss.crop.domain.com

Outcome needed: jss.domain.com

What I was thinking:

  1. Add a DNS entry = jss.domain.com
  2. Create a policy changing the URL on the clients: defaults write /Library/Preferences/com.jamfsoftware.jamf.plist jss_url https://new.jss.url:8443
  3. Change the URL in the JSS settings and change Tomcat certificate.

If anyone has done this before, would this work? In my mind, it seems like it would.

Thank you.

bmarks
Contributor II

I believe you'll have to re-enroll all of your Macs and iOS devices in this scenario.

jonnydford
Contributor II

I had to do this before we added in the DMZd JSS and the steps I followed were exactly as you stated.

In hindsight, I probably would have preferred to create a new JSS and migrate over to it so I could make sure everything was okay and got to clean out the cruft from my 'old' JSS.

m_entholzner
Contributor III
> 1. Add a DNS entry = jss.domain.com
> 2. Create a policy changing the URL on the clients: defaults write /Library/Preferences/com.jamfsoftware.jamf.plist jss_url https://new.jss.url:8443
> 3. Change the URL in the JSS settings and change Tomcat certificate.

1) correct.
2) you don't have to do this, skip this step and proceed with 3)

As long as your JSS is reachable with the old DNS name, this will work.

Aziz
Valued Contributor

That would work

Poseiden
New Contributor III

@jonnydford I would also like to migrate, but this will work. Thanks!

@m.entholzner Thanks, the old DNS will still be active.

mike_paul
Contributor III

If you leverage MDM on your computers, the URL is hard-coded into that profile, so if you change this in the JSS you will break MDM communication. It's also hard-coded in your SSL cert, so that would need to be replaced as well if you want enrollment to work correctly. If the Tomcat SSL cert doesn't match the URL, trying to get the new MDM profile will fail.

The only way to change the value in the profiles is to remove the old MDM profile (sudo jamf removeMdmProfile), which would in turn remove all MDM pushed profiles, e.g. Wifi, and then re-do MDM (sudo jamf mdm).

The issue is that you typically won't have internet to run the last command since the WIFI profile was removed, so you have to get network in place prior. I have seen some people push out another wifi profile prior to removing the MDM, but do it manually via pkg with a postinstall script so it's not tied to MDM. The JSS still gathers the UUID of the profiles, so you can send out a removal command for that profile once the updated MDM gets pushed and the subsequent WIFI profile is sent.

If you manage iOS you are out of luck for a smooth change of url. Re-enroll is the answer.

JDS's would also have to be re-enrolled if used.

TLDR: Create new DNS entry, keep old dns entry so clients can still hit jss, push wifi via non-mdm method, change url in JSS, fix ssl cert so CN=new url, sudo jamf removeMdmProfile to remove old mdm profile with old url, sudo jamf mdm to download updated mdm profile with new url.

Poseiden
New Contributor III

Thanks @mike.paul

My new plan:

  1. Add a DNS entry = jss.domain.com
  2. Change the URL in the JSS settings and change Tomcat certificate.
  3. Create a policy that would remove the MDM and re-enroll it
  4. Keep the old DNS active

ammonsc
Contributor II

@Poseiden Raising an old post from the grave I know but.... did the final plan work for you?

SFRANCIS004
New Contributor III

We discovered that we can't enroll iPads because the URL is not using the FQDN.

Thinking if we added an entry in the host file for the FQDN, then run jamf createconf the machines could still contact the JSS.

We're running JAMF 10.11, so any help is appreciated.

vfsupport_mac
New Contributor

Hi All,

I know this is an old post, but I am having an issue changing the Jamf URL. I have followed the steps below.

1) DNS entry created for New URL. Both old and new url are getting resolved.
2) Changed the url in Jamf Pro settings - Jamf Pro URL and changed the tomcat certificate then restarted tomcat.
3) I am using Jamf inbuilt certificates for both old and new url.

Now when devices try to connect to Jamf, I am getting "The jamf binary could not connect to the JSS because the web certificate is not trusted."

Any clues on how to resolve this situation will be helpful.

vfsupport_mac
New Contributor

Issue resolved, and we were able to migrate all clients to the new URL without re-enrolment.

Adding to the above steps: created a public certificate with both the new and old URLs, and clients started communicating with the Jamf server.
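
A way to check the condition this fix depends on, as an added example that is not part of the original thread: it tests whether a certificate is valid for both the old and the new JSS hostname before clients are pointed at it. The function names are hypothetical, the two certificates are throwaway self-signed ones constructed for the demo, and OpenSSL 1.1.1 or later is assumed (for `-addext`).

```shell
#!/bin/sh
# Added example: hostnames are the ones from the thread; the certificates are
# throwaway self-signed test certs constructed here, not real Jamf certificates.
OLD_HOST="jss.crop.domain.com"
NEW_HOST="jss.domain.com"

# cert_covers CERT_PEM HOST: succeeds only if the certificate is valid for HOST.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# missing_names CERT_PEM HOST...: print every HOST the certificate does not cover.
missing_names() {
    cert=$1; shift
    for h in "$@"; do
        cert_covers "$cert" "$h" || printf '%s\n' "$h"
    done
}

# fetch_server_cert HOST PORT OUT_PEM: save the certificate a live server presents
# (not called below, so the demo runs offline).
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# make_test_cert OUT_PEM HOST...: self-signed cert whose SAN lists every HOST.
make_test_cert() {
    out=$1; shift
    san=""
    for h in "$@"; do san="${san:+$san,}DNS:$h"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout /dev/null \
        -out "$out" -subj "/CN=$1" -addext "subjectAltName=$san" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp/new_only.pem" "$NEW_HOST"
make_test_cert "$tmp/both.pem" "$NEW_HOST" "$OLD_HOST"

for c in new_only both; do
    gaps=$(missing_names "$tmp/$c.pem" "$OLD_HOST" "$NEW_HOST" | tr '\n' ' ')
    echo "$c.pem: ${gaps:-covers both names}"
done
```

Against a running server, `fetch_server_cert jss.domain.com 8443 live.pem` followed by `missing_names live.pem "$OLD_HOST" "$NEW_HOST"` applies the same check to the certificate Tomcat actually serves.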



How did you get the cert down to the computers?

karthikeyan_mac
Valued Contributor

@vfsupport_mac did you check the MDM profile renewal after migration?

vfsupport_mac
New Contributor

@karthikeyan_mac The MDM profile is going to expire on a few devices this month, and I am seeing an MDM renewal issue on a few devices.