Connect to APPLE via /etc/hosts possible ?

ErgodirektMac
New Contributor III

Hello, everybody,
we currently have the following problem:
We would like to configure our JAMF server so that all Apple updates go through the JAMF - as it should be. However, a colleague from Security does not want to release the corresponding ports (443, 2195, 2196, 5233) into the Apple network (17.0.0.0/8) under any circumstances. He is of the opinion that we could let the iMacs communicate with the JAMF in the network quite normally via LAN, since the JAMF is also in our network. The clients will communicate with Apple via the WLAN of the devices and a modified /etc/hosts.
Is that so feasible?
The whole thing is relatively urgent as we have a project for it.
Thank you very much for all your feedback and tips.

Best regards,
Frank


bran
New Contributor III

Following this document for an on-premise deployment, https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro, is a requirement for Apple MDMs to fully function. This is not a Jamf limitation; rather, it is factually how Apple's MDM functions work. MDMs work symbiotically alongside Apple services. MDM is not a replacement for Apple services; instead it complements and/or controls them. I think your best plan of action would be to work with your Jamf reps and Apple reps to have them provide your security team with some confidence. IBM, Walmart, and many other behemoths have opened their networks to Apple. I don't know your threat model, but I'd assume it's easier going than theirs.

ErgodirektMac
New Contributor III

Thank you very much for the answer and the link.
I have already passed on all the documentation with the corresponding ports to my colleagues. Unfortunately, he's pretty consulting-resistant in that respect.

DanielMa
New Contributor III

Strongly recommend having a watch of this presentation as well:
https://www.youtube.com/watch?v=Z-Lg9uBbmfk

Some things to note:
2195 and 2196 are from the Jamf server, not the clients.
Clients will be on 5223 first and will fall back to attempt on 443 if 5223 is blocked and they are on Wi-Fi.
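To turn the two points above into something the Mac admin can actually check before the security review, here is an added script (not from this thread, not Jamf's or Apple's own tooling) that probes the client-side APNs path described by DanielMa: try 5223 first, fall back to 443, and report "blocked" if neither answers. It also resolves the APNs hostname and checks whether the addresses fall inside the 17.0.0.0/8 range from the original question, which is the point of the /etc/hosts idea: whatever name the client uses, the connection still targets an address in Apple's network, so the firewall rule is what decides. The APNs hostname `courier.push.apple.com` and the Jamf Pro port 8443 are assumptions from general Apple and Jamf documentation, and the Jamf server name is a placeholder.

```python
"""Probe the network path a Jamf-managed Mac needs to reach Apple push (APNs).

Added example, not part of the thread. Assumptions are marked inline.
"""
import ipaddress
import socket

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")  # range named in the original question
APNS_HOST = "courier.push.apple.com"            # assumption: Apple's client push endpoint
APNS_PRIMARY_PORT = 5223                        # client tries this first (DanielMa's post)
APNS_FALLBACK_PORT = 443                        # fallback when 5223 is blocked on Wi-Fi
JAMF_SERVER = "jamf.example.internal"           # placeholder: your own Jamf Pro host
JAMF_PORT = 8443                                # assumption: Jamf Pro default client port


def in_apple_net(ip_text):
    """True when the address lies in 17.0.0.0/8, i.e. the Apple network the firewall blocks."""
    return ipaddress.ip_address(ip_text) in APPLE_NET


def resolve(host):
    """Resolve host to its IPv4 addresses; empty list if resolution fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def apns_path(primary_ok, fallback_ok):
    """Which path a client would end up on: '5223', '443-fallback', or 'blocked'."""
    if primary_ok:
        return "5223"
    if fallback_ok:
        return "443-fallback"
    return "blocked"


def report(probe=probe_tcp, resolver=resolve):
    """Run the checks; probe/resolver are injectable so the logic can be tested offline."""
    addrs = resolver(APNS_HOST)
    return {
        "apns_addresses": addrs,
        # None when we could not resolve; otherwise whether every address is in 17.0.0.0/8
        "apns_in_17_8": all(in_apple_net(a) for a in addrs) if addrs else None,
        "apns_path": apns_path(
            probe(APNS_HOST, APNS_PRIMARY_PORT), probe(APNS_HOST, APNS_FALLBACK_PORT)
        ),
        "jamf_reachable": probe(JAMF_SERVER, JAMF_PORT),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it from a client on the LAN and again on the Wi-Fi the question proposes; an `apns_path` of `blocked` on the LAN is exactly the condition the thread says makes enrollment and management fail, and `apns_in_17_8: True` shows that an /etc/hosts entry would not move the traffic out of the range the security colleague is blocking.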

gachowski
Valued Contributor II

As Bran said... you have to follow the Apple rules or your Apple program is never going to be successful.

https://support.apple.com/en-us/HT203609
https://support.apple.com/en-us/HT202944

This isn't really an option. If the ports and ranges are not open, then you can't manage macOS or iOS. If the security team is the blocker, I would recommend you document that they don't want to follow the Apple rules and then push it up to your manager.

C

PS: I haven't looked in a while, but in the past I think Apple dropped support of /etc/hosts... only about 40% sure... but with the changes coming in Catalina I don't think you can edit any system files.

PPS: Everyone thinks they know how to manage macOS, but it's not 100% Unix anymore, and doing something that isn't default Apple support or Jamf support is going to cause issues in the long run.