we currently have the following problem:
We would like to configure our JAMF server so that all Apple updates go through the JAMF - as it should be. However, a colleague from Security does not want to release the corresponding ports (443, 2195, 2196, 5233) into the Apple network (220.127.116.11/8) under any circumstances. He is of the opinion that we could let the iMacs communicate with the JAMF in the network quite normally via LAN, since the JAMF is also in our network. The clients will communicate with Apple via the WLAN of the devices and a modified /etc/hosts.
Is that feasible?
The whole thing is relatively urgent as we have a project for it.
Thank you very much for all your feedback and tips.
Following this document for an on-premise deployment https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro is a requirement for Apple MDMs to fully function. This is not a Jamf limitation; rather, it is factually how Apple's MDM functions work. MDMs work symbiotically alongside Apple services. MDM is not a replacement for Apple services; instead it complements and/or controls them. I think your best plan of action would be to work with your Jamf reps and Apple reps to have them provide your security team with some confidence. IBM, Walmart, and many other behemoths have opened their networks to Apple - I don't know your threat model, but I'd assume it's easier going than theirs.
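A way to turn the port discussion above into evidence, as an added example that is not from the thread or from Jamf: a small Python probe, run from a managed Mac, reports per host and port whether an outbound TCP connect succeeds, is actively refused, or silently times out (what a firewall drop looks like). The hostnames are assumptions to be checked against Jamf's network-ports article; the question writes 5233, but Apple's APNs client port is 5223, with 443 as the documented fallback.

```python
"""Probe outbound TCP reachability for the ports named in the thread (added example).
Hostnames are assumptions; verify them against Jamf's network-ports article."""
import socket

# Constructed check list. Hosts are placeholders, not taken from the thread.
# The question lists 5233; Apple's APNs client port is 5223, so that is used here.
CHECKS = [
    ("jamf.example.internal", 443),    # Jamf Pro on the LAN (placeholder name)
    ("courier.push.apple.com", 5223),  # APNs from the client
    ("courier.push.apple.com", 443),   # APNs fallback when 5223 is blocked
    ("gateway.push.apple.com", 2195),  # provider-side ports from the question;
    ("feedback.push.apple.com", 2196), # the Jamf server, not the clients, uses these
]

def tcp_reachable(host, port, timeout=3.0):
    """Return (status, detail); status is 'open', 'refused', 'timeout' or 'dns'."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns", str(exc))
    result = ("dns", "no addresses returned")
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            return ("open", f"{sockaddr[0]}:{sockaddr[1]}")
        except socket.timeout:
            # No SYN-ACK and no RST within the timeout: typical of a silent drop.
            result = ("timeout", f"{sockaddr[0]}:{sockaddr[1]} no answer in {timeout}s")
        except OSError as exc:
            result = ("refused", f"{sockaddr[0]}:{sockaddr[1]} {exc.strerror or exc}")
    return result

def run_checks(checks, timeout=3.0):
    """Probe every (host, port) pair; print one line each and return {'host:port': status}."""
    results = {}
    for host, port in checks:
        status, detail = tcp_reachable(host, port, timeout)
        results[f"{host}:{port}"] = status
        print(f"{status:<8} {host}:{port}  {detail}")
    return results

if __name__ == "__main__":
    run_checks(CHECKS)
```

A 'timeout' result on the Apple ports from the LAN, next to 'open' on the Jamf server, is the concrete picture to put in front of the security team.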
As Bran said... you have to follow the Apple rules or your Apple program is never going to be successful.
This isn't really an option; if the ports and ranges are not open, then you can't manage macOS or iOS. If the security team is the blocker, I would recommend you document that they don't want to follow the Apple rules and then push it up to your manager.
PS: I haven't looked in a while, but in the past I think Apple dropped support for /etc/hosts ... only about 40% sure ... but with the changes coming in Catalina I don't think you can edit any system files.
PPS: Everyone thinks they know how to manage macOS, but it's not 100% Unix anymore, and doing something that isn't default Apple support or Jamf support is going to cause issues in the long run.