Posted on 06-08-2017 07:54 AM
Just created a new APNS cert for the internal JSS; how about the DMZ JSS?
The DMZ JSS is an appliance (JSS Tomcat) instance that only connects to the internal JSS with the main database.
I believe it has to be the exact same JAMFSignedCSR.plist from the internal JSS and MDM_ JAMF Software, LLC_Certificate.pem for the DMZ JSS.
I tried to use just a newly downloaded JAMFSignedCSR.plist and a new MDM_ JAMF Software, LLC_Certificate.pem, and I got a message about a new "topic" requiring re-enrollment. Cancelled that right away.
I suppose I just need the MDM_ JAMF Software, LLC_Certificate.pem.
thx in advance
Posted on 06-08-2017 11:19 AM
If you have an internal and a DMZ instance, they must be configured as a cluster. They also need to have the same host name record internally as well as externally. Finally, you will need an SSL certificate from a publicly verifiable authority like Symantec, Entrust, VeriSign, etc. This is the only way that your managed clients will be able to verify and trust the JSS both inside and outside the network.
Posted on 06-08-2017 11:28 AM
Oh... I just realized that I told you about web SSL certs, but you asked about APNS. If your environment is in a cluster, the APNS certificate is valid for all nodes.
Posted on 06-08-2017 03:42 PM
@bradtchapman has it right.
If you're running two (or more) JSS instances that are linked to the same database, then you only need the one APNs certificate for the whole lot.
Hope that helps!
Darren
Posted on 08-29-2017 05:03 PM
Sorry to revive an old thread - do I need to configure my DMZ JSS to be able to reach APNS over 2195 and 2196 also?
The internal one is already set up that way.
Thanks!
-Bruce
Posted on 08-29-2017 06:43 PM
It would be a good idea to ensure that all nodes can reach APNS. Configuration Profiles and device management commands are sent by the JSS that triggered them, not by the designated Master JSS.
You may have a case where a newly enrolled or reënrolled device's first encounter with the JSS is on the outside, and the DMZ will be the one generating the MDM payloads for that device.
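The reachability check the last two replies discuss, as an added example that is not part of this thread and not Jamf's own tooling: a small script to run on each node (internal and DMZ) that tries to open a TCP connection to the APNs endpoints on ports 2195 and 2196. The ports come from the thread; the hostnames gateway.push.apple.com and feedback.push.apple.com are assumptions taken from Apple's legacy APNs documentation, so confirm them against the current Jamf and Apple requirements for your JSS version before treating the result as authoritative.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: verify that this JSS node can reach the
# APNs endpoints on the ports the thread mentions (2195 and 2196).
# Hostnames below are assumed from Apple's legacy APNs documentation.

# Assumed legacy APNs endpoints as "host:port" pairs.
APNS_ENDPOINTS="gateway.push.apple.com:2195 feedback.push.apple.com:2196"

# check_port HOST PORT -> returns 0 if a TCP connection opens within 5 seconds.
# Uses bash's /dev/tcp so nothing extra (nc, telnet) is needed on the appliance.
check_port() {
    host="$1"
    port="$2"
    if command -v timeout >/dev/null 2>&1; then
        timeout 5 bash -c "exec 3<>/dev/tcp/${host}/${port}" >/dev/null 2>&1
    else
        bash -c "exec 3<>/dev/tcp/${host}/${port}" >/dev/null 2>&1
    fi
}

# check_endpoints "host:port host:port ..." -> prints one line per endpoint and
# returns the number of endpoints that could not be reached (0 means all good).
check_endpoints() {
    failures=0
    for ep in $1; do
        host="${ep%%:*}"
        port="${ep##*:}"
        if check_port "$host" "$port"; then
            printf 'OK        %s:%s\n' "$host" "$port"
        else
            printf 'BLOCKED   %s:%s\n' "$host" "$port"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

main() {
    check_endpoints "$APNS_ENDPOINTS"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "All APNs endpoints reachable from $(hostname)."
    else
        echo "$rc APNs endpoint(s) blocked from $(hostname); check firewall rules."
    fi
    return "$rc"
}

# Only run the live check when invoked with --check, so the file can also be
# sourced to reuse check_port / check_endpoints in other scripts.
case "${1:-}" in
    --check) main ;;
esac
```

Run it as `bash apns_check.sh --check` on the internal node and again on the DMZ node; a nonzero exit status on either node means at least one endpoint is blocked from that node, which matters because the node a device first contacts is the one that will send its MDM commands.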