Created new APNS Cert for Internal JSS, how about DMZ JSS APNS Cert?

johnklimeck
Contributor II

Just Created new APNS Cert for Internal JSS, how about DMZ JSS?

DMZ JSS is appliance (JSS tomcat) instance only connecting to internal JSS with main database.

I believe it has to be the same exact JAMFSignedCSR.plist from internal JSS and MDM_ JAMF Software, LLC_Certificate.pem for DMZ JSS.

I tried to use just a newly downloaded JAMFSignedCSR.plist and new MDM_ JAMF Software, LLC_Certificate.pem, and I got a message about a new "topic" having to re-enroll, Cancelled that right away.

I suppose just I need just the MDM_ JAMF Software, LLC_Certificate.pem

thx in advance

5 REPLIES 5

bradtchapman
Valued Contributor II

If you have an internal and a DMZ instance, they must be configured as a cluster. They also need to have the same host name record internally as well as externally. Finally, you will need an SSL certificate from a publicly verifiable authority like Symantec, Entrust, VeriSign, etc. This is the only way that your managed clients will be able to verify and trust the JSS both inside and outside the network.

bradtchapman
Valued Contributor II

Oh... I just realized that I told you about web SSL certs, but you asked about APNS. If your environment is in a cluster, the APNS certificate is valid for all nodes.

daz_wallace
Contributor III
Contributor III

@bradtchapman has it right.

If you're running two (or more) JSS instances that are linked to the same database, then you only need the one APNs certificate for the whole lot.

Hope that helps!

Darren

guidotti
Contributor II

Sorry to revive an old thread - do I need to configure my DMZ JSS to be able to reach APNS over 2195 and 2196 also?
The internal one is already setup that way.

Thanks!
-Bruce

bradtchapman
Valued Contributor II

It would be a good idea to ensure that all nodes can reach APNS. Configuration Profiles and device management commands are sent by the JSS that triggered them, not by the designated Master JSS.

You may have a case where a newly enrolled or reënrolled device's first encounter with the JSS is on the outside, and the DMZ will be the one generating the MDM payloads for that device.