Posted on 01-15-2020 10:47 AM
Hello,
We're in the process of placing Jamf in our DMZ for external client access. We already remove devices from our DEP instance when they are retired/e-wasted. However, this isn't a perfect process and I'm sure we'll have a few machines missed along the way.
This isn't an issue currently as the JSS is not exposed to the internet and therefore they don't enrol, but it will be once we complete the project. I'm wondering how other organizations mitigate this. I thought about enabling the PreStage "Require authentication" checkbox, which would then allow the tech to authenticate and then enrol the machine. We'd probably use a local user account with enrolment privileges as our AD/LDAP are not exposed (and can't be).
Has anyone done this, or are there better ways to get around this issue? For those that have the checkbox enabled, does it prompt before DEP enrolment triggers?
Thanks,
Justin.
Posted on 01-15-2020 11:19 AM
The auth prompt does appear before enrollment happens, and it won't proceed unless the auth is successful.
Posted on 01-15-2020 11:33 AM
Thanks, it sounds like this might be the best way forward. Do you guys use a local JSS account for enrolments such as this?
Posted on 01-15-2020 12:28 PM
I think it has to be LDAP, or SSO for Catalina. Sadly it works for any LDAP user in your directory, and I don't know of any way to restrict it. SSO is the way to go for security, especially off-network for a DMZ server.
Posted on 01-15-2020 07:41 PM
The LDAP auth at the enrollment pane is actually talking only to your Jamf server, which I'd imagine has the ability to contact your LDAP server on the inside, right? Our LDAP/AD servers aren't visible to the outside world either, but I've had to ship MacBooks to remote employees and they've managed to set everything up fine (only our on-site lab PreStages don't require auth at enrollment), even if they were 1000 mi away. You aren't actually authing against your domain; you're sending those credentials to your Jamf server, which then checks with LDAP to see if they're valid or not. It's only meant to be a simple "has this user had their account deactivated" check.
Posted on 01-15-2020 07:46 PM
If you can't expose your LDAP... do you have any cloud identity providers, like Azure, Ping, etc.? I believe you can use those to authenticate to your JSS.
Posted on 01-15-2020 08:36 PM
I missed that part of the discussion. I can confirm that your JSS uses its own LDAP connection during the DEP enrollment process, the device isn't performing the LDAP query directly (that could be spoofed pretty easily, I imagine). It's just talking to the JSS, which then talks to your configured LDAP server.
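The practical check the thread converges on is "does every PreStage require authentication before a DEP device can enrol", since a retired Mac that was missed in DEP cleanup will otherwise enrol the moment the JSS is reachable from the internet. The script below is an added example written for this page, not code from the thread or from Jamf. It audits the computer PreStages over the Jamf Pro API and exits non-zero if any PreStage would enrol without a credential prompt. The API paths (`/api/v1/auth/token`, `/api/v2/computer-prestages`), the `page`/`page-size` query parameters and the `requireAuthentication` field name are assumptions about the Jamf Pro API schema and should be checked against the API reference for your Jamf Pro version; the sample PreStage list is constructed so the logic can be exercised offline.

```python
"""Audit Jamf Pro computer PreStages for the 'Require authentication' setting.

Added example for this page (not Jamf's code). Endpoint paths, query
parameters and the `requireAuthentication` field are assumptions about
the Jamf Pro API; verify them against your version's API docs.
"""
import base64
import json
import sys
import urllib.request

TOKEN_PATH = "/api/v1/auth/token"            # assumed Jamf Pro token endpoint
PRESTAGES_PATH = "/api/v2/computer-prestages"  # assumed PreStage list endpoint


def find_open_prestages(prestages):
    """Return PreStages that would enrol a device with no credential prompt.

    `prestages` is the `results` list from the computer-prestages API.
    A missing `requireAuthentication` field is treated as open (fail closed
    from the auditor's point of view: flag it rather than assume it is safe).
    """
    return [
        {"id": p.get("id"), "displayName": p.get("displayName")}
        for p in prestages
        if not p.get("requireAuthentication", False)
    ]


def summarize(prestages):
    """Build a small report; `all_require_auth` is the pass/fail verdict."""
    open_prestages = find_open_prestages(prestages)
    return {
        "total": len(prestages),
        "open": open_prestages,
        "all_require_auth": not open_prestages,
    }


def fetch_prestages(base_url, username, password):
    """Live check: obtain a bearer token, then page through the PreStages."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + TOKEN_PATH, method="POST",
        headers={"Authorization": "Basic " + creds, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]

    results, page = [], 0
    while True:
        req = urllib.request.Request(
            f"{base_url}{PRESTAGES_PATH}?page={page}&page-size=100",
            headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        batch = body.get("results", [])
        results.extend(batch)
        if not batch or len(results) >= body.get("totalCount", 0):
            break
        page += 1
    return results


# Constructed sample data standing in for an API response (not real PreStages).
SAMPLE_PRESTAGES = [
    {"id": "1", "displayName": "On-site lab", "requireAuthentication": False},
    {"id": "2", "displayName": "Remote staff", "requireAuthentication": True},
    {"id": "3", "displayName": "Legacy (field missing)"},
]

if __name__ == "__main__":
    # Usage: audit.py https://jamf.example.com USERNAME PASSWORD
    # With no arguments the constructed sample data is audited instead.
    if len(sys.argv) == 4:
        data = fetch_prestages(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        data = SAMPLE_PRESTAGES
    report = summarize(data)
    print(json.dumps(report, indent=2))
    sys.exit(0 if report["all_require_auth"] else 1)
```

Run it from a scheduled job against the DMZ-facing JSS with a read-only API account and treat a non-zero exit as a finding: it catches a PreStage that was created or edited later with the checkbox off, which is the gap the "Require authentication" approach otherwise leaves open.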