Skip to main content
Question

DEP enrolments with Jamf in DMZ

  • January 15, 2020
  • 6 replies
  • 47 views
J
Forum|alt.badge.img+14

Hello,

We're in the process of placing Jamf in our DMZ for external client access. We already remove devices from our DEP instance when they are retired/e-wasted. However, this isn't a perfect process and I'm sure we'll have a few machines missed along the way.

This isn't an issue currently as the JSS is not exposed to the internet and therefore don't enrol, but it will be once we complete the project. I'm wondering how other organizations mitigate this. I thought about enabling the PreStage "Require authentication" checkbox which would then allow the tech to authenticate and then enrol the machine. We'd probably use a local user account with enrolment privileges as our AD/LDAP are not exposed (and can't be).

Has anyone done this, or are there better ways to get around this issue? For those that have the checkbox enabled, does it prompt before DEP enrolment triggers?

Thanks,
Justin.

    6 replies

    wmehilos
    Forum|alt.badge.img+11
    • wmehilos
    • Valued Contributor
    • January 15, 2020

    The auth prompt does appear before enrollment happens, and it won't proceed unless the auth is successful.

    J
    Forum|alt.badge.img+14
    • jtrant
    • Author
    • Honored Contributor
    • January 15, 2020

    Thanks, it sounds like this might be the best way forward. Do you guys use a local JSS account for enrolments such as this?

    A
    Forum|alt.badge.img+18
    • alexjdale
    • Contributor
    • January 15, 2020

    I think it has to be LDAP, or SSO for Catalina. Sadly it works for any LDAP user in your directory, and I don't know of any way to restrict it. SSO is the way to go for security, especially off-network for a DMZ server.

    wmehilos
    Forum|alt.badge.img+11
    • wmehilos
    • Valued Contributor
    • January 16, 2020

    The LDAP auth at the enrollment pane is actually talking only to your Jamf server, which I'd imagine has the ability to contact your LDAP server on the inside, right? Our LDAP/AD servers aren't visible to the outside world either but I've had to ship Macbooks to remote employees and they've managed to set everything up fine (only our on-site lab PreStages don't require auth at enrollment), even if they were 1000mi away. You aren't actually authing against your domain, you're sending those credentials to your Jamf server, which then checks with LDAP to see if they're valid or not. It's only meant to be a simple "has this user had their account deactivated" check.

    E
    Forum|alt.badge.img+8
    • evaldes
    • New Contributor
    • January 16, 2020

    if you can't expose your LDAP... do you have any cloud identity providers... like Azure , ping, etc? I believe you can use those to authenticate to your JSS.

    A
    Forum|alt.badge.img+18
    • alexjdale
    • Contributor
    • January 16, 2020

    I missed that part of the discussion. I can confirm that your JSS uses its own LDAP connection during the DEP enrollment process, the device isn't performing the LDAP query directly (that could be spoofed pretty easily, I imagine). It's just talking to the JSS, which then talks to your configured LDAP server.

    Terms & ConditionsCookie settingsAccessibility statement