File Share Distribution point

New Contributor III

Hey folks.

We've just set up our Jamf server. Running on-prem, an Ubuntu 16.0.4 LTS server VM. MySQL and Apache Tomcat running on the same box. We have approximately 300 Mac clients.

Now onto the topic:

We're internally discussing the file share distribution options. Is there any best practice regarding the distribution point? Is there any advantage of keeping the share on the same Jamf Pro server? Or should you aim to keep Jamf Pro and distribution points separate from each other? I know mileage varies, but I'm curious to see how the environment looks for my fellow admins.


Valued Contributor III

For what it's worth we have 1500 clients and 4 DP servers but that is mainly to deal with redundancy and geographic location requirements (1 major site and two satellite sites). It seems to get the job done with no issues.
You really want at least two though, as there is a built-in failover function for packages and a second server would allow this to function correctly. With only one server I think any network/server interruption would result in failed packages, but a second server with failover may well allow it to succeed.

Valued Contributor

Agree with previous response - ideally you'll want at least two file distribution points, primarily for redundancy, but then you can plan them for geographic needs, or others - I actually run some on SMB and some on AFP, just because we occasionally run into network configuration issues at field sites or VPN where a network admin may have blocked a port - having multiple options both on servers and on protocols available = failover.

Valued Contributor II

Best practice would be to keep them apart. In a perfect world you'd have one of two models:

JSS - Somewhere in a DC, or cloud
FSDP - In office(s) or schools
HTTPSFS - Failover for the fsdp
Bonus points when you have these set up to auto-replicate from your master. Drop your package in Casper Admin once, or through Finder, and then add through Casper Admin on the web and profit.

JSS - Somewhere in a DC, or cloud
HTTPSFS - Cloud somewhere where everyone hits (this model depends on beefier bandwidth connections)

While I agree with @Taylor.Armstrong, it's important to note that 10.13 AFP is deprecated in preference for SMB.

While SMB is "secure" it's not something you should be doing over the web.

Valued Contributor

^^ Agreed... we're still on 10.12 so I forget. Our AFP will transition to HTTPS when we do.

Valued Contributor III

Definitely separate the JSS and the DP at a minimum; that way you don’t strain your JSS itself.

From that piece of advice, the sky’s the limit. You could have an internal and external DP if needed or if your network topology has weaker links, you could put a DP closer to your clients.

In our case, we have one strong internal DP that adequately serves our Macs and an external DP hosted in Azure to service policies I want run while off network.

Valued Contributor

We have redundant FSDP in each of our major geographic locations. And in Jamf Pro we have it configured so users in those locations use the local primary, fail over to the local secondary, then fail over to either another close geographic FSDP's primary or to our master FSDP (which has a secondary to fail over to). In a worst-case scenario the user would never know that they've bounced through a few servers before finding one that works - well, except for the speed of downloading packages from halfway around the planet.