Getting access to our JSS from a rom with no web access...

Hello Eric,

I can see a couple of options (none ideal).

1) Target disk imaging which would mean image each machine one-by-one via Thunderbolt Cable. You could do this on your machine and just connect each OS X client that needs imaged.

2) Export the JSS, and replicate the ENTIRE environment in your LAN. This would mean you need to copy one of the SQL exports that are currently being saved into /Library/JSS/..... folder and import that database to your isolated LAN server. Also, be sure to replicate DNS and DHCP functionality on your LAN so the clients point to the correct servers hosting the JSS and distribution points. You don't want to hand modify the sql database or add additional distribution points as the clients need to talk to the correct environment.

EVEN with that! At the end of imaging the clients haven't REALLY enrolled themselves to your JSS, thus you may need to re-run the QuickAdd package once they are off your isolated LAN.

Both of these are completely ugly and overcomplicated for a couple of ports. But that is just IMHO.

- Justin

Thanks, what about setting up some sort of proxy server on the distribution point?

I had a similar setup in a prior job. What we did was put a dedicated NIC in the JSS and put it on a separate, isolated vlan along with a switch that was in our deployment area. The vlan had access to IT's central DHCP services and that's about it. As the JSS was also the Software Update server, it would let us deploy and fully patch a machine before it got onto the general use LAN.

What IP DNS name did you give the second NIC. Was the machine able to respond to DNS or do you Casper imaging via IP? Thanks!

Oh, you know what? We allowed DNS as well. It's such a basic thing that stuff breaks if you block it. (e.g. newly imaged clients trying to check in with the JSS for the first time)

I'm not 100% certain I'm hearing your question properly, but from what I understand you're saying that:

1) you have a dedicated deployment room with a server that is currently running Deploy Studio.
2) The Deploy Studio server is going to become a Casper Replica.
3) The network from the deployment room is not connected to the main LAN, and that is not desired by your boss.

Unfortunately point 3 really isn't negotiable - unless I'm really missing something in my understanding of Casper, you simply CAN NOT use Casper to deploy computers without the clients being able to talk directly to the JSS. So you absolutely MUST have some kind of connection to the JSS, either via the Casper replica NATing a connection from the LAN to the deployment computers, or a direct connection to the JSS via a second NIC (which might be fun with DNS and dual NICs).

I would suggest something similar to what we do here - we have mobile imaging laptops running OS X Server that move from school to school. Because we want to keep imaging and deployment traffic off of the school LANs, we've configured the servers as NAT routers with a private subnet for imaging.

Basically, a tech brings in the portable server, makes sure it has a WiFi connection. The server is configured to provide DHCP, DNS, NAT Routing, Netboot and AFP for the Casper replica to a private network off it's ethernet port. This keeps MOST of the traffic off the LAN, but does allow the passthrough to the JSS that is required for Casper enrolment and policies.

Because you have a Server between the LAN and the private deployment subnet, if you REALLY need to ensure that all traffic EXCEPT to the JSS is kept off the LAN, you could even configure the Firewall on the Replica server to prevent anything from the private Subnet except traffic to the JSS.

The challenge of late has been that newer versions of OS X Server seem to be making NAT and DHCP more and more difficult to configure and less reliable, so I'm currently working on a promising pilot project to utilize JAMF's NetSUS appliance on a build of Ubuntu Server that we then configure DHCP, DNS and NAT routing onto.

Basically the topology would look something like:

JSS and main LAN |
Casper Replica (Configured with NAT, DNS, DHCP, Netboot and AFP) |
(Private subnet - ie: 192.168.x.x or 10.x.x.x)

You would then take client workstations into the deploy room, plug them into a switch connected to your Casper Replica server and netboot. The computer would boot off the private subnet direct from the Replica server, talk to the DNS on the Replica server to get the JSS address, communicate through the Replica via NAT to the JSS to get it's needed info. When you went to image or run policies, the workstation would talk to the JSS through the Replica NAT, find it's Network info and determine that the best replica point is the Replica right there, and pull all it's packages / images / scripts via the local private network. You can even configure the Replica to be an Apple Software Update server so you can run updates as well and keep most of that off the main LAN.

Unlike Deploy Studio though, you absolutely MUST have that connection to the JSS or the machines won't even let your run Casper Imaging, or enroll, or run profiles. That part is not negotiable, even if your boss doesn't want to allow the connection. He simply has to for it to work.

Hope that at least gives you some food for thought.

Jeff