When setting up the above, Which port is used to communicate between the jamf IM and the JSS when running 'sudo jamf-im enrol'. ??
I am receiving 'connection refused' when trying to run...
BTW, Jamf support seems to be getting worse as the days go by...
Here is the last reply from them to the above request.....
Every port can be configured to be used if it is equal to or greater than 1024.
The recommended one is 8389.
Have a nice day!
jamf-im enroll to me would mean more connection refused connecting to your JSS.
Jamf has a guide of ports used by their suite. Scroll down to the Infrastructure Manager part and take a read. You may need to open a few more ports
During installation, the Jamf Infrastructure Manager (JIM) installer will attempt to connect to your Jamf Cloud instance on port 443 to enroll itself. It's effectively enrolling itself similar to how a Mac would enroll itself.
Once communication is established, your Jamf Cloud instance will reach out to JIM on port 8389 by default. That port is modifiable from within the LDAP server's settings in Jamf Cloud and any port from 1024 and higher can be used.
Are you receiving "connection refused" when trying to install JIM or is Jamf Cloud receiving that message attempting to connect to JIM?
@kerouak, the JIM will rely on the SSL cert of the Jamf Cloud server for encrypted communications during enrollment. A client certificate is generated during enrollment for verifying the client's authenticity while handing LDAP requests.
If you re-enroll your JIM with Jamf Cloud, a new client certificate gets generated each time.
I'm not familiar enough with JIM's workings to be able to say whether communication is originated by Jamf Cloud to JIM or if JIM is keeping a persistent connection open with Jamf Cloud (similar to push notification or Mac/iOS APNs push connection).
Based on my observations, the Jamf Infrastructure Manager (JIM) checks in every 30 seconds with its associated Jamf Pro server so that the JPS knows that the JIM is active and at what address and port the JIM is able to receive LDAP traffic. The Jamf Pro server then communicates LDAP queries as needed to the JIM via the encrypted channel set up between the two.
I have a couple of posts on the JIM available via the links below:
From an infrastructure perspective the JIM must be available on the internet as it isnt supported to work behind a firewall (assuming your JSS is in the cloud). If your JSS isnt in the cloud then JIM isnt necessary. However, if you need it to work behind a DMZ or firewall, this worked for us:
Create external DNS name with the same name as your JIM server in the DMZ and have it resolve to the external IP of the JIM server.
Open inbound ports 80, 443, 8389 (or whatever you configure) from external IP to the JIM server in the DMZ (no port translation across DMZ).
Open outbound ports (all) from JIM server to external IP in your DMZ firewall config.
Open LDAP ports from JIM server in DMZ to appropriate Domain Controller in your internal network (multiple domains need one JIM server per domain).
Configure your JIM and it should register into the JSS.
Configure JSS LDAP options for your JIM server and the mappings.
Should work (as it did for us) , good luck.