JSS and 2FA

alexjdale
Valued Contributor III

Has anyone had to apply 2FA to their JSS authentication (presumably through a proxy because I do not believe the JSS supports it) to control access to the console? On a related note, is it possible to configure the JSS web console to run over a different port than client communication and has anyone done that?

We're potentially going to have to zone off our JSS to limit admin access to it, so I'm researching the impact of that. I'm also going to look into clustering and creating a read-only JSS if that's possible (so support staff can pull recovery keys without requiring them to 2FA into the zoned-off JSS, without letting anyone make policy changes from that JSS).


davidacland
Honored Contributor II

Hi, 2FA is a current feature request that is under review (https://jamfnation.jamfsoftware.com/featureRequest.html?id=346). The JSS really needs it!

I don't think you can have different ports for management and administration unfortunately, unless there is a clever networking way around it. You can have a limited access JSS though so clients check in to one tomcat server that doesn't offer the web console, but have another for admins to access that is secured away.

Personally, I'd like the option for different URLs for device management and IT administration.

If you have a very specific bit of information you would like the support staff to access you could extract it using the API instead. That way they wouldn't need to log in to the web interface at all.
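The approach davidacland describes, pulling a single record through the Classic API with a dedicated read-only account instead of giving support staff the web console, as an added example that is not part of the thread or of Jamf's own code. The `/JSSResource/computers/serialnumber/{serial}/subset/general` endpoint and the HTTP Basic authentication it uses are real Classic API behaviour; the JSS URL, the account name, the serial number and the XML response embedded below are constructed for illustration. Only the `general` subset is shown here; whether a FileVault recovery key is reachable this way depends on the JSS version and is not covered by this example.

```python
import base64
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a Classic API response for the "general" subset.
# This is illustrative data, not captured from a real JSS.
SAMPLE_COMPUTER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<computer>
  <general>
    <id>42</id>
    <name>helpdesk-test-mac</name>
    <serial_number>C02EXAMPLE01</serial_number>
    <udid>00000000-0000-0000-0000-000000000042</udid>
    <last_contact_time>2015-06-01 09:12:00</last_contact_time>
  </general>
</computer>
"""

# Fields a support tech would typically need; everything else is dropped
# so the script never has to handle (or log) data it was not asked for.
WANTED_FIELDS = ("id", "name", "serial_number", "udid", "last_contact_time")


def build_request(jss_url, username, password, serial):
    """Build a GET for one computer record, looked up by serial number.

    The account used here should be a JSS user with read-only privileges on
    computer records and nothing else (assumed setup, configured in the JSS).
    """
    # Quote the serial so a crafted value cannot alter the request path.
    path = "/JSSResource/computers/serialnumber/%s/subset/general" % (
        urllib.parse.quote(serial, safe=""))
    creds = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    req = urllib.request.Request(jss_url.rstrip("/") + path)
    req.add_header("Authorization", "Basic " + creds)
    # Classic API returns JSON or XML depending on the Accept header.
    req.add_header("Accept", "application/xml")
    return req


def parse_general(xml_bytes):
    """Extract the wanted fields from a Classic API <computer> response."""
    root = ET.fromstring(xml_bytes)
    general = root.find("general")
    if general is None:
        raise ValueError("response has no <general> element")
    return {field: (general.findtext(field) or "") for field in WANTED_FIELDS}


def fetch_general(jss_url, username, password, serial, opener=None):
    """Perform the lookup against a live JSS. Python's urllib verifies the
    server certificate by default, so the JSS must present a trusted cert."""
    req = build_request(jss_url, username, password, serial)
    opener = opener or urllib.request.build_opener()
    with opener.open(req, timeout=30) as resp:
        return parse_general(resp.read())


if __name__ == "__main__":
    # Offline demonstration using the constructed sample response.
    req = build_request("https://jss.example.com:8443/", "apireader", "s3cret",
                        "C02EXAMPLE01")
    print("Would request:", req.full_url)
    for key, value in sorted(parse_general(SAMPLE_COMPUTER_XML).items()):
        print("%-18s %s" % (key, value))
```

Run it against a real server with `fetch_general("https://your.jss:8443", "apireader", password, serial)`. Because the account only has read access to computer records, a compromised support workstation yields at most inventory data, not the ability to change policies, which is the separation the thread is after.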

RobertHammen
Valued Contributor II

You could have the main JSS console available only on/to a specific subnet. Use a Limited Access JSS and have the clients communicate with it.

I've done something similar for a Fortune 50 company, where they wanted the JSS in a public-facing DMZ but did NOT want the management console exposed to the Internet, or even most of their internal network.

rderewianko
Valued Contributor II

I'll second @RobertHammen, that's what we do. Everyone and admin tools check into the public JSS, which runs limited access. The private JSS, which holds the data, can talk to the public one and vice versa. But admins can only access the admin GUI through a different DNS name.

- RD

alexjdale
Valued Contributor III

Yeah, I am essentially looking at an internal DMZ configuration, treating the internal network as hostile. I was hoping I could route API and web console traffic to another port so I could segregate the traffic (limiting console/API access to a secure subnet with 2FA jump points, only allowing client communication traffic through the firewall). Adding a limited-access JSS and clustering them is certainly doable, but it's a unique situation where re-architecting, ordering new hardware, and testing/validation don't fit into the schedule.

amarks
New Contributor

I was wondering if there is an installation guide on how to set this up?