JSS and 2FA

Hi, 2FA is a current feature request that in under review (https://jamfnation.jamfsoftware.com/featureRequest.html?id=346). The JSS really needs it!

I don't think you can have different ports for management and administration unfortunately, unless there is a clever networking way around it. You can have a limited access JSS though so clients check in to one tomcat server that doesn't offer the web console, but have another for admins to access that is secured away.

Personally, I'd like the option for different URLs for device management and It administration.

If you have a very specific bit of information you would like the support staff to access you could extract it using the API instead. That way they wouldn't need to log in to the web interface at all.

You could have the main JSS console available only on/to a specific subnet. Use a Limited Access JSS and have the clients communicate with it.

I've done something similar for a Fortune 50 company, where they wanted the JSS in a public-facing DMZ but did NOT want the management console exposed to the Internet, or even most of their internal network.

I'll second @RobertHammen thats, what we do. Everyone & Admin tools check into the public JSS. Which runs limited access. The private JSS which holds the data, can talk to the public and vice versa. But admins can only access the GUI for the admin through a different DNS.

- RD

Yeah, I am essentially looking at an internal DMZ configuration, treating the internal network as hostile. I was hoping I could route API and web console traffic to another port so I could segregate the traffic (limiting console/API access to a secure subnet with 2FA jump points, only allowing client communication traffic through the firewall). Adding a limited-access JSS and clustering them is certainly doable, but it's a unique situation where re-architecting, ordering new hardware, and testing/validation don't fit into the schedule.

I was wondering if there is an installation guide on how to set this up?