JSS and App Transport Security in OS X 10.11

dpenny
New Contributor III

Has anyone been able to successfully connect to the JSS web interface using Mac OS X 10.11? We are unable to connect to the JSS via the web or when using Apple Configurator 2. Based on the error messages we are receiving it looks like the JSS does not adhere to what Apple has deemed as "best practices" for web security. I'm sure JAMF is working on this, but it makes it very difficult to test the upcoming releases. From Apple's technote on App Transport Security:

App Transport Security is a feature that requires secure connections between an app and web services. The default connection requirements conform to the best practices for secure connections. Apps can override the default behavior and turn off App Transport Security. App Transport Security is available on iOS 9.0 or later, and on OS X 10.11 and later.

and a little further down they outline what they consider best practices:

• TLS requires at least version 1.2.
• Connection ciphers are limited to those that provide forward secrecy (see below for the list of ciphers).
• The service requires a certificate using at least a SHA256 fingerprint with either a 2048-bit or greater RSA key, or a 256-bit or greater Elliptic-Curve (ECC) key.
• Invalid certificates result in a hard failure and no connection.

Unfortunately, I have not been able to find a way to globally disable ATS in Mac OS X 10.11. Does anyone have any suggestions or ideas?


chris_kemp
Contributor III

Apparently, the new configuration in 10.11 disables access to many directories in /usr, including /usr/sbin where the jamf binary is located. I imagine this is a cause of a good bit of problems. I've read that you can disable the restriction from Recovery Mode, although I haven't tried this yet:

http://apple.stackexchange.com/questions/193368/what-is-the-rootless-feature-in-el-capitan-really

dpenny
New Contributor III

Yes, that would cause problems when trying to manage a machine running 10.11, but I am just trying to access the web portal for our JSS (for example: https://jss.yourcompany.com:8443). ATS is preventing us from connecting via a browser or through Apple Configurator 2 for enrolling devices.

pwskura
New Contributor

Hi Doug,
I cannot answer the fix, but I have 10.11 15A204h connecting to our production JSS 9.72 environment from Safari. This might be related to what is described here: https://jamfnation.jamfsoftware.com/discussion.html?id=15032

dpenny
New Contributor III

@pwskura: We just upgraded to beta 3 (15A216g), but cannot connect to our production JSS 9.72 through Safari. I wonder if it has to do with the SSL certificate we are using? Could you give me the "specs" of your SSL certificate being used on your JSS? Would you be willing to send me the URL for your JSS so I can see if the login screen will load? This would at least help me verify that the problem is unique to our server configuration.

dpenny
New Contributor III

After updating our server.xml file according to the cipher list here: https://jamfnation.jamfsoftware.com/discussion.html?id=15032, we can now connect correctly using Mac OS X 10.11. Thanks for the help and suggestions.
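As an added illustration (not code from this thread, from JAMF, or from the linked discussion), here is a small audit of a Tomcat server.xml against the ATS rules quoted above: only TLS 1.2 enabled and only forward-secrecy (ECDHE) cipher suites offered. The sample server.xml is constructed inline with one weak connector and one corrected connector; the certificate requirements (SHA-256, 2048-bit RSA / 256-bit ECC) live in the keystore, not in server.xml, and are not checked here.

```python
import xml.etree.ElementTree as ET

# ATS default cipher suites (all ECDHE, i.e. forward secrecy), in the JSSE
# names that Tomcat's Connector "ciphers" attribute expects.
ATS_CIPHERS = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed sample: port 8443 is a typical pre-fix connector, 8444 is the corrected one.
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2"
             ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""

def _split(attr):
    return [v.strip() for v in attr.split(",") if v.strip()]

def audit_connector(connector):
    """Return a list of ATS findings for one <Connector SSLEnabled="true"> element."""
    findings = []
    protocols = set(_split(connector.get("sslEnabledProtocols", "")))
    if not protocols:
        findings.append("sslEnabledProtocols not set: JVM default may offer TLS 1.0/1.1")
    elif protocols - {"TLSv1.2"}:
        findings.append("protocols below TLS 1.2 enabled: "
                        + ", ".join(sorted(protocols - {"TLSv1.2"})))
    ciphers = _split(connector.get("ciphers", ""))
    if not ciphers:
        findings.append("ciphers not set: JVM default includes non-forward-secret suites")
    for c in ciphers:
        if c not in ATS_CIPHERS:
            findings.append("cipher not in ATS forward-secrecy list: " + c)
    return findings

def audit_server_xml(xml_text):
    """Map each SSL-enabled connector port to its ATS findings (empty list = compliant)."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): audit_connector(c)
            for c in root.iter("Connector") if c.get("SSLEnabled") == "true"}

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else findings)
```

Run it against the real server.xml (read the file instead of SAMPLE_SERVER_XML) before and after the cipher change; an empty findings list for port 8443 is what an ATS client on 10.11 needs.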

chris_kemp
Contributor III

Glad you got it working! :) Sorry I missed the part about it being the web interface...

That's a good find, I was wondering about that as well.