JSS URL Changing

mkachtan
New Contributor

Little bit of backstory...

We setup an external JSS for our laptop users only. I have a policy called "External JSS" to change the JSS URL scoped to my "Laptops" smart group.

Here is the command that is being executed in the policy.

jamf createconf -url https://external.jssinstance.com:8443/ -server external.jssinstance.com -target /

The issue is that when these machines are on our network and a policy is triggered, the URL is being changed back to our Internal JSS instance. Here's some lines from /var/log/jamf.log showing the change. First line is my "External JSS" policy doing it's thing, second is me pushing a package via Casper Remote and the URL being changed back.

Wed Sep 24 15:18:01 NYC-C02H3AS9DJWT jamf[1740]: The SSL Certificate for https://external.jssinstance.com:8443/ must be trusted for the jamf binary to connect to it.
Wed Sep 24 15:28:23 NYC-C02H3AS9DJWT jamf[2112]: The SSL certificate for https://internal.jssinstance.com:8443/ does not need to be trusted.
Wed Sep 24 15:28:24 NYC-C02H3AS9DJWT jamf[2119]: Checking for policy ID 1149...
Wed Sep 24 15:28:25 NYC-C02H3AS9DJWT jamf[2119]: Executing Policy 2014-09-24 at 3:28 PM | jssadmin | 1 Computer...

As a workaround I have modified my "External JSS" policy as ongoing, cached, and triggered on network state change.

Anyone have any ideas why the URL isn't sticking?

3 REPLIES 3

alexjdale
Valued Contributor III

The JSS URL is going to be reset to what you have configured in your JSS. When you say you have a different JSS for laptops, do you mean a completely separate JSS or just a different app server pointing back to the same JSS database?

mkachtan
New Contributor

@alexjdale It's a limited instance JSS installed in our DMZ.

alexjdale
Valued Contributor III

Ok, if I am understanding your situation correctly, you don't want to change the URL on the client itself. It will always be reset back to what you have configured in the JSS (Global Management->JSS URL). If you want to direct external clients to your DMZ JSS, I think you'd want to do that in your externally published DNS records (CNAME or whatnot).