Posted on 12-17-2014 07:12 AM
If I set a server to 'Limited Access' - 'Computer Access Only', does the /enroll URL still work? I'm assuming not, but it sure would be helpful. I'm trying to increase security by setting up a full access server in a restricted network, and changing our primary server to computers only, but all our documentation tells users to visit /enroll.... Todd
Posted on 12-17-2014 07:27 AM
Tomcat gets disabled with a Limited Access JSS, so no, it will not allow the enroll page to work unfortunately.
That's both good and bad, since if that server was sitting in your DMZ, you would not want users hitting it from the outside and enrolling their Mac.
But in your case since it would actually be an internal server, it would be nice to have it working, but I don't think that there's a way to do that.
Posted on 12-17-2014 07:31 AM
Thanks, Mike. That's what I expected. I'll look into setting up a new server inside the firewall, and updating our documentation to point users there to enroll, then eventually disable the JSS on our external JSS.
Posted on 12-17-2014 06:01 PM
Hey @thoule
I was just informed earlier by our good friends at JAMF that I'm apparently completely wrong on this. The enroll page is available from a Limited Access JSS. For some reason at some point when we set up our Limited Access JSS back on version 8.x, the enroll page wasn't available from the outside. It supposedly should have been working, so I don't know what was happening there. Anyway, under version 9, it's available. As well, the API is available on a Limited Access JSS too, which was definite news to me.
The only caveat is that in a true Limited Access JSS sitting in the DMZ, unless you also allow access to your internal LDAP servers, it's likely users wouldn't be able to go through enrollment anyway if they are using their LDAP creds for authentication. In your case though, it should work since you were talking about having it be an internal server.
Also, take a look at this thread for more info, and optionally, reach out to Mike Paul @ JAMF, as he seems to be the one doing the most testing with optional setups and Limited access JSS.
https://jamfnation.jamfsoftware.com/featureRequest.html?id=2853
So anyway, ignore everything I said earlier. I was wrong, and frankly, I'm glad I was. The API bit was good news to my ears as I was never previously able to access it from outside.
Posted on 12-18-2014 10:15 AM
Well that's interesting news. I'm not sure if it's good or bad right now - we want easy access, but are very concerned about security. That's somewhat disturbing that the API stays enabled on a limited access JSS. I'm going to be doing testing with this setup soon so I'll be sure to report back.
Posted on 12-18-2014 10:44 AM
I get the security concern over having the API available from outside. I guess the way I see it is, API privileges are completely optional and not at all required for just about any JSS account, LDAP or local. You can just make sure that all JSS accounts that have web UI access don't have API access. Bottom line is, just because the API is "available" from outside doesn't mean you can actually use it without having both valid account credentials and an account that is able to use the API.
Plus, you can restrict API access to read only for either a single LDAP account, or a local one, so it can read all it wants, but not write anything back, which limits any possible damage. Given how granular the controls currently are on a per account basis, it's not much of a concern to me. But I understand every environment is different and you working in health care certainly raises the bar on the security side of things.
The only account that might actually need API access would be the initial JSS admin account that gets created when the JSS was first set up, but I'm not even certain that account needs it. That might be something for JAMF to chime in on. I'm not going to disable it on our account to test that. :)
Posted on 01-06-2015 10:30 AM
Don't know who you spoke to at Jamf, but I just set up two test servers, clustered them and set one 'computers only' limited access. The /enroll page is 'disabled'. I went through the web.xml file and couldn't figure out how to re-enable it. I'd love to have the API and JSS disabled, and /enroll enabled. Maybe I'll start with limited access off, and try to disable the JSS... I'll post here if I discover anything.
Posted on 01-06-2015 10:42 AM
Hey @thoule, as I mentioned above, I got this directly from Mike Paul @ JAMF. Also, I tested and verified everything he was saying on our own Limited Access JSS. From the outside, I can hit the enroll page and also access the API now (when authenticating with a local JSS account).
Additionally, look at Mike Paul's instructions here to see how to disable the API but leave Enrollment available, assuming you get that working.
Posted on 01-06-2015 11:35 AM
Just to add my experience here as well, our public facing JSS in the DMZ is set to limited access and you can enroll machines and access the API from the outside, but the admin web interface says it's disabled, so this should work.
Posted on 01-06-2015 12:17 PM
Just for some clarification on Limited Access as of 9.62:
Computer Access Only disables JSS Admin portal and enrollment for mobile devices
Mobile Device Access Only disables JSS Admin portal, enrollment for computers and disables the API
Computer and Mobile Device Access disables JSS Admin portal.
What functionalities are disabled during Limited Access is defined by their respective filters in that web.xml.
If you are looking to do things beyond what is described in the FR that mm2270 linked to or have other questions, feel free to reach out to me for information. I can be reached by emailing Mike.Paul at JAMF Software
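As an added illustration of the point above that Limited Access is defined by filters in web.xml, here is a small Python script (not Jamf's code, and not the real JSS web.xml) that lists every filter declared in a servlet web.xml together with the URL patterns it is mapped to, and tells you which filters cover a given path using the servlet spec's matching rules. The embedded sample web.xml is constructed for illustration: its filter names and classes are invented, and /JSSResource is assumed to be the Classic API path. Point it at /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/web.xml on a Linux JSS to see the real mappings.

```python
"""List the filters in a servlet web.xml and the URL patterns each covers.

Added example, not Jamf's code. SAMPLE_WEB_XML is constructed: the filter
names and classes are invented and are NOT the real JSS filters.
Usage: python webxml_filters.py [/path/to/web.xml]
"""
import sys
import xml.etree.ElementTree as ET
from collections import OrderedDict

SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>ExampleAccessFilter</filter-name>
    <filter-class>com.example.ExampleAccessFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>ExampleAccessFilter</filter-name>
    <url-pattern>/enroll/*</url-pattern>
    <url-pattern>/JSSResource/*</url-pattern>
  </filter-mapping>
  <filter-mapping>
    <filter-name>ExampleAccessFilter</filter-name>
    <servlet-name>ExampleServlet</servlet-name>
  </filter-mapping>
  <filter>
    <filter-name>UnmappedFilter</filter-name>
    <filter-class>com.example.UnmappedFilter</filter-class>
  </filter>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}filter' -> 'filter'."""
    return tag.rsplit('}', 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text:
            return child.text.strip()
    return None


def filter_mappings(xml_text):
    """Return {filter-name: {'class', 'patterns', 'servlets'}}.

    Declared-but-unmapped filters get empty lists; a mapping that names an
    undeclared filter is kept with class None so it is not silently lost."""
    root = ET.fromstring(xml_text)
    result = OrderedDict()
    blank = lambda: {'class': None, 'patterns': [], 'servlets': []}
    for elem in root.iter():
        if _local(elem.tag) == 'filter':
            entry = result.setdefault(_child_text(elem, 'filter-name'), blank())
            entry['class'] = _child_text(elem, 'filter-class')
    for elem in root.iter():
        if _local(elem.tag) == 'filter-mapping':
            entry = result.setdefault(_child_text(elem, 'filter-name'), blank())
            for child in elem:
                if _local(child.tag) == 'url-pattern' and child.text:
                    entry['patterns'].append(child.text.strip())
                elif _local(child.tag) == 'servlet-name' and child.text:
                    entry['servlets'].append(child.text.strip())
    return result


def filters_covering(xml_text, path):
    """Names of filters whose url-pattern matches `path` (servlet-spec rules:
    exact, path prefix '/x/*' which also matches '/x', extension '*.ext', '/*')."""
    hits = []
    for name, entry in filter_mappings(xml_text).items():
        for pat in entry['patterns']:
            if pat == path or pat == '/*':
                match = True
            elif pat.endswith('/*'):
                prefix = pat[:-2]
                match = path == prefix or path.startswith(prefix + '/')
            elif pat.startswith('*.'):
                match = path.endswith(pat[1:])
            else:
                match = False
            if match:
                hits.append(name)
                break
    return hits


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for name, entry in filter_mappings(text).items():
        print('%s (%s)' % (name, entry['class']))
        for pat in entry['patterns']:
            print('    url-pattern  %s' % pat)
        for srv in entry['servlets']:
            print('    servlet-name %s' % srv)
```

Run it without arguments to see the constructed sample; with the real web.xml path it prints the actual filter chain, which is the quickest way to confirm whether a path such as /enroll sits behind an access filter at all before digging further.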
Posted on 01-07-2015 11:09 AM
Thanks for the support. It does work as both you have (repeatedly) said. In my test environment, I had forgotten that I need to explicitly enable user initiated enrollment. I was thinking the 'disabled' message was a function of the limited access. I'm going to go ask the wizard for brains.
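The posters above verified by hand which entry points a Limited Access JSS still answers from outside. As an added example (not Jamf's code), here is a Python script that does the same check from wherever it is run and compares the result with what this thread reports for "Computer Access Only" as of 9.62 (admin portal off, enrollment and the API still answering). The things it assumes that the thread does not state: the Classic API is served under /JSSResource and returns 401 to an unauthenticated request when reachable, the admin UI is served at the web root, and a function that is switched off (by Limited Access, or by user-initiated enrollment not being enabled, as in the post above) returns a page containing the word "disabled". The server URL is a placeholder.

```python
"""Probe which JSS entry points answer from this vantage point and compare
with the "Computer Access Only" profile described in the thread.

Added example, not Jamf's code. Assumptions not from the thread: the API
path (/JSSResource, answering 401 when reachable), the admin UI at "/",
and the word "disabled" appearing on a switched-off page.
Usage: python jss_exposure.py https://jss.example.com:8443   (placeholder URL)
"""
import ssl
import sys
import urllib.error
import urllib.request

# Entry points to check. /enroll comes from the thread; the others are assumptions.
PROBE_PATHS = {
    'admin UI': '/',
    'enrollment': '/enroll',
    'classic API': '/JSSResource/computers',
}

# What the thread reports for "Computer Access Only" (9.62): admin portal
# disabled, computer enrollment reachable, API reachable (so it asks for creds).
EXPECTED_COMPUTER_ONLY = {
    'admin UI': 'disabled',
    'enrollment': 'reachable',
    'classic API': 'auth-required',
}


def classify(status, body):
    """Map an HTTP status and response body to a coarse exposure verdict."""
    if status == 401:
        return 'auth-required'   # the endpoint is live, it just wants credentials
    if status == 403:
        return 'forbidden'
    if status == 404:
        return 'not-found'
    if 200 <= status < 400:
        return 'disabled' if 'disabled' in body.lower() else 'reachable'
    return 'error(%d)' % status


def fetch(base_url, path, timeout=10, verify_tls=True):
    """GET base_url+path and return (status, body); HTTP errors are returned, not raised."""
    ctx = ssl.create_default_context()
    if not verify_tls:            # only for a lab JSS with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base_url.rstrip('/') + path,
                                 headers={'Accept': 'text/html,application/xml'})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.getcode(), resp.read(65536).decode('utf-8', 'replace')
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode('utf-8', 'replace')


def probe(base_url, fetcher=fetch, paths=PROBE_PATHS):
    """Return {label: verdict} for every path; `fetcher` is injectable so the
    logic can be exercised without a live server."""
    return {label: classify(*fetcher(base_url, path)) for label, path in paths.items()}


def deviations(observed, expected):
    """Labels whose observed verdict differs from the expected profile."""
    return sorted(label for label, want in expected.items() if observed.get(label) != want)


if __name__ == '__main__':
    url = sys.argv[1] if len(sys.argv) > 1 else 'https://jss.example.com:8443'  # placeholder
    results = probe(url)
    for label, verdict in results.items():
        print('%-12s %s' % (label, verdict))
    off = deviations(results, EXPECTED_COMPUTER_ONLY)
    print('matches the "Computer Access Only" profile' if not off
          else 'differs from "Computer Access Only" for: ' + ', '.join(off))
```

Running it from inside the network and again from outside the firewall gives you the two views side by side, which is the check you want before pointing enrollment documentation at a server: an "enrollment: disabled" result from an internal server is the user-initiated-enrollment setting rather than Limited Access, exactly the mix-up described in the post above.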
Posted on 06-23-2017 08:50 AM
Changing the Limited Access setting to anything other than "Full Access" disables the JSS interface.
How can I undo that?
How can I re-enable the JSS interface on my Limited Access JSS?
I had a look into /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/web.xml, but it seems that this is not the right place to re-enable the JSS interface, right? Comparing this file with the file on my internal JSS showed me no differences..
Posted on 06-23-2017 08:54 AM
@jensm contact support. That setting is almost assuredly stored in the database since you can set that setting for one server from a different one in a cluster.
They'll probably have to give you a SQL statement to run against the database.
Posted on 06-27-2017 02:05 AM
Here is how to undo Limited Access. Provided by Jamf Support and worked for me.
Thank you for contacting JAMF Support.
We can disable limited access by going through the workflow below.
# Stop Tomcat so the JSS is not running while the setting is changed
sudo /etc/init.d/jamf.tomcat8 stop
# Open a MySQL shell as root (prompts for the MySQL root password)
mysql -u root -p
-- Inside the mysql shell: switch to the JSS database
use jamfsoftware;
-- Show the current Limited Access setting for each server in the cluster
select address, access_mode from limited_access_mode_settings;
-- Set the server back to Full Access (access_mode 0); replace 'serverIP' with the address shown above
update limited_access_mode_settings set access_mode = 0 where address ='serverIP';
-- Leave the mysql shell
exit;
# Start Tomcat again
sudo /etc/init.d/jamf.tomcat8 start
We should now be able to log in to our JSS.