Posted on 07-22-2014 07:25 PM
I'm just setting up a new JSS installation for our (sometimes rather globally distributed) employees that doesn't require that they're on a VPN, and would like to make sure their Macs can check in without exposing the JSS itself to all the horrible things out there.
Sadly, there is very little documentation about this that I could find. While chatting with our security folks, they said they'd be pretty comfortable with this if the web interface wasn't accessible on the wide internet (there should be inside-the-VPN web service to access the JSS's web interface).
One of my guesses is that since the web interface's URL routes all seem to go to .html pages, we can have our load balancer set up to just 403 requests to those pages if they come from outside the VPN. That works pretty well so far - nobody can log into the web interface like this, and I feel that this can already eliminate a bunch of terrible security problems (fewer XSS vectors, for one!). However, I'd really like to see some docs where I can check what the Casper Suite needs to do on check-ins / policy downloads - I really don't want to filter out legitimate requests from Macs checking in! (:
So - all that's a long-winded way of asking if what I want to do is completely impossible, or if somebody has had any success locking down a relatively-publicly-accessible instance of the JSS. I'd love to hear your war stories.
Thanks in advance,
Andreas.
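The load-balancer rule the post above describes, as an added illustration (not the poster's own configuration): an nginx reverse proxy in front of the JSS that answers 403 to the web interface's .html routes unless the client address is in the VPN range, and passes every other request through so remote Macs can still check in. The VPN range 10.8.0.0/16, the public hostname jss.example.com, the internal JSS address jss-internal.example.com:8443 and the certificate paths are assumptions for the example. The rule stands or falls on the post's observation that the GUI routes end in .html, so before relying on it, record which paths a Mac actually requests during a check-in and policy run and confirm none of them match, and confirm from outside the VPN that the login page's .html URL is refused while a check-in still succeeds.

```nginx
# Added example: split the JSS web interface from device check-in traffic at
# the reverse proxy. Assumed values: VPN egress range 10.8.0.0/16, internal
# JSS at jss-internal.example.com:8443, public name jss.example.com.

upstream jss_backend {
    server jss-internal.example.com:8443;   # assumed internal JSS address
}

server {
    listen 443 ssl;
    server_name jss.example.com;                  # assumed public hostname

    ssl_certificate     /etc/nginx/tls/jss.crt;   # assumed certificate paths
    ssl_certificate_key /etc/nginx/tls/jss.key;

    # If another load balancer sits in front of this nginx, $remote_addr is
    # that device's address, not the user's. Then the access rules below must
    # use the forwarded client address, and only that trusted hop may set it:
    # set_real_ip_from 192.0.2.10;       # assumed address of the front LB
    # real_ip_header   X-Forwarded-For;

    # Web interface: per the post, every GUI route ends in .html. The access
    # module allows the VPN range and answers all other clients with 403.
    location ~* \.html$ {
        allow 10.8.0.0/16;    # assumed VPN range
        deny  all;
        proxy_pass https://jss_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else (client check-in, policy and profile downloads) stays
    # reachable from anywhere, which is what the remote Macs need.
    location / {
        proxy_pass https://jss_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Because the deny is keyed on the source address, the rule is only as good as nginx's view of that address; with a second load balancer in front and the real_ip lines left commented out, every request would appear to come from that balancer and the .html block would either admit everyone or nobody.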
Posted on 07-23-2014 08:24 AM
What you're looking to do is what they call a Limited Access JSS. There is no data stored on the JSS in your DMZ, it's all callbacks to the master JSS. https://jamfnation.jamfsoftware.com/article.html?id=174
- RD
Posted on 07-23-2014 09:16 AM
System Settings -> Limited JSS once you get it all set up.
Posted on 07-23-2014 11:00 AM
Wow, thanks for the pointers, this is exactly what I was looking for!