Locking Remote Computers

DBrowning
Valued Contributor II

I have recently setup a JSS in the DMZ and have computers successfully checking in. But if I send a "Lock Computer" Command, the command only works if the computer connects to my VPN. The whole point of putting a JSS in the DMZ was so that the lock/wipe commands would work on a machine outside of my network.

Any ideas?


rderewianko
Valued Contributor II

Is your DMZ server publicly accessible, aka are all the clients talking to it? Or are they talking to your internal server?
Do you have the push notification ports unblocked?
As listed on this KB: https://jamfnation.jamfsoftware.com/article.html?id=34

DBrowning
Valued Contributor II

@rderewianko Yes it is publicly accessible. I can see that the computer I'm testing with checked in while not on my domain or internal network. We have the ports opened (or so I'm told they are). Would anything else stop the APN from going through?

rderewianko
Valued Contributor II

When you built the public jss did it have the same DNS as the private?

Cause the APNs tie to the domain used.
- RD

DBrowning
Valued Contributor II

Yes.

rderewianko
Valued Contributor II

I know when we had probs, it turned out to be our licence key had disappeared.

Jamf also had us run

nc -z gateway.sandbox.push.apple.com 2195
nc -z gateway.sandbox.push.apple.com 2196
nc -z 35-courier.push.apple.com 5523
nc -z albert.apple.com 443
nc -z jssurl jssport

DBrowning
Valued Contributor II

I was able to do all of them successfully except the 35-courier.push.apple.com 5523. Did you have to fully open the entire 17.0.0.0/8 range as well?

rderewianko
Valued Contributor II

Yes we did, despite our infrastructure's unease with it.

DBrowning
Valued Contributor II

That's what I was afraid of, and I've been given the big X on that request. Trying to see if they will do it by address rather than IP.

rderewianko
Valued Contributor II

They own the whole 17.0.0.0/8 address block, which made our case easier.
http://support.apple.com/kb/TS4264

ddasilva
New Contributor

I know this is an old thread but I seem to be having the same issue. I can execute the nc -z to all those addresses except 35-courier.push.apple.com, same as @ddcdennisb. Not blocking outbound currently from the DMZ server or the remote system I'm trying to lock. Any suggestions?

ddasilva
New Contributor

Spoke with JAMF support and turns out the SSL cert on the DMZ server was not in sync with the one on the primary server. Fixed that and all good now. Just sharing in case anyone else runs into this down the line.
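The two diagnostics this thread converges on, the nc -z reachability checks from the DMZ JSS and a comparison of the certificate the DMZ and primary JSS present, as one added script (example code, not from the thread or Jamf). The JSS host names and port are placeholders, and the 5223 entry is added because that is the APNs port the Apple KB linked above documents.

```shell
# Added example (not from the thread): nc -z reachability checks from the
# DMZ JSS to APNs, then a comparison of the DMZ and primary JSS certificates.

# 0 if a TCP connection to $1:$2 succeeds within 5 seconds, non-zero otherwise.
check_port() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of the leaf certificate served at $1:$2,
# or nothing if the TLS handshake fails.
cert_fingerprint() {
    printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | cut -d= -f2
}

# 0 only when both fingerprints are non-empty and identical.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

run_checks() {
    jss_dmz="${1:-jss-dmz.example.com}"    # placeholder
    jss_primary="${2:-jss.example.com}"    # placeholder
    jss_port="${3:-8443}"                  # placeholder
    failed=0
    # Endpoints as listed in the thread, plus 5223, the APNs port Apple's
    # KB linked above documents (5523 is kept as the thread lists it).
    for target in gateway.sandbox.push.apple.com:2195 \
                  gateway.sandbox.push.apple.com:2196 \
                  35-courier.push.apple.com:5523 \
                  35-courier.push.apple.com:5223 \
                  albert.apple.com:443 \
                  "$jss_dmz:$jss_port"; do
        host=${target%:*}; port=${target##*:}
        if check_port "$host" "$port"; then
            echo "OK       $target"
        else
            echo "BLOCKED  $target"; failed=1
        fi
    done
    dmz_fp=$(cert_fingerprint "$jss_dmz" "$jss_port")
    pri_fp=$(cert_fingerprint "$jss_primary" "$jss_port")
    if fingerprints_match "$dmz_fp" "$pri_fp"; then
        echo "CERT OK  DMZ and primary JSS present the same certificate"
    else
        echo "CERT MISMATCH  DMZ=$dmz_fp primary=$pri_fp"; failed=1
    fi
    return $failed
}
```

Run it from the DMZ JSS with `run_checks <dmz-host> <primary-host> <port>`; any BLOCKED line or a CERT MISMATCH is the condition the posts above describe.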