Posted on 09-09-2014 08:26 AM
I have recently setup a JSS in the DMZ and have computers successfully checking in. But if I send a "Lock Computer" Command, the command only works if the computer connects to my VPN. The whole point of putting a JSS in the DMZ was so that the lock/wipe commands would work on a machine outside of my network.
Any ideas?
Posted on 09-09-2014 08:58 AM
Is your DMZ server publicly accessible, aka are all the clients talking to it? Or are they talking to your internal server?
Do you have the push notification ports unblocked?
As listed on this KB: https://jamfnation.jamfsoftware.com/article.html?id=34
Posted on 09-09-2014 09:10 AM
@rderewianko Yes it is publicly accessible. I can see that the computer I'm testing with checked in while not on my domain or internal network. We have the ports opened (or so I'm told they are). Would anything else stop the APN from going through?
Posted on 09-09-2014 09:41 AM
When you built the public jss did it have the same DNS as the private?
Because the APNs tie to the domain used.
- RD
Posted on 09-09-2014 09:51 AM
Yes.
Posted on 09-09-2014 10:03 AM
I know when we had probs, it turned out to be our license key had disappeared.
Jamf also had us run
nc -z gateway.sandbox.push.apple.com 2195
nc -z gateway.sandbox.push.apple.com 2196
nc -z 35-courier.push.apple.com 5523
nc -z albert.apple.com 443
nc -z jssurl jssport
Posted on 09-09-2014 11:13 AM
I was able to do all of them successfully except the 35-courier.push.apple.com 5523. Did you have to fully open the entire 17.0.0.0/8 range as well?
Posted on 09-09-2014 11:37 AM
Yes we did, despite our infrastructure's unease with it.
Posted on 09-09-2014 01:00 PM
That's what I was afraid of, and I've been given the big X on that request. Trying to see if they will do it by address rather than IP.
Posted on 09-10-2014 08:48 AM
They own the whole 17.0.0.0/8 address box, which made our case easier.
http://support.apple.com/kb/TS4264
Posted on 08-04-2016 09:42 AM
I know this is an old thread but I seem to be having the same issue. I can execute the nc -z to all those addresses except 35-courier.push.apple.com, same as @ddcdennisb. Not blocking outbound currently from the DMZ Server or the remote system I'm trying to lock. Any suggestions?
Posted on 08-04-2016 11:54 AM
Spoke with JAMF support and turns out the SSL cert on the DMZ server was not in sync with the one on the primary server. Fixed that and all good now. Just sharing in case anyone else runs into this down the line.
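Added example (not from the thread or from Jamf): the nc -z connectivity checks posted earlier, redone with plain sockets so each blocked hop is reported by name, plus the check that resolved the last post, comparing the certificate the DMZ JSS presents with the one on the primary JSS. The JSS hostnames and the 8443 port are placeholders; the courier port is 5223 as Apple documents it, not the 5523 typed above.

```python
import hashlib
import socket
import ssl

# Hosts from the nc -z list posted above. JSS hostnames are placeholders for
# your own DMZ and primary servers (8443 is the JSS default port).
DMZ_JSS = ("jss-dmz.example.com", 8443)
PRIMARY_JSS = ("jss-internal.example.com", 8443)
APNS_CHECKS = [
    ("gateway.sandbox.push.apple.com", 2195),
    ("gateway.sandbox.push.apple.com", 2196),
    # The post above types 5523; Apple documents courier on TCP 5223.
    ("35-courier.push.apple.com", 5223),
    ("albert.apple.com", 443),
    DMZ_JSS,
]

def check_port(host, port, timeout=5.0):
    """Equivalent of `nc -z host port`: True if a TCP connect completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_checks(checks=APNS_CHECKS, timeout=5.0):
    """Map each (host, port) to reachable/blocked so the failing hop is obvious."""
    return {(h, p): check_port(h, p, timeout) for h, p in checks}

def fingerprint_from_pem(pem):
    """SHA-256 of the DER form of a PEM certificate, as hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def server_fingerprint(host, port):
    """Fingerprint of the certificate a server presents on a TLS handshake."""
    return fingerprint_from_pem(ssl.get_server_certificate((host, port)))

def jss_certs_in_sync(dmz=DMZ_JSS, primary=PRIMARY_JSS):
    """The 2016 fix in this thread: both JSS instances must present the same cert."""
    return server_fingerprint(*dmz) == server_fingerprint(*primary)

def offline_self_check():
    """Exercise check_port against a local listener, then against the closed port."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_open = check_port("127.0.0.1", port, timeout=1.0)
    return while_open, check_port("127.0.0.1", port, timeout=1.0)
```

Run `run_checks()` from the DMZ server to see which Apple hosts are reachable, and `jss_certs_in_sync()` from a client that can reach both servers to confirm the certificate mismatch is gone.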