Question

Locking Remote Computers


DBrowning

I have recently set up a JSS in the DMZ and have computers successfully checking in. But if I send a "Lock Computer" command, the command only works if the computer connects to my VPN. The whole point of putting a JSS in the DMZ was so that the lock/wipe commands would work on a machine outside of my network.

Any ideas?

11 replies

  • Honored Contributor
  • 486 replies
  • September 9, 2014

Is your DMZ server publicly accessible, aka are all the clients talking to it? Or are they talking to your internal server?
Do you have the push notification ports unblocked?
As listed on this KB: https://jamfnation.jamfsoftware.com/article.html?id=34


DBrowning
  • Author
  • Esteemed Contributor
  • 668 replies
  • September 9, 2014

@rderewianko Yes, it is publicly accessible. I can see that the computer I'm testing with checked in while not on my domain or internal network. We have the ports opened (or so I'm told they are). Would anything else stop the APN from going through?


  • Honored Contributor
  • 486 replies
  • September 9, 2014

When you built the public jss did it have the same DNS as the private?

Cause the APN's tie to the domain used.
- RD


DBrowning
  • Author
  • Esteemed Contributor
  • 668 replies
  • September 9, 2014

Yes.


  • Honored Contributor
  • 486 replies
  • September 9, 2014

I know when we had probs, it turned out to be our licence key had disappeared..

Jamf also had us run

nc -z gateway.sandbox.push.apple.com 2195
nc -z gateway.sandbox.push.apple.com 2196
nc -z 35-courier.push.apple.com 5523
nc -z albert.apple.com 443
nc -z jssurl jssport


DBrowning
  • Author
  • Esteemed Contributor
  • 668 replies
  • September 9, 2014

I was able to do all of them successfully except the 35-courier.push.apple.com 5523. Did you have to fully open the entire 17.0.0.0/8 range as well?


  • Honored Contributor
  • 486 replies
  • September 9, 2014

Yes, we did, despite our infrastructure's unease with it.


DBrowning
  • Author
  • Esteemed Contributor
  • 668 replies
  • September 9, 2014

That's what I was afraid of. And I've been given the big X on that request. Trying to see if they will do it by address rather than IP.


  • Honored Contributor
  • 486 replies
  • September 10, 2014

They own the whole 17.0.0.0/8 address box, which made our case easier.
http://support.apple.com/kb/TS4264
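
The checks discussed in this thread, as an added example (not code from any poster or from Jamf): it resolves each host from the nc list above, reports whether each resolved address falls inside 17.0.0.0/8, and separates a timeout from a refusal, which a plain `nc -z` failure does not. The function names and status labels are assumptions of this example; add your own JSS host and port to the list.

```python
import ipaddress
import socket

# Apple's address block as cited in the thread.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")

# Host/port pairs from the nc commands in the thread (JSS entry left out).
ENDPOINTS = [
    ("gateway.sandbox.push.apple.com", 2195),
    ("gateway.sandbox.push.apple.com", 2196),
    ("35-courier.push.apple.com", 5523),
    ("albert.apple.com", 443),
]

def resolve(host):
    """Return the sorted IPv4 addresses a hostname currently resolves to."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(ip, port, timeout=5.0):
    """Classify one TCP connection attempt to ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # a reset came back, so packets are not being dropped
    except socket.timeout:
        return "timeout"  # no answer at all, consistent with a firewall drop
    except OSError as exc:
        return f"error: {exc}"

def audit(endpoints, resolver=resolve, prober=probe):
    """Return (host, port, ip, in_apple_block, status) per resolved address."""
    rows = []
    for host, port in endpoints:
        try:
            ips = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            rows.append((host, port, None, False, "dns-failure"))
            continue
        for ip in ips:
            in_block = ipaddress.ip_address(ip) in APPLE_BLOCK
            rows.append((host, port, ip, in_block, prober(ip, port)))
    return rows

if __name__ == "__main__":
    for host, port, ip, in_block, status in audit(ENDPOINTS):
        print(f"{host}:{port} -> {ip} in 17.0.0.0/8={in_block} {status}")
```

Run it from the DMZ server and from a client outside the network; a "timeout" on port 5523 for an address inside 17.0.0.0/8 is the case the firewall request in this thread is about.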


  • New Contributor
  • 8 replies
  • August 4, 2016

I know this is an old thread but I seem to be having the same issue. I can execute the nc -z to all those addresses except 35-courier.push.apple.com, same as @ddcdennisb. Not blocking outbound currently from the DMZ Server or the remote system I'm trying to lock. Any suggestions?


  • New Contributor
  • 8 replies
  • August 4, 2016

Spoke with JAMF support and turns out the SSL cert on the DMZ server was not in sync with the one on the primary server. Fixed that and all good now. Just sharing in case anyone else runs into this down the line.

