Managing macs both internal and external

Kedgar
Contributor

I'm wondering what other groups are doing in this situation to best manage your macs and reduce bandwidth usage on wan connections. For instance, we have most of our machines internal to our network... however some are work from home users, and some semi-mobile... meaning they are sometimes in the office, and sometimes not. More often than not, the remote users will be connecting via OpenVpn (non split-tunnel).

I'm looking for infrastructure suggestions... how to best manage both types of machines, while not crushing internet lines. For instance, are you using an internal JSS, internal JDS, Cloud JDS, Cloud JSS... or a mixture of all?

7 REPLIES

easyedc
Valued Contributor II

Not sure how you plan to deploy or what other considerations that you have to think about, but here's our set up. We have 2 servers, Internal and DMZ, with respective DNS entries in both internal and external records and the proper firewall holes poked. We do not publish software through our DMZ, due to our internal security's fear/guidance that a) more holes are a risk and b) the fact that if you have http file sharing through your DMZ anyone can go to http://your.jss.com/package and download that installer. We often bake license keys into packages, and so those would become loose and untrackable at that point. We only have a single DP off our main JSS. At some point I need to get satellite DP's working, but have not had time to spend on that. Our DMZ server exists solely to provide anywhere-in-the-world visibility/reporting. Everything else is done on internal networks. We only have a single JSS since we're not big enough to require more than that.

I've just recently set up a new JSS environment to migrate off of a RHEL 5 infrastructure and just had the pleasure of going through this all again. Fairly straightforward, just have to identify what matters to you. I did debate using AWS for this, but for me, I didn't see any real advantage to it in our environment.

Kedgar
Contributor

Thanks @easyedc this is similar to what we are doing today... we have only our one internal JSS (we too have a small Apple footprint), and remote users come in via OpenVPN (non split-tunnel). I have three JDS instances and a couple of file share distribution points on windows servers where it was easier. My concern is software distribution via VPN connections would take a long time, and potentially flood our internet lines. I do see though that having a JDS available to the outside would be a security/licensing issue.

So at this point, I don't think there is much I can do to change our Jamf Pro infrastructure to work any better with remote users. Unless anyone out there has come up with a more creative solution to a similar issue. I wish that Apple and Microsoft would come together and offer Microsoft's DirectAccess solution to macOS computers in the same way that it works on Windows machines. An always-on split-tunnel would be great!

canopimp
New Contributor III

@Kedgar We have a cloud hosted JSS. It is great as machines will check in from anywhere and it was very easy to set up at our org. Minimal firewall rules as outgoing traffic was already open to access the JAMF server in the cloud. We have three internal DP's as well as a JAMF hosted Cloud instance. I replicate everything except for OS installers out to the cloud. That way anything I put into self service or push out policy wise will work on or off prem. The only major issue we have run into is the upload size issues that the Cloud has. We are not putting any one item over 5GB up there but things over 1GB tend to fail on the first try and so we have to keep trying over and over until it eventually uploads. Other than that, it has been a great experience. We were cloud hosted from the start so I don't know anything else in regards to on prem JAMF servers. As long as AWS stays up... everything works!

jolatlytzenit_d
New Contributor

@canopimp I am curious as to how you have managed to setup cloud DP and File Share DP's. Have you made it work seamlessly so that when users are in house the local DP's are automatically used, and when outside the cloud DP is used? How is this done exactly?

Currently we have a cloud only solution, but we want to also use a File Share DP to take the load off our internet connection when deploying large applications in house (Microsoft Office updates, macOS etc.).

I would love to be able to configure the File Share DP as primary and the Cloud DP as fail-over, that would be the solution (as far as I can see), but unfortunately setting the Cloud DP as fail-over is not possible even though it has been a feature request for years.

sdagley
Esteemed Contributor II

@jolatlytzenit.dk You can define Network Segments in your JSS console (Settings->Network Organization->Network Segments) and assign a default File Share DP for that network segment. It doesn't quite do what you want with a Cloud DP as failover, but it does allow you to easily define which File Share DP to use based on the Mac's IP address.

canopimp
New Contributor III

@jolatlytzenit.dk That was from my old shop but yes, we accomplished this with network segments. The other part is that we did not have our cloud DP as the primary. Our on prem DP was the primary with another on prem DP as the failover. We did have a network segment for IP ranges that were off of our network (presumably the machine was at home if it did not have one of our private addresses) and that segment was set for the cloud DP.
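The two replies above (sdagley's on network segments, canopimp's on the on-prem primary with an on-prem failover plus an off-network catch-all segment pointed at the cloud DP) describe a selection rule worth seeing end to end. The following is an added example written for this thread, not code from Jamf or from any poster: a small model of distribution-point selection by IP range. The segment names, address ranges, DP hostnames, the `failover_dp` attribute and the "narrowest matching segment wins" tie-break are all constructed assumptions of this model, chosen to reproduce the layout the posters describe; consult the Jamf Pro documentation for the product's actual precedence rules.

```python
"""Model of Jamf-style network segment -> distribution point selection.

Constructed illustration for this thread, NOT Jamf's implementation.
Jamf network segments are defined by a starting and ending IP address,
so the model uses start/end ranges rather than CIDR blocks.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class NetworkSegment:
    name: str
    start: str                      # first address of the range (inclusive)
    end: str                        # last address of the range (inclusive)
    default_dp: str                 # DP handed to Macs reporting from this range
    failover_dp: Optional[str] = None   # model assumption: a per-segment fallback DP

    def _bounds(self):
        return int(ipaddress.ip_address(self.start)), int(ipaddress.ip_address(self.end))

    def size(self) -> int:
        lo, hi = self._bounds()
        return hi - lo + 1

    def contains(self, ip: str) -> bool:
        lo, hi = self._bounds()
        return lo <= int(ipaddress.ip_address(ip)) <= hi


# Constructed sample layout mirroring the thread: on-prem DPs for office and
# VPN ranges, a lab range nested inside HQ, and a 0.0.0.0-255.255.255.255
# catch-all so any non-private address (a Mac at home) gets the cloud DP.
CLOUD_DP = "cloud-dp.jamfcloud.example"   # hypothetical hostname
SEGMENTS: List[NetworkSegment] = [
    NetworkSegment("HQ LAN", "10.10.0.0", "10.10.255.255",
                   "dp-hq.corp.example", "dp-hq2.corp.example"),
    NetworkSegment("HQ lab", "10.10.50.0", "10.10.50.255",
                   "dp-lab.corp.example", "dp-hq.corp.example"),
    NetworkSegment("Branch LAN", "10.20.0.0", "10.20.0.255",
                   "dp-branch.corp.example", "dp-hq.corp.example"),
    # Full-tunnel VPN clients appear from the VPN pool; serving them from an
    # internal DP keeps the package transfer inside the tunnel once.
    NetworkSegment("VPN pool", "10.99.0.0", "10.99.0.255",
                   "dp-hq.corp.example"),
    NetworkSegment("Off-network catch-all", "0.0.0.0", "255.255.255.255",
                   CLOUD_DP),
]


def choose_segment(ip: str, segments: List[NetworkSegment]) -> Optional[NetworkSegment]:
    """Return the narrowest segment containing ip, or None if nothing matches.

    'Narrowest wins' is this model's tie-break for nested ranges; it lets a
    lab subnet inside the HQ range get its own DP without splitting HQ.
    """
    matching = [s for s in segments if s.contains(ip)]
    if not matching:
        return None
    return min(matching, key=lambda s: s.size())


def choose_dp(ip: str, segments: List[NetworkSegment] = SEGMENTS,
              primary_healthy: bool = True) -> str:
    """Pick the DP a Mac at `ip` should download from.

    primary_healthy=False simulates the segment's default DP being
    unreachable, in which case the segment's failover DP (if any) is used.
    A Mac matching no segment at all falls back to the cloud DP.
    """
    seg = choose_segment(ip, segments)
    if seg is None:
        return CLOUD_DP
    if primary_healthy or seg.failover_dp is None:
        return seg.default_dp
    return seg.failover_dp


if __name__ == "__main__":
    for addr in ("10.10.5.7", "10.10.50.3", "10.20.0.44", "10.99.0.9", "203.0.113.20"):
        seg = choose_segment(addr, SEGMENTS)
        print(f"{addr:15} -> {seg.name if seg else 'no segment':25} -> {choose_dp(addr)}")
    print("branch, primary down ->", choose_dp("10.20.0.44", primary_healthy=False))
```

The catch-all segment is what makes the "home Mac gets the cloud DP" behaviour explicit rather than accidental; without it a Mac on an unknown range would match nothing, and the model's fallback to the cloud DP is a choice the administrator should make deliberately. When auditing a real tenant, check that every private range actually in use (including VPN pools) is covered by a segment, otherwise those clients silently pull large packages over the internet line.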