Network Config / Port Questions

bcheney
Release Candidate Programs Tester

Hey everyone! We're a long time JAMF school, we've been using JAMF Pro/Casper since I arrived at BSM about 6 or 7 years ago.

We are currently looking to move JAMF to the cloud, to hopefully gain functionality. Currently, our server resides locally, and doesn't reach out to the outside world. Self service, tracking laptops, and pushing updates can ONLY happen at school, and some of those features only work on our wired network, which requires the kid to stop by the help desk.

My network admin (and the recent penetration test the school has) has zero interest in opening up ports, we are almost down to 80 and 443 at this point (with LDAP currently outward facing, for now). I'm wondering if other schools have fought this battle and have any recommendations, or would be willing to chat with me about how they have implemented their JAMF services into the school.

Even a post listing if you're K-12, Higher Ed, or a business and if you have all ports open or closed on your firewall would be helpful. I'm at a loss, and wondering where I can gain additional info other than the list of ports that need to be open from JAMF.

Thank you guys so much! We'll see you at JNUC!

1 REPLY 1

easyedc
Valued Contributor II

Throwing my 2¢ into this. We're HIPPA bound business (Fortune 50 health insurance) and security rules around here. We do very little outside. We have a DMZ server that solely exists to provide global inventory reporting. Our security teams veto putting packages out into the DMZ because they are then able to be downloaded over HTTPS and we can lose control for licensing. We have just enough ports open. We can lock you down via our config profiles and get inventory updates off network.

Everything else requires being on-site or coming through our VPN to receive any packages, policies, etc.

We have:

TCP Ports 8080 and 8443 from ANY Internet IP Address to IP Address of DNS Record/JSS

and

TCP Port 3306 from IP Address DMZ to IP Address INTERNAL for DMZ firewall opening for new JAMF Server.

and last we put a network whitelist on 17.x.x.x for Apple's APN over the ports per this KBase Article.