07-19-2023 02:15 PM - edited 07-19-2023 02:16 PM
Hello,
I searched Jamf Nation for a similar issue and came up short; if I missed a post that would provide info, please let me know. My networking lead has brought it to my attention that a 3rd party company that does occasional network scans on our network to keep us compliant in things like number of O365 licenses, Oracle licenses, etc. has spotted an issue with our Macs. At first they mentioned there was a feature in Jamf that was simply a check box that would allow SSH commands to be let through, which are blocked by default in Jamf. But the tech claims the console has changed a bit since he last worked with Jamf and isn't sure where to go. I Googled it, ran it through GPT4, and can't seem to find an answer. Is there a simple way to open port 22 or SSH for network scanning to be performed on our Macs that are currently enrolled in Jamf?
Thanks a ton!
Kerry
07-19-2023 07:25 PM - edited 07-19-2023 07:26 PM
@kprimm Check your User-initiated enrollment settings (under Settings->Global) to see if you have enabled the "Allow SSH access for management account only" option in the macOS section. This should only impact ssh-enabled accounts that exist when your Macs were enrolled. If the account this scanning tool creates for ssh access is created after enrollment, the installer for it should create the proper access. Not that creating an account that allows ssh access for scanning is really a good idea. These days having some sort of scanning agent which you can use a PPPC configuration to grant the appropriate access for doing scans would be the "better" way to do that, so maybe ask your networking lead to ask the 3rd party company if they have a more up-to-date Mac client.