Pre-stage enrolment distribution point

Redshirt26
New Contributor II

Hi Everyone,

I'm trying to create a new pre-stage enrollment so that I can deploy DEPNotify to our lab Macs. However, when I go to choose a distribution point, I get the following error:

The distribution point does not meet the requirements to host packages for enrollment.

We use a Windows server for our distribution point and we have completed the steps here: https://docs.jamf.com/technical-articles/Using_IIS_to_Enable_HTTPS_Downloads_on_a_Windows_Server_201... the only difference being that we use an external SSL certificate instead of one generated from our Jamf Pro.

The question I have is that when we turn on anonymous authentication instead of basic authentication on our default web site, I am able to choose our DP in the pre-stage enrollment.

Is it ok to leave it like this?
Has anyone got it set up this way?
If so, have you noticed anything unwanted happening?

Would it be worth setting up a separate DP with anonymous authentication set but just to house the DEPNotify package, keeping it separate from our main DP?

Thanks

4 REPLIES

Redshirt26
New Contributor II

updated

ivanlovisi
New Contributor III

In the Enrollment Packages section of this article

https://docs.jamf.com/10.27.0/jamf-pro/administrator-guide/Computer_PreStage_Enrollments.html

you can find all the details.

It is important that

- the authentication is disabled

- the packets are signed

- at the end, do not forget the custom manifest file ;-)

talkingmoose
Honored Contributor II

Refer to the Package Hosting section here:

https://docs.jamf.com/10.36.0/jamf-pro/documentation/Computer_PreStage_Enrollments.html

Packages must reside on a web server accessible without authentication. Jamf Cloud's distribution point servers secure the downloads with a JSON web token that changes with each download. I've never found good documentation that explains how to implement JWTs with IIS.

Amazon Web Services offers hosting that supports JWTs, but you'll do a lot of manual custom development work and you'll need to pay for hosting.

Redshirt26
New Contributor II

Thank you all for the replies,

Our current DP has a lot of packages, not signed when created in Composer or uploaded directly into Jamf Admin (a legacy practice of how to do things in our department, which I have not really changed since joining).

Turning on anonymous authentication on our DP lets us allocate it in a prestage policy, which is good to know.

I have done some reading on anonymous authentication for IIS. I'm still a little confused, to be honest. I'm just concerned that this is not entirely secure given that our other packages haven't been signed.

If anyone thinks differently, or if I'm being too safe, any advice would be appreciated.
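
Added example (not from any poster in this thread and not Jamf tooling): one way to inventory which packages on a distribution point are unsigned before deciding what may sit behind anonymous access. A flat `.pkg` is a xar archive whose table of contents carries a `<signature>` element when the package is signed, so the check can run on the Windows DP itself. The function names and the share path passed on the command line are assumptions, and the sample files are constructed.

```python
import struct, sys, tempfile, zlib
import xml.etree.ElementTree as ET
from pathlib import Path

# xar header (big-endian); only header size and compressed TOC length are used.
HEADER = struct.Struct(">4sHHQQI")
MAX_TOC = 16 * 1024 * 1024  # cap on TOC bytes read and inflated

def read_toc(path):
    """Parse the zlib-compressed XML table of contents of a flat package."""
    with open(path, "rb") as fh:
        raw = fh.read(HEADER.size)
        if len(raw) < HEADER.size or raw[:4] != b"xar!":
            raise ValueError("not a xar archive")
        _, hdr_size, _, toc_len, _, _ = HEADER.unpack(raw)
        fh.seek(hdr_size)
        data = fh.read(min(toc_len, MAX_TOC))
    return ET.fromstring(zlib.decompressobj().decompress(data, MAX_TOC))

def cert_count(path):
    """Certificates listed in the TOC <signature> element; 0 means unsigned."""
    sig = read_toc(path).find("toc/signature")
    certs = [] if sig is None else sig.iter()
    return sum(el.tag.endswith("X509Certificate") for el in certs)

def audit(dp_root):
    """Classify every .pkg under dp_root as signed, unsigned or not-flat."""
    report = {}
    for pkg in sorted(Path(dp_root).rglob("*.pkg")):
        try:
            report[pkg.name] = "signed" if cert_count(pkg) else "unsigned"
        except (OSError, ValueError, zlib.error, ET.ParseError):
            report[pkg.name] = "not-flat"  # bundle package or not a xar archive
    return report

def make_sample(path, signed):
    """Write a CONSTRUCTED header-and-TOC-only xar file for the demo."""
    sig = ('<signature style="RSA"><KeyInfo xmlns="http://www.w3.org/2000/09/'
           'xmldsig#"><X509Data><X509Certificate>PLACEHOLDER</X509Certificate>'
           '</X509Data></KeyInfo></signature>') if signed else ""
    toc = f"<xar><toc>{sig}</toc></xar>".encode()
    z = zlib.compress(toc)
    Path(path).write_bytes(HEADER.pack(b"xar!", HEADER.size, 1, len(z), len(toc), 1) + z)

if __name__ == "__main__":
    root = Path(sys.argv[1] if sys.argv[1:] else tempfile.mkdtemp())
    if not sys.argv[1:]:  # no path given: audit two constructed samples
        make_sample(root / "signed.pkg", True)
        make_sample(root / "unsigned.pkg", False)
    print(audit(root))
```

This reports only whether a signature is present in the archive; it does not validate the certificate chain, which `pkgutil --check-signature` does on a Mac.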