I'm trying to create a new prestige-enrollment so that I can deploy DEPNotify to our lab Macs. However when I go to choose a distribution point I get the following error:
The distribution point does not meet the requirements to host packages for enrollment.
We use a windows server for our distribution point and we have completed the steps here: https://docs.jamf.com/technical-articles/Using_IIS_to_Enable_HTTPS_Downloads_on_a_Windows_Server_201... the only difference being is that we use an external ssl certificate instead of one generated from our Jamf Pro.
The questions I have is that when we turn on anonymous authentication instead of basic authentication on our default web site I am able to choose our DP in the pre-stage enrollment.
Is it ok to leave it like this?
Has anyone got it set up this way?
If so have you noticed anything unwanted happening?
Would it be worth setting up a separate DP with anonymous authentication set but just to house the DEPNotify package, keeping it separate from our main DP?
in the Enrollment Packages section of this article
you can find all the details.
it is important that the
- authentication is disabled
- the packets are signed
- at the end, do not forget the custom manifest file ;-)
Refer to the Package Hosting section here:
Packages must reside on a web server accessible without authentication. Jamf Cloud's distribution point servers secure the downloads with a JSON web token that changes with each download. I've never found good documentation that explains how to implement JWTs with IIS.
Amazon web services offers hosting that supports JWTs, but you'll do a lot of manual custom development work and you'll need to pay for hosting.
Thank you all for the replies,
Our current DP has a lot of packages, not signed when created in the composer or uploaded directly into jamf admin (A legacy practice of how to do things in our department which I have not really changed since joining)
Turning on anonymous authentication on our DP lets us allocate it in a prestage policy, which is good to know.
I have done some reading on anonymous authentication for IIS, I'm still a little confused to be honest. I'm just concerned that this is not entirely secure given that our other packages haven't been signed.
If anyone thinks differently, or if I'm being too safe any advice would be appreciated.