Posted on 02-08-2016 10:25 AM
We just recently set up an externally facing JSS. We have been trying to send out remote lock and remote wipe commands to Macs outside of our network but they keep failing. These are the ports we opened up on our firewall: 443, 548, 2195, 2196, and 5223.
Are we missing something?
Posted on 02-08-2016 10:57 AM
Does it work if the device is inside the network? If not, it could be something cert related.
The server needs to reach "Apple" (17.0.0.0/8) on 2195 & 2196
The clients need to be able to reach Apple on 5223.
That's all we open externally on the firewall normally.
Oh, and the HTTPS port inbound to your JSS if you want the devices to be able to check-in.
Posted on 02-08-2016 11:20 AM
Yes, it works fine with devices that are connected to our Wi-Fi. Devices outside our network can connect to Self Service and see the apps we have inside of it but can't download those apps or receive the remote lock commands.
Posted on 02-08-2016 12:20 PM
That's positive. At least it's not an APNS / cert issue.
For the policies in Self Service, if the user is outside the network, you will need to allow an inbound connection to your JSS (it sounds like it's already open) and to your distribution point. I noticed you listed 548 up there; that's more suited to LAN-based deployments. I would use HTTPS and WebDAV if you can.
The remote lock commands just need the ports I listed above.
In case it helps, this is what I normally email to the people managing the firewall:
Would be worth testing from a client with https://itunes.apple.com/gb/app/push-diagnostics/id689859502?mt=12
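As an added example (not code from the thread or from Jamf), the script below turns the port list given in the replies above into a reachability check: run it with `server` on the JSS host to confirm outbound 2195/2196 into 17.0.0.0/8, and with `client` from a Mac outside the network to confirm 5223 to Apple and 443 back to the JSS. The APNs hostnames (`gateway.push.apple.com`, `feedback.push.apple.com`, `courier.push.apple.com`) and the JSS name `jss.example.com` are assumptions for illustration; the thread itself only gives the /8 and the port numbers. A successful TCP connect only proves the firewall path; it says nothing about the push certificate, which is the other thing the second reply tells you to rule out.

```python
"""Firewall-path check for the APNs / JSS ports listed in the thread above.

Added example, not from the original posts. Hostnames below are assumptions;
the thread only states the 17.0.0.0/8 range and the port numbers.
"""
import ipaddress
import socket
from contextlib import contextmanager

# From the thread: the JSS must reach Apple's 17.0.0.0/8 on 2195/2196.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# (label, host, port, run_from). Hostnames and the JSS name are assumptions.
CHECKS = [
    ("JSS -> APNs gateway", "gateway.push.apple.com", 2195, "server"),
    ("JSS -> APNs feedback", "feedback.push.apple.com", 2196, "server"),
    ("Mac -> APNs", "courier.push.apple.com", 5223, "client"),
    ("Mac -> JSS HTTPS", "jss.example.com", 443, "client"),
]


def tcp_connect(host, port, timeout=5.0):
    """Attempt a full TCP handshake to host:port; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return True, f"connected to {s.getpeername()[0]}"
    except socket.timeout:
        # A firewall that silently drops the SYN shows up as a timeout,
        # whereas a closed port on a reachable host is refused immediately.
        return False, "timeout (firewall silently dropping the SYN looks like this)"
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"


def in_apple_range(addr):
    """True when a resolved address lies inside 17.0.0.0/8."""
    return ipaddress.ip_address(addr) in APPLE_NET


def run_checks(checks, run_from, connect=tcp_connect, resolver=socket.gethostbyname):
    """Run the checks that apply to this side ("server" or "client").

    Returns {label: (ok, detail)}. If an Apple hostname resolves outside
    17.0.0.0/8, the detail carries a warning, because a firewall rule scoped
    to that /8 (as in the thread) would not cover the address actually used.
    """
    results = {}
    for label, host, port, where in checks:
        if where != run_from:
            continue
        ok, detail = connect(host, port)
        if ok and host.endswith("apple.com"):
            try:
                addr = resolver(host)
            except OSError:
                addr = None
            if addr and not in_apple_range(addr):
                detail += f"; warning: {addr} is outside 17.0.0.0/8"
        results[label] = (ok, detail)
    return results


@contextmanager
def local_listener():
    """Loopback listener so the checker itself can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    try:
        yield srv.getsockname()[1]
    finally:
        srv.close()


if __name__ == "__main__":
    import sys

    side = sys.argv[1] if len(sys.argv) > 1 else "server"
    for label, (ok, detail) in run_checks(CHECKS, side).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}: {detail}")
```

The `resolver` and `connect` parameters exist so the logic can be exercised against a loopback listener without Internet access; in real use leave the defaults and read the FAIL lines: a timeout points at the firewall, an immediate refusal at the wrong host or port.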