Restricting internet inbound network

simonleungxyz
New Contributor II

Greetings!

We have received a notice from the campus network security team saying that in the coming months, internet inbound network traffic (traffic that originates from the public internet and is received within campus networks) will be denied by default, but outbound traffic to the internet is allowed.

I am concerned about the connection of our 60 iPads to Jamf Pro cloud. I read the document at https://learn.jamf.com/en-US/bundle/technical-articles/page/Permitting_InboundOutbound_Traffic_with_... . I'd like to clarify whether I need to ask the campus network team to add the IPs of "ap-northeast-1" under "Outbound Traffic from Jamf Cloud" to their whitelist.

Regards.

Simon  

2 ACCEPTED SOLUTIONS

AJPinto
Honored Contributor III

It seems very backwards to allow all outbound traffic and block all inbound. Usually it is a mix of both. To answer your question, yes, you need to have the Jamf hosts and ports bypassed, or MDM will not function. In addition, you need to bypass Apple's hosts and ports, as MDM leans on APNs to communicate with devices and deploy apps from the App Store, etc.

Use Apple products on enterprise networks - Apple Support

vrtigo1
New Contributor II

I'm not sure I disagree, that is pretty much the default setting on any network for the past 20 years or so.  All traffic from the internal trusted network to Internet is permitted, but traffic originating at the Internet destined to the internal network is dropped by default.

If I had to guess, this person is on a publicly addressed network where all hosts have public IPs and historically there has not been a firewall preventing inbound connections from the Internet, and this is going to change.

I think the key phrase from OP's post is "where network traffic originated from public internet and to be received within campus networks".  This should not affect MDM because that traffic does not actually originate from the Internet, even though it seems like it would.  What I mean is, the MDM agent on the clients is what initially establishes a connection outbound to the JAMF servers.  That connection is periodically polled to see if there are pending commands and if so the client processes them.  This is how all MDM apps have to work since the vast, vast majority of networks do not allow inbound traffic originating from the Internet.

It may be helpful to look up a stateful firewall.  Essentially, once a client initiates an outbound connection to a host on the Internet, that host on the Internet can send data back through the firewall to the client, but the host on the Internet cannot initiate the connection.  As long as the client initiates the connection, there is no problem with inbound traffic.
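The client-initiated model vrtigo1 describes, as an added example that is not part of the original thread or of Jamf's or Apple's documentation: a small model of a stateful firewall enforcing the campus policy (allow outbound, drop unsolicited inbound, allow return traffic on flows an inside client opened), applied to an MDM check-in and an APNs push. The addresses are placeholders (RFC 5737 TEST-NET ranges for the campus and the Jamf side, and one address inside Apple's 17.0.0.0/8 block for APNs); the ports are the standard ones, 443 for Jamf Pro over HTTPS and 5223 for APNs. The flow-table logic is a simplification written for this example, not any vendor's implementation.

```python
"""Constructed model of a default-deny-inbound stateful firewall.

Not Jamf or Apple code. Addresses are placeholders; only the port numbers
(443 for Jamf Pro/HTTPS, 5223 for APNs) and Apple's 17.0.0.0/8 block are real.
"""
from dataclasses import dataclass
import ipaddress

# Assumed public campus range (TEST-NET-3); the poster's real range is unknown.
CAMPUS = ipaddress.ip_network("203.0.113.0/24")

IPAD = "203.0.113.20"     # a managed iPad inside the campus network
JAMF = "198.51.100.10"    # placeholder for a Jamf Cloud address
APNS = "17.0.0.1"         # placeholder host inside Apple's APNs block


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a TCP connection-opening SYN (no ACK yet)


class StatefulFirewall:
    """Allow outbound, drop inbound unless it belongs to a client-opened flow."""

    def __init__(self):
        # Established flows keyed as (inside_ip, inside_port, outside_ip, outside_port).
        self.table = set()

    @staticmethod
    def _inside(ip):
        return ipaddress.ip_address(ip) in CAMPUS

    def filter(self, pkt):
        outbound = self._inside(pkt.src) and not self._inside(pkt.dst)
        inbound = self._inside(pkt.dst) and not self._inside(pkt.src)
        if outbound:
            # Any outbound packet is allowed and creates (or refreshes) flow state.
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if inbound:
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.table and not pkt.syn:
                return "ALLOW"  # return traffic on a flow the client opened
            return "DROP"       # unsolicited: the internet host tried to connect in
        return "DROP"           # anything else (spoofed inside-to-inside, etc.)


def mdm_scenario():
    """Walk the MDM and APNs exchanges through the firewall; return each verdict."""
    fw = StatefulFirewall()
    results = {}
    # 1. The iPad checks in to Jamf Pro over HTTPS; the device opens the connection.
    results["checkin"] = fw.filter(Packet(IPAD, 49152, JAMF, 443, syn=True))
    # 2. Jamf's reply (pending commands) rides the same flow back in.
    results["checkin_reply"] = fw.filter(Packet(JAMF, 443, IPAD, 49152))
    # 3. Jamf (or anyone on the internet) opening a new connection to the iPad is refused.
    results["push_from_internet"] = fw.filter(Packet(JAMF, 443, IPAD, 62000, syn=True))
    # 4. The iPad keeps a long-lived outbound APNs connection; pushes arrive as data on it.
    results["apns_open"] = fw.filter(Packet(IPAD, 49153, APNS, 5223, syn=True))
    results["apns_push"] = fw.filter(Packet(APNS, 5223, IPAD, 49153))
    return results


if __name__ == "__main__":
    for step, verdict in mdm_scenario().items():
        print(f"{step:20s} {verdict}")
```

The point the model makes explicit is that the "push" from the Jamf console never arrives as a new inbound connection: it is either a reply on the check-in the device opened, or data on the APNs connection the device keeps open. So nothing needs to go on an inbound whitelist for MDM to keep working; the Jamf and Apple hosts and ports only matter if outbound traffic is ever filtered too.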

4 REPLIES

Hi @vrtigo1, thanks for the reply. I see what you mean. Say I trigger a software update command from the Jamf Cloud console: it is not pushing the command to my devices inside the campus network; rather, the devices poll the Jamf Cloud server periodically for any pending actions. It sounds clear to me.

Have a good day.

Simon

@AJPinto, thanks for the information; I had missed the part on Apple School Manager. The network team urges us to provide a set of services (e.g. HTTPS, SMTP, DNS) that require inbound access to the internal campus network, where my Jamf Cloud MDM falls into this category; they will then put the information into their firewall (whitelist).

Have a good day.

Simon