Posted on 05-12-2022 01:41 AM
I'm looking to identify which Tomcat servlets within a Jamf Pro instance are required for each of the following functions:
(with the understanding that a single servlet may fall into multiple categories).
The list of servlets present (as of 10.38) is:
BinServlet
ClassicAPIDocRedirectServlet
ClientCommunicationServlet
DEPQuickAddController
DEPQuickAddManifestController
DeviceComplianceRegistrationDispatcher
DistributionFileUploader
EnrollmentController
EnrollmentCustomizationView
EnrollmentProfileDownload
FileVault2InstitutionalKeyDownload
FlatPackageCreationServlet
FrontEndAJAXController
FrontEndController
FrontEndUploadController
IconDownloadServlet
ImageRedirectServlet
InitializeDatabaseConnectionServlet
InitializeDatabaseConnectionServletV1
InitializeServer
JAMFCRLServlet
JSSCheckConnection
LegacyComputerInvitationServlet
LegacyRestRedirectServlet
LegacyUpgrade
MDMServiceConfigServlet
MobileDeviceAppManifestController
ModemDispatcher
NetworkIntegrationServlet
OTAEnrollmentController
PresentationLayerServlet
RestletServlet
SCEPConfigServlet
SCEPEnrollmentServlet
SelfServiceDownloadURL
SelfServiceWebClipServlet
ServiceDiscoveryUserEnrollmentDispatcher
SpringCPDispatcher
SpringCertApiDispatcher
SpringConditionalAccessCloudConnectorDispatcher
SpringDispatcher
SpringSSAPIDispatcher
SpringUAPIDispatcher
StartupCompleteServlet
StartupStatusServlet
SubmitFileVault2KeyServlet
UpdateMDMProfile
VPPAcceptInvitationServlet
VPPInvitationServlet
WorkPlaceJoin
disabledController
enrollmentAJAXMonitor
iconController
mobileDeviceAppController
remoteController
remoteControllerXML
I've seen other posts in the past (e.g. https://community.jamf.com/t5/jamf-pro/filter-block-jss-startup-pages/m-p/167166) which suggest that the following servlets are responsible for the admin web interface:
FrontEndController
FrontEndUploadController
InitializeServer
PresentationLayerServlet
but I'm not sure if that is still current, or what is needed for the other two functions.
The client communication function will need to be exposed to the internet, but I'd prefer to do this in an allow-list format, rather than exposing it by default.
(Note that we would want to apply different controls to the different functions, and we won't simply be restricting by IP as in the linked post.)
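
A starting point for the allow-list approach asked about above, as an added example that is not part of the original post and is not Jamf's code: it reads a servlet deployment descriptor and lists the URL patterns of only those servlets explicitly chosen for exposure, leaving everything else denied. It assumes the servlets are declared in the web app's `WEB-INF/web.xml`; the sample descriptor is constructed, its URL patterns are placeholders rather than Jamf Pro's real mappings, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: servlet names come from the post's list, but the
# URL patterns are placeholders, NOT Jamf Pro's real mappings.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>FrontEndController</servlet-name></servlet>
  <servlet><servlet-name>ClientCommunicationServlet</servlet-name></servlet>
  <servlet><servlet-name>InitializeServer</servlet-name></servlet>
  <servlet-mapping>
    <servlet-name>FrontEndController</servlet-name>
    <url-pattern>/placeholder-admin/*</url-pattern>
    <url-pattern>*.placeholder</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ClientCommunicationServlet</servlet-name>
    <url-pattern>/placeholder-client</url-pattern>
  </servlet-mapping>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so any descriptor version is handled."""
    return tag.rsplit("}", 1)[-1]

def servlet_url_patterns(web_xml_text):
    """Return {servlet-name: [url-pattern, ...]}; unmapped servlets get []."""
    mapping = {}
    for el in ET.fromstring(web_xml_text).iter():
        if _local(el.tag) not in ("servlet", "servlet-mapping"):
            continue
        children = [(_local(c.tag), (c.text or "").strip()) for c in el]
        name = next((text for tag, text in children if tag == "servlet-name"), None)
        if name is None:
            continue
        patterns = [text for tag, text in children if tag == "url-pattern"]
        mapping.setdefault(name, []).extend(patterns)
    return mapping

def allow_list(mapping, exposed):
    """Return (patterns to allow, servlet names left denied by default)."""
    unknown = sorted(set(exposed) - set(mapping))
    if unknown:  # fail closed on a typo rather than silently exposing nothing
        raise KeyError(f"not declared in web.xml: {unknown}")
    allowed = sorted(p for name in exposed for p in mapping[name])
    denied = sorted(name for name in mapping if name not in exposed)
    return allowed, denied

if __name__ == "__main__":
    allowed, denied = allow_list(servlet_url_patterns(SAMPLE_WEB_XML),
                                 ["ClientCommunicationServlet"])
    print("allow:", allowed)
    print("deny by default:", denied)
```

Servlets registered through annotations or programmatically do not appear in `web.xml`, so the output is an inventory to verify against observed traffic, not a complete map.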