Setup Manager and HTTPS Authentication

BCPeteo
Contributor III

We are looking at Setup Manager to replace our DEPNotify config as it's not supported any more.

We have set up an HTTPS distribution point on an IIS server with anonymous share access, added the signed Setup Manager pkg, uploaded the manifest file to Jamf and set up the PreStage enrollment package to deploy Setup Manager.

Setup Manager launches and starts configuring and trying to deploy packages.

When trying to deploy packages (from another HTTPS distribution point with authentication required) the deployments fail. Is it the case that all packages you want to deploy with Setup Manager need to be set up on an anonymous share accessible to all, meaning licensed software can be downloaded by anyone that knows the URL (on campus at least)? Maybe I am missing something, but this seems like a bad idea?

When I do enable anonymous share access and set authentication type to none on the distribution share the packages deploy.

6 REPLIES

sdagley
Esteemed Contributor II

Do you have the CA that issued the certificate used by your IIS deployed to Macs being enrolled in the PreStage? If the CA for that certificate isn't one of the default CAs you wouldn't be able to authenticate the connection.

Thanks, I do have a 3rd party cert in the IIS, with Sectigo RSA CA and USERTrust RSA Certification Authority. The USERTrust is on the included root cert list here: https://support.apple.com/en-us/121672. I assume that should be enough and that I do not need to include it in a profile?

sdagley
Esteemed Contributor II

No, one would expect that to be trusted. So much for that idea.

With the help of a person in the MacAdmins: Jamf-Setup-manager Slack I was able to get this to work. I needed to add a PPPC policy to give Setup Manager SystemPolicyAllFiles allow so then it can mount the SMB share (instead of using HTTPS). This is for packages that Setup Manager is set to install. This way I can have the Setup Manager PKG on its own anonymous HTTPS share and use an SMB distribution point that is secure for the other deployment packages.

 

sdagley
Esteemed Contributor II

Good to hear you found a workaround but I _really_ dislike SMB shares (don't support resumable downloads and the overhead incurred to mount a file system when all I want is to download a package) and wondering why HTTPS didn't work would drive me crazy.

Yes, really odd that it can mount a protected share but not download a pkg from a URL. None of these packages have a manifest file (other than the Setup Manager pkg). We do not use Jamf Cloud, so a manifest file is not auto-created with Jamf on-prem; maybe that's it?