Where is the Lock command being sent from?

mmarzouk
New Contributor

Hello,

I just have a quick question. If a Jamf instance is locked down to our network and we need to send a lock command to a machine, my understanding is that the lock command will come from Apple so the machine will lock. Is that true?


ateazzie
New Contributor III

Good question, I would like to know as well.

cdenesha
Valued Contributor II

A lock command is an MDM command, so it will be sent via Apple's APNs service. Jamf Pro does not need to be available outside your network.

chris

[edit] I stand corrected, the JSS needs to be available to the device to provide the actual command. Sorry!

alexjdale
Valued Contributor III

I'm pretty sure the system needs to be able to reach your JSS to complete the lock command; at least in my testing, the command wouldn't go through until I connected to the corporate network. I might be wrong, but that's what I've seen.

To clarify: it's my understanding that APNs will send a command to your device to check in with your JSS, which is when it would complete the command push.

mm2270
Legendary Contributor III

@alexjdale is actually correct. The way APNs commands work is, your Jamf Pro server sends a command to APNs to instruct it to tell a machine to check back in with it for further instructions. The Mac gets the instruction from APNs to “check in” with its MDM server, either immediately or whenever the Mac comes online. If the Mac can’t connect to the Jamf server for its instruction it won’t get the lock command. It doesn’t actually come entirely from APNs. The Mac does need to be able to communicate with the Jamf server.

If you have a cloud instance there’s no issue, but if you have an on-prem server you’ll need to get it into your DMZ or externally facing in some way if it’s not already.
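Added example, not part of the thread and not Jamf's code: a simplified Python model of the exchange described in the last reply, showing that the APNs push carries only a wake-up and the `DeviceLock` command is fetched from the MDM server at check-in. The class names, UDID, push magic, command UUID and PIN are constructed placeholders, and the check-in is an in-process call standing in for the device's HTTPS request to the server.

```python
import plistlib

class MdmServer:
    """Stand-in for an MDM server such as Jamf Pro (simplified model)."""
    def __init__(self):
        self.queue = {}  # UDID -> list of pending command dicts

    def queue_lock(self, udid, pin):
        cmd = {"CommandUUID": "constructed-uuid-0001",
               "Command": {"RequestType": "DeviceLock", "PIN": pin}}
        self.queue.setdefault(udid, []).append(cmd)
        # What goes to APNs is only a wake-up; the command stays queued here.
        return {"mdm": "constructed-push-magic"}

    def handle_checkin(self, body):
        """Device sends a plist; reply with the next queued command, if any."""
        msg = plistlib.loads(body)
        pending = self.queue.get(msg["UDID"], [])
        if msg["Status"] == "Idle" and pending:
            return plistlib.dumps(pending.pop(0))
        return b""  # empty body: nothing further to do

class Device:
    def __init__(self, udid, server, can_reach_server):
        self.udid, self.server = udid, server
        self.can_reach_server = can_reach_server  # False = off the corporate network
        self.locked = False

    def on_push(self, payload):
        """APNs delivered the wake-up; now try to contact the MDM server."""
        assert "Command" not in payload  # the push never carries the command
        if not self.can_reach_server:
            return "push received, server unreachable, command still queued"
        reply = self.server.handle_checkin(
            plistlib.dumps({"Status": "Idle", "UDID": self.udid}))
        if not reply:
            return "checked in, nothing queued"
        cmd = plistlib.loads(reply)
        if cmd["Command"]["RequestType"] == "DeviceLock":
            self.locked = True
        self.server.handle_checkin(plistlib.dumps(
            {"Status": "Acknowledged", "UDID": self.udid,
             "CommandUUID": cmd["CommandUUID"]}))
        return "locked"

def run(can_reach_server):
    server = MdmServer()
    device = Device("constructed-udid", server, can_reach_server)
    push = server.queue_lock(device.udid, "123456")
    return device.on_push(push), device.locked, len(server.queue[device.udid])
```

`run(False)` models a Mac that receives the push while the server is only reachable from inside the network: the command stays in the server's queue and the device is not locked.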