Just wanted to see if anyone had any success enabling HTTPS on macOS.
All my DP's are macOS. On-Premise Jamf.
I can see enabling Apache on macOS is straightforward, but what exactly needs doing to the httpd-vhosts.conf & httpd-ssl.conf files? If that's correct?
I did add another into the DMZ for external facing devices, as the majority are WFH.
But the security team is questioning AFP or SMB through the firewall.
My company will not go down the Jamf Cloud route, as they are limiting cost expenditure. Right now, I'm telling users to connect VPN first before using Self Service etc.
I am working on this today, have an open case with Jamf for instruction, will update you later how I make out. If you're in a hurry I can share what I have so far. Trying this out so I can move away from our Distribution Point in AWS. We had a policy spin out of control and skyrocketed our data transfer costs last month.
@k84 I can't speak for configuring an HTTPS DP on macOS, but pretty much no security team is going to allow public facing AFP or SMB ports on a DMZ server, so HTTPS is definitely the way you want to go. There are other advantages to HTTPS DPs as well - resumable downloads, and faster downloads due to elimination of the mount/unmount of the server file system required with SMB.
Have you considered a non-macOS host for the DMZ DP? @Hugonaut wrote up a guide to configuring an HTTPS DP on a RHEL server: https://hugonaut.blog/configuring-rhel-7-x-server-as-a-jamf-https-distribution-point/
Here's how we do it internally...
1. Open /etc/apache2/extra/httpd-ssl.conf
2. Make sure it's listening on port 443 (uncomment)
3. Look for the term SSLProtocol and change it to: SSLProtocol -all +TLSv1.2
4. Look for the line that starts with <VirtualHost _default_:443> and remove all lines between <VirtualHost _default_:443> and </VirtualHost>
5. Save the changes
1. Create a certs folder in /etc/apache2/ (or any other place in your server)
2. Download and copy your certs (CA, Intermediate and Cert) into the certs folder
3. Make sure permissions for the certs are 755, o=administrator g=wheel (or tighter)
HTTPD CONFIGURATION FILES
# Add the following lines at the end of /etc/apache2/httpd.conf
# Disable Trace protocol
TraceEnable off
# Supplemental security options
# This directive controls whether the Server response header field which is sent back to clients includes a description
# of the generic OS-type of the server as well as information about compiled-in modules.
ServerTokens Prod
# The ServerSignature directive allows the configuration of a trailing footer line under server-generated documents
ServerSignature off
# The FileETag directive configures the file attributes that are used to create the ETag (entity tag)
# response header field when the document is based on a static file.
FileETag None
# The Header directives below need mod_headers: check that the headers_module LoadModule line in httpd.conf is uncommented
# Directive to mitigate XSS attacks
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
# Directive to mitigate clickjacking attacks
Header always append X-Frame-Options SAMEORIGIN
# Directive to mitigate CDN attacks
Header set X-XSS-Protection "1; mode=block"
# HTTP timeout sessions in seconds (increase as necessary; Apache does not allow a trailing comment on the directive line)
Timeout 1200
# This file should be removed or disabled in Tomcat conf directives
# /Library/JSS/Tomcat/webapps/ROOT/robots.txt
# global robots.txt file for controlling those crawlers (good ones anyway)
<Location "/robots.txt">
ProxyPass !
</Location>
Alias /robots.txt /Library/JSS/Tomcat/webapps/ROOT/robots.txt
HTTPD VIRTUAL HOST
# Add this code to /etc/apache2/extra/httpd-vhosts.conf
#
# HTTPS Host for File Distribution Point
#
<VirtualHost *:443>
ServerName https://your.cdn.tld:443
ServerAdmin firstname.lastname@example.org
# Create a JAMF-CDN folder in a secure volume and create a symlink to the DocumentRoot path
DocumentRoot "/Library/WebServer/Documents/JAMF-CDN"
# Create an index.html file that displays some disclaimer if someone tries to reach the website directly
DirectoryIndex index.html index.php default.html
# Set Apache logging for the vhost
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log
# Set SSL for the vhost
SSLEngine On
SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
SSLProtocol -all +TLSv1.2
SSLProxyEngine Off
# Load the cert chain from the certs folder
SSLCertificateFile "/private/etc/apache2/cert/certificate.crt"
SSLCertificateKeyFile "/private/etc/apache2/cert/privatekey.key"
SSLCertificateChainFile "/private/etc/apache2/cert/certificate_bundle.crt"
SSLProxyProtocol -all +TLSv1.2
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
# Requires mod_headers (headers_module) to be loaded in httpd.conf
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
ErrorDocument 404 /error.html
<Directory "/Library/WebServer/Documents/JAMF-CDN">
Options All -Indexes -ExecCGI -Includes +MultiViews
AllowOverride None
</Directory>
</VirtualHost>
@TomDay if & when you have time to share notes, that would be great. What you said about AWS shook me to my core. My management would have a breakdown if that happened in our environment.
@falabella_cst thanks for sharing. Looks great.
@sdagley I did look at it and was keen to try that option, but the Server team stated this is not a free solution as RHEL charges, so I thought let's try CentOS as it's a derivative of RHEL, and again they said NO because that's something that is not allowed.
Problem is they want champagne for the price of lemonade. I can't win with these guys lol.
@k84 Your server team didn't give you any grief about a Mac in your DMZ? That's kind of surprising, but good as it looks like you've now got the info needed to configure it for https. I would strongly recommend you also configure that for your on-prem DPs as the performance difference is noticeable.
I'll also comment that I suspect @TomDay has a self-hosted AWS DP rather than a Jamf Cloud hosted environment. To my knowledge Jamf Cloud subscriptions do not charge for Cloud DP downloads (which is a nice "feature" of Jamf Cloud as you've got a fixed cost versus the cost volatility of a self-hosted Jamf Pro Installation in AWS).
@k84 Jamf support was great in helping me with this. They sent me an internal PDF as a guide for setting up and helped troubleshoot a few bits, as the formatting in the PDF was a bit odd. Below are the notes I just wrote up internally. It's a bit long, hope it helps you. A lot of my formatting was stripped in the paste, hope it doesn't make the info confusing.
Create an HTTP File Share Distribution Point on macOS
This guide walks you through enabling HTTP downloads for package deployment on a macOS server. This assumes we have an existing SMB file share distribution point already up and running on the existing server.
Create an HTTP Server
Start apache (built in to macOS)
sudo apachectl start
Create a symlink for the existing file share to the default DocumentRoot directory:
sudo ln -s /Users/Shared/jamfshare /Library/WebServer/Documents
Backup the existing Apache2 configuration file in the private/etc/apache2 folder:
sudo cp httpd.conf httpd.conf.bak
Edit the Apache2 configuration file using nano or vi:
sudo nano httpd.conf
Within the file, add the word ‘Indexes’ to the first line in the ‘Directory’ section.
Here is what that will look like in the file, I bolded where 'Indexes' needs to be added:
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
# Note that "MultiViews" must be named explicitly --- "Options All"
# doesn't give it to you.
# The Options directive is both complicated and important. Please see
# for more information.
Options FollowSymLinks Multiviews Indexes
Restart the apache2 service
sudo apachectl restart
We should see the directory structure when navigating to http://localhost/JamfShare on the server, or http://<fqdn>/JamfShare from a remote machine.
Bring on HTTPS
After the share is up and running on port 80 and we can view the contents of the directory, we can enable HTTPS. To do this follow the below steps:
Create a directory within /etc/apache2/ using Terminal.app:
sudo mkdir /etc/apache2/ssl
Create a configuration file for openssl to reference when generating the private key and certificate signing request:
Create a new configuration file within the directory for the CSR
sudo nano /etc/apache2/ssl/certconfig.cnf
Copy and paste the below into our new 'certconfig.cnf' file. Replace only '<FQDN>' with the actual server's fully qualified domain name:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = <FQDN>
Create a new private key and CSR for our SSL certificate using the new 'certconfig.cnf' file. Enter in the requested details. The email address and challenge password questions can be skipped by pressing Return.
sudo openssl req -out /etc/apache2/ssl/server.csr -newkey rsa:2048 -nodes -keyout /etc/apache2/ssl/private.key -config /etc/apache2/ssl/certconfig.cnf
We can quickly list the contents of the CSR by running a "cat" command to be used for our next step:
sudo cat /etc/apache2/ssl/server.csr
Copy the contents of the CSR to your clipboard, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
Submit the CSR to the Jamf Pro PKI to obtain a certificate.
In Jamf Pro, navigate to Jamf Pro Settings > Global Management > PKI Certificates > Management Certificate Template
Select “Create Certificate from CSR"
Select “Web Server Certificate"
Paste our CSR contents into the text box and click “Create"
Rename the resulting certificate file to “server.pem” for simplicity and copy the file to our /etc/apache2/ssl directory.
Edit the Apache main configuration file at /etc/apache2/httpd.conf and uncomment the following lines (remove the # symbol)
1. LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
2. LoadModule ssl_module libexec/apache2/mod_ssl.so
3. Include /private/etc/apache2/extra/httpd-ssl.conf
Edit the SSL configuration file at /etc/apache2/extra/httpd-ssl.conf and update the paths to our SSL certificate and Private key within the "# Server Certificate:" and "# Server Private Key:" sections:
Run the following command to confirm the configuration is correct, correct any errors presented as needed:
sudo apachectl configtest
Restart the Apache2 service:
sudo apachectl restart
We should see the directory structure when navigating to https://localhost/JamfShare on the server, or https://<fqdn>/JamfShare from a remote machine.
Setting up Basic Authentication
If we need to enable basic authentication for the file share in lieu of anonymous authentication, we will need to follow these steps:
Create our HTTP user for access:
sudo htpasswd -c /etc/apache2/passwords jamfread
Edit the "/etc/apache2/httpd.conf" file again. Comment out the line that reads "Require all granted" of the <Directory "/Library/WebServer/Documents"> section.
Underneath that line, also add the below syntax to the <Directory "/Library/WebServer/Documents"> section
Require user jamfread
Run another configuration test and restart the service. You should now be prompted for authentication when hitting the /jamfshare endpoint
Enable HTTPS on the Current SMB Share
Go to the Jamf Pro Server
Settings > Server Infrastructure > File Distribution Points > Select the server > HTTP/HTTPS
Enable HTTPS Downloads, Enable SSL with Port 443, add 'JamfShare' to Context field
Set Authentication type to 'Username and Password' enter credentials we created earlier.
Test a policy to assure it pulls the pkg from the HTTPS share.
*Cert is good for 1 year, be sure to renew!
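Added example, not from the thread or from Jamf: a small audit script that reads an Apache vhost/httpd.conf fragment and reports the settings the two posts above care about (falabella_cst's SSLProtocol, TraceEnable and HSTS directives, and TomDay's Indexes and "Require all granted" versus "Require user" step). It treats the config as flat (section scope is ignored) and uses two constructed sample configs; the hardened one produces no findings.

```python
# Constructed samples: the weak defaults the thread warns about, and the hardened form from the posts.
WEAK = """<VirtualHost *:443>
SSLProtocol all -SSLv3
TraceEnable on
<Directory "/Library/WebServer/Documents/JamfShare">
Options FollowSymLinks Multiviews Indexes
Require all granted
</Directory>
</VirtualHost>"""

HARDENED = """<VirtualHost *:443>
SSLProtocol -all +TLSv1.2
TraceEnable off
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
<Directory "/Library/WebServer/Documents/JAMF-CDN">
Options All -Indexes -ExecCGI -Includes +MultiViews
Require user jamfread
</Directory>
</VirtualHost>"""

def directives(text):
    """Map lowercased directive name -> list of values; '#' comment lines and <section> tags are skipped."""
    d = {}
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, _, value = line.partition(" ")
            d.setdefault(name.lower(), []).append(value.strip())
    return d

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d, findings = directives(text), []
    # Apache's default SSLProtocol is 'all -SSLv3', so an unset value also allows TLS 1.0/1.1
    for v in d.get("sslprotocol", ["(unset)"]):
        toks = v.split()
        enabled = {t.lstrip("+") for t in toks if not t.startswith("-")}
        if not any(t.lower() == "-all" for t in toks) or not enabled <= {"TLSv1.2", "TLSv1.3"}:
            findings.append("SSLProtocol allows legacy TLS: " + v)
    if [v.lower() for v in d.get("traceenable", [])] != ["off"]:
        findings.append("TraceEnable is not off")
    if not any("strict-transport-security" in v.lower() for v in d.get("header", [])):
        findings.append("No Strict-Transport-Security header")
    # Directory listing exposes the package inventory; flag Indexes unless explicitly removed
    for v in d.get("options", []):
        t = [x.lower().lstrip("+") for x in v.split()]
        if "indexes" in t or ("all" in t and "-indexes" not in t):
            findings.append("Directory listing enabled: Options " + v)
    if any(v.lower() == "all granted" for v in d.get("require", [])):
        findings.append("Anonymous access: Require all granted")
    return findings
```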
Tom, I've gotta say this worked perfectly to create a local distro at my org, thanks so much for posting! The only bit of syntax I had to change was adding a newline in the cert creation between..
[alt_names]
DNS.1 = <FQDN>
I combined this with the SMB article https://docs.jamf.com/technical-articles/Setting_Up_a_File_Share_Distribution_Point.html
Everything worked a treat! Thanks again