jamf createConf and “insecure” SSL connections

Back in the JAMF 6.01 and 7.21 days, we had a login policy that re-created the jamf.conf file on each client. This policy ran the following command once a day:

jamf createConf -server <fully.qualified.server.name> -path / -isSecure

This command specified to create a jamf.conf file that connected the client to the FQDN of the JSS using the https:// protocol and port 8443.

JAMF Software has done away with the -isSecure switch, and after a recent upgrade to JSS 8.1, our clients stopped checking in to the JSS, and subsequently stopped receiving policies. This is due to a certificate-based security feature of the upgraded JSS. a jamf recon run on one of these affected clients reported that the client did not trust the JSS at <fully.qualified.domain.name>. It seems that unless your JSS has a valid 3rd party SSL certificate, you need to specify that the server does not have an SSL certificate (even if there is a self-signed certificate. I verified this information with JAMF) at all, even though you may be specifying a secure connection ala https://fully.qualified.server.name:8443/ (the trailing slash here is very important). This wouldn’t be so confusing if not for the next part.

The new createConf command creates some fairly confusing output when run:

jamf createConf -url https://fully.qualified.server.name:8443/ -allowInvalidCertificate

creates the following output:

The SSL certificate for https://fully.qualified.server.name:8443/ will not need to be trusted

Sorry. What SSL certificate? Even if your server does not have an SSL certificate or has a self-signed certificate, you need to specify allowing an invalid one regardless. Furthermore, if you DO NOT explicitly specify to allow invalid certificates, your clients will assume there is a valid certificate. IMO, this is extremely poor implementation on JAMF’s part. Note that this applies even if you have the proper settings in the JSS Web interface > Settings > Management Framework Settings > JSS URL/Certificate page and run this createConf command without specifying to allow invalid certs.

Additionally you need to specify the GUI apps – Recon, Casper Admin, Casper Imaging, and Casper Remote to also allow invalid certificates.



About this entry