In a number of environments, Mac admins are transitioning from hosting their Mac-supporting services in on-site datacenters to now hosting them with various cloud service providers. These service providers can include Jamf Cloud, Amazon Web Services, Akamai or Rackspace.
For Mac admins using Jamf Pro, one way to start this transition is to use a Cloud Distribution Point (CDP). This allows a Jamf Pro server to use several specific cloud services’ content delivery networks to host installers and (if applicable) in-house developed applications and eBooks.
For my own needs, I was looking into setting up a CDP on Amazon Web Services (AWS). Jamf provides some documentation on how to set a CDP up with AWS, but doesn’t provide specific guidance. After some research and testing though, I was able to figure out the process for Jamf Pro 9.97x. For more details, see below the jump.
Before I was able to set up the CDP in my Jamf Pro server, I first needed to log into AWS and set up the needed permissions and policies for Amazon’s Simple Storage Service (S3). S3 is AWS’s primary service for storing data, and Jamf Pro servers use it when setting up AWS-hosted CDPs. For the process I used, see below:
Setting up AWS access and permissions
1. Log into the AWS console.
2. Once at the AWS Dashboard, select Identity and Access Management (IAM).
3. Select Users from the sidebar.
4. Click the Add User button.
5. Set up a new user and select Programmatic Access for the Access type option, then click the Next: Permissions button.
6. Click the Attach existing policies directly button.
7. Click the Create Policy button.
At this point, a new Create Policy window or tab should open in your web browser.
8. Click the Select button associated with the Create Your Own Policy button.
9. Copy and paste the policy shown below.
This policy sets up the account you just created with the correct permissions for the Jamf Pro CDP to be set up and work properly with AWS’s S3 and CloudFront services.
Note: Even if you do not plan to use CloudFront services, you will still need to have these permissions included with the policy. If these permissions are not included, the CDP creation process may halt with an error.
10. Once you have the policy set up, named and described, click the Validate Policy button to make sure the policy is formatted correctly.
11. If the policy validates correctly, click the Create Policy button.
Once the policy has been created, it will now show up in the list of policies that you can select. It will have its type set as Customer Managed, since it was created by an AWS customer as opposed to being created by AWS as a service for its customers.
12. Select the new policy if needed and click the Next: Review button.
13. At the review window, make sure that the selected choices match expectations. If they do, click the Create user button.
14. Once the user has been successfully created, the Access Key ID and Secret access key for the new user account can be accessed. To view the secret key, click the Show link.
The account credentials can also be downloaded as a .csv file.
At this point, the existing AWS policy and account permissions are sufficient to create a CDP for a Jamf Pro server on AWS. If you want to additionally secure your CDP by using CloudFront signed URLs, it will be necessary to get a copy of the appropriate CloudFront public and private keys.
Unlike many management functions in AWS, access to the appropriate CloudFront public and private keys is only available to the root user of the AWS account. Depending on the size of your organization, the AWS root account may be controlled by a group outside of yours, so you may need to do some investigation to see who can provide you with access to the CloudFront keys.
If you have access to your AWS account’s root user, here’s how to generate the appropriate CloudFront public and private keys.
1. Log into the AWS console.
2. Click on your account’s name in the upper right hand corner of the window.
3. Select My Security Credentials from the drop-down menu.
4. Find the CloudFront Key Pairs section and click the plus symbol, then click the Create New Key Pair button.
5. A pop-up window will appear to notify you that a new key pair has been created. Click the Download Private Key File button to download the private key.
Note: I also recommend downloading the public key at this time.
- The private key will download as a file named something similar to pk-033E34D4CB164A61912908A7B3EE93BE.pem
- The public key will download as a file named something similar to rsa-033E34D4CB164A61912908A7B3EE93BE.pem
To verify which is which, you can also open the .pem files with a text editor and see if the keys report themselves as private keys or public keys.
Note: Once you have the keys downloaded, store them in a secure location.
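As an added example (not part of the original post), here is a small shell script that does the verification described above from the command line instead of by eye: it classifies each .pem file by its header, confirms with openssl that the downloaded public key really is the public half of the downloaded private key, and checks that the private key file is not group- or world-readable. It assumes openssl is on the PATH and that you pass the pk-*.pem and rsa-*.pem file paths as arguments.

```shell
#!/bin/sh
# Added example, not from the post: sanity-check the CloudFront key files downloaded in step 5.
# Assumes openssl on PATH. Usage: check_cloudfront_keys pk-<ID>.pem rsa-<ID>.pem

# Classify a PEM file by its header line: prints "private", "public", or "unknown".
# Both PKCS#1 ("BEGIN RSA PRIVATE KEY") and PKCS#8 ("BEGIN PRIVATE KEY") headers match.
pem_kind() {
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"; then echo private
  elif grep -q -- '-----BEGIN .*PUBLIC KEY-----' "$1"; then echo public
  else echo unknown
  fi
}

# Confirm the private key parses and that its derived public key is byte-identical
# to the downloaded public key, i.e. the two files are one key pair. Returns 0 on match.
keys_match() {
  priv=$1; pub=$2
  derived=$(openssl rsa -in "$priv" -pubout 2>/dev/null) || return 1
  given=$(openssl rsa -pubin -in "$pub" 2>/dev/null) || return 1
  [ "$derived" = "$given" ]
}

# A private key should be readable only by its owner. Returns 0 when the
# group and other permission bits (columns 5-10 of `ls -l`) are all cleared.
private_key_mode_ok() {
  perms=$(ls -ld "$1" | cut -c5-10)
  [ "$perms" = "------" ]
}

# Report on a downloaded pair; exits non-zero if anything is off.
check_cloudfront_keys() {
  priv=$1; pub=$2; status=0
  echo "$priv: $(pem_kind "$priv")"
  echo "$pub: $(pem_kind "$pub")"
  [ "$(pem_kind "$priv")" = private ] || { echo "expected a private key in $priv"; status=1; }
  [ "$(pem_kind "$pub")" = public ]   || { echo "expected a public key in $pub"; status=1; }
  if keys_match "$priv" "$pub"; then echo "key pair matches"
  else echo "public key does NOT belong to this private key"; status=1; fi
  if private_key_mode_ok "$priv"; then echo "private key permissions OK"
  else echo "private key is group/world readable; run: chmod 600 $priv"; status=1; fi
  return $status
}
```

The match check matters because CloudFront lets you create several key pairs, and the file names only differ by the ID string, so it is easy to end up with a private key from one pair and a public key from another. The permission check is the minimum for the "store them in a secure location" note above; on a shared admin workstation, also keep the private key out of any synced or backed-up folder that other accounts can read.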
Setting up the Cloud Distribution Point
Once the needed configuration has been done in AWS and the necessary credentials have been acquired, an AWS-hosted CDP can now be set up on your Jamf Pro server using the procedure shown below.
1. Log into your Jamf Pro server
2. Go into Management: Computer Management and select Cloud Distribution Point.
3. In the Cloud Distribution Point window, click the Edit button.
4. Select Amazon Web Services from the Content Delivery Network drop-down menu.
5. Locate the account credentials of your previously created AWS user account and fill in the needed credentials for the Access Key ID and Secret Access Key blanks.
6. Once the credentials have been entered, click the Save button.
7. To check the connection between the Jamf Pro server and the CDP, click the Test button.
8. In the Test Cloud Distribution Point window, click the Test button.
If the connection is working properly, you should see a success message.
Verifying the creation of the Cloud Distribution Point in AWS
1. Log into the AWS console.
2. Once at the AWS Dashboard, select S3.
3. Verify that a new S3 bucket has been created, using a name beginning with jamf.
At this point, the CDP should be up and working, but it is not yet using signed URLs. If you want to enable signed URLs, use the procedure shown below.
Enabling signed URLs on the Cloud Distribution Point
1. Log into the Jamf Pro server
2. Go into Management: Computer Management and select Cloud Distribution Point.
3. In the Cloud Distribution Point window, click the Edit button.
4. Select the Require Signed URLs checkbox.
5. Click the Upload CloudFront Private Key button.
6. In the pop-up window that appears, click the Choose File button and select the appropriate CloudFront private key.
7. Once the CloudFront private key has been selected, click the Upload button.
8. Once the private key has uploaded, the name of the private key file should appear and be grayed out in the CloudFront Private Key blank. The CloudFront Access Key ID blank should also be populated with the Access Key ID.
9. Once all settings appear to have been applied correctly, click the Save button.
The CDP should now automatically begin using signed URLs.
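To show what Require Signed URLs actually buys you, here is an added example (my own shell script, not Jamf's code) that builds and checks a CloudFront signed URL with a canned policy using openssl, which is the scheme CloudFront uses for this kind of URL. It assumes openssl is on the PATH and uses the CloudFront key pair from the earlier section (pk-*.pem to sign, rsa-*.pem to verify); the cloudfront.net hostname, package path and Key-Pair-Id in the usage are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Jamf's code: build and verify a CloudFront canned-policy signed URL.
# Assumes openssl on PATH and a CloudFront key pair (pk-*.pem private, rsa-*.pem public).

# Canned policy JSON: one resource, valid until the given epoch time.
canned_policy() {
  printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~' (and back).
to_cf_b64()   { sed 's/+/-/g; s/=/_/g; s#/#~#g'; }
from_cf_b64() { sed 's/-/+/g; s/_/=/g; s#~#/#g'; }

# Sign: RSA-SHA1 over the policy bytes, base64, URL-safe, appended as query parameters.
sign_url() {
  url=$1; expires=$2; key_pair_id=$3; private_key=$4
  sig=$(canned_policy "$url" "$expires" \
        | openssl dgst -sha1 -sign "$private_key" -binary \
        | openssl base64 -A | to_cf_b64)
  printf '%s?Expires=%s&Signature=%s&Key-Pair-Id=%s\n' "$url" "$expires" "$sig" "$key_pair_id"
}

# Verify the way the edge does: rebuild the policy from the URL's own Expires value, undo the
# URL-safe encoding, check the signature with the public key, and reject anything past expiry.
# $3 is the current time as epoch seconds (passed in so the check is deterministic).
# Returns 0 only for a valid, unexpired URL.
verify_url() {
  signed=$1; public_key=$2; now=$3
  base=${signed%%\?*}
  query=${signed#*\?}
  expires=$(printf '%s' "$query" | tr '&' '\n' | sed -n 's/^Expires=//p')
  sig=$(printf '%s' "$query" | tr '&' '\n' | sed -n 's/^Signature=//p')
  [ -n "$expires" ] && [ -n "$sig" ] || return 1
  [ "$now" -lt "$expires" ] || return 1
  sigfile=$(mktemp)
  printf '%s' "$sig" | from_cf_b64 | openssl base64 -d -A > "$sigfile"
  canned_policy "$base" "$expires" \
    | openssl dgst -sha1 -verify "$public_key" -signature "$sigfile" >/dev/null 2>&1
  rc=$?
  rm -f "$sigfile"
  return $rc
}

# Usage (constructed values): sign a package URL for one hour, then verify it.
# sign_url "https://d111111abcdef8.cloudfront.net/pkg/Example.pkg" "$(( $(date +%s) + 3600 ))" \
#   APKAEXAMPLEKEYID pk-<ID>.pem
```

Two properties fall out of the format and are what make the checkbox worthwhile: the signature covers the exact resource path and the expiry time, so a URL handed to one Mac cannot be edited to fetch a different object or to outlive its window, and only holders of the private key can mint new ones, which is why that key is the thing to protect. Jamf Pro does the signing server-side when it hands a download URL to a client, so the private key never leaves the server.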
Hat tip to my colleague François Levaux-Tiffreau, for providing the best documentation I came across in my research on how to set up a CDP with Jamf Pro.