I recently needed to configure Jamf Infrastructure Manager (JIM) to give a Jamf Pro server hosted outside a company’s network a way to talk to an otherwise inaccessible Active Directory domain.
The documentation on how to set up an Infrastructure Manager covers the essentials, but it doesn’t include screenshots or any information about where the logs live when you need to debug problems. After some research and working with the JIM a bit, I was able to figure out the basics. For more details, see below the jump.
The JIM officially supports the following OSs:
- Ubuntu 14.04 LTS Server (64-bit) or Ubuntu 16.04 LTS Server (64-bit)
- Red Hat Enterprise Linux (RHEL) 7.0, 7.1, or 7.2
- Windows Server 2008 R2 (64-bit), Windows Server 2012 (64-bit), or Windows Server 2012 R2 (64-bit)
In this example, I’m going to be setting the JIM up on RHEL.
Installing the JIM
Pre-requisites:
- Supported operating system
- An otherwise unused TCP port higher than 1024, opened inbound both on the firewall and on the machine hosting the JIM. This is the port the remote Jamf Pro server will connect to.
- Outbound access from the machine hosting the JIM to your Active Directory domain. Usually, this means allowing the JIM host to reach at least one AD domain controller on TCP port 389 (LDAP, which is unencrypted unless StartTLS is negotiated) or TCP port 636 (LDAPS). Prefer 636 where you can, so the bind credentials and lookup results don’t cross the network in the clear.
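Before installing anything, it’s worth confirming each of these prerequisites from the JIM host itself. The script below is an added example of mine, not part of the JIM or of Jamf’s documentation: it checks that the chosen inbound port is valid and not already in use, that the host’s own FQDN resolves to one of its addresses, that a domain controller answers on 389 and 636, and (if you have openldap-clients installed) that an LDAPS bind and user lookup actually succeed. The port 8389, the domain controller dc01.int.company.com, the bind account svc_jamf@int.company.com and the base DN are placeholders I made up; override them through the environment.

```shell
#!/bin/bash
# JIM host pre-flight checks (added example; not Jamf's tooling).
# Placeholders below are assumptions; override them via the environment.
JIM_PORT="${JIM_PORT:-8389}"
DC_HOST="${DC_HOST:-dc01.int.company.com}"
BIND_DN="${BIND_DN:-svc_jamf@int.company.com}"
BASE_DN="${BASE_DN:-DC=int,DC=company,DC=com}"

# Return 0 if $1 is an integer above 1024 and at most 65535, which is
# the range the JIM inbound port has to fall in.
jim_port_ok() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Read `ss -ltn` output on stdin and print the port of every LISTEN
# socket. Takes the text after the last colon, so "*:22", "127.0.0.1:25"
# and IPv6 ":::8389" all work.
listen_ports() {
  awk 'NR > 1 { n = split($4, a, ":"); print a[n] }'
}

# Return 0 if port $1 is absent from the LISTEN sockets read on stdin.
port_free_in() {
  ! listen_ports | grep -qx "$1"
}

# Same check against the live socket table of this host.
port_unused() {
  ss -ltn 2>/dev/null | port_free_in "$1"
}

# Return 0 if a TCP connection to $1:$2 opens within 3 seconds.
# Uses bash's /dev/tcp so no extra client package is needed.
tcp_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Return 0 if the FQDN this host reports resolves to one of its own
# addresses. The other half of the requirement, that the remote Jamf Pro
# server resolves the same name to a reachable address, can only be
# checked from the Jamf Pro side.
fqdn_resolves_locally() {
  local fqdn addr
  fqdn="$(hostname -f)" || return 1
  case "$fqdn" in *.*) ;; *) return 1 ;; esac   # must be fully qualified
  for addr in $(getent ahosts "$fqdn" | awk '{print $1}' | sort -u); do
    hostname -I | tr ' ' '\n' | grep -qx "$addr" && return 0
  done
  return 1
}

# Open the inbound JIM port in firewalld (the RHEL 7 default). Needs root.
open_inbound_port() {
  firewall-cmd --permanent --add-port="$1/tcp" && firewall-cmd --reload
}

# Bind to the DC over LDAPS and look up one user by sAMAccountName, which
# exercises the same path the JIM will use. Requires openldap-clients
# (ldapsearch) and prompts for the bind password.
ldap_probe() {
  ldapsearch -H "ldaps://$DC_HOST:636" -D "$BIND_DN" -W -b "$BASE_DN" \
    "(sAMAccountName=$1)" dn
}

main() {
  jim_port_ok "$JIM_PORT" || { echo "bad port: $JIM_PORT"; return 1; }
  port_unused "$JIM_PORT" || { echo "port $JIM_PORT is already in use"; return 1; }
  fqdn_resolves_locally || { echo "hostname -f is not a resolvable FQDN"; return 1; }
  for p in 389 636; do
    if tcp_open "$DC_HOST" "$p"; then echo "reachable: $DC_HOST:$p"
    else echo "NOT reachable: $DC_HOST:$p"; fi
  done
  echo "pre-flight OK; open $JIM_PORT/tcp inbound with: open_inbound_port $JIM_PORT"
}

# Run the checks only when asked, so the file can also be sourced.
if [ -n "${JIM_PREFLIGHT_RUN:-}" ]; then main "$@"; fi
```

Run it with `JIM_PREFLIGHT_RUN=1 ./jim-preflight.sh`, or source it and call the functions individually. After you later enable the LDAP proxy in Jamf Pro, `port_unused "$JIM_PORT"` should start failing, which is the quickest confirmation that the JIM has taken the port Jamf Pro told it to listen on.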
1. Download the JIM .rpm installer file from your Jamf Nation assets list (for RHEL, this is listed as the Infrastructure Manager Installer for Linux.)
2. Copy it to a convenient place on the server you want to install the JIM on.
3. Log in to the server as a user with superuser privileges.
4. Run the JIM installer with root privileges, using a command similar to the one shown below:
sudo rpm -i /path/to/jamf-im-1.3.0-1.noarch.rpm
5. Once the installation process has completed, you’ll be prompted to enroll using the following command:
sudo jamf-im enroll
As part of the enrollment process, you’ll be prompted for four settings:
- Jamf Pro URL (for example: https://jamfpro.company.com)
- Jamf Pro user account with the Infrastructure Manager privilege (for example, your admin account)
- Password to the Jamf Pro user account
- Hostname of the machine you’re installing it on. (This must be the fully qualified domain name of the machine.)
Note: The hostname you enter must resolve to the JIM host both from the machine itself and from the remote Jamf Pro server, so there can’t be a mismatch where the machine thinks its hostname is blahblah.int.company.com while the remote Jamf Pro server reaches it as blehbleh.ext.company.com.
6. Once configured, the JIM process will restart and enroll itself with the remote Jamf Pro server.
7. To verify the enrollment succeeded, log into the remote Jamf Pro server and go to Management Settings: Server Infrastructure, then click on Infrastructure Managers.
8. In the Infrastructure Managers window, you should see a listing for the enrolled JIM.
9. To check the JIM enrollment status, click on the listing.
Using the JIM as an LDAP Proxy
If you already have the settings configured for the Active Directory domain, enabling the JIM to act as an LDAP proxy is fairly straightforward.
1. Go to Management Settings: System Settings and click on LDAP Servers.
2. Click on the listing for your Active Directory domain settings.
3. In the Active Directory domain settings, click the Enable LDAP Proxy Server checkbox.
4. In the Proxy Server drop-down menu, select the hostname of the enrolled JIM.
5. Set the port number of your inbound port.
Note: The port number specified here must match the port opened in the firewall and on the machine hosting the JIM. The Jamf Pro server tells the JIM which port to listen on, and the JIM can’t be configured locally to listen on an alternate port, so you cannot open one port in your firewall and have the JIM listen on a different one.
6. Once your proxy settings are entered, save your changes.
Advisory: It is not currently possible to use the LDAP Proxy as part of the Microsoft Active Directory assistant in Jamf Pro. If the settings for your Active Directory domain have not been configured previously, you will need to use the Configure Manually option to set up your AD domain settings and domain mappings.
Verifying connection to the Active Directory domain
Once the LDAP proxy is in place, you can verify that it is working by using the Test button in the Active Directory domain settings.
1. Open the Active Directory domain settings.
2. Click on the Test button.
3. In the Test window, select User Mappings.
4. Enter a username to look up, then click the Test button.
5. If all goes well, a listing for the username should be returned.
6. Repeat lookups as needed for User Group Mappings and User Group Membership Mapping.
Accessing JIM logs
If the test fails, you may need to check the JIM logs on the JIM’s host machine to see what’s going on. On Red Hat Enterprise Linux, those logs are in the following locations:
- /var/log/jamf-im-launcher.log
- /var/log/jamf-im.log
- /var/log/jamf-im-pre-enroll.log