Using IIS to Enable HTTPS Downloads on a Windows Server 2012 or 2016 File Share Distribution Point

Overview

This article explains how to activate Internet Information Services (IIS) and use it to enable HTTPS downloads on a Windows Server 2012 or 2016 file share distribution point.

Prerequisites

  • Knowledge of the credentials (the read-only account) used to access the file share.
  • An existing SMB file share being used as a Jamf Pro distribution point. Note: The example Jamf SMB file share used in this article is jamf_share, located in D:\jamf_share.

Procedures

Windows Server 2016

Summary of Steps

The following steps are described in detail below:

  1. Add the Web Server (IIS) Role
  2. Add a Virtual Directory Using the IIS Manager
  3. Confirm the Virtual Directory Has Been Created
  4. Copy the Certificate Text to Jamf Pro
  5. Open the Certificate Snap-in in the Microsoft Management Console
  6. Import the CA from Jamf Pro
  7. Import the Certificate for the Virtual Directory
  8. Verify an Account is Available to Access the File Share Over HTTPS
  9. Enable Basic Authentication for the jamf_share
  10. Add MIME Types to the Virtual Directory
  11. Enable HTTPS Downloads in Jamf Pro

Add the Web Server (IIS) Role

If the Web Server (IIS) role is not already activated, add the Web Server (IIS) role using Server Manager.

  1. Select "Server Manager" from the Start menu.
  2. Click Add roles and features.
  3. Follow the onscreen instructions for installing the Web Server (IIS) server role. Be sure that the Basic Authentication checkbox is selected in the Role Services list.

Add a Virtual Directory Using the IIS Manager

Add a virtual directory using the IIS Manager, and link the new file share to the existing file share. The existing file share is defined in Jamf Pro on the Computer Management > File Share Distribution Points page.

  1. Choose "Server Manager" from the Start menu.
  2. Choose "Internet Information Services (IIS) Manager" from the Tools menu. Note: If Internet Information Services (IIS) Manager was already open, you must close it and reopen it.
  3. Expand the server by expanding Sites in the Connections pane.
  4. Right-click Default Web Site, and choose Add Virtual Directory.
  5. Type "jamf_share" in the Alias field, enter the physical path to jamf_share, and then click OK.

Confirm the Virtual Directory Has Been Created

  1. Click the server name in the Connections pane, and then double-click Server Certificates.
  2. Click Create Certificate Request in the Actions pane.
  3. Enter the appropriate information for the certificate. Use the fully qualified domain name of the server that is hosting the file share. Note: The fully qualified name of the server must also be used in Jamf Pro for the server hosting the distribution point.
  4. Select an appropriate bit length for the environment.
  5. Provide a location and name to store the request.
  6. Open the certificate request file from the previous step, select all the text, and copy it to the clipboard.

Copy the Certificate Text to Jamf Pro

  1. Log in to Jamf Pro, and click Settings in the upper-right corner.
  2. Navigate to Global Management > PKI Certificates > Manage Certificate Template, and then click Create Certificate from CSR.
  3. Paste the text from the certificate request file, select "Web Server Certificate" from the Certificate Type pop-up menu, and then click Create. Note: In Internet Explorer, the security settings may not allow you to download the certificate. You may need to add Jamf Pro to Trusted Sites and lower the security settings for Trusted Sites.
  4. If prompted to save the file, click Save.
  5. Click the Back button, and click Download CA Certificate.
  6. If prompted to save the file, click Save.
  7. Two certificates should now be available. Copy them to a location accessible by the Windows server.

Open the Certificate Snap-in in the Microsoft Management Console

  1. Open the Run window and enter "mmc".
  2. Choose "Add/Remove Snap-in" from the File menu.
  3. Select Certificates, and then click Add.
  4. Select Computer account, and then select Local computer.
  5. Click OK to exit the wizard.

Import the CA from Jamf Pro

  1. Expand Trusted Root Certification Authorities in the left sidebar, right-click Certificates, and choose All Tasks > Import.
  2. Click Next in the Welcome to the Certificate Import Wizard window.
  3. Click Browse and find the CA certificate downloaded from Jamf Pro.
  4. Change the file type display option to "All Files (*.*)", select the "Certificate Authority.pem" file, and click Open.
  5. Click Next. Then, specify the file you want to import and the location where the file will be stored.
  6. Click Finish. A confirmation message should display indicating the import was successful.

Import the Certificate for the Virtual Directory

  1. Right-click Web Hosting in the left sidebar, and choose All Tasks > Import.
  2. Click Next in the Welcome to the Certificate Import Wizard window.
  3. Click Browse and find the certificate for the virtual directory.
  4. Change the file type display option to "All Files (*.*)", select the certificate for the virtual directory (it should contain the FQDN of the file distribution server), and then click Open.
  5. Click Next to initiate the file importing process and verify the location the certificate will be installed.
  6. Click Finish. A confirmation message should display indicating the import was successful.
  7. Close the management console without saving.

Perform the Following Steps Using the IIS Manager Console

  1. In the Connections pane, select Default Web Site, and then click Bindings in the Actions pane.
  2. Click Add.
  3. Set the Type to "https", verify Port is set to 443, enter the FQDN for the distribution server in the Host name field, click the SSL certificate field, and choose the certificate that was imported.
  4. In the Site Bindings window, click http, click Remove, and click Yes when prompted.
  5. Close the Site Bindings window.

Verify an Account is Available to Access the File Share Over HTTPS

The account should be the same account that has read access over SMB.

  1. In the Connections pane, select the virtual directory that you created, and then click Edit Permissions in the Actions pane.
  2. Click the Security tab, and then click Edit. In this example, "svc_jamfshare_ro (Jamf ReadOnly)" has the appropriate permissions.

Enable Basic Authentication for the jamf_share

  1. Click jamf_share in the Connections pane, and then double-click Authentication.
  2. Disable Anonymous Authentication and enable Basic Authentication. Note: Restarting the IIS Manager should remove the "SSL is not being enabled..." alert.
  3. Select Basic Authentication, and click Edit.
  4. In the Default domain field, enter the domain in which the read-only account exists, and click OK.
  5. Click jamf_share in the Connections pane, and then click Advanced Settings in the Actions pane.
  6. Click the Ellipsis (...) button across from "Physical Path Credentials". (In this example, the "svc_jamfshare_ro" account information must be added to the Physical Path Credentials.)
  7. In the Connect As window, select Specific user, and click Set.
  8. Enter the credentials for the jamf_share read-only user, and click OK.
  9. Click OK in the Connect As window.
  10. Click OK in the Advanced Settings window.

Add MIME Types to the Virtual Directory

Add two MIME types to ensure the files (.dmgs and .pkgs) download properly.

  1. Double-click MIME Types.
  2. Click Add in the Actions pane.
  3. Enter ".dmg" in the File name extensions field, enter "file/download" in the MIME type field, and then click OK.
  4. Click Add in the Actions pane again.
  5. Enter ".pkg" in the File name extension field, enter "application/octet-stream" in the MIME type field, and then click OK.
  6. Click the service in the Connections pane, and click Restart in the Actions pane.

Enable HTTPS Downloads in Jamf Pro

  1. Log in to Jamf Pro.
  2. Navigate to the distribution point on which HTTPS downloads will be enabled.
  3. Verify the fully qualified domain name is used in the Server field. Note: For the file share to be accessible off the local network, the server name / IP must be publicly routable.
  4. Click the HTTP/HTTPS tab and set the following:
    • Select Use HTTP downloads.
    • Select Use SSL.
    • Set the Port to 443.
    • In the Context field, enter the alias for the virtual directory that was created in IIS.
    • Choose "Username and Password" from the Authentication Type pop-up menu.
    • In the Username field, enter the read-only account to the file share.
    • Enter the password.
  5. Click Save.

Additional Information

To test that HTTP distribution is working properly, go to https://jss.mycompany.corp/jamf_share/Packages/myPackage.dmg

If you enabled Anonymous Authentication, the package should download automatically. If you enabled Basic Authentication, you should be prompted to enter credentials for the jamf_share read-only user, and then the package should download.
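
The end state of the Windows Server 2016 procedure can also be checked from PowerShell on the IIS server. The following read-only audit is an added example, not part of the Jamf article; it assumes the WebAdministration module is available and uses the article's names (Default Web Site, jamf_share).

```powershell
# Added example (not from the Jamf article): read-only audit of the IIS settings
# that the Windows Server 2016 procedure configures. Run in an elevated session.
# Assumed names, taken from the article: "Default Web Site" and alias "jamf_share".
Import-Module WebAdministration

$Site     = 'Default Web Site'
$Alias    = 'jamf_share'
$Location = "$Site/$Alias"

function Test-AuthScheme {
    param([string]$Scheme)
    # Returns $true when the named authentication scheme is enabled on the virtual directory.
    $attr = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
        -Filter "system.webServer/security/authentication/$Scheme" -Name 'enabled'
    [bool]$attr.Value
}

function Test-MimeMap {
    param([string]$Extension, [string]$MimeType)
    # Returns $true when the extension is mapped to the expected MIME type.
    $map = Get-WebConfiguration -PSPath "IIS:\Sites\$Site\$Alias" `
        -Filter "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"
    ($null -ne $map) -and ($map.mimeType -eq $MimeType)
}

$bindings = Get-WebBinding -Name $Site
$checks = [ordered]@{
    'Virtual directory exists'        = [bool](Get-WebVirtualDirectory -Site $Site -Name $Alias)
    'Anonymous Authentication is off' = -not (Test-AuthScheme 'anonymousAuthentication')
    'Basic Authentication is on'      = Test-AuthScheme 'basicAuthentication'
    'https binding on port 443'       = [bool]($bindings | Where-Object {
                                            $_.protocol -eq 'https' -and $_.bindingInformation -like '*:443:*' })
    'http binding removed'            = -not ($bindings | Where-Object { $_.protocol -eq 'http' })
    '.dmg served as file/download'    = Test-MimeMap '.dmg' 'file/download'
    '.pkg served as octet-stream'     = Test-MimeMap '.pkg' 'application/octet-stream'
}

# Emit one object per check so the result can be filtered, sorted or exported.
$results = foreach ($name in $checks.Keys) {
    [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
}
$results
```

Any row with Pass set to False marks a step of the procedure that is missing or has been reverted; Basic Authentication sends the read-only credentials with every request, so the "http binding removed" check matters most.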

Windows Server 2012

  1. If the Web Server (IIS) role is not already activated, add the Web Server (IIS) role using Server Manager:
    a. From the Start menu, choose Administrative Tools > Server Manager.
    b. Click Roles, and then click Add Roles.
    c. Follow the onscreen instructions for installing the Web Server (IIS) role. Be sure that the Basic Authentication checkbox is selected.
  2. Add a Virtual Directory using the IIS Manager:
    a. From the Start menu, choose Administrative Tools > Internet Information Services (IIS) Manager.
    Note: If Internet Information Services (IIS) Manager was already open, you still need to close it and reopen it.
    b. Expand the server in the Connections pane.
    c. Expand Sites.
    d. Right-click Default Web Site and select Add Virtual Directory.
    e. Type "CasperShare" in the Alias field.
    f. Enter the physical path to CasperShare.

  3. Give the CasperShare read/write and read-only users, and the IUSR group permissions to the virtual directory:
    Note: The IUSR group already exists. Do not create this group.
    a. Right-click CasperShare and select Edit Permissions.
    b. Click the Security tab, and then click Edit.
    c. Click Add as needed for each user.
    Note: Give the read/write user and read-only user their respective permissions, and the IUSR read-only permissions.

  4. Enable Anonymous or Basic Authentication for the CasperShare:

  5. To enable Anonymous Authentication:
    a. Select CasperShare in the left sidebar.
    b. Double-click Authentication.
    c. Make sure that Anonymous Authentication is enabled.

  6. To enable Basic Authentication:
    a. Select CasperShare in the left sidebar.
    b. Double-click Authentication.
    c. Make sure that Basic Authentication is enabled.
    d. Select CasperShare in the left sidebar, and select Authentication.
    e. Click Advanced Settings in the right sidebar.
    f. Click the Ellipsis (...) button across from "Physical Path Credentials".
    g. In the dialog that appears, select the Specific User option and click Set.
    h. Enter credentials for the CasperShare read-only user, and then click OK.

  7. Add additional MIME types for PKGs:
    a. Select Default Web Site in the left sidebar.
    b. Double-click MIME Types.
    c. Click Add from the right sidebar and type ".dmg" in the File name extension field and "file/download" in the MIME type field. Then, click OK.
    d. Click Add from the right sidebar and type ".pkg" in the File name extension field and "application/octet-stream" in the MIME type field. Then, click OK.
    e. Click Add from the right sidebar and type "." in the File name extension field and "application/octet-stream" in the MIME type field. Then, click OK.

  8. Exit Internet Information Services (IIS) Manager.

  9. Update the settings for the distribution point in the JSS:
    If you are using v8.x:
    a. Log in to the JSS with a web browser.
    b. Click the Settings tab.
    c. Click the Servers link.
    d. Click the Edit Server link across from the distribution point.
    e. Click the HTTP tab and select the HTTP Downloads are enabled for this Distribution Point checkbox.
    f. Specify the type of authentication that is configured on the server:
      1. If you enabled Anonymous Authentication, select the No Authentication is Required option.
      2. If you enabled Basic Authentication, select the Username & Password Authentication is Required checkbox. Then, enter credentials for the account that has read-only access to the share.
    g. Click Save.

    If you are using v9.0 or later:
    a. Log in to the JSS with a web browser.
    b. In the top-right corner of the page, click Settings.
    c. Click Computer Management. On a smartphone, this option is in the pop-up menu.
    d. In the "Computer Management - Server Infrastructure" section, click File Share Distribution Points.
    e. Click Edit.
    f. Click the HTTP tab and select the Use HTTP downloads checkbox.
    g. Use the Authentication Type pop-up menu to specify the type of authentication that is configured on the server:
      1. If you enabled Anonymous Authentication, ensure that None is chosen from the pop-up menu.
      2. If you enabled Basic Authentication, choose the Username and Password from the pop-up menu. Then enter credentials for the account that has read-only access to the share.
    h. Click Save.

Additional Information

To test that HTTP distribution is working properly, go to https://jss.mycompany.corp/CasperShare/Packages/myPackage.dmg

If you enabled Anonymous Authentication, the package should be downloaded automatically. If you enabled Basic Authentication, you should be prompted to enter credentials for the CasperShare read-only user, and then the package should be downloaded.

Posted by Cisco

The above article is geared towards just making it work, but anonymous access in prod would be bad.

For a more secure initial configuration of 2k8 IIS for Casper, see Taylor Swift's guide as posted by Kumarasinghe:

Enable HTTP Downloads on Windows 2008 Server using IIS with Basic Auth over SSL
https://jamfnation.jamfsoftware.com/discussion.html?id=4266

Posted by Kumarasinghe

Please add "." with a MIME type of "application/octet-stream" if any of your pkgs (with a postflight script) fail.

Posted by dooley_do

I have found that if using IIS to enable HTTPS downloads using basic authentication, the Mac clients must trust the HTTPS certificate or downloads will fail.

We use an enterprise Windows CA, with a root plus two subordinates, so I added the certificates of all 3 of these servers to my Mac clients using a configuration profile. Once this was set the downloads worked correctly.

Posted by ssrussell

I found that in 2012 R2 "basic authentication" wasn't added by default for the default IIS install. You'll have to go to "Add Roles and Features" for IIS to add Basic Authentication.

Posted by mostlikelee

Thanks @brenna.daley! Curious what you updated.

Posted by brenna.daley

Hi there, @mostlikelee

Thanks for your question. I updated this article by removing the ".bom", ".mpkg", and ".*" entries listed under step 7, as they are no longer needed with version 9 of the JSS.

Posted by ocla&&09

Hi @brenna.daley

We are on Version 9.81 currently and .mpkg downloads did not work until we specifically added that extension as a MIME type. I would assume the same for .bom as well.

Posted by bradtchapman

Great article. How does replication work in this scenario? Is it supported with a read/write account through Casper Admin, or do we need to set up a task scheduler item?

Posted by hanonuac

Using IIS 8.5 on 2012 R2, I was having random issues with user downloads. Upon adding the .*, .mpkg, and .bom MIME types, things started working more reliably again.

Posted by GregE

@brenna.daley Can you update the article in Step 7e, it should be ".*" rather than "."

It wouldn't download scripts until I read the above comments that had the asterisk, made the change and then it's all sorted.

Posted by naveen123

Windows Server 2012 R2 FTP server configuration done. But client side in browser login not working. In command line login user please help me anyone.

Posted by PhillyPhoto

Will there be an update for Server 2016?

Posted by ron.heck

This article has been updated to include instructions for Windows Server 2016.
