
Setting Up a File Share Distribution Point

Overview

A server with an AFP or SMB share can be used as a file share distribution point. Before you can use a file share distribution point with Jamf Pro, you must set up the distribution point and add it to Jamf Pro.
Note: A server with an AFP share cannot share files on the Apple File System (APFS), which is the default file system for computers with macOS 10.13 or later. Computers with macOS 10.13 or later that are HFS+ formatted can still support AFP. If you need a file share distribution point for APFS formatted computers, SMB is an option.

For more information, see the following Apple macOS Deployment References:

This article explains the general procedure for setting up a file share distribution point for use with Jamf Pro.

Procedure

  1. On the server that you want to use as a file share distribution point, create an Apple Filing Protocol (AFP) or Server Message Block (SMB) share.
  2. Create an account that has "Read only" access to the share. Note: Do not use spaces in the account username.
  3. Create an account that has "Read & Write" access to the share. Note: Do not use spaces in the account username.
  4. Make sure "Everyone" has "No Access" to the share.
  5. (Optional) Enable HTTP downloads on the server.
  6. (Optional) Enable HTTPS on the server.

Additional Information

For information on managing file share distribution points in Jamf Pro, see File Share Distribution Points in the Jamf Pro Administrator's Guide.

SOLVED Posted: by Millertime

This is great info, though what I'm trying to figure out is how to assign a group of computers to a specific distribution point. I can't seem to find that info so far.... Any thoughts?

SOLVED Posted: by Snickasaurus

On your JSS:

-> Management -> Policies -> Create Policy -> Create policy manually

Under the "General" tab look towards the bottom and click the triangle next to "Override Default Policy Settings"

From there you can assign specific distribution points. Once you've done that, change to the "Scope" tab and set that policy to the building/user group/etc...

SOLVED Posted: by sumit.batra

We are planning to use a Windows file share as a distribution point. The article mentions enabling HTTP downloads on the server as optional. I would appreciate it if someone could let me know the pros and cons of enabling HTTP downloads. In which situations should we enable HTTP and HTTPS downloads?

Cheers

SOLVED Posted: by elliotjordan

Two very minor typos in this article:

Create an account that has "Read only" access to the share. Create an account that has "Read & Write" access to the share.
SOLVED Posted: by CasperSally

When I set everyone to no access, it breaks http downloads (osx server). Is that expected?

SOLVED Posted: by cvgs

@CasperSally: The apache user also needs read access to that share, so you should create an ACL allowing user "_www" read-only access to it – Otherwise it cannot read the files it is supposed to distribute.

SOLVED Posted: by mikethompsett

This has always been the case or you end up with random NilObjectException Error, we have found so read-only access is the only option here.

SOLVED Posted: by luisgiraldo

@Millertime - you can force a DP via network segments. If all the computers in that group are in the same subnet, create a network segment and associate the DP with it directly.

SOLVED Posted: by CasperSally

@mikethompsett - Where were you seeing "NilObjectException Error"? I've only seen those in Netboot is why I ask.

SOLVED Posted: by CasperSally

@cvgs - can you do that with osx server? I don't seem to be able to add user _www, or very likely I'm doing it wrong. Is _www same as wwwstaff?

Thanks

SOLVED Posted: by cvgs

@CasperSally - you first have to enable "Show System Accounts" in the View menu (or wherever it is in the version of OS X Server you are using); then it definitely works.

SOLVED Posted: by CasperSally

@cvgs - learn something new every day. That worked it seems, thanks!

SOLVED Posted: by Leal

Can the source files on a JDS and Distribution point be in the same location?

SOLVED Posted: by alexjdale

Old thread, I know, but I am also trying to set up an HTTPS share on a 10.9.5 Server. After adding _www to the file share ACL with Read Only access and setting Everyone to No Access, I am still able to anonymously browse the share and download files in a browser. Does anyone know what I am missing? I can't seem to get it to prompt for/require credentials.

SOLVED Posted: by bentoms

@alexjdale the _www group is used by the Server to run the site. Create a group called "Casper", add your "casper admin" & "casper install" as needed & limit access to that group.

SOLVED Posted: by Dooley

Anybody have a link to requirements for setting up a JAMF Distro point on Windows Server 2008 R2? IIS is obvious but are there any other roles or features (like latest .Net Framework) that are needed?

SOLVED Posted: by luispalumbo

Hi there,

After reading this post HTTP downloads are still not working for me.

At the moment my configuration is:

  Tomcat running on port 8443
  Web server from Server.app turned off
  Port 80 not available

I then changed my configuration to:

  Tomcat running on port 8443
  Web server from Server.app turned on
  Port 80 still not available

If I restart Tomcat with the Web server from Server.app on, I can access port 80 but not port 8443.

Is there something I'm missing in the configuration?

Thanks,
Luis

SOLVED Posted: by millersc

@luispalumbo get with your TSM and work through some compatibility config with software. I recently went through the same problem and found Java 1.8 was not happy with my MySQL version and Server.app version. Downgraded the Java and it worked again. But work with the TSM so they can document with the dev team and try to squash these little problems.

SOLVED Posted: by luispalumbo

Thanks, @millersc

I've sent an email to my TSM to check it for me. I wouldn't like downgrading my Java as there are always security issues, but let's see what he says and as a last resort I will downgrade it.

Thank you very much for the light...

SOLVED Posted: by luispalumbo

Just an update on the problem I had, I spoke to the JAMF support and the support person gave me the right answer straight away.

The problem was that the configuration of Web server on Server.app was listening to port 8443 too and all I had to do was to comment that line and restart the services.

The file edited was /Library/Server/Web/Config/Proxy/apache_serviceproxy.conf.

SOLVED Posted: by jonathanla

I'm setting up a new FDS and I want to use a Mac. Possible? or should I just stick to a Windows box?

SOLVED Posted: by benducklow

@jonathanla Depends on your infrastructure preference. Just to let you know, we setup and use distribution points on Macs (worldwide) that also share the Netboot/NetInstall function.

SOLVED Posted: by sumit.batra

Just a quick question around the accounts required for a file share distribution point. Can a domain account work, or is it mandatory to use a local account (created on each DP)?

SOLVED Posted: by mackin_j

@sumit.batra I was just wondering this myself. What are the pros and cons of using domain accounts vs just using local accounts on each DP to access the content? I guess one pro if you have many DP's is that you don't have to create individual accounts on each DP by using a single domain account. Anyone else have feedback?

SOLVED Posted: by jrippy

Just an FYI, this has changed pretty substantially with the release of macOS 10.13 High Sierra and even more so with Server.app 5.4.
To enable this on High Sierra, I had to create the folder on the Hard Drive (CasperShare, JamfProShare, something like that). I set permissions to root:admin but that is up to you.
Open System Preferences, Sharing, and add the folder for sharing. Enable SMB in the options window.
Make sure "Everyone" has read only permissions. If you change this to No Access, then no matter what you do with other permissions and ACLs, you will not be able to access the share with any user.

If you have Server.app, it is much easier to set the ACLs and add a service user. Open Server.app, Go to Users. Create 2 new users - a read only user and a read write user, each with its own distinct password.
Then, click back on your server name (top left item in the side menu). Go to the storage tab and navigate to the shared folder.
Click on the gear and click edit permissions
Add the read only user with read privileges. Add the read write user with read write privileges. Save/Ok.
Click on the gear again and click Propagate Permissions.

If you do not have Server.app, you will probably need to use chmod from the command line (Terminal).

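    # The last argument (ShareFolder) is resolved relative to the current directory.
    cd /path/to/ShareFolder
    # Read-only account: list and read rights, inherited by new files and subdirectories.
    chmod -R +ai "user:jamfreaduser allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit" ShareFolder
    # Read-write account: adds the create, delete and attribute-write rights.
    chmod -R +ai "user:jamfreadwrite allow list,search,add_file,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity" ShareFolder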

Disclaimer: These ACLs are what Server.app adds to the files and directories. Run these commands at your own risk.
Please understand what these commands are doing before running them. A good resource is the man page man chmod.

After that, you should have a functional SMB share.
I am still trying to get a https share working on 10.13.

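The ACL entries that the chmod commands in the post above create can be checked against the article's two-account model by parsing the output of `ls -led` for the share. This is an added example, not part of the original post or of Jamf's documentation; the account names follow the post and the two sample listings are constructed. It assumes that an ACL allow entry for everyone and world-write mode bits are the conditions to flag, since the article and the post differ on read access for Everyone.

```shell
#!/bin/sh
# Added example: audit a share ACL listing against the two-account model.
# On the server: ls -led /path/to/ShareFolder | audit_share_acl jamfreaduser jamfreadwrite
# Prints one "FINDING:" line per problem; returns non-zero if any were found.
audit_share_acl() {
    awk -v ro="$1" -v rw="$2" '
    BEGIN {
        # Rights that let an account change the share contents, ownership or ACL.
        wr = "^(write|append|add_file|add_subdirectory|delete|delete_child|writeattr|writeextattr|writesecurity|chown)$"
    }
    $1 ~ /^[0-9]+:$/ {                 # ACL entry, e.g. " 0: user:x inherited allow list,search"
        who = $2; i = 3
        if ($i == "inherited") i++
        if ($i != "allow") next        # deny entries cannot widen access
        n = split($(i + 1), p, ","); writes = 0
        for (k = 1; k <= n; k++) if (p[k] ~ wr) writes = 1
        if (who == "user:" ro) seen_ro = 1
        if (who == "user:" rw) seen_rw = 1
        if (who == "group:everyone") { print "FINDING: everyone has an allow entry"; bad = 1 }
        else if (writes && who != "user:" rw) { print "FINDING: " who " can modify the share"; bad = 1 }
        next
    }
    # First line is the POSIX mode string; character 9 is the write bit for "other".
    NR == 1 && substr($1, 9, 1) == "w" { print "FINDING: share is world-writable (" $1 ")"; bad = 1 }
    END {
        if (!seen_ro) { print "FINDING: no allow entry for " ro; bad = 1 }
        if (!seen_rw) { print "FINDING: no allow entry for " rw; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample listings in the format printed by `ls -led` (not captured from a real server).
sample_good() {
    cat <<'EOF'
drwxr-xr-x+ 6 root  admin  192 Jan  1 12:00 ShareFolder
 0: user:jamfreaduser inherited allow list,search,readattr,readextattr,readsecurity,file_inherit,directory_inherit
 1: user:jamfreadwrite inherited allow list,add_file,search,add_subdirectory,delete_child,readattr,writeattr,readextattr,writeextattr,readsecurity
EOF
}

sample_bad() {
    cat <<'EOF'
drwxrwxrwx+ 6 root  admin  192 Jan  1 12:00 ShareFolder
 0: user:jamfreaduser allow list,add_file,search,delete_child,readattr
 1: group:everyone allow list,search,readattr
EOF
}
```

Running `sample_bad | audit_share_acl jamfreaduser jamfreadwrite` reports the writable read-only account, the everyone entry, the world-writable mode and the missing read-write entry.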
SOLVED Posted: by eorioj

Just an update: make sure you close and re-open Casper Admin if you make any changes in Jamfcloud, like changing the password for the share. Casper Admin uses a cached password and will not use the new one until you log out and then in. Hope this saves someone the time I wasted.

SOLVED Posted: by MrRoboto

@jrippy Any luck with HTTPS on 10.13? If serving internal clients only, is there any benefit to enabling HTTP downloads vs SMB?

SOLVED Posted: by jrippy

@MrRoboto Yes, I was able to get all of this working.
There were a couple of gotchas so I'll go over the entire process.

Note: I did use Server.app for certain parts of this. Apple has sent out an email stating that changes are coming to the Server.app and that more functionality will leave it in favor of that functionality being built-in directly to macOS or going away. Hence, this is subject to change.

  1. Using Server.app, I created 3 users. These users should have strong passwords and notes/keywords for your records. By using Server.app, I was able to specify them as Service accounts, such that they do not have a home folder. They do need the checkbox next to "login". I'm not sure how you would accomplish this for sure using System Preferences, but it would probably involve Advanced User Properties and/or command line.
     a. A readonly user
     b. A read and write user
     c. An http read only user (Optional - Only needed if distributing via http/s)
  2. Using Server.app, I created a group. (Optional - Only needed if distributing via http/s)
     a. An http read only group (Optional - Only needed if distributing via http/s)
     b. This group, used later for securing WebServices, needs a single member - your http read only user.
  3. Create a directory on a hard drive.
     a. Most of my Mac Minis are still of the server variety. As such, they have 2 hard drives. With the recent filesystem changes (APFS), they are set as independent drives. On the secondary drive, which I name Services, I created a directory called JamfProShare.
     b. Using Server.app, I was able to go to the Storage tab, navigate to the directory, and modify the permissions with the gear.
     c. I added the read only user with read only permissions.
     d. I added the read write user with read write permissions.
     e. I did NOT add permissions for the http read only user.
     f. I was able to propagate the ACL permissions to the folder and all subfolders.
  4. Back in System Preferences, you can now enable File Sharing in the Sharing Preference Pane.
  5. At this point, switch to your Jamf Pro Server instance and enable the File Share Distribution Point.
  6. Management -> Server Infrastructure -> File Share Distribution Points (DP)
     a. Fill out the General Tab.
     b. In the File Sharing tab, I ran into one setting that was causing me grief.
        i. Set the protocol (SMB in my case)
        ii. Share name would be the name of the Folder that you created
        iii. For Workgroup or Domain, if you are using the accounts that I told you to create (i.e. Local Accounts on the server), then leave this field empty. Otherwise, it could cause connection issues.
        iv. Port number would be 548 for AFP and 139 for SMB.
        v. Enter your read-write and read-only credentials.
        vi. Save the configuration.
  7. From an administration workstation, open Casper Admin and sync/replicate from your existing JDS/DP to the new DP.
     a. This serves several purposes.
     b. This verifies the file share is working and in good shape before you proceed to the https portion.
     c. This creates the needed directories for the https portion.
  8. The rest of this is intended only if you are proceeding to use an https DP.
  9. In Server.app, go to Certificates.
     a. Click "+" and choose "Get a Trusted Certificate" to generate a CSR.
     b. Use the CSR to get an actual certificate (either from an AD Certificate Server or trusted 3rd party such as GoDaddy, Verisign, etc.).
     c. Once a valid certificate has been issued, add it to the non-trusted certificate stub to update it and make it valid.
  10. Still in Server.app, go to Websites and modify the SSL site.
     a. Change "Who can access" to the http read only GROUP that you created.
     b. Click "Edit Advanced Settings..." and enable "Folder Listing".
     c. Before enabling Websites, you need to get the content to the correct place so it can be served out. The guide Jamf had suggested changing the Site Files location to the directory you created earlier. However, I prefer a different way.
  11. Based on how it seems Netboot is set up, I navigated to the Default file system location. With Server.app, this is /{Possibly path to Services HD}/Library/Server/Web/Data/Sites/Default/. I'm not sure what the path would be using the built-in macOS Apache.
     a. In the Default location, create a folder named exactly like your distribution folder (i.e. if you created a folder named CasperShare on your hard drive, create another folder named CasperShare here).
     b. Create symbolic links for each of the folders from the folder you created to the folder here. Normally, that includes "Casper Data", "CompiledConfigurations", "Packages", and "Scripts".
     c. In Terminal, this is accomplished for Packages by

            ln -s /Path/to/CasperShare/Packages  /Path/to/Library/Server/Web/Data/Sites/Default/CasperShare/

     d. Do this for all the folders in CasperShare.
  12. You can now turn on the Websites service.
  13. Back to the Jamf Pro Server File Share Distribution Point, go to the "HTTP" tab.
     a. Enable HTTP downloads.
     b. Enable SSL.
     c. Set the Port number to 443 for SSL.
     d. The context would be the name of the folder you created (e.g. CasperShare)
     e. Change the Authentication type to Username and Password.
     f. Enter the credentials for the http read only user account that you created.
     g. Save the configuration.

If your certificate was not a trusted 3rd party, that is, if it is from an internal CA such as Active Directory, then you will need to get the Root and possibly Intermediate certificates from the CA and distribute them via configuration profile to all of your clients.

Finally, to answer the question of SMB vs HTTPS, I found in my environment that SMB would quite often fail to mount the share on my clients. I'm betting there's probably a setting in the 10.13 Samba implementation that is restricting the number of connections and/or the daemon restricting the number of threads/processes. This doesn't seem to be true of HTTPS as Apache is very good about managing those threads. Therefore, I chose HTTPS for stability and so far, it seems to be working without issue.
For comparison sake, my environment consists of ~1500 Macs and 300 or so Mobile Devices.

I think that covers everything. I hope that is thorough enough to be helpful.

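A check for the finished HTTPS distribution point, added here as an example and not part of the original post: it confirms that an anonymous request is refused while the http read only account is accepted, which is the failure reported earlier in the thread where the share could be browsed without credentials. The base URL, account name and CA bundle path passed to `check_dp` are placeholders, and the probe assumes Folder Listing is enabled as in step 10.

```shell
#!/bin/sh
# Added example: verify that an HTTPS distribution point demands credentials.

# http_status URL [curl options...] -> prints the HTTP status code.
# curl prints 000 when there is no HTTP response (connection refused, untrusted certificate).
http_status() {
    url=$1; shift
    curl --silent --output /dev/null --max-time 15 --write-out '%{http_code}' "$@" "$url"
}

# dp_verdict ANON_CODE AUTH_CODE -> prints a verdict; returns 0 only when
# anonymous access is refused and the read-only account is accepted.
dp_verdict() {
    case "$1:$2" in
        000:*|*:000) echo "UNREACHABLE: no HTTPS response (port, certificate trust or service down)"; return 2 ;;
        2??:*)       echo "OPEN: content is served without credentials"; return 1 ;;
        401:2??)     echo "OK: anonymous request refused, read-only account accepted"; return 0 ;;
        401:401)     echo "AUTH-FAILED: read-only account rejected"; return 3 ;;
        *:403)       echo "FORBIDDEN: web server refuses the path (share ACL, symlinks or folder listing)"; return 4 ;;
        *)           echo "UNEXPECTED: anonymous=$1 authenticated=$2"; return 5 ;;
    esac
}

# check_dp BASE_URL USER PASSWORD [CA_BUNDLE]
# BASE_URL is https://<server>/<context>, e.g. the CasperShare context from step 13.
# Pass CA_BUNDLE when the certificate comes from an internal CA.
# Note: --user places the password in the process list; run this from an admin workstation.
check_dp() {
    base=$1; user=$2; pass=$3; ca=${4:-}
    set --
    [ -n "$ca" ] && set -- --cacert "$ca"
    anon=$(http_status "$base/Packages/" "$@")
    auth=$(http_status "$base/Packages/" "$@" --user "$user:$pass")
    dp_verdict "$anon" "$auth"
}
```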
SOLVED Posted: by alexyu650

@jrippy Are you using a hosted instance of Jamf pro or on Prem? If you are using hosted, did you run into any issues getting your hosted instance to connect to your local DP? What ports needed to be open in the firewall?

SOLVED Posted: by jrippy

@alexyu650 On Prem.
Additionally, we have since put the DP behind an F5 load balancer and are using it with our wildcard cert to do the SSL termination.
I ran into a problem where policies would fail in the time between enrollment and getting the certificates from a profile. It was a race condition that we could not reliably solve.

SOLVED Posted: by cwaldrip

So, now that Apple's server app no longer offers a web server, and they long ago removed it from the OS, what are people using for file sharing over HTTP? I don't think I can get our firewall admins to allow SMB through the firewall. Apache I guess? How would that get setup like I used to under the server.app?

SOLVED Posted: by benducklow

@cwaldrip I still have some macOS devices hosting as an internal DP. It's basically set up via File Sharing in System Preferences; I don't really reference the Server.app for that anymore. We have this using SMB protocol successfully using the read/write accounts...

SOLVED Posted: by atlantamacguru

@cwaldrip Actually, the web server (Apache) is still installed and running when using macOS 10.13 and 10.14 with the Server app. Apple simply removed the ability to configure the web server via the GUI. To enable HTTP downloads, make a symbolic link from the folder with your packages to the default web folder (usually /Library/Server/Web/Data/Sites/Defaults/). Just be sure to setup the FTP service and users via the Sharing pane in the System Preferences according to the JAMF documentation and if using APFS, use SMB and not AFP.

SOLVED Posted: by cwaldrip

Thanks @benducklow and @atlantamacguru - I remembered Apache was still there after I posted it, but for some reason the standard sudo apachectl start runs, and the syntax check is ok, but it doesn't load the It Works default page.

Downloaded MAMP as a workaround, but started looking into configuring it for SSL and decided to just roll back my two file shares in the DMZ back to 10.13 for the time being. Under a bit of pressure because our default file shares are based in Atlanta for users in the wild, and the SMB mount is timing out for everyone not within a digital stone's throw of the server (say, users in Hong Kong or even DC). It works fine from my home, with 300Mbps down and 23 miles from the office. Setting up HTTPS will be easier than modifying the SMB timeout.

I was also afraid there was still a concurrent user limit (5 I think) with SMB in the default OS, but that looks like it's gone.

Next update I'll just ask for a trip to a small Caribbean island with meh-speed internet so I can better test things. ;-)

SOLVED Posted: by diana.breza

This article was updated with a note about not using spaces in account usernames.
