
Restrict JSS console access by IP range

At one of the JNUC sessions, I could swear that a presenter commented that you could restrict access to the web console to specific IP ranges. This would be a good workaround for us to limit access to our 2FA jump host IPs rather than building a limited access JSS for this purpose.

Am I taking crazy pills and made this up, or does anyone know how to configure such access, maybe via Tomcat settings?

Posted by alexjdale

Shameless bump... I am pretty certain this can be done with Tomcat configurations, but everything I've tried just breaks the JSS entirely.

Posted by davidacland

It seems normal client management interactions and the management console are too closely related.

It's a shame it doesn't just have two ports, one for clients, and one for management.

The only way I've achieved it is to have two tomcat servers configured with load balancing, the client one set as limited access and the management one restricted to specific IPs by firewall rules. It works but is really over complicated.

Posted by alexjdale

Yeah, that is what I am planning to do if needed, but I was hoping to avoid new infrastructure due to the timeline involved. It's probably how this will end up.

Posted by __Milton__

Any update? It seems some people did it. Do we really need to figure this out by ourselves from the logs? ...

Posted by mike.paul

Here is the config JAMF has used for doing IP whitelisting of the GUI/API. We just add this to web.xml of the web app itself (/path/to/Tomcat/webapps/ROOT/WEB-INF/web.xml). The filter defines the “approved” IPs, and the filter-mapping defines the JSPs the filter is applied to. The sample below would restrict GUI/API access to the specified IPs, while still allowing client/MDM communication from anywhere. The main thing to get below is a Regex representation of the IP addresses you wanted to allow. @david.suehring can speak more to this as he is the person who gave this to me and is much smarter than I.

<filter>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
        <param-name>allow</param-name>
        <param-value>(Regex of Matching IPs)</param-value>
    </init-param>
    <init-param>
        <param-name>denyStatus</param-name>
        <param-value>404</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
</filter-mapping>
Posted by aulin

@mike.paul

I use this URL to create IP ranges: ipregex.
Then you can use this site to check that your IP is a match, just in case: regextester.

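The `allow` value in mike.paul's web.xml above, and the IP-range regex aulin generates with an online tool, can be built and checked offline. The Python below is an added example, not code from this thread or from Jamf; it assumes Tomcat's RemoteAddrFilter compares the full peer address against the `allow` regex (it does, via `Matcher.matches()`), so `re.fullmatch` stands in for the filter's check.

```python
import ipaddress
import re
ANY_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"  # one octet, 0-255

def _range_regex(lo: int, hi: int) -> str:
    """Unanchored regex for the integers lo..hi inclusive (0 <= lo <= hi <= 255)."""
    if lo == hi:
        return str(lo)
    if len(str(lo)) != len(str(hi)):  # split at the next power of ten
        boundary = 10 ** len(str(lo))
        return _range_regex(lo, boundary - 1) + "|" + _range_regex(boundary, hi)
    if lo < 10:
        return f"[{lo}-{hi}]"
    lo_head, lo_last = divmod(lo, 10)
    hi_head, hi_last = divmod(hi, 10)
    if lo_head == hi_head:
        return f"{lo_head}[{lo_last}-{hi_last}]"
    parts = []
    if lo_last != 0:  # partial leading decade, e.g. 16-19
        parts.append(f"{lo_head}[{lo_last}-9]")
        lo_head += 1
    tail = f"{hi_head}[0-{hi_last}]" if hi_last != 9 else ""  # partial trailing decade
    if tail:
        hi_head -= 1
    if lo_head <= hi_head:  # the full decades in between
        mid = _range_regex(lo_head, hi_head)
        parts.append((f"(?:{mid})" if "|" in mid else mid) + "[0-9]")
    if tail:
        parts.append(tail)
    return "|".join(parts)

def cidr_to_regex(cidr: str) -> str:
    """Regex matching exactly the IPv4 addresses in cidr, e.g. "10.0.0.0/24"."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    parts = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        if lo == hi:
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):
            parts.append(ANY_OCTET)
        else:
            parts.append(f"(?:{_range_regex(lo, hi)})")
    return r"\.".join(parts)  # escape the dots, or "." matches any character

def allow_param(cidrs: list) -> str:  # value for the filter's allow init-param
    return "|".join(cidr_to_regex(c) for c in cidrs)

def is_allowed(remote_addr: str, allow: str) -> bool:  # RemoteAddrFilter does a full match
    return re.fullmatch(allow, remote_addr) is not None
```

The filter only sees the TCP peer address, so behind a load balancer or reverse proxy (as in davidacland's setup) every request appears to come from the proxy unless Tomcat's RemoteIpFilter, configured with the trusted proxy addresses, runs first. The sample's denyStatus of 404 means denied addresses get Not Found rather than 403 Forbidden.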
Posted by grahamfw

Has anyone tested this for Jamf Pro 10.x? It doesn't appear to take based on my experience...

Posted by andysemak

@grahamfw Did you manage to get this working on Jamf Pro 10.*?

Posted by grahamfw

@andysemak Nope. I had to abandon that for the time being.

Posted by andysemak

@grahamfw

We figured it out in the end.

Need to make the filter mapping look like this:

<filter-mapping>
    <filter-name>Custom-RemoteAddrFilter</filter-name>
    <servlet-name>FrontEndController</servlet-name>
    <servlet-name>PresentationLayerServlet</servlet-name>
    <servlet-name>FrontEndUploadController</servlet-name>
    <servlet-name>RestletServlet</servlet-name>
</filter-mapping>

Note the addition of the PresentationLayerServlet.

Posted by grahamfw

@andysemak Awesome! I'll give this a try!

Just curious how you came across that? Got some resident Tomcat experts over there?
