Skip to main content
Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Jamf Discontinuing JDS

Jamf will be discontinuing the Jamf Distribution Server (JDS). We know many of you use and rely on the JDS, but in its current state we cannot recommend it. Therefore, Jamf is planning to end of life JDS at the end of 2017 and access to the JDS installer on Jamf Nation has been removed. The decision to discontinue the JDS is due to several key issues:

  • Reliance on TLS 1.0
  • Incompatibility with InnoDB for MySQL, making it reliant on MyISAM
  • Incompatibility with Jamf Pro 9.100 and newer

Jamf has determined that now is the proper time to move forward with new technologies. Jamf will be focusing on making improvements to the Jamf Cloud Distribution Server (JCDS). Our goal is to provide quality products and help to find a solution for anyone using the JDS. There are a number of alternatives and we are ready to assist you in migrating away from the JDS.

Like Comment
Order by:
SOLVED Posted: 10/9/17 at 3:05 PM by bvrooman

I understand the decision to not put development effort into the JDS to solve the TLS 1.0 and MyISAM dependencies, but I am a bit confused by the mention of an incompatibility with Jamf Pro 9.100+. We have an all-JDS setup with Jamf Pro 9.101.0 and haven't encountered any issues.

Is Jamf going to be providing guidance in migrating to a now-preferred distribution infrastructure?

Like
SOLVED Posted: 10/9/17 at 3:23 PM by were.wulff

@bvrooman

The incompatibility statement stems from PI-004248 which caused an issue with the JDS certificate that was built by the built-in CA that would break communication with the JSS by having an incorrect Subject Alternative Name.

Since each environment is likely to have different criteria for what an acceptable alternative to the JDS is, it'll be best to handle those individually with Support so something more tailored to your environment can be worked out.

If you need guidance on JDS alternatives or want to go over possible ideas for alternative setups, the best option will be to get in touch with Support to go over what you're looking for for your environment, and they can help you come up with an alternative solution to the JDS. You can get in touch with Support by either calling, sending an e-mail to support@jamf.com, or using the My Support section of Jamf Nation.

Support will be able to help you work out an alternative as well as working with you to plan out a migration plan to get away from the JDS and onto something else.

Thanks!
Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/9/17 at 3:35 PM by RobertHammen

As someone who tried to use JDS twice in customer environments, and repeatedly ran into reliability and functionality issues that made me swear "never again", I'm glad to see this decision was officially made and communicated. The ideas behind JDS were good, the actual execution (running large packages/DMGs through the MySQL database) was not.

Like
SOLVED Posted: 10/9/17 at 4:22 PM by jrippy

As someone who has relied on the JDS product since it was introduced, I have seen the benefits and drawbacks and the benefits STILL outweigh the drawbacks. I was really looking forward to 2.0 and I'm sorry to hear it will never make it to light.
The ability to have all of my distribution points remain true without having to manually trigger syncs was awesome!
I hope you will bring us a local version of the JCDS or a way to keep smb shares in sync reliably and in an automated fashion.
Thanks for the update.

Like
SOLVED Posted: 10/9/17 at 4:28 PM by znilsson

Am I the only one who has noticed that there is an actual werewolf posting from Jamf under the flimsy pseudonym "Were Wulff"? Dear sir or madame, it is insulting that you would assume we could not see through your paper-thin alias, and we demand that Jamf audit their employees for werewolfery. This is a serious post and we are serious people who will not tolerate this type of shameful flim-flappery from werewolves masquerading as Jamf employees.

And that goes for fairies, cyclopses, unicorns, basilisks, banshees, poltergeists, wendigos, kobolds, leprechauns, and lawyers, too.

Signed,
Very Serious People

Like
SOLVED Posted: 10/9/17 at 4:33 PM by were.wulff

@znilsson

Someone finally noticed that my name changed! :)

I changed my first name legally back in May for reasons that amount to, "I'm an adult, and I could." I've got a pretty awesome last name and figured why not make the whole thing great?

It's been pretty fun, honestly!

Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/9/17 at 8:24 PM by damienbarrett

Good thing I've been stocking up on silver bullets for my trip to JNUC next week.

Like
SOLVED Posted: 10/10/17 at 2:10 AM by emilh

Wow. We've been using the JDS as our sole distribution platform since we started using Jamf a couple of years back and currently running it along with JAMF Pro 9.101 without any apparent issues.

Guess I need to start looking into JCDS then.
Will there be some JDS -> JCDS migration documentation made available?

Like
SOLVED Posted: 10/10/17 at 4:02 AM by RobertHammen

@emilh There are some alternatives being developed and/or discussed. Would personally wait until JNUC for more details...

Like
SOLVED Posted: 10/10/17 at 5:58 AM by karlmikaeloskar

Well...

Like
SOLVED Posted: 10/10/17 at 7:06 AM by jrwilcox

inconceivable

Like
SOLVED Posted: 10/10/17 at 8:34 AM by blackholemac

It had a loyal following for those that relied on it, but every Jamf I've ever discussed it with was always quick to point out the "file distribution points are a good option" while answering all my questions diligently on the topic.

I'm interested in the JCDS personally but am wondering what my options are given I host our JSS cluster on prem.

Like
SOLVED Posted: 10/10/17 at 8:34 AM by Sonic84

Will the cost of the jamfPro product be going down to reflect the reduction in supported features?

Like
SOLVED Posted: 10/10/17 at 8:50 AM by were.wulff

@blackholemac @emilh

Currently, JCDS is for our hosted customers only, however, there is this Feature Request to make it available to on prem JSSes so feel free to upvote and comment.

@damienbarrett

Sadly, I won't be at the JNUC this year. :(

Thanks!
Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/10/17 at 9:02 AM by cwaldrip

First, thanks for pulling the plug on the JDS. It was a great concept, but the execution and reliability was questionable at the best.

Second, thanks for hiring a Lycanthrope-American. They're truly under represented in the corporate world. ;-)

Like
SOLVED Posted: 10/10/17 at 9:24 AM by donmontalvo

@cwaldrip wrote:

Second, thanks for hiring a Lycanthrope-American. They're truly under represented in the corporate world. ;-)

Great...coffee on my laptop monitor again! LOL

We're doing fine with a couple dozen RHEL DPs, and rsync using RSA keys. Hasn't missed a beat in a year and a half. Upload to master, the rest is automagical.

Like
SOLVED Posted: 10/10/17 at 10:22 AM by dfarnworth_barc

Based on the spelling of Wulff, I'd say it's far from clear that this is an American Werewolf... Also, I thought that the last of these died in London in the 1980s

Like
SOLVED Posted: 10/10/17 at 12:24 PM by strider.knh

We have been told for a few years now that they were working on a full re-write of the software. Guess that won't ever get done.

We have multiple JDSs scattered around our 10 campuses, we are k-12 with 1:1 in the middle schools, high schools and staff with multiple labs. We liked the JDSs since it allowed for distribution of software from the local site and not have to use the external the bandwidth. If we now need to pull that 15GB Adobe installer from the cloud hosted site instead of a local server that will be annoying landfill up our pipe.

Like
SOLVED Posted: 10/10/17 at 12:43 PM by were.wulff

@strider.knh

There are non-cloud options for distribution points.

Please get in touch with Support to go over what your organization's needs are and we can help you come up with a plan for new, non-JDS distribution points and migration to those.

If your JDSes are working, there is likely not large rush to get the actual migration to something different done; the JDSes will not (usually) stop working if they're left alone to do their thing, it's just something you'll want to plan for, ideally, by the end of the year.

Thanks!
Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/10/17 at 1:46 PM by chris.kemp

Rsync takes jumping a few hoops to set up, but it worked better (imho) than the JDS replication.

Oh and:

Like
SOLVED Posted: 10/10/17 at 2:03 PM by exno

Since the JDS installers have been pulled for a while, i think we all saw this coming. My experience with the JDS was all aces, but a few cases of it working really well can't balance the scales since it was unreliable for so many others.

I look forward to seeing what new tool will replace the JDS for on premiere, or options to have a JCDS only option for subscriptions.

And as far as the lycanthropic name change... I like it! It conjures the image of a wolf typing responses to all our questions. But its got to be difficult playing One Night Ultimate Werewolf.

Like
SOLVED Posted: 10/10/17 at 3:05 PM by sgorney

@donmontalvo We use Resilio Sync for all our on prem SMB distribution points. Fast and relatively flawless.

Like
SOLVED Posted: 10/10/17 at 3:47 PM by walt

We never really took advantage of JDS'...we are currently setting up with just our JSS and that as our main distribution point. Possible something similar to a caching server set-up will take its place or be an option?

Like
SOLVED Posted: 10/10/17 at 4:01 PM by dgreening

For those of you hosting your DPs on Windows Server boxes, I will heartily recommend DFS for replication! It has been working excellent for us! Up to ~150 distribution points currently.

Like
SOLVED Posted: 10/10/17 at 5:49 PM by donmontalvo

@sgorney interesting stuff:

Reselio Sync

Like
SOLVED Posted: 10/11/17 at 4:42 AM by Lotusshaney

I use Syncthing for all my 50 DP's around the globe. Its free and works fantastically well

Syncthing

Like
SOLVED Posted: 10/11/17 at 9:13 AM by gshackney

So if anyone calls you Amanda, do we get bitten?

Gabe Shackney
Princeton Public Schools

Like
SOLVED Posted: 10/11/17 at 9:53 AM by were.wulff

@gshackney

Some people forget, which is fine as I still respond to it (nearly 38 years of habit), but most correct themselves.
A few people thought I'd somehow got IT in on a prank at first but, considering everything they had to change for me to change my name across our systems, there's no way they would have done it for a prank! It would have been a pretty good prank, though.

My parents still call me that, though, as they felt the whole thing was silly but, "you're an adult and can do what you want." :D

Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/11/17 at 9:57 AM by gshackney

@were.wulff BTW love the Black Hole pic.
I had the read along record for that movie as a kid.

Gabe Shackney
Princeton Public Schools

Like
SOLVED Posted: 10/11/17 at 10:02 AM by mjhersh

There's a lot of talk about replication, but aren't there still important features that are only available when using a JDS?

Is there any way to allow techs to upload packages through the JSS, besides using a JDS? We rely on this very heavily, since Casper Admin is not safe for multiple people to use concurrently. What are our options, besides reinventing the wheel with API scripts? Do I now need to be middleman for every department's techs to upload packages? (It's too early to start drinking, isn't it?)

What about in-house apps and eBooks? Is that just going away?

I mean, I get it, the JDS had problems...but the proper response to outdated TLS support not "welp, better kill the whole thing".

Like
SOLVED Posted: 10/11/17 at 10:20 AM by mscottblake

I'm in a very similar situation to @mjhersh. I have other site admins that have the ability to upload packages via the JSS web interface. This setup works great as it limits the damage that can be done with Casper Admin (I don't give them access to it either).

We have been working with Jamf Support on this already and the response has left a pretty sour taste in our mouths. The only way to continue using that feature is to switch our Master DP to a Cloud Distribution Point, which costs more money. That topic received pushback from my leadership about covering extra costs when we already pay for Jamf Pro (a solution that did not previously require anything be hosted).

Basically, our options are either to use a CDP or to roll our own scripts to create the packages via API and then scp the files to the DP. Neither is desirable.

Like
SOLVED Posted: 10/11/17 at 10:28 AM by were.wulff

@mjhersh

Cloud distribution points (JCDS, AWS, Rackspace, or Akamai) can use the web interface to upload to the JSS.

File share distribution points, at the moment, still go through Casper Admin.

In-House apps and eBooks were around long before the JDS, and a JDS is not required to use these features. It never has been, the JDS was simply an additional method that customers could use to host In-House apps and eBooks.

Information on using In-House eBooks can be found in here, in the Casper Suite Administrator’s Guide.

Information on using In-House Apps can be found here, in the Casper Suite Administrator’s Guide.

It is also possible to host In-House eBooks and apps on a Tomcat instance; we have a KB on how to do that here.

If you have additional questions or need more detailed help on getting any of the above set up, please contact Support and they'll be able to assist you with specific how-to or setup questions for your environment.

Thanks!
Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/12/17 at 10:18 AM by lashomb

Would love to use a cloud distribution point, but you guys don't support the up and coming small tech startups out there... like Google GCP.

Like
SOLVED Posted: 10/12/17 at 11:18 AM by blackholemac

Official support for Azure could help us here. Probably not a popular option for heavy Apple folks but we get Azure services provided to the district at a steep discount.

Like
SOLVED Posted: 10/12/17 at 11:27 AM by were.wulff

@blackholemac

It looks like you've already voted it up and commented but for others who haven't and are interested, we have a Feature Request to add Microsoft Azure distribution point support here.

Comments about the why/use case for your organization are super helpful for our Product Management teams on Feature Requests so, if you have the time, it's definitely worth both voting up and leaving a comment.

Thanks!
Were Wulff
Jamf Customer Experience

Like
SOLVED Posted: 10/15/17 at 9:47 PM by a.stonham

Does this now mean that INNODB will supported by Jamf in future update of Jamf Pro?

Like
SOLVED Posted: 10/16/17 at 5:11 PM by a.holley

This is terrible news.

We are a NFP that relies on our JDSs to get our 600 Macs up to date across 60 remote sites. We have invested a lot of money in having Mac Minis at every site, which are almost exclusively used for JDSs. Being that some of our sites are in rural Australia, we don't have the infrastructure for our Macs to download from our data centre or the cloud. Our links just aren't good enough.

Yeah, great, they will still work for now. But what happens when Jamf Pro 10 comes out? How are we going to get (for example) Microsoft Office updates out to our 10 Macs on a shitty link in the middle of nowhere?

We have invested too much in JSS to switch to something else, but this has seriously got me considering our options.

Like
SOLVED Posted: 10/17/17 at 1:48 AM by martin

JDS has been badly designed from the start but it offered HTTPS distribution and it replicated the packages automatically to other JDS servers.

Jamf has been promoting JDS 2.0 for a long time but it seems that it is has become vaporware.

Your JDCS is not available to customers that use on-premise installations. The JDCS is not capable of replicating packages to another distribution point. None of the option that you provide provide automated replication.

This requires us to invest in other (paid) solutions. There is not even a proper statement which alternative we could use. Therefor people are referring to “Resilio Sync” (paid software) but for me it’s hard to believe that Jamf had increased there licensing costs again in just a few year. This increase does not reflect the features we as customers get.

So explain to me, why are we paying more for Jamf?

Like
SOLVED Posted: 10/17/17 at 7:17 AM by martin

I was reading @brysontyrrell's blog and he posted about a distribution server named Open Distribution Server (ODS):

The Open Distribution Server (ODS) is an open-source package distribution and syncing solution for IT administrators to serve as a potential alternative for the Jamf Distribution Server.

It looks promising and I'll definitely give it a try.

Like
SOLVED Posted: 10/17/17 at 7:48 AM by stevewood

@a.holley if you already have hardware out in the field that has your packages on it, pivot away from JDS and simply create File Share Distribution points out of them. Yes, you will have to come up with a sync strategy, but that can be accomplished with a launch daemon and a script to run rsync or one of the many paid sync tools (Resilio Sync for example). Yes, there's the question of immediate (or near so) availability of packages on all of your distro points due to sync schedules, but it isn't the end of the world, and certainly not something that would cause me to want to walk away from the Jamf product.

And if you read @joe.bloom's post again, the very last line says that Jamf is there to help you identify and move to a new solution.

As @martin mentioned, @brysontyrrell has the ODS that he is working on, and presenting on at JNUC. This is an open-source project that we, the community can help mold and shape in a way that we need.

Yes, the discontinuation of the JDS is a big deal, especially for large enterprises with a large distribution of JDS servers, but it is an opportunity to look at new technologies and design something that will work better for our environments.

Like
JAMFBadge
SOLVED Posted: 10/17/17 at 10:29 AM by brysontyrrell

@a.holley @martin @stevewood

If you're able to come to the ODS session at JNUC please do. As Steve said, my intent is to have the community drive where the project needs to go, and there will be many ways to contribute to it that don't involve writing code.

I'll make another post here on JN containing the session details.

Like
SOLVED Posted: 10/18/17 at 1:57 AM by a.holley

@brysontyrrell given I'm in Australia, and as previously mentioned, working for an NFP, attendance at JNUC isn't happening unfortunately.

Like
SOLVED Posted: 10/24/17 at 11:24 AM by jrippy

@were.wulff @brysontyrrell Quick Question - you covered all the in house ebooks and apps and such.
What about scripts? Will they still remain in the database or will there be some function to pull them back out?
If we switch from JDS back to a SMB file share, will the scripts be properly deployed?
I assume this will be less of an issue as DEP really gains ground but for now, how will the Jamf Pro Server handle scripts?

Thanks! And I love the name change, Were!

Like
SOLVED Posted: 11/12/17 at 12:37 PM by raybanks

Going back to memory... IIRC, the JDS really started to have issues in Sierra 10.12.4 when Server 5.3 was released and TLS 1.0 and 1.1 support went away. So, until @brysontyrrell can get a big launch on "JDS 2.0" AKA "ODS" is released, wouldn't it make sense to rebuild a JDS with OS X 10.12.4 and running Server 5.2 without upgrading to Server 5.3?

The next question would then be... Could we get away with upgrading to JAMF Pro 10.0 and still maintain the legacy JDS instances?

Like
SOLVED Posted: 11/12/17 at 12:58 PM by chriscollins

@jrippy looks like you didn’t get an answer but I’m case you still need one, since JAMF moved the scripts to the database, scripts have never used any DPs for distribution be they SMB, AFP, HTTP, etc. The scripts are downloaded from the JSS directly by the Jamf binary to the local machine and then run directly.

So it’s copied over from the same connection that is pulling down policies, doing recons, etc, so nothing should change.

Like
SOLVED Posted: 11/20/17 at 8:17 PM by donmontalvo

@stevewood wrote:

that can be accomplished with a launch daemon and a script to run rsync or one of the many paid sync tools (Resilio Sync for example).

If you're on RHEL (or CentOS, etc.), a one line script is all you need, with a crontab, and RSA keys so no passwords are needed (but still secure).

The technology is native to the OS, so no Reselio marketing department to feed. :)

Maybe over the holidays I'll put together a how-to, with credits to the folks the bits and pieces were stolen from.

Like
SOLVED Posted: 11/21/17 at 3:19 AM by Eigger

Below is the script we use for DP Syncing instead of Rsync. You need HomeBrew, LFTP, ssh-keygen, ssh-copy-id. Lingon-X (optional) or launch daemon if using Mac Servers. If using Ubuntu or CentOS, I believe LFTP is native.

Good for Large Packages, Split files for faster upload. Continue interrupted transfers.

#!/bin/sh
lftp -u casperrw,pass -e "set sftp:connect-program 'ssh -a -x -T'; mirror -R -v -c --loop --delete --use-cache --log=/var/log/dpsync.log --use-pget-n=10 -P 2  /Volumes/ServerHD/MasterShare/Packages /Volumes/ServerHD/RemoteShare/Packages ; quit" sftp://remote.host.ip:22

Credits

http://www.commandlinefu.com/commands/view/13759/fastest-segmented-parallel-sync-of-a-remote-directory-over-ssh

http://www.thegeekstuff.com/2008/11/3-steps-to-perform-ssh-login-without-password-using-ssh-keygen-ssh-copy-id

https://lftp.yar.ru/lftp-man.html

Like
SOLVED Posted: 11/21/17 at 1:05 PM by donmontalvo

@Eigger awesome stuff...can you put the commands into code format by selecting the text and hitting ">_" in the post window, so we can see the command with proper wrapping?

Like
SOLVED Posted: 11/21/17 at 2:01 PM by exno

@donmontalvo I look forward to seeing your how-to.

Over the holiday break I am cleaning up a bash script I built for uploading packages to the parent distro then creating the Jamf Pro entry with API. It uses RSA keys and SCP for the package transfer. and if I can gleam an easier way to move packages and then replicate.. I may owe you a beverage of choice lol

Like
SOLVED Posted: 11/23/17 at 6:06 AM by listec

Like @strider.knh we are also a (Pre)K-12 site in a country where bandwidth is astronomically priced. (We currently pay nearly USD $100k/yr for 65Mbps!) So... NO cloud options are good options! In fact, we just left Adobe CC in favor of Inkscape and GiMP for that very reason.

However, we've become somewhat disillusioned with JAMF. We were promised it would be an all-inclusive package... that we wouldn't need rsync or any other kludgy "solutions". All we needed was Casper. However, what we got is a system which needs to be rebooted nearly every day and we're constantly running SQL queries for the past several months to help "support" to do their jobs. And to top it off, 16 months after installing, it's still not managing even 1 of our iPads.

Frustrated and feeling duped,
Brian

Like
SOLVED Posted: 11/27/17 at 8:16 AM by Gill

Hello, I'm Robby from Resilio. Please email me if you have a use case that you think could benefit from an alternative to JDS like Resilio Connect.

Resilio branched off BitTorrent and our Connect software is an enterprise-level distributed file delivery solution that uses peer-to-peer for the most reliable and efficient file replication possible. We can easily arrange a POC for each use case.

Thanks!

-Robby (robby@resilio.com)

Like
SOLVED Posted: 12/14/17 at 1:38 PM by jrippy

@chriscollins Thanks for the reply.
Actually, my post was to see if Jamf might remove the scripts from the database again.
It still doesn't make sense to me why they would be stored there.

Like
SOLVED Posted: 12/14/17 at 2:03 PM by chriscollins

@jrippy I got to be honest, I think that would be a terrible idea. We have tons of policies that just run scripts. Scripts are so lightweight I don't see the need to mount a file share or connect to another HTTPS server when the script data can be sent along in the same data as the already minimal jamf binary traffic.

Like