
jamf binary to use both DNS name and IP address when checking in etc

jamf binary to use both DNS name and IP address when checking in etc. Let's say we're having issues with DNS on Macs or the network: the binary would try to check back to the JSS using the DNS name, but as a fallback, a feature should be that it can check back to the JSS by IP address, so there's never a break in connectivity between the Mac and the JSS.


Posted: 8/12/16 at 1:39 PM by bvrooman

I definitely won't vote this down because I can see where it might be helpful for some implementations, but I would hope something like this is implemented in a manner that makes it optional. We rely on the jamf binary only caring about the DNS name, because we direct traffic to our internal/external JSSes with split-horizon DNS.


Posted: 8/15/16 at 2:12 PM by mike.paul

I see this request is about the binary for OS X devices so it might not apply, but I just wanted to point out that Apple's MDM for both iOS and OS X doesn't allow for communication to an IP, just via DNS. This is likely due to the strictness of the URL matching the Common Name, CN, in the certificate signed by a Certificate Authority. Basically, devices will only trust and communicate with a server when the URL hard-coded in the jamf plist and the MDM profile matches exactly what is presented as the Common Name in a certificate signed by some certificate authority.

This could also cause issues if people configured their Macs to enforce "Enable SSL certificate verification" within Settings>Computer Management>Security and didn't have an SSL certificate with a subject alternative name, ext SAN, that includes the IP along with the DNS common name. NOTE: This option should only be configured if the JSS is currently using a certificate from the large list of trusted 3rd party SSL vendors, and it's to help mitigate risks of Man In the Middle attacks, among other things. Basically, only communicate with servers you can trust per your pre-defined list: Lists of available trusted root certificates in OS X

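The name check described in the reply above, written out as an added example (not part of the thread, and not Jamf's or Apple's code): it takes a certificate dict in the shape Python's `ssl.SSLSocket.getpeercert()` returns and reports whether the certificate is valid for a given DNS name or IP address. It follows the usual TLS rule that an IP address is matched only against IP entries in the subject alternative name, with the Common Name used as a legacy fallback for DNS names only; the host name, address and certificates are constructed sample values.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # reject over-broad patterns like "*.com"
    return p == h

def cert_covers(cert, target):
    """True if cert (getpeercert()-style dict) is valid for target (DNS name or IP string)."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # Connecting by IP: only "IP Address" SAN entries count, never the CN.
        return any(kind == "IP Address" and ipaddress.ip_address(value.strip()) == ip
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        # When DNS SAN entries exist, the CN is not consulted.
        return any(_dns_match(name, target) for name in dns_names)
    # Legacy fallback: no DNS SAN entries at all, so compare against the CN.
    return any(key == "commonName" and _dns_match(value, target)
               for rdn in cert.get("subject", ()) for key, value in rdn)

# Constructed sample certificates (placeholder host name and documentation IP range).
DNS_ONLY = {
    "subject": ((("commonName", "jss.example.com"),),),
    "subjectAltName": (("DNS", "jss.example.com"),),
}
DNS_AND_IP = {
    "subject": ((("commonName", "jss.example.com"),),),
    "subjectAltName": (("DNS", "jss.example.com"), ("IP Address", "192.0.2.10")),
}
CN_IS_IP = {"subject": ((("commonName", "192.0.2.10"),),)}

if __name__ == "__main__":
    for name, cert in (("DNS only", DNS_ONLY), ("DNS + IP SAN", DNS_AND_IP)):
        for target in ("jss.example.com", "192.0.2.10"):
            print(f"{name:13} {target:16} -> {cert_covers(cert, target)}")
```

With certificate verification enforced, an IP fallback only works against the second kind of certificate, which is the condition the reply calls out.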

Posted: 8/15/16 at 2:21 PM by Sachin_Parmar

@mike.paul - That's correct, it was more aligned to the jamf binary on OS X devices. Interesting points you raised around the Apple MDM.

I had a few Mac issues in my environment where the mDNSresponder.plist was unloaded, therefore any potential fixes to reload this on the system alternatively didn't work, as the jamf binary was trying to resolve by DNS and failing. However, if it caught its policy over IP, it would have known to run the "load" command and we would have been back up and running almost instantly.

I guess it's a case-by-case basis, but certainly an optional button or feature dependent on the user's environment?
