Creating a Jamf Pro Cloud Distribution Point using Amazon Web Services

In a number of environments, Mac admins are transitioning from hosting their Mac-supporting services in on-site datacenters to now hosting them with various cloud service providers. These service providers can include Jamf Cloud, Amazon Web Services, Akamai or Rackspace.

For Mac admins using Jamf Pro, one way to start this transition is to use a Cloud Distribution Point (CDP). This allows a Jamf Pro server to use several specific cloud services’ content delivery networks to host installers and (if applicable) in-house developed applications and eBooks.

For my own needs, I was looking into setting up a CDP on Amazon Web Services (AWS). Jamf provides some documentation on how to set a CDP up with AWS, but doesn’t provide specific guidance. After some research and testing though, I was able to figure out the process for Jamf Pro 9.97x. For more details, see below the jump.

Before I was able to set up the CDP in my Jamf Pro server, I first needed to log into AWS and set up the needed permissions and policies for Amazon’s Simple Storage Service (S3). S3 is AWS’s primary service for storing data, and a Jamf Pro server uses it to hold the CDP’s files when an AWS-hosted CDP is set up. For the process I used, see below:

Setting up AWS access and permissions

1. Log into the AWS console.

2. Once at the AWS Dashboard, select Identity and Access Management (IAM).

3. Select Users from the sidebar.

4. Click the Add User button.

5. Set up a new user and select Programmatic Access for the Access type option, then click the Next: Permissions button.

6. Click the Attach existing policies directly button.

7. Click the Create Policy button.

At this point, a new Create Policy window or tab should open in your web browser.

8. Click the Select button next to the Create Your Own Policy option.

9. Copy and paste the policy shown below.

This policy sets up the account you just created with the correct permissions for the Jamf Pro CDP to be set up and work properly with AWS’s S3 and CloudFront services.

(The policy JSON was presented as a screenshot in the original post.)

Note: Even if you do not plan to use CloudFront services, you will still need to have these permissions included with the policy. If these permissions are not included, the CDP creation process may halt with an error.
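As an added illustration (this is not the policy from the post’s screenshot, nor a policy published by Jamf), the tightened form below is what you can swap in once the CDP has been created and its bucket exists. For the initial creation, the post’s policy grants s3:* and cloudfront:* on "Resource": "*"; as François Levaux notes in the comments, s3:* on everything is only needed while Jamf creates its randomly named bucket. Assumptions labelled here: the bucket name (the post only says it begins with jamf), that Jamf needs s3:ListAllMyBuckets to find the bucket afterwards, and that the CloudFront actions stay as a wildcard because the post does not list which ones Jamf calls. Test a tightened policy against your Jamf Pro version before relying on it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "JamfCdpBucketAndObjects",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::jamf-EXAMPLE-BUCKET-NAME",
        "arn:aws:s3:::jamf-EXAMPLE-BUCKET-NAME/*"
      ]
    },
    {
      "Sid": "JamfCdpFindBucket",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "JamfCdpCloudFront",
      "Effect": "Allow",
      "Action": "cloudfront:*",
      "Resource": "*"
    }
  ]
}
```

Replace jamf-EXAMPLE-BUCKET-NAME with the bucket name you see in the verification section of this post; the resource-scoped s3:* keeps the CDP working while preventing the Jamf user’s access key from reading or deleting any other bucket in the account if it leaks.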

10. Once you have the policy set up, named and described, click the Validate Policy button to make sure the policy is formatted correctly.

11. If the policy validates correctly, click the Create Policy button.

Once the policy has been created, it will now show up in the list of policies that you can select. It will have its type set as Customer Managed, since it was created by an AWS customer as opposed to being created by AWS as a service for its customers.

12. Select the new policy if needed and click the Next: Review button.

13. At the review window, make sure that the selected choices match expectations. If they do, click the Create user button.

14. Once the user has been successfully created, the Access Key ID and Secret access key for the new user account can be accessed. To view the secret key, click the Show link. This is the only time AWS will display the secret key; if you leave the page without recording it, you will need to create a new access key.

The account credentials can also be downloaded as a .csv file.

At this point, the existing AWS policy and account permissions are sufficient to create a CDP for a Jamf Pro server on AWS. For those who want to additionally secure your CDP by using CloudFront signed URLs, it will be necessary to get a copy of the appropriate CloudFront public and private keys.

Unlike many management functions in AWS, access to the appropriate CloudFront public and private keys is only available to the root user of the AWS account. Depending on the size of your organization, the AWS root account may be controlled by a group outside of yours, so you may need to do some investigation to see who can provide you with access to the CloudFront keys.

If you have access to your AWS account’s root user, here’s how to generate the appropriate CloudFront public and private keys.

1. Log into the AWS console.

2. Click on your account’s name in the upper right hand corner of the window.

3. Select My Security Credentials from the drop-down menu.

4. Find the CloudFront Key Pairs section and click the plus symbol, then click the Create New Key Pair button.

5. A pop up window will appear to notify that a new key pair has been created. Click the Download Private Key File button to download the private key.

Note: I also recommend downloading the public key at this time.

  • The private key will download as a file named something similar to pk-033E34D4CB164A61912908A7B3EE93BE.pem
  • The public key will download as a file named something similar to rsa-033E34D4CB164A61912908A7B3EE93BE.pem

To verify which is which, you can also open the .pem files with a text editor and see if the keys report themselves as private keys or public keys.

Note: Once you have the keys downloaded, store them in a secure location. Treat the private key like any other credential: anyone who holds it can generate valid signed URLs for content on your CDP.

Setting up the Cloud Distribution Point

Once the needed configuration has been done in AWS and the necessary credentials have been acquired, an AWS-hosted CDP can now be set up on your Jamf Pro server using the procedure shown below.

1. Log into your Jamf Pro server

2. Go into Management: Computer Management and select Cloud Distribution Point.

3. In the Cloud Distribution Point window, click the Edit button.

4. Select Amazon Web Services from the Content Delivery Network drop-down menu.

5. Locate the account credentials of your previously created AWS user account and fill in the needed credentials for the Access Key ID and Secret Access Key blanks.

6. Once the credentials have been entered, click the Save button.

7. To check the connection between the Jamf Pro server and the CDP, click the Test button.

8. In the Test Cloud Distribution Point window, click the Test button.

If the connection is working properly, you should see a success message.

Verifying the creation of the Cloud Distribution Point in AWS

1. Log into the AWS console.

2. Once at the AWS Dashboard, select S3.

3. Verify that a new S3 bucket has been created, using a name beginning with jamf.

At this point, the CDP should be up and working, but it is not yet using signed URLs. If you want to enable signed URLs, use the procedure shown below.

Enabling signed URLs on the Cloud Distribution Point

1. Log into the Jamf Pro server

2. Go into Management: Computer Management and select Cloud Distribution Point.

3. In the Cloud Distribution Point window, click the Edit button.

4. Select the Require Signed URLs checkbox.

5. Click the Upload CloudFront Private Key button.

6. In the pop-up window that appears, click the Choose File button and select the appropriate CloudFront private key.

7. Once the CloudFront private key has been selected, click the Upload button.

8. Once the private key has uploaded, the name of the private key file should appear and be grayed out in the CloudFront Private Key blank. The CloudFront Access Key ID blank should also be populated with the Access Key ID.

9. Once all settings appear to have been applied correctly, click the Save button.

The CDP should now automatically begin using signed URLs.
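To show what "Require Signed URLs" actually changes, and why the pk-*.pem file from the CloudFront key pair section above has to be guarded, here is an added example (my own code for this page, not Jamf’s or AWS’s) that builds a CloudFront signed URL with a canned policy, checks its expiry, and pulls the key pair ID out of the console’s download filename. Assumptions not taken from the post: the distribution hostname and key pair ID are placeholders, the RSA-SHA1 step uses the third-party cryptography package, and the signing callable is passed in so the URL assembly can be exercised with a stand-in signer where no key is at hand.

```python
"""CloudFront signed URLs (canned policy) as a Jamf Pro CDP would issue them.
Added example for this post; not Jamf's or AWS's code."""
import base64
import json
import re
import time
from urllib.parse import parse_qs, urlencode, urlparse

# CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'
_CF_B64 = bytes.maketrans(b"+=/", b"-_~")
# Assumption: console downloads are named pk-<KeyPairId>.pem / rsa-<KeyPairId>.pem
_KEY_FILE = re.compile(r"^(pk|rsa)-([A-Za-z0-9]+)\.pem$")


def key_pair_id_from_filename(name: str) -> str:
    """Key pair ID embedded in the download filename (the Key-Pair-Id a URL carries)."""
    m = _KEY_FILE.match(name)
    if not m:
        raise ValueError(f"not a CloudFront key pair file name: {name}")
    return m.group(2)


def pem_kind(pem_text: str) -> str:
    """'private' or 'public' from the PEM header, the check the post does by eye."""
    first = pem_text.lstrip().splitlines()[0]
    if "PRIVATE KEY" in first:
        return "private"
    if "PUBLIC KEY" in first:
        return "public"
    raise ValueError("not a PEM key")


def canned_policy(resource_url: str, expires: int) -> bytes:
    """Canned policy: one resource, one expiry, serialised with no whitespace.
    These exact bytes are what gets signed."""
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode()


def cloudfront_b64(raw: bytes) -> str:
    """Standard base64 with CloudFront's three substitutions applied."""
    return base64.b64encode(raw).translate(_CF_B64).decode()


def rsa_sha1_signer(private_key_pem: bytes):
    """Return sign(policy_bytes) -> signature bytes using the pk-*.pem key.
    CloudFront verifies RSA PKCS#1 v1.5 over SHA-1, so that is what is produced.
    Assumption: the third-party `cryptography` package is installed."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda policy: key.sign(policy, padding.PKCS1v15(), hashes.SHA1())


def build_signed_url(resource_url, key_pair_id, sign, ttl_seconds=600, now=None):
    """Append Expires, Signature and Key-Pair-Id to the object URL. Anyone holding
    the private key can mint these, which is why pk-*.pem must be kept secret."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    signature = sign(canned_policy(resource_url, expires))
    query = urlencode({"Expires": expires,
                       "Signature": cloudfront_b64(signature),
                       "Key-Pair-Id": key_pair_id})
    return f"{resource_url}{'&' if '?' in resource_url else '?'}{query}"


def is_expired(signed_url: str, now=None) -> bool:
    """True once Expires has passed; CloudFront rejects the URL after that."""
    now = int(time.time()) if now is None else now
    expires = int(parse_qs(urlparse(signed_url).query)["Expires"][0])
    return now >= expires


if __name__ == "__main__":
    # Stand-in signer so this runs without a key; for a real key use
    # sign=rsa_sha1_signer(open("pk-<KeyPairId>.pem", "rb").read())
    url = build_signed_url("https://d111111abcdef8.cloudfront.net/Packages/Example.pkg",
                           key_pair_id_from_filename("pk-033E34D4CB164A61912908A7B3EE93BE.pem"),
                           sign=lambda policy: b"\xfb\xff\xfe", now=1_000_000)
    print(url)
```

The three query parameters are the whole mechanism: a client without a current Expires and a signature made with your private key gets a 403 from CloudFront, so the private key, not the S3 bucket policy, becomes the thing that gates downloads once signed URLs are on.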

Hat tip to my colleague François Levaux-Tiffreau, for providing the best documentation I came across in my research on how to set up a CDP with Jamf Pro.

  1. jhbush
    March 7, 2017 at 4:21 am

    Very nice writeup.

  2. François 'ftiff' Levaux
    March 8, 2017 at 9:56 pm

    Thank you very much for this post (and for the mention)! About IAM… It would make sense to close down the rights. s3:* is required for initial creation (as Jamf uses a generated UUID), but not after. I cannot tell more as I haven’t tested it.

  3. Ryan Taylor
    March 14, 2017 at 4:17 pm

    Great write up Rich. I’m still waiting for Jamf to implement custom bucket URL support. It’s a feature request under review. We use AWS internally with custom URLs for our corporate network. Jamf assumes you’re using the public AWS URL. Until then, we can’t move to AWS. Also need to wonder if Jamf will eventually support Azure.
