Installing and configuring the Jamf Infrastructure Manager on Red Hat Enterprise Linux

I recently needed to configure Jamf’s Jamf Infrastructure Manager (JIM) to provide a way for a Jamf Pro server hosted outside a company’s network to be able to talk to an otherwise inaccessible Active Directory domain.

The documentation on how to set up an Infrastructure Manager covers the essentials of how to do it, but doesn’t include any screenshots or have information about how to access the logs to help debug problems. After some research and working with the JIM a bit, I was able to figure out the basics. For more details, see below the jump.

The JIM officially supports the following OSs:

  • Ubuntu 14.04 LTS Server (64-bit) or Ubuntu 16.04 LTS Server (64-bit)
  • Red Hat Enterprise Linux (RHEL) 7.0, 7.1, or 7.2
  • Windows Server 2008 R2 (64-bit), Windows Server 2012 (64-bit), or Windows Server 2012 R2 (64-bit)

In this example, I’m going to be setting the JIM up on RHEL.

Installing the JIM

Pre-requisites:

  • Supported operating system
  • Otherwise unused network port higher than 1024 opened inbound, both on the firewall and on the machine hosting the JIM
  • Ports opened from the machine hosting the JIM to your Active Directory domain. Usually, this means allowing inbound access to an AD domain controller via either port 389 (for unencrypted LDAP communication) or port 636 (for encrypted LDAP communication)

1. Download the JIM .rpm installer file from your Jamf Nation assets list (for RHEL, this is listed as the Infrastructure Manager Installer for Linux.)

2. Copy it to a convenient place on the server you want to install the JIM on.

3. Log in to the server as a user with superuser privileges.

4. Run the JIM installer by using a command similar to the one shown below with root privileges:

sudo rpm -i /path/to/jamf-im-1.3.0-1.noarch.rpm

5. Once the installation process has completed, you’ll be prompted to enroll using the following command:

sudo jamf-im enroll

As part of the enrollment process, you’ll be prompted for four settings:

  • Jamf Pro URL (for example: https://jamfpro.company.com)
  • Jamf Pro user account with the Infrastructure Manager privilege (for example, your admin account)
  • Password to the Jamf Pro user account
  • Hostname of the machine you’re installing it on. (This must be the fully qualified domain name of the machine.)

Note: The hostname of the machine must resolve both for the machine hosting the JIM and for the remote Jamf Pro server, so there can’t be mismatches like having the machine itself think its hostname is blahblah.int.company.com and the remote Jamf Pro server think its hostname is blehbleh.ext.company.com.

6. Once configured, the JIM process will restart and enroll itself with the remote Jamf Pro server.

7. To verify the enrollment succeeded, log into the remote JSS and go to Management Settings: Server Infrastructure and click on Infrastructure Managers.

8. In the Infrastructure Managers window, you should see a listing for the enrolled JIM.

9. To check the JIM enrollment status, click on the listing.

Using the JIM as an LDAP Proxy

If you already have the settings configured for the Active Directory domain, enabling the JIM to act as an LDAP proxy is fairly straightforward.

1. Go to Management Settings: System Settings and click on LDAP Servers.

2. Click on the listing for your Active Directory domain settings.

3. In the Active Directory domain settings, click the Enable LDAP Proxy Server checkbox.

4. In the Proxy Server drop-down menu, select the hostname of the enrolled JIM.

5. Set the port number of your inbound port.

Note: The port number specified here must be the same port number which is opened in the firewall and on the machine hosting the JIM. The JIM is not able to listen to alternate ports and the Jamf Pro server tells the JIM which port it needs to be listening on. This means that you will not be able to open one port in your firewall, but have the JIM listen at a different port.

6. Once your proxy settings are entered, save your changes.

Advisory: It is not currently possible to use the LDAP Proxy as part of Microsoft’s Active Directory assistant in Jamf Pro. If the settings for your Active Directory domain have not been configured previously, you will need to use the Configure Manually option to set up your AD domain settings and domain mappings.

Verifying connection to the Active Directory domain

Once the LDAP proxy is in place, you can verify if it is working by using the Test button in the Active Directory domain settings.

1. Open the Active Directory domain settings.

2. Click on the Test button.

3. In the Test window, select User Mappings.

4. Enter a username to look up, then click the Test button.

5. If all goes well, a listing for the username should be returned.

6. Repeat lookups as needed for User Group Mappings and User Group Membership Mapping.

Accessing JIM logs

If all didn’t go well, you may need to check the JIM logs on the JIM’s host machine to see what’s going on. Those logs are available in the following locations on Red Hat Enterprise Linux:

  • /var/log/jamf-im-launcher.log
  • /var/log/jamf-im.log
  • /var/log/jamf-im-pre-enroll.log
  1. May 1, 2017 at 9:30 pm

    Rich, could you please clarify the section about “Note: The hostname of the machine must resolve both for the machine hosting the JIM and for the remote Jamf Pro server, so there can’t be mismatches like having the machine itself think its hostname is blahblah.int.company.com and the remote Jamf Pro server think its hostname is blehbleh.ext.company.com.”

    That trips a lot of people up. The JSS must be able to use external DNS to resolve jim.company.org to the external IP of the enrolled JIM hostname. The JIM must be able to resolve the enrolled hostname to its own IP address. Otherwise it will not know which network interface to listen on.

    There are two ways to do this…
    1) have split-scope DNS so internal DNS resolves to the JIM’s internal IP
    or…
    2) Add an entry to the /etc/hosts file on the JIM
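
The hostname and port requirements discussed in the post and in the comment above can be checked on the JIM host before running the enrollment. The script below is an added example, not part of the original post, the comment, or Jamf's tooling. It assumes firewalld is the host firewall, and the script name, function names and arguments are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): preflight checks to run on the
# JIM host. Usage: ./jim-preflight.sh <jim-fqdn> <proxy-port> [<dc-host> <ldap-port>]

# The proxy port must be numeric and above 1024 (and a valid TCP port).
valid_proxy_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Succeeds if any resolved address ($1) is one of the host's own ($2).
# Both arguments are whitespace-separated address lists.
resolves_to_self() {
  for r in $1; do
    for l in $2; do
      [ "$r" = "$l" ] && return 0
    done
  done
  return 1
}

# Print PASS/FAIL for a check and hand its status back to the caller.
report() {  # usage: report <status> <description>
  if [ "$1" -eq 0 ]; then echo "PASS: $2"; else echo "FAIL: $2"; fi
  return "$1"
}

preflight() {
  fqdn=$1; port=$2; dc=$3; ldap_port=$4; rc=0
  # Resolve the enrolled hostname the way local services will (hosts file, then DNS).
  resolved=$(getent ahosts "$fqdn" | awk '{print $1}' | sort -u)
  resolves_to_self "$resolved" "$(hostname -I)"
  report $? "$fqdn resolves to an address on this host" || rc=1
  valid_proxy_port "$port"
  report $? "proxy port $port is numeric and above 1024" || rc=1
  # Assumption: firewalld is the host firewall (the RHEL 7 default).
  firewall-cmd --quiet --query-port="$port/tcp"
  report $? "firewalld allows inbound $port/tcp" || rc=1
  if [ -n "$dc" ]; then
    # Optional: TCP reachability from this host to the domain controller.
    timeout 5 bash -c ': </dev/tcp/"$0"/"$1"' "$dc" "$ldap_port" 2>/dev/null
    report $? "$dc reachable on LDAP port $ldap_port" || rc=1
  fi
  return "$rc"
}

# Run only when arguments are supplied, so the helpers can be sourced alone.
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Run it with sudo so that firewall-cmd can query the runtime configuration. A hostname that resolves only to a loopback address fails the first check, because hostname -I does not list loopback addresses.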
