Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
  • 1.  JAMF MDM

    Posted Jan 16, 2014 03:27 PM

    Anyone have experience integrating JAMF with CPPM?  We're seeing an odd situation which happened again.

     

    In CPPM, we configure the JAMF server and life is good.  CPPM logs indicate it is communicating properly with JAMF and getting updates. 

     

    What we find is at some point, devices which are added to JAMF come over to CPPM but none of the JAMF information is in the endpoint database.  As a result, CPPM indicates the device is not in JAMF (it is there) so the device gets assigned a BYOD type role.  When this happened before, we deleted the JAMF server connection info and added it back then the endpoint database populated correctly.  Do I have to do this periodically to get JAMF to work properly with CPPM?



  • 2.  RE: JAMF MDM

    EMPLOYEE
    Posted Jan 16, 2014 03:30 PM
    Do you see any endpoint updates for those devices in the Audit Viewer?


  • 3.  RE: JAMF MDM

    Posted Jan 16, 2014 03:33 PM

    The only thing I see is when I manually changed it from unknown to known.



  • 4.  RE: JAMF MDM

    Posted Jan 17, 2014 11:53 AM

    Can you confirm what versions you have deployed for both CPPM and JAMF? Also, does your JAMF deployment just contain Mac OS X devices or a mixture of iOS as well? Depending on your version of CPPM we have an option to enable the integration to recover the managed OS X computers as well.

     



  • 5.  RE: JAMF MDM

    Posted Jan 17, 2014 11:56 AM

    CPPM is 6.2.3

    JAMF is 9.2.2

     

    We do have some Mac OS X but mainly iOS devices.



  • 6.  RE: JAMF MDM

    Posted Jan 17, 2014 02:00 PM

    We are not running the same release of JAMF in our lab environment so are attempting to update to match your deployment. In the interim it couldn't hurt to get a TAC case raised as the support team can look at some additional logs through the support shell that might be able to point us in the right direction.

     

    Keep you posted.

     

     



  • 7.  RE: JAMF MDM

    Posted Feb 11, 2014 01:57 PM

    We've discovered an odd situation: the device is only being reported to CPPM by JAMF using the hardwire LAN MAC address.  Therefore it looks to CPPM that the device is a BYOD device even though the device is in JAMF.  The WLAN MAC is in JAMF but it is listed as 'secondary' address while the LAN address is the 'primary' address.  Could that be the cause?  Does no one else using CPPM use JAMF?



  • 8.  RE: JAMF MDM

    Posted Mar 25, 2014 09:23 AM

    @-cam- wrote:

    Can you confirm what versions you have deployed for both CPPM and JAMF? Also, does your JAMF deployment just contain Mac OS X devices or a mixture of iOS as well? Depending on your version of CPPM we have an option to enable the integration to recover the managed OS X computers as well.

     


    I'm currently running CPPM 6.3.0.60537 and can't seem to find any options to import managed OS X machines.  iOS is importing fine.  Any ideas?



  • 9.  RE: JAMF MDM

    Posted Mar 25, 2014 09:31 AM

    The CPPM will automatically import all devices from JAMF.  With the 6.3, we now have OS X working properly.  It has to do with the order of the NICs as sent over from JAMF.

     

    You might try deleting all entries on CPPM from the JAMF and let it add them back?  We had to do that once early in the process.



  • 10.  RE: JAMF MDM

    Posted Mar 26, 2014 10:23 AM

    @pdavis wrote:

    The CPPM will automatically import all devices from JAMF.  With the 6.3, we now have OS X working properly.  It has to do with the order of the NICs as sent over from JAMF.

     

    You might try deleting all entries on CPPM from the JAMF and let it add them back?  We had to do that once early in the process.


    I tried deleting the Jamf JSS entry and adding it back in, but that didn't seem to help.  All of the iOS records are correct so I don't think deleting them will help get the OS X machines in.  The account CPPM is using is set up as an auditor in the JSS.  Is there a different set of security rights that are needed on the MDM side?



  • 11.  RE: JAMF MDM

    Posted Mar 26, 2014 02:59 PM

    Can you extract the mdm.log from the Logs please?

     

    Instructions in my TechNote posted on the support.arubanetworks.com.......

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961



  • 12.  RE: JAMF MDM

    Posted Mar 28, 2014 09:14 AM

    ** Problem Solved **

    There were several computer and mobile device records in the JSS that were incomplete and causing the import to fail.  For mobile devices, there were a few without a last check-in date which CPPM would not import.  On the computer side, there was one that had some garbage characters in the asset tag field.  Apparently an error on a single record will cause the entire import to fail.  Deleting these bad records from the JSS and waiting for CPPM to reimport everything solved the problem.



  • 13.  RE: JAMF MDM

    Posted Feb 12, 2014 10:39 PM
    I seem to recall when we were doing the initial integration with JAMF that the order of interfaces is related to which interface (Ethernet or WiFi) was active during the MDM enrollment. It might be worth speaking with your JAMF contact to confirm this detail. Nonetheless, we should record each as a new endpoint within ClearPass and hence will be available for policy enforcement decisions.


  • 14.  RE: JAMF MDM

    Posted Feb 13, 2014 08:01 AM

    According to our local SE, 6.3 should address this issue. We're working to get the upgrade done for our pilot.  I'll report back on progress.



  • 15.  RE: JAMF MDM
    Best Answer

    Posted Feb 13, 2014 11:44 AM

    Hi, this issue was resolved in CPPM 6.2.3.

     

    The issue relates to JAMF presenting an attribute they called alt_mac_address; we were not reading this but added it in the 6.2.3 code.
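
The two failure modes reported in this thread (one malformed JSS record aborting the whole import, and a device known only by its primary MAC while it connects on the secondary one) can be illustrated with a per-record import check. This is an added example, not part of any post and not ClearPass or JAMF code; the records are constructed, and every field name except `alt_mac_address` (named in the thread) is a hypothetical placeholder.

```python
import re

# Constructed sample records; every key except alt_mac_address (named in the
# thread) is a hypothetical field name, not the JSS API schema.
RECORDS = [
    {"name": "mac-01", "mac_address": "00:11:22:33:44:55",
     "alt_mac_address": "66-77-88-99-AA-BB", "last_checkin": "2014-03-20", "asset_tag": "A1001"},
    {"name": "ipad-07", "mac_address": "10:20:30:40:50:60",
     "alt_mac_address": "", "last_checkin": "", "asset_tag": "A1002"},
    {"name": "mac-02", "mac_address": "0A:0B:0C:0D:0E:0F",
     "alt_mac_address": "", "last_checkin": "2014-03-21", "asset_tag": "A10\x0003\ufffd"},
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")

def norm_mac(value):
    """Lower-case hex without separators, or None if not a 48-bit MAC."""
    mac = re.sub(r"[:.\-]", "", (value or "").strip().lower())
    return mac if MAC_RE.match(mac) else None

def record_problems(rec):
    """Return the defects described in the thread that this record has."""
    problems = []
    if not (rec.get("last_checkin") or "").strip():
        problems.append("missing last check-in date")
    tag = rec.get("asset_tag") or ""
    if any(not ch.isprintable() or ch == "\ufffd" for ch in tag):
        problems.append("non-printable characters in asset tag")
    if norm_mac(rec.get("mac_address")) is None:
        problems.append("invalid primary MAC")
    return problems

def import_records(records):
    """Validate each record on its own; index good ones under every MAC."""
    endpoints, rejected = {}, {}
    for rec in records:
        problems = record_problems(rec)
        if problems:
            # Quarantine the bad record instead of failing the whole batch.
            rejected[rec.get("name", "?")] = problems
            continue
        for key in ("mac_address", "alt_mac_address"):
            mac = norm_mac(rec.get(key))
            if mac:
                endpoints[mac] = rec["name"]
    return endpoints, rejected

if __name__ == "__main__":
    print(import_records(RECORDS))
```

Run against an export of the MDM inventory, the `rejected` map points at the records to clean up before the next sync, and the `endpoints` map shows whether a managed device would be recognised on either interface.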