Security

 View Only
last person joined: 20 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

JAMF School

This thread has been viewed 58 times

  • 1.  JAMF School

    MVP
    Posted Jul 03, 2023 10:52 AM

    EDIT 1 uch, just noticed "zuluDeskPullOnStart" being set to FALSE.  True now.. will update later if this was the fix.
    EDIT 2 no such luck 

    [2023-07-03T17:07:00.103] [INFO] ZuluDesk - ZuluDesk pull on start is true. Starting pull process.
[2023-07-03T17:07:00.105] [DEBUG] ZuluDesk - Making GET request to https://<customer>.jamfcloud.com/devices?includeApps=false.
[2023-07-03T17:07:00.107] [INFO] ZuluDesk - Enabling ZuluDesk pull processor.
[2023-07-03T17:07:00.107] [INFO] ZuluDesk - Using the pull schedule "0 3 * * *".
[2023-07-03T17:07:00.119] [INFO] ZuluDesk - The next ZuluDesk pull processor is set to run at Tue Jul 04 2023 03:00:00 GMT+0200.
[2023-07-03T17:07:00.124] [INFO] ZuluDesk - Starting extension web services...
[2023-07-03T17:07:00.127] [INFO] ZuluDesk - Server listening on port 80.
[2023-07-03T17:07:00.238] [DEBUG] ZuluDesk - Request "GET 'https://172.17.0.1/api/server/version'" took 78.45ms.
[2023-07-03T17:07:00.239] [DEBUG] ZuluDesk - {"cppm_version":"6.11.3.253363","guest_version":"6.11.3.253363","installed_patches":[{"name":"6.11.1_source-rollback-package","description":"Optional ClearPass 6.11.x package required to rollback to previously installed 6.11.X version for customers using 6.11.1 as base image","installed":"2023-06-28T10:01:47+02:00"},{"name":"20230306-clearpass-6.11-updates-3","description":"ClearPass Policy Manager Cumulative Patch 3 for 6.11.0, 6.11.1 and 6.11.2","installed":"2023-06-28T10:20:20+02:00"}]}
[2023-07-03T17:07:00.653] [DEBUG] ZuluDesk - Request "GET 'https://<customer>.jamfcloud.com/devices?includeApps=false'" took 86.43ms.
[2023-07-03T17:07:00.654] [ERROR] ZuluDesk - SyntaxError: Unexpected token < in JSON at position 0
    at JSON.parse (<anonymous>)
    at ext.makeRequest (/src/server.js:292:34)
    at Request.newCallback [as _callback] (/src/node_modules/clearpass-node-extension-sdk/extension-sdk.js:460:17)
    at Request.self.callback (/src/node_modules/request/request.js:185:22)
    at emitTwo (events.js:126:13)
    at Request.emit (events.js:214:7)
    at Request.<anonymous> (/src/node_modules/request/request.js:1161:10)
    at emitOne (events.js:116:13)
    at Request.emit (events.js:211:7)
    at IncomingMessage.<anonymous> (/src/node_modules/request/request.js:1083:12)

    So back to my original post:

    First time configuring JAMF endpoint context server and running into some issues.

    Trying with simple basic auth but keep getting "Failed to fetch Endpoint details from <customer>.jamfcloud.com Error code: 302 Verify Proxy settings, Server credentials and retry." Mind you this is an 302 error, not 404. This same address into a browser does pop up the jamf webgui.

    Researching a bit further I can find an (old?) Clearpass extension "Jamf School (formerly ZuluDesk)".Mmm, maybe JAMF (PRO?) vs JAMF School is an important difference?
    Anyway, creating an API interface on the jamf site, then using the network ID and API key gives all the info I need to configure this extension it seems.  However.. this also doesn't appear to work: "[WARN] ZuluDesk - The ZuluDesk pull processor is disabled.".

    So, who has some experience with JAMF that can tell me if I should be using the extension or the endpoint context server settings? And maybe why either isn't working?



  • 2.  RE: JAMF School

    EMPLOYEE
    Posted Jul 04, 2023 04:18 AM

    Seems to me that this JAMF does not match with what ClearPass is expecting:

    SyntaxError: Unexpected token < in JSON at position 0

    This suggests to me that ClearPass receives HTML or XML instead of (expected) JSON. Can be version/product mismatch or failing authentication/authorization where the JAMF service returns HTML error message instead of the JSON.

    I don't have experience. If no other responses appear, it may be best to open a TAC Support case if you verified that the JAMF School is supported and is the same as ZuluDesk.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------

    Original Message


  • 3.  RE: JAMF School

    Posted Jul 19, 2023 09:13 AM

    Well, we had Jamf Pro configured as an endpoint context server, and found out it stopped working in late December 2022. First I noticed that enable cert, enable fetch and enable bypass proxy were all off. I enabled fetch endpoints, but getting a similar error as yours: 

    "Failed to fetch Endpoint details from xxx.xxx.xxx Error code: 401 Verify Proxy settings, Server credentials and retry."

    Looking into info on how to configure, current clearpass docs mention that Jamf stopped allowing basic auth but then, everything points to configure a new plugin in the guest module. My question is, is there a way to get the current one working again or do we have to use the new plugin?

    BUT - the date coincides when we upgraded our CPPM from 6.8.6 to 6.10.8 which failed and with TAC had to redeploy a new instance, restoring from backups. Maybe we had an old plugin installed before which did not come back with the restore? UGH.



    ------------------------------
    ---
    °(((=((===°°°(((=================================
    ------------------------------

    Original Message


  • 4.  RE: JAMF School

    Posted Sep 08, 2023 12:18 PM

    Just seeing this thread now.  I ran into this with a customer a while back and it turned out the problem was that Zuludesk changed their endpoint URL format for certain customers, and the plugin was not able to accommodate the new format and kept trying to visit an incorrect URL.  I had to turn on debugging on the plugin before I saw it.  TAC was able to push a fix for me.  It did not affect all customers at that particular time.  This was about a year ago, I think.  The behavior matches exactly what you are describing; basically the plugin got an HTML reply (due to incorrect URL error page) rather than a JSON reply (what it expects from the API).


    Original Message


  • 5.  RE: JAMF School

    Posted 23 days ago

    I'm also having issues configuring Jamf School, I went thru the API docs of Jamf School and it appears it wants a Base64 code with your network ID and API key for authorization, weird thing is if you use the extension on the Guest module, there isn't an attribute for it, I tried adding the authorization attribute and it still did not work. I attempted to add jamf school as an endpoint context server and still no worky.

    I found a doc on how to configure Jamf School, but it's back from 2019 and the configuration is outdated, has anyone been able to successfully integrate jamf school? Can't seem to find any resources. 


    Original Message


  • 6.  RE: JAMF School

    Posted 23 days ago

    I have with the Guest extension, but it has been a few years.  I ran into some problems because JAMF had changed some of the API behavior (particularly the endpoint URL format) and the plugin had not been updated to keep up with those changes.  I got TAC to do a temporary fix which I assume they rolled into the next regular release.

    The configuration options depend on the plugin version from the store.  Looking at version 2.0.9, those options are present in the extension configuration, although they are named differently than the docs from 2019: jamfSchoolNetworkId and jamfSchoolApiKey.  You may also need to override the ACCOUNT in jamSchoolHost to point to the correct JAMF account.  If you are installing the extension for the first time, it should autogenerate a template config for you.


    Original Message


  • 7.  RE: JAMF School

    Posted 22 days ago

    Yeah, even when you post the sample code from the outdated doc, clearpass will correct you and make you change the old variables to the new ones, I filled out the info that was generated by the extension but keeps generating a unauthorized error and with can't find credentials which makes it weird.


    Original Message


  • 8.  RE: JAMF School

    Posted 3 days ago

    Hi,

    JAMF school and JAMF Pro are two different systems.

    We are using the following Guest Extension and are pulling attributes from JAMF School (formerly ZuluDesk) for use in the policy manager with no issues.

    ClearPass ZuluDesk Integration Guide (hpe.com)


    Extension Configuration:

    {
        "zuluDeskUrl": "api.zuludesk.com",
        "zuluDeskNetworkId": "********",
        "zuluDeskApiKey": "********",
        "endpointCacheTimeMinutes": 240,
        "zuluDeskPullOnStart": true,
        "enableZuluDeskPull": true,
        "zuluDeskPullSchedule": "15 * * * *",
        "asyncOperationLimit": 10,
        "cppmUserName": "zuludesk",
        "cppmPassword": "********",
        "verifySSLCerts": true,
        "logLevel": "INFO"
    }


    Original Message