“words—
lonely written words—are all you’ve got”

—Virginia Shea

“communication happens when I know you know what I know”

—Me

Pre-work

Complete the following pre-work prior to your Casper JumpStart. If you’re planning to take advantage of Apple’s Volume Purchase Program (VPP) or Device Enrollment Program (DEP), be sure to start the enrollment process right away. Enrollment can take a few days to a few weeks to complete.

  1. If you haven’t already, visit https://my.jamfsoftware.com/products.html and create yourself an account. Be sure your company email address matches what JAMF has on file. Your account should already have the ability to access the product download and your activation code.
  2. Download the Mac software. You’ll need this to actually run the Casper applications for taking inventory, running remote commands, etc. This download includes the Mac JSS server installer as well, if you’re planning to run your server from a Mac. Otherwise…
  3. Download the Windows JSS installer or download the Linux JSS installer. You’ll find each download also has a “JAMF Software Server Installation and Configuration Guide” with setup instructions. Pages 9-10 include a list of all port numbers and how/where they’re used. You may find this worth browsing. The guide includes system requirements on page 12. The JSS runs on virtual machines just fine.
  4. Download MySQL 5.5 or 5.6 Enterprise or Community edition.
  5. Download the Open Java Development Kit (OpenJDK). I recommend using the latest version 7 or the latest version JAMF recommends in its setup guide.
  6. Download the Java cryptography extensions.
  7. Create a fully qualified DNS entry for your server (e.g. https://macmanagement.mycompany.com)—preferably not a .local domain but we can use this if necessary. If you plan to manage your devices internally on your network as well as externally (home or via the Internet) then this one DNS entry must be accessible both internally and externally. Keep in mind your end users may see this URL. Name it something meaningful to them as well as you.
  8. Make note of your organization’s settings for an SMTP (outgoing mail) server if you’d like your JSS to notify you of events. Create a dedicated “service account” to authenticate to this server if necessary. During the JumpStart we’ll need the service account’s name and password.
  9. Make note of your organization’s system logging server and port number if you have one. You’ll have the option to send JSS logging information to this server.
  10. We’ll need a service account for your Casper JAMF Software Server (JSS) to access your directory server (Active Directory, Open Directory, Novell or LDAP) if using directory services. Casper will not write anything to the directory. It only connects to look up users and groups. This service account should be a simple directory user (non-admin). You can use an existing account or create a new account just for Casper. During the JumpStart we’ll need the service account’s name and password.
  11. To deploy software packages to your Macs we’ll need a file share on a server. The server can be Mac or Windows. It can be on the same server as your JSS although I usually recommend keeping these separate. You can call the file share anything you like—I’ll refer to it as “CasperShare” for these notes. Users won’t see this. Optionally, we can install a JAMF Distribution Server (JDS), which runs over HTTP rather than an AFP or SMB file share. This is ideal for multiple sites connected by slower WAN connections. A JDS requires either OS X Server or a Linux server. A virtual machine is fine.

    About 25-50 GB of free space should get us started. You may need more than this depending on the number and sizes of software packages you’re deploying.

  12. We’ll need two additional service accounts (local to the file server or Active Directory) that can access your “CasperShare” file share. One account should have permissions to read/write to the share and the other should have read only access. Generally, folks name these service accounts something like “CasperAdmin” and “CasperInstall”. During the JumpStart we’ll need these service accounts’ names and passwords.
  13. Bring some software installers including the latest OS X Mavericks installer to the JumpStart. Some of these items are a few GB in size and can take a while to download. If you have them in one location and easy to access we can move very quickly. I suggest having the latest versions of OS X Mavericks, Adobe CS, Microsoft Office, printer drivers, web browsers such as Chrome and Firefox, Java from Oracle and Adobe Flash. If you have a couple of specific applications you’d like to get packaged then bring those too.
  14. You’ll want to make sure you have the following ports open from your JSS to the Internet: 2195 and 2196. These are used to communicate with Apple’s Push Notification service (APNs).
  15. You’ll need port 5223 open from your devices to Apple’s network at 17.0.0.0. It’s used by APNs to send commands to your Macs and iOS devices.
  16. Use the command line tool “telnet” to test that ports 2195 and 2196 are open. From your server, run these commands for each port:
    telnet gateway.sandbox.push.apple.com 2195
    telnet gateway.push.apple.com 2195

    From a Mac workstation run:
    telnet 1-courier.push.apple.com 5223

    You’re looking for a reply of “Connected…”. If the connection closes immediately then you’re not connecting.

  17. If you don’t have one already, create an institutional Apple ID that’s tied to your organization but not to any particular person. We’ll use this to get an APNS certificate and possibly purchase software. You can also use it for your GSX login if you prefer.
  18. Consider whether you have a need for a third-party certificate. This is only necessary when you may have end-users enrolling their own devices into the JSS. A certificate will eliminate any warning messages about your website that may deter them from enrolling. You can generate a certificate signing request (CSR) from within the JSS after it’s working. Wildcard certificates seem to work fine. Upload the CSR to your vendor of choice. (I recommend not using GoDaddy.com because their root certificates are generally not pre-installed on iOS devices.) Make the purchase and add it to the JSS. Do this only after your DNS is correctly configured for your server. I can assist with this while on site.
  19. If you’re interested in taking advantage of Casper’s feature to integrate with Apple’s Device Enrollment Program (DEP) and/or Apple’s Volume Purchase Program (VPP), please be sure to complete enrollment prior to your JumpStart. This will take several days or more to complete and you should start the process ASAP at http://deploy.apple.com.
  20. Consider whether you want your JSS accessible by your Macs and iOS devices from outside your network. For example, for a Mac or an iOS device to report its current IP address and status while it’s at home with a student, a JSS needs to be available from the Internet. We can talk about this more when I arrive. If you’d like to deploy software to external machines then consider placing a JAMF Distribution Server (JDS) in your DMZ or using a third party cloud hosting service such as Akamai or Amazon. These are explained in the same installation and configuration guide you’re already referencing.
  21. Finally, a JumpStart is hands-on. Each administrator should bring a computer for connecting to the JSS. Also bring at least two Macs to an OS X JumpStart and at least two iPads to an iOS JumpStart. More and varying devices are better. We could run into hardware or model-specific issues.
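
The port checks in steps 14-16 can also be scripted so the result is a clear pass/fail per target instead of an interactive telnet session. This is an added example, not part of the original notes or of any JAMF tool; the hosts and ports come from steps 14-16, while the function names and the `--server`/`--client` flags are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: scripted form of the telnet checks in steps 14-16.
# check_port, check_targets and the --server/--client flags are illustrative names.

TIMEOUT_SECS=5

# Return 0 if a TCP connection to host:port opens, non-zero otherwise.
check_port() {
  local host=$1 port=$2
  if command -v timeout >/dev/null 2>&1; then
    timeout "$TIMEOUT_SECS" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
  else
    # No timeout(1) available: a silently filtered port may hang until the OS gives up.
    bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
  fi
}

# Check every "host:port" argument, print one line per target,
# and return the number of targets that could not be reached.
check_targets() {
  local target failures=0
  for target in "$@"; do
    if check_port "${target%:*}" "${target##*:}"; then
      echo "OPEN    $target"
    else
      echo "FAILED  $target"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

case "${1:-}" in
  --server)  # run on the JSS: both gateways, each on 2195 and 2196 (step 16)
    check_targets \
      gateway.sandbox.push.apple.com:2195 gateway.sandbox.push.apple.com:2196 \
      gateway.push.apple.com:2195 gateway.push.apple.com:2196 ;;
  --client)  # run on a Mac workstation (step 16)
    check_targets 1-courier.push.apple.com:5223 ;;
esac
```

Run it with `--server` on the JSS host and `--client` on a Mac workstation. A `FAILED` line means the connection was refused, filtered, or the name did not resolve, and the exit status is the number of failed targets.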