Manually Installing Jamf Pro: Ubuntu

This section provides a basic set of steps for manually installing and configuring Jamf Pro on Ubuntu LTS Server.

Note:

The supporting scripts and configuration used for manual installation differ from an installation using the Jamf Pro Installer for Linux. If you do not want to manually install Jamf Pro, you can use the Jamf Pro Installer for Linux. For information about obtaining the installer and installation instructions, see Installing Jamf Pro Using the Installer.

Note:

If you are upgrading to Tomcat 8.5, you will need to manually modify the server.xml file to make it compatible with Tomcat 8.5. For more information, see the Server.xml Changes for Tomcat 8.5 article.

Follow the step-by-step instructions in this section to install and configure Jamf Pro on Ubuntu LTS Server.

General Requirements

Note:

The Jamf Pro web app and the MySQL database can be installed on the same server or different servers. You may want to install the MySQL database on a different server if you have a larger environment that requires more resources. Additional configuration is required to implement this scenario. For more information, see Installing the Jamf Pro Web App and MySQL on Different Servers.

The server used to host Jamf Pro should meet the minimum requirements for operating system, Tomcat version, database configuration, and Java installation. For additional information on these Jamf Pro Server Environment requirements, see the Jamf Pro Release Notes for your version of Jamf Pro.

In addition, the following resources are recommended as the minimum allocation for a typical installation of Jamf Pro:

Linux
  • A 64-bit capable Intel processor

  • 8 GB of RAM

  • 150 GB of disk space available

  • The "wget" utility installed

  • Ports 8443 and 8080 available

You must also obtain the following to manually install Jamf Pro:
  • Jamf Pro web app (ROOT.war)
    To obtain this item in the Jamf Pro manual installation archive, log in to Jamf Account and navigate to the Products page for Jamf Pro.
  • Jamf Pro Server Tools Command-Line Interface (CLI)
    Instructions for obtaining this item are provided below.
Note:

Each installation of Jamf Pro and its required services is unique, and requirements, such as Jamf Pro web app memory, may vary depending on your implementation. For information about allocating additional memory to the Jamf Pro web app, see Jamf Pro Web App Memory.

If you have questions regarding scaling your environment's resources beyond the typical recommendations, contact Jamf Support.

Step 2: Installing Tomcat

Apache Tomcat is the web application server that runs Jamf Pro.

Jamf tests each version of Jamf Pro with the corresponding version of Tomcat listed in the Apache Tomcat Versions Installed by the Jamf Pro Installer article. You are highly encouraged to install the version of Tomcat associated with the version of Jamf Pro you are installing.

You will need URLs to download and verify the Tomcat binary distribution that you intend to install. If you have access to a web browser on the Ubuntu system or if you are remotely connected to an Ubuntu shell session from your computer, you may want to copy these URLs just before executing the download commands. If not, you may want to copy the URLs into a text document for reference as you type them.

Requirements

Copy the necessary URLs:

  1. In a web browser, open the Tomcat 8 download page: https://tomcat.apache.org/download-80.cgi

  2. If you need the latest version of Tomcat:

    1. On the Tomcat 8 download page, navigate to Tomcat 8.5.x > Binary Distributions > Core.

    2. Right-click the "tar.gz" link, and choose Copy Link to copy the URL.

    3. Paste the copied URL into a document for reference, or paste it directly into the download command (see below).

    4. On the Tomcat 8 download page, right-click the "sha512" link, and choose Copy Link to copy the URL.

    5. Paste the copied URL into a document for reference, or paste it directly into the download command (see below).

  3. If you need a previous version of Tomcat:

    1. On the Tomcat 8 download page, navigate to the Quick Navigation section and click Archives.

    2. Click the folder for the version of Tomcat that you want.

    3. Click the bin/ folder.

    4. Right-click the "apache-tomcat-8.5.x.tar.gz" link, and choose Copy Link to copy the URL.

    5. Paste the copied URL into a document for reference, or paste it directly into the download command (see below).

    6. On the Tomcat 8 webpage, right-click the "apache-tomcat-8.5.x.tar.gz.sha512" link, and choose Copy Link to copy the URL.

    7. Paste the copied URL into a document for reference, or paste it directly into the download command (see below).

Additional notes:

  • Tomcat 8.5.42 is used in the commands in this section. When you execute the commands, substitute "8.5.42" with the specific version of Tomcat 8.5.x that you want to install. The most recent version of Tomcat 8.5.x can be downloaded from the following page: https://tomcat.apache.org/download-80.cgi

  • You may need to install the "wget" utility to execute the commands found in this guide. Install "wget" by executing:

    sudo apt-get install wget
  1. Create a "tomcat" group by executing:
    sudo groupadd tomcat
  2. Create a "tomcat" user by executing:
    sudo useradd -r -g tomcat -d /opt/apache-tomcat-8.5.42 -s /usr/sbin/nologin tomcat
  3. Create a temporary directory for the downloads and change to the directory by executing:
    mkdir /tmp/tomcat && cd /tmp/tomcat
  4. Download the Tomcat binary distribution using the tar.gz URL (see above) with a command similar to:
    wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.42/bin/apache-tomcat-8.5.42.tar.gz
  5. Download the Tomcat sha512 reference file using the URL (see above) with a command similar to:
    wget https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.42/bin/apache-tomcat-8.5.42.tar.gz.sha512
  6. Using the filename of the sha512 reference file, verify the binary distribution has not been modified with a command similar to:
    sha512sum -c apache-tomcat-8.5.42.tar.gz.sha512

    The result should be something like:

    apache-tomcat-8.5.42.tar.gz: OK
  7. If the result of the check indicates that the downloaded binary is "OK", extract the contents of the file with a command similar to:
    tar -zxvf apache-tomcat-8.5.42.tar.gz
  8. Move the extracted contents to the desired location with a command similar to:
    sudo mv apache-tomcat-8.5.42 /opt/
  9. Ensure the "tomcat" user and group have ownership of the directory and contents with a command similar to:
    sudo chown -R tomcat:tomcat /opt/apache-tomcat-8.5.42
  10. Create a symlink to the directory with a command similar to:
    sudo ln -s /opt/apache-tomcat-8.5.42 /opt/tomcat
    Note:

    Installing Tomcat in a directory named with the version number and then symlinking to this directory allows for an easy Tomcat upgrade path later—simply install a newer version of Tomcat in a new directory with its version number in the name and change the symlink to point to the new version.
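The download, verify, and extract steps above can be tied together so that extraction only happens after the checksum passes. The following is an added example, not part of the Jamf or Apache documentation; the function names, return codes, and the 0.0.0 sample archive are constructed for illustration.

```shell
#!/bin/sh
# verify_and_extract ARCHIVE DESTDIR
# Return codes: 0 extracted, 1 checksum mismatch, 2 missing or mismatched
# reference file, 3 archive member would escape DESTDIR.
verify_and_extract() {
    archive=$1
    dest=$2
    name=$(basename "$archive")
    ref="$archive.sha512"

    [ -f "$archive" ] && [ -f "$ref" ] || return 2

    # The reference file must hold one entry that names this archive; otherwise
    # "sha512sum -c" could print OK for some other file in the directory.
    [ "$(grep -c . "$ref")" -eq 1 ] || return 2
    listed=$(awk '{print $2}' "$ref" | sed 's/^\*//')
    [ "$listed" = "$name" ] || return 2

    # sha512sum -c resolves file names relative to the current directory.
    (cd "$(dirname "$archive")" && sha512sum -c --status "$name.sha512") || return 1

    # Refuse absolute paths and ".." components before anything is written.
    if tar -tzf "$archive" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 3
    fi

    mkdir -p "$dest" && tar -xzf "$archive" -C "$dest"
}

# Constructed sample: a stand-in archive (version 0.0.0 is a placeholder),
# verified once intact and once after a byte is appended.
demo_verify() {
    work=$(mktemp -d)
    mkdir -p "$work/src/apache-tomcat-0.0.0/bin" "$work/dl"
    echo '#!/bin/sh' > "$work/src/apache-tomcat-0.0.0/bin/startup.sh"
    tgz="$work/dl/apache-tomcat-0.0.0.tar.gz"
    tar -czf "$tgz" -C "$work/src" apache-tomcat-0.0.0
    (cd "$work/dl" && sha512sum "$(basename "$tgz")" > "$(basename "$tgz").sha512")

    rc_ok=0;  verify_and_extract "$tgz" "$work/opt"  || rc_ok=$?
    printf 'x' >> "$tgz"
    rc_bad=0; verify_and_extract "$tgz" "$work/opt2" || rc_bad=$?

    [ -d "$work/opt2" ] && leaked=yes || leaked=no
    rm -rf "$work"
    echo "intact=$rc_ok tampered=$rc_bad extracted_after_failure=$leaked"
}
```

A checksum fetched from the same server detects a corrupted or truncated download; Apache also publishes a detached PGP signature (.asc) next to each archive for verifying its origin.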

Step 3: Creating a Tomcat Management Service

Requirements

You will need to know the path to the base Java folder (the path without /bin/java at the end) to provide it as the JAVA_HOME environment variable in the management service. The specific path to Java will vary depending on the platform, OS version, OpenJDK vs. Oracle JDK, etc.

Following are different methods that you can use to find the path to Java on your system:

  • Reference the JAVA_HOME environment variable:

    $ echo $JAVA_HOME
    /usr/lib/jvm/java-11-openjdk-amd64
  • Use update-alternatives:

    $ sudo update-alternatives --config java
    There is only one alternative in link group java (providing /usr/bin/java): /usr/lib/jvm/java-11-openjdk-amd64/bin/java
    Nothing to configure.
  • Use whereis to find "java" and follow the breadcrumbs:

    $ whereis java
    java: /usr/bin/java /usr/share/java /usr/share/man/man1/java.1.gz
    
    $ ls -la /usr/bin | grep java$
    lrwxrwxrwx 1 root root 22 Jun 26 11:29 java -> /etc/alternatives/java
    
    $ ls -la /etc/alternatives | grep java$
    lrwxrwxrwx 1 root root 43 Jun 26 11:32 java -> /usr/lib/jvm/java-11-openjdk-amd64/bin/java
    
  1. Using your preferred text editor, create a tomcat systemd service file with a command similar to:
    sudo vi /etc/systemd/system/tomcat.service
  2. Paste the following into the tomcat.service file:
    [Unit]
    Description=Jamf Pro Web Application Container
    Wants=network.target
    After=syslog.target network.target
     
    [Service]
    Type=forking
     
    Environment=JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64
    Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
    Environment=CATALINA_HOME=/opt/tomcat
    Environment=CATALINA_BASE=/opt/tomcat
    Environment='CATALINA_OPTS=-server -XX:+UseParallelGC'
    Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.net.preferIPv4Stack=true'
     
    ExecStart=/opt/tomcat/bin/startup.sh
    ExecStop=/opt/tomcat/bin/shutdown.sh
     
    User=tomcat
    Group=tomcat
    UMask=0007
    RestartSec=10
    Restart=always
     
    [Install]
    WantedBy=multi-user.target 
  3. Ensure the JAVA_HOME value in the tomcat.service file matches the path to the JDK installed on the system, not including /bin/java at the end (see above for guidance on finding this path).
  4. Save the tomcat.service file.
  5. Restart the systemd daemon by executing:
    sudo systemctl daemon-reload
  6. Start the Tomcat service by executing:
    sudo systemctl start tomcat
  7. To check the status of Tomcat, execute:
    systemctl status tomcat
    Note:

    You need to press the Q key to exit from the status reporting.

  8. Enable auto startup of the Tomcat service at boot by executing:
    sudo systemctl enable tomcat
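One way to perform the JAVA_HOME check from step 3 is to resolve the java launcher's symlink chain and compare the result with the unit file. This is an added example, not part of the Jamf documentation; the function names are hypothetical, the directory tree is constructed in a temporary folder, and the unit parser assumes the unquoted Environment=JAVA_HOME=... form used above.

```shell
#!/bin/sh
# java_home_from LAUNCHER: follow every symlink, then strip /bin/java.
java_home_from() {
    real=$(readlink -f "$1") || return 1
    case $real in
        */bin/java) printf '%s\n' "${real%/bin/java}" ;;
        *) return 1 ;;
    esac
}

# unit_java_home UNITFILE: value of the last Environment=JAVA_HOME=... line.
unit_java_home() {
    sed -n 's/^[[:space:]]*Environment=JAVA_HOME=//p' "$1" | tail -n 1
}

# check_unit_java_home UNITFILE LAUNCHER
# 0 = match, 1 = mismatch or not set, 2 = launcher could not be resolved.
check_unit_java_home() {
    expected=$(java_home_from "$2") || return 2
    actual=$(unit_java_home "$1")
    # Resolve the unit's value too, so a symlinked JAVA_HOME still matches.
    [ -n "$actual" ] && [ "$(readlink -f "$actual")" = "$expected" ]
}

# Constructed sample: the same symlink chain as the whereis walk-through,
# rebuilt under a temporary root, plus one correct and one incorrect unit.
demo_java_home() {
    root=$(readlink -f "$(mktemp -d)")
    jdk="$root/usr/lib/jvm/java-11-openjdk-amd64"
    mkdir -p "$jdk/bin" "$root/usr/bin" "$root/etc/alternatives"
    : > "$jdk/bin/java"
    ln -s "$jdk/bin/java" "$root/etc/alternatives/java"
    ln -s "$root/etc/alternatives/java" "$root/usr/bin/java"
    printf '[Service]\nEnvironment=JAVA_HOME=%s\n' "$jdk" > "$root/good.service"
    printf '[Service]\nEnvironment=JAVA_HOME=%s/bin/java\n' "$jdk" > "$root/bad.service"

    g=0; check_unit_java_home "$root/good.service" "$root/usr/bin/java" || g=$?
    b=0; check_unit_java_home "$root/bad.service"  "$root/usr/bin/java" || b=$?
    found=$(java_home_from "$root/usr/bin/java")
    rm -rf "$root"
    echo "good=$g bad=$b home=${found#"$root"}"
}
```

On a real server the call would be check_unit_java_home /etc/systemd/system/tomcat.service "$(command -v java)".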

Step 4: Installing the Jamf Pro Server Tools CLI

  1. Download the Jamf Pro Server Tools CLI. For instructions, see the Jamf Pro Server Tools Command-Line Interface article.
  2. Configure the Tomcat directory by executing a command similar to the following:
    jamf-pro config set --tomcat-dir /opt/tomcat
  3. Configure the Tomcat service by executing a command similar to the following:
    jamf-pro config set --tomcat-service tomcat.service

Jamf highly recommends that you regularly create backups as you work toward a fully configured and operational Jamf Pro. For instructions, see Backing Up the Database.

Note:

You can also download the Jamf Pro Server Tools GUI by clicking the following link: https://archive.services.jamfcloud.com/jamf-pro-server-tools/release/latest/gui/server-tools.jar

For more information, see the Jamf Pro Server Tools Overview article.

Step 6: Allocating Additional Memory to Tomcat

Note:

To accommodate a large number of computers in Jamf Pro, it may be necessary to allocate additional Java Virtual Machine (JVM) memory to Tomcat. If there are other services running on your server, make sure to leave enough memory to accommodate them when configuring the --max-memory setting with Jamf Pro Server Tools.

  1. Open Terminal.
  2. Set the minimum Tomcat memory by executing the following command:
    jamf-pro server config set --min-memory 256M
  3. Set the maximum Tomcat memory by executing the following command:
    jamf-pro server config set --max-memory 512M

Step 7: Configuring the Firewall

Requirements

The firewall is not enabled by default in Ubuntu. However, it is highly recommended that you enable and configure the firewall on any production systems.

  1. Check to see if the firewall is running by executing the following command:
    sudo ufw status
  2. If the firewall is not running, enable it by executing the following command:
    sudo ufw enable
  3. Edit the firewall configuration to allow access to port 8443 by executing the following commands:
    sudo ufw allow 8443/tcp
    sudo ufw reload

For more information, see Firewall in the Ubuntu Server Guide.

Step 8: Installing Jamf Pro

  1. (Optional) Create a /tmp/jamf directory in which to temporarily store downloads, tools, and scripts for Jamf Pro by executing:
    mkdir /tmp/jamf
  2. (Optional) Copy the ROOT.war file from the Jamf Pro manual download archive to the /tmp/jamf directory that you just created.
  3. Stop the Tomcat service by executing:
    sudo systemctl stop tomcat

    or

    sudo service tomcat stop
  4. Move the default Tomcat web app out of the way by executing:
    sudo mv /opt/tomcat/webapps/ROOT /opt/tomcat/webapps/TOMCAT
  5. Copy the Jamf Pro web app archive to the Tomcat webapps directory by executing a command similar to the following:
    sudo cp /tmp/jamf/ROOT.war /opt/tomcat/webapps/
  6. Assign appropriate access to the ROOT.war by executing:
    sudo chown tomcat:tomcat /opt/tomcat/webapps/ROOT.war
    sudo chmod 750 /opt/tomcat/webapps/ROOT.war
  7. Generate a keystore to enable SSL for Tomcat by executing a command similar to the following with the keypass, storepass, dname, and validity values customized for your environment:
    sudo keytool -genkey -alias tomcat -keyalg RSA \
      -keypass "changeit" -storepass "changeit" \
      -dname "CN=jamf.mycompany.com, OU=Jamf IT, O=Jamf, L=Minneapolis, ST=MN, C=US" \
      -keystore /opt/tomcat/keystore -validity <numdays>

    Make sure to enter the following attributes as appropriate to your site:

    Attribute  Value                                      Example
    CN=        Fully qualified domain name of the server  jamf.mycompany.com
    OU=        Organizational unit                        Jamf IT
    O=         Organization                               Jamf
    L=         Location (city or office)                  Minneapolis
    ST=        State, province, or county                 MN
    C=         Country or region                          US
  8. Back up the Tomcat server.xml configuration file by executing:
    sudo cp /opt/tomcat/conf/server.xml /opt/tomcat/conf/server.xml.bak
  9. Open the server.xml configuration file in a text editor with a command similar to:
    sudo vi /opt/tomcat/conf/server.xml
  10. Locate the following comment section in the file (note that this is the Connector on port 8443, not the Connector on port 8443 with HTTP/2 section):
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
            This connector uses the NIO implementation.
            ...
    -->
  11. Replace the commented-out Connector tag (enclosed by an initial <!-- and trailing -->) immediately following the comment (shown in 1 below) with the Connector tag text shown in 2 below:

    1. <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
           ...
      -->
      <!--<Connector port="8443" ...
        ...
      />
      -->

    2. <Connector URIEncoding="UTF-8"
                 server="Apache Tomcat"
                 port="8443"
                 executor="tomcatThreadPool"
                 SSLEnabled="true"
                 maxPostSize="-1"
                 scheme="https"
                 protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
                 secure="true">
        <SSLHostConfig sslProtocol="TLS"
                       protocols="TLSv1.2"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" >
          <Certificate type="RSA"
                       certificateKeystoreFile="/opt/tomcat/keystore"
                       certificateKeystorePassword="changeit" />
        </SSLHostConfig>
      </Connector>
  12. Before saving the file, ensure the certificateKeystorePassword value in the Certificate element is set to the value you used for storepass when creating the keystore.
  13. Save the server.xml file.
  14. Open the log4j2.xml file and change all of the log file paths from the following:
    fileName="/Library/JSS/Logs/[filename].log"
    filePattern="/Library/JSS/Logs/[filename].log.%i">

    to:

    fileName="/usr/local/jss/logs/[filename].log"
    filePattern="/usr/local/jss/logs/[filename].log.%i">
  15. Start the tomcat service by executing:
    sudo systemctl start tomcat

    or

    sudo service tomcat start

    The Tomcat service will automatically unpack the ROOT.war file into a ROOT directory in the webapps directory.
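Steps 7 and 12 both depend on the sample "changeit" password being replaced, and the Connector pins protocols to TLSv1.2. The following added example (not Jamf's tooling) checks an edited server.xml for both; the function names and the embedded XML are constructed, and only the comma-separated protocols form shown above is handled.

```shell
# Static checks on the active TLS Connector in server.xml.
# Print FILE with <!-- ... --> comments removed (they may span lines).
strip_xml_comments() {
    awk '{
        out = ""; rest = $0
        while (rest != "") {
            tag = inside ? "-->" : "<!--"
            i = index(rest, tag)
            if (i == 0) { if (!inside) out = out rest; rest = "" }
            else {
                if (!inside) out = out substr(rest, 1, i - 1)
                rest = substr(rest, i + length(tag)); inside = !inside
            }
        }
        print out
    }' "$1"
}

# xml_attr NAME FILE: first value of NAME="..." outside comments.
xml_attr() {
    strip_xml_comments "$2" | grep -o "$1=\"[^\"]*\"" | head -n 1 | cut -d'"' -f2
}

# Print one finding per line; return 1 if there are any.
audit_connector() {
    pass=$(xml_attr certificateKeystorePassword "$1")
    protos=$(xml_attr protocols "$1")
    status=0
    case $pass in
        '')       echo "no certificateKeystorePassword outside comments"; status=1 ;;
        changeit) echo "certificateKeystorePassword is still the sample value"; status=1 ;;
    esac
    # Assumption: protocols is a plain comma-separated list, as on this page.
    for p in $(printf '%s' "$protos" | tr ',' ' '); do
        case $p in
            TLSv1|TLSv1.1|SSLv3|SSLv2Hello|all) echo "legacy protocol: $p"; status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample: one commented-out Connector, one active Connector.
demo_audit() {
    d=$(mktemp -d)
    cat > "$d/sample.xml" <<'EOF'
<!-- <Connector port="8443" certificateKeystorePassword="ignored"
                protocols="TLSv1" /> -->
<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.1,TLSv1.2">
    <Certificate certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>
EOF
    sed -e 's/"changeit"/"constructed-secret"/' -e 's/TLSv1\.1,//' "$d/sample.xml" > "$d/fixed.xml"
    a=$(audit_connector "$d/sample.xml" | wc -l | tr -d ' ')
    b=0; audit_connector "$d/fixed.xml" > /dev/null || b=$?
    rm -rf "$d"
    echo "sample_findings=$a fixed_status=$b"
}
```

Against the installation described here, the call would be audit_connector /opt/tomcat/conf/server.xml, run with enough privilege to read the file.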

Step 9: (Optional) Disabling TLS 1.0 and 1.1 in Java 11

If you are using the TLS 1.0 or 1.1 protocols in Java 11 for any existing workflows, it is recommended that you disable them since they are deprecated. For instructions, see the Disabling TLS 1.0 and 1.1 in Java 11 article.

Step 10: Connecting to the Jamf Pro Server

  1. Configure the database connection settings using Jamf Pro Server Tools GUI or CLI. For instructions, see the Editing the Database Connection Using Jamf Pro Server Tools article.
  2. Access Jamf Pro by opening a web browser and typing the protocol, IP address or hostname of the server, and port. For example: https://JAMF_PRO_URL.com:8443
    Note:

    Some web browsers may initially prevent access to Jamf Pro on port 8443 and may produce an "invalid certificate" error. If this error occurs, do the following:

    1. Enter your Jamf Pro server URL in the web browser's address bar using "http" and port 8080 (e.g., "http://JAMF_PRO_URL:8080").

    2. When prompted by the Jamf Pro setup assistant for the Jamf Pro URL, enter your Jamf Pro server URL using "https" and port 8443 (e.g., https://JAMF_PRO_URL.com:8443).

    You can begin using your Jamf Pro server URL to access Jamf Pro after you have uploaded a valid certificate and restarted Tomcat. For more information, see SSL Certificate in the Jamf Pro Documentation.