Manually Installing Jamf Pro on Windows

This section provides a basic set of steps for manually installing and configuring Jamf Pro on Windows Server.

Note:

The supporting scripts and configuration used for manual installation differ from an installation using the Jamf Pro Installer for Windows. If you do not want to manually install Jamf Pro, you can use the Jamf Pro Installer for Windows. For information about obtaining the installer and installation instructions, see Installing Jamf Pro Using the Installer.

Note:

If you are upgrading to Tomcat 8.5, you will need to manually modify the server.xml file to make it compatible with Tomcat 8.5. For more information, see the Server.xml Changes for Tomcat 8.5 article.

General Requirements

Note:

The Jamf Pro web app and the MySQL database can be installed on the same server or different servers. You may want to install the MySQL database on a different server if you have a larger environment that requires more resources. Additional configuration is required to implement this scenario. For more information, see Installing the Jamf Pro Web App and MySQL on Different Servers.

The server used to host Jamf Pro should meet the minimum requirements for operating system, Tomcat version, database configuration, and Java installation. For additional information on these Jamf Pro Server Environment requirements, see the Jamf Pro Release Notes for your version of Jamf Pro.

In addition, the following resources are recommended as the minimum allocation for a typical installation of Jamf Pro:

Windows
  • A 64-bit capable Intel processor

  • 8 GB of RAM

  • 150 GB of disk space available

  • Ports 8443 and 8080 available

In environments where the double-byte character set encoding is required, use English as the system language for the server used to host Jamf Pro to avoid potential display issues.

Full local administrator privileges are required to install Jamf Pro on Windows Server. If you are unable to install Jamf Pro, Group Policy Object restrictions may be the cause. Check the GPO settings or contact someone in your organization who can ensure that GPO restrictions allow you full administrator privileges.

Note:

You will need to manually add a firewall exception for port 8443.

You must also obtain the following to manually install Jamf Pro:
  • Jamf Pro web app (ROOT.war): To obtain this item in the Jamf Pro manual installation archive, log in to Jamf Account and navigate to the Products page for Jamf Pro.
  • Jamf Pro Server Tools Command-Line Interface (CLI): Instructions for obtaining this item are provided below.

Note:

Each installation of Jamf Pro and its required services is unique, and requirements, such as Jamf Pro web app memory, may vary depending on your implementation. For information about allocating additional memory to the Jamf Pro web app, see Jamf Pro Web App Memory.

If you have questions regarding scaling your environment's resources beyond the typical recommendations, contact Jamf Support.

Step 2: Installing Tomcat

Apache Tomcat is the web application server that runs Jamf Pro.

Jamf tests each version of Jamf Pro with the corresponding version of Tomcat listed in the Apache Tomcat Versions Installed by the Jamf Pro Installer article. You are highly encouraged to install the version of Tomcat associated with the version of Jamf Pro you are installing.

The following instructions explain how to manually configure Tomcat to use a self-signed SSL certificate on port 8443.

  1. In a web browser, open the Tomcat 8 download page: https://tomcat.apache.org/download-80.cgi
  2. If you need the latest version of Tomcat:
    1. On the Tomcat 8 download page, navigate to Tomcat 8.5.x > Binary Distributions > Core.
    2. Click the "32-bit/64-bit Windows Service Installer" link to download the installer.
  3. If you need a previous version of Tomcat:
    1. On the Tomcat 8 download page, navigate to the Quick Navigation section and click Archives.
    2. Click the folder for the version of Tomcat that you want.
    3. Click the bin/ folder.
    4. Click the "apache-tomcat-8.5.x.exe" link to download the installer.
  4. Launch the Apache Tomcat 8.5.x Windows Service Installer.
  5. Follow the onscreen instructions, and choose Minimum from the Select the type of install pop-up menu.
  6. Expand the option for Tomcat and select the Service Startup option to customize the install.
    Note:

    Selecting the Service Startup option automatically starts Tomcat when the computer starts.

  7. Click Next and use the default settings to configure the rest of the installation.

Step 3: Installing the Jamf Pro Server Tools CLI

  1. Download the Jamf Pro Server Tools CLI. For instructions, see the Jamf Pro Server Tools Command-Line Interface article.
  2. Open Command Prompt.
  3. Configure the Tomcat directory by executing a command similar to the following:
    jamf-pro config set --tomcat-dir "C:\Program Files\Apache Software Foundation\Tomcat 8.5"
  4. Configure the Tomcat service by executing a command similar to the following:
    jamf-pro config set --tomcat-service Tomcat8

Jamf highly recommends that you regularly create backups as you work toward a fully configured and operational Jamf Pro. For instructions, see Backing Up the Database.

Note:

You can also download the Jamf Pro Server Tools GUI by clicking the following link: https://archive.services.jamfcloud.com/jamf-pro-server-tools/release/latest/gui/server-tools.jar

For more information, see the Jamf Pro Server Tools Overview article.

Step 4: Allocating Additional Memory to Tomcat

You can allocate additional memory to Tomcat by using one of the following methods:

  1. Allocating Additional Memory to Tomcat Using the Jamf Pro Server Tools CLI:
    1. Open Command Prompt.
    2. Set the minimum Tomcat memory by executing the following command:
      jamf-pro server config set --min-memory 256M
    3. Set the maximum Tomcat memory by executing the following command:
      jamf-pro server config set --max-memory 512M
  2. Manually Allocating Additional Memory to Tomcat:

    The default Java Maximum Memory Pool for Tomcat on Windows is set to 256 MB. This should be increased to at least 512 MB. To accommodate a large number of computers in Jamf Pro, you will have to allocate additional Java Virtual Machine (JVM) memory to Tomcat. If other services are running on your server, make sure to leave enough memory to accommodate them.

    1. Open the Tomcat8w.exe application found in the C:\Program Files\Apache Software Foundation\Tomcat 8.5\bin path.
    2. Click the Java tab.
    3. Enter the amount of memory you want to allocate in the Maximum Memory Pool field.
    4. Click Apply.
    5. Open Command Prompt and start Tomcat by executing:
      net start Tomcat8

      The Tomcat service should be running and will automatically unpack the ROOT.war file into a ROOT directory in the webapps directory.

Step 5: Creating the Jamf Pro Database

A MySQL database must be created before you can install Jamf Pro.

You can create the Jamf Pro database using one of the following methods:

Step 6: Installing Jamf Pro

  1. (Optional) Create a C:\temp\jamf directory in which to temporarily store downloads, tools, and scripts for Jamf Pro by executing:
    mkdir C:\temp\jamf
  2. Copy the ROOT.war file from the Jamf Pro manual download archive to the C:\temp\jamf directory that you just created.
  3. Open Command Prompt.
  4. Stop Tomcat by executing:
    net stop Tomcat8
  5. Rename the ROOT web app directory to something like TOMCAT in Windows Explorer or at the Command Prompt by executing a command similar to the following:
    move "C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\ROOT" "C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\TOMCAT"
  6. Copy the Jamf Pro ROOT.war web app to the Tomcat webapps directory in Explorer or at the Command Prompt by executing a command similar to the following:
    copy C:\temp\jamf\ROOT.war "C:\Program Files\Apache Software Foundation\Tomcat 8.5\webapps\"
  7. Generate a keystore to enable SSL for Tomcat by executing a command similar to the following:
    "C:\Program Files\Amazon Corretto\jdk11.0.3_7\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -keypass "changeit" -storepass "changeit" -dname "CN=jamf.mycompany.com, OU=Jamf IT, O=Jamf, L=Minneapolis, ST=MN, C=US" -keystore "C:\Program Files\Apache Software Foundation\Tomcat 8.5\keystore" -validity <numdays>

    Make sure to change the following attributes as appropriate to your site:

    Attribute   Value                                        Example
    CN=         Fully qualified domain name of the server    jamf.mycompany.com
    OU=         Organizational unit                          Jamf IT
    O=          Organization                                 Jamf
    L=          Location (city or office)                    Minneapolis
    ST=         State, province, or county                   MN
    C=          Country or region                            US
  8. Back up the Tomcat server.xml configuration file by executing a command similar to the following:
    copy "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml" "C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml.bak"
  9. Open the server.xml configuration file.
    Note:

    You can do this with WordPad, as long as the file is saved as a plain text document named server.xml.

  10. Locate the following comment section in the file (note that this is the "Connector on port 8443" section, not the "Connector on port 8443 with HTTP/2" section):
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
            This connector uses the NIO implementation.
            ...
    -->
  11. Replace the commented out (initial <!-- and trailing -->) Connector tag immediately following the comment (shown in "a" below) with the Connector tag text shown in "b" below:

    a. <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
           ...
      -->
      <!--
      <Connector port="8443" ...
        ...
      />
      -->

    b. <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
                 This connector uses the NIO implementation that requires the
                 JSSE style configuration. When using the APR/native
                 implementation, the OpenSSL style configuration is required
                 as described in the APR/native documentation -->
      <Connector URIEncoding="UTF-8"
                 server="Apache Tomcat"
                 port="8443"
                 executor="tomcatThreadPool"
                 SSLEnabled="true"
                 maxPostSize="-1"
                 scheme="https"
                 protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
                 secure="true">
        <SSLHostConfig sslProtocol="TLS"
                       protocols="TLSv1.2"
                       honorCipherOrder="true"
                       certificateVerification="none"
                       ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
                                TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
                                TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
                                TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA" >
          <Certificate type="RSA"
                       certificateKeystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.5\keystore"
                       certificateKeystorePassword="changeit" />
        </SSLHostConfig>
      </Connector>
  12. Go back to Command Prompt, and add a rule to the firewall configuration to allow access to port 8443 by executing:
    netsh advfirewall firewall add rule name=Jamf_Secure dir=in action=allow protocol=TCP localport=8443
  13. Open the log4j2.xml file and change all of the log file paths from the following:
    fileName="/Library/JSS/Logs/[filename].log"
    filePattern="/Library/JSS/Logs/[filename].log.%i">

    to:

    fileName="C:\Program Files\JSS\logs\[filename].log"
    filePattern="C:\Program Files\JSS\logs\[filename].log.%i">
  14. Start Tomcat by executing the following command:
    net start Tomcat8
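
The check below is an added example, not part of the Jamf documentation or Jamf's tooling: a PowerShell function that reads the HTTPS Connector configured in steps 7 to 11 and reports deprecated protocols, static-ECDH and CBC cipher suites, and the example keystore password "changeit". The function name, the check names and the shortened sample XML are constructed for illustration.

```powershell
# Added example (not Jamf's code). $sample is a constructed, shortened copy
# of the Connector from step 11; the function name and checks are assumptions.
$sample = @'
<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2" honorCipherOrder="true"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
                            TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA">
      <Certificate type="RSA"
                   certificateKeystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.5\keystore"
                   certificateKeystorePassword="changeit" />
    </SSLHostConfig>
  </Connector>
</Service></Server>
'@

function Test-TomcatTlsConnector {
    param([Parameter(Mandatory)][xml]$ServerXml)
    function Finding($Port, $Check, $Detail) {
        [pscustomobject]@{ Port = $Port; Check = $Check; Detail = $Detail }
    }
    foreach ($conn in $ServerXml.SelectNodes("//Connector[@SSLEnabled='true']")) {
        $port = $conn.GetAttribute('port')
        foreach ($hostCfg in $conn.SelectNodes('SSLHostConfig')) {
            # Assumes a comma-separated protocol list, as in the page's Connector.
            $protos = @($hostCfg.GetAttribute('protocols') -split ',' |
                ForEach-Object { $_.Trim().TrimStart('+') } | Where-Object { $_ })
            if ($protos.Count -eq 0) { Finding $port 'ProtocolsNotSet' 'Tomcat/JVM defaults apply' }
            foreach ($p in $protos) {
                if ($p -notin 'TLSv1.2', 'TLSv1.3') { Finding $port 'OldProtocol' $p }
            }
            # Assumes JSSE-style suite names separated by commas.
            $suites = @($hostCfg.GetAttribute('ciphers') -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
            foreach ($s in $suites) {
                if ($s -match '^TLS_ECDH_') { Finding $port 'StaticECDH' $s }  # no forward secrecy
                if ($s -match '_CBC_')      { Finding $port 'CbcMode' $s }     # prefer the GCM suites
            }
            foreach ($cert in $hostCfg.SelectNodes('Certificate')) {
                # "changeit" is the password used in the keytool example in step 7.
                if ($cert.GetAttribute('certificateKeystorePassword') -ceq 'changeit') {
                    Finding $port 'ExampleKeystorePassword' $cert.GetAttribute('certificateKeystoreFile')
                }
            }
        }
    }
}

Test-TomcatTlsConnector -ServerXml $sample | Format-Table -AutoSize
```

To audit a real installation, pass the contents of conf\server.xml (read with Get-Content -Raw) as -ServerXml in place of $sample.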

Step 7: (Optional) Disabling TLS 1.0 and 1.1 in Java 11

If you are using the TLS 1.0 or 1.1 protocols in Java 11 for any existing workflows, it is recommended that you disable them since they are deprecated. For instructions, see the Disabling TLS 1.0 and 1.1 in Java 11 article.

Step 8: Connecting to the Jamf Pro Server

  1. Configure the database connection settings using Jamf Pro Server Tools GUI or CLI. For instructions, see the Editing the Database Connection Using Jamf Pro Server Tools article.
  2. Access Jamf Pro by opening a web browser and typing the protocol, IP address or hostname of the server, and port. For example: https://JAMF_PRO_URL.com:8443
    Note:

    Some web browsers may initially prevent access to Jamf Pro on port 8443 and may produce an "invalid certificate" error. If this error occurs, do the following:

    1. Enter your Jamf Pro server URL in the web browser's address bar using "http" and port 8080 (e.g., "http://jamf.mycompany.com:8080").

    2. When prompted by the Jamf Pro setup assistant for the Jamf Pro URL, enter your Jamf Pro server URL using "https" and port 8443 (e.g., https://JAMF_PRO_URL.com:8443).

    You can begin using your Jamf Pro server URL to access Jamf Pro after you have uploaded a valid certificate and restarted Tomcat. For more information, see SSL Certificate in the Jamf Pro Documentation.