Primary and Secondary Web Application Responsibilities

This article describes which tasks are performed by the primary and secondary web applications in a clustered Jamf Pro configuration.

The primary web application handles recurring, scheduled, or batched (queued) communication. Other communication is handled by the server you are logged in to.

App Distribution

Task

Description

App Notifications

The primary web application is responsible for consuming items off the app push notification queue and sending the contents via the Jamf Push Proxy.

App Store Updates

The primary web application is responsible for checking with Apple for any updates available for apps that have automatic App Updates enabled. The primary web application will send the Install Application command to any devices identified as needing an update at the scheduled time.

In-House Apps

The primary web application is responsible for issuing commands to validate that in-house apps installed on managed devices do not have provisioning profiles that have expired or become invalidated.

Apple Services

Task

Description

Apple School Manager/Apple Business Manager

The primary web application is responsible for syncing data between the configured Apple School Manager/Apple Business Manager instance and Jamf Pro. This includes recurring scheduled syncs, as well as manually initiated syncs performed while logged in to a secondary web application.

DEP Device Monitor

This monitor collects information about devices that have been added to Automated Device Enrollment (formerly DEP) portals and assigned to the Jamf Pro MDM server. It is run by the primary web application. Any manually initiated refreshes are performed by the web application the user is logged in to.

Note: Starting with Jamf Pro 10.20.0, all Automated Device Enrollment communication with Apple occurs over the primary web application, with two-minute intervals between each sync.

VPP License Monitor

This monitor collects information from Apple's Volume Purchasing (formerly VPP) API on a scheduled basis. It is run from the primary web application. Any manually initiated updates for volume content are performed by the web application the user is logged in to.

Certificate Services

Task

Description

Active Directory Certificate Services (AD CS)

One monitor executes exclusively on the primary web application to monitor the certificate renewal process and determine when devices need an updated certificate. It is important that all web applications are able to communicate with the configured AD CS Connector.

Certificate Revocation

The primary node will contact the associated certificate authority (CA) to revoke certificates. It is important that the primary web application can communicate with the configured CAs.

SCEP Proxy

Requests related to the SCEP Proxy are handled by the web application that receives the request. Therefore, it is important that all web applications are able to communicate with the configured SCEP service.

Distribution Points

Task

Description

JCDS Package Status Monitor

The primary web application is responsible for regularly checking the status of pending uploads to the Jamf Cloud Distribution Service (JCDS) and making sure that they are reflected correctly in the Jamf Pro web application. It is also responsible for periodically refreshing the token used for communicating with the JCDS.

Jamf Pro Core

Task

Description

Automated Management

The primary web application is responsible for performing automated management tasks on a device when the device is a member of a group that has been configured with automated management.

Database Schema Updates

When the primary web application starts, it checks for changes between the current database schema and the database schema module. If inconsistencies are found, the primary web application performs the necessary modifications. It is important to enable clustering within the Jamf Pro server web interface before pointing any secondary web applications to the database. Otherwise, all the secondary web applications will attempt to control the database schema version.

Log Flushing

Scheduled log flushing is performed by the primary web application. The scheduled time is relative to the system time on the server hosting the primary web application. Manual log flushing is initiated by the web application that the administrator is logged in to when the action is triggered in the Jamf Pro web interface.

MDM Command Queue

Any commands that fall into the MDM command queue are sent from the primary web application. All other commands are sent by the web application the client is connected to when the initial push is created or sent. For example, when a device submits inventory information to a web application and this results in a smart group change, the issued MDM command is sent by the web application that the device submitted the inventory information to. Scheduled commands, such as Update Inventory, are handled by the primary web application. If a command fails or needs to be resent at a later time, the command is added to the MDM command queue and handled by the primary web application.

Smart Group Calculations

Groups with criteria based on a date or time are calculated by the primary web application relative to the system time on the server hosting the primary web application. All other smart group calculations are performed by the web application the device submitted its inventory information to or the web application the Jamf Pro administrator is connected to when creating or editing the group.

Jamf Pro Integrations

Task

Description

Cache Configuration

The primary web application is responsible for keeping other nodes in the cluster up to date with the currently configured cache settings, with the exception of cache type, which needs to be configured for each web application.

Change Management Logs

Each web application is responsible for sending its own Change Management log to the syslog server.

Customer Experience Metrics

The primary web application is responsible for sending Customer Experience Metrics to Jamf.

Email Notifications

The web application that receives a task which triggers an email notification is the web application responsible for sending the message to the SMTP server. Emails that are sent exclusively from the primary are the ones that result from tasks only the primary completes. For example, the primary runs the VPP License Monitor and is thereby responsible for sending email notifications when the license limit is exceeded. However, smart group calculations that trigger an email notification are sent from the same web application that performed the smart group calculation. It is important to ensure that the connectivity to your SMTP server is available from all web applications within a clustered environment.

Global Service Exchange (GSX)

GSX lookups are sent by the web application the client is connected to when communication is initiated. The web application initiates the call to Apple's GSX API to retrieve warranty information.

Healthcare Listener

The primary web application is responsible for sending email notifications to the configured recipient when commands issued as part of the Healthcare Listener workflow fail to complete successfully.

Jamf Infrastructure Manager

The primary web application is responsible for issuing notifications when a Jamf Infrastructure Manager has not been in contact with Jamf Pro for an extended period of time.

LDAP Queries

LDAP lookups are performed by the web application that the underlying task resulted from. For example, when logging in to the Jamf Pro server web interface or Jamf Pro applications, the web application that you are connected to during the login process is responsible for making the LDAP connection. Similarly, when a client computer checks in for policies that are limited by LDAP user group memberships, the web application the client computer is connected to is responsible for performing the LDAP lookup. It is important to ensure that the connectivity to your LDAP server is available from all web applications within a clustered environment.

Patch Software Titles

The primary web application is responsible for checking for updates to Patch Software Titles.

Push Proxy Token Refresh

The primary web application is responsible for communicating with the Jamf Authorization Server to refresh the authentication token used to communicate with the Jamf Push Proxy.

Self Service Object Notifications

The primary web application is responsible for going through Self Service notifications for Patch and reissuing notifications if they have exceeded the reminder time.

Microsoft Intune Integration

The primary web application is responsible for scheduled communication to Microsoft Intune (e.g., Heartbeat communication). Other communication, such as submitting device inventory updates to Microsoft Intune, is sent from the web application that the inventory report was submitted to.
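
The connectivity requirements stated above for the AD CS Connector, SCEP service, SMTP, LDAP, syslog, and certificate authorities can be checked per node before firewall rules are tightened. The following is an added example, not Jamf code: the dependency labels, hostnames, and ports are assumptions chosen for illustration, and the script is meant to be run on each web application host with that host's real endpoints.

```python
import socket

# Which nodes must reach each dependency, per the statements in this article.
# The labels are shorthand chosen for this example.
REQUIRED_BY = {
    "ad_cs_connector": "all",            # all web applications must reach the connector
    "scep_service": "all",               # SCEP Proxy requests are handled by the receiving node
    "smtp": "all",                       # email is sent by the node that received the task
    "ldap": "all",                       # lookup is made by the node the task resulted from
    "syslog": "all",                     # each node sends its own Change Management log
    "certificate_authority": "primary",  # revocation is performed by the primary
}

def required_for(role):
    """Dependencies a node with this role ('primary' or 'secondary') must reach."""
    return sorted(d for d, who in REQUIRED_BY.items() if who in ("all", role))

def tcp_probe(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit_node(role, endpoints, probe=tcp_probe):
    """Return required dependencies that are unconfigured or unreachable.

    endpoints maps a dependency label to (host, port) as seen from this node.
    """
    problems = {}
    for dep in required_for(role):
        if dep not in endpoints:
            problems[dep] = "not configured"
        elif not probe(*endpoints[dep]):
            problems[dep] = "unreachable"
    return problems

# Constructed sample: .example hostnames and ports are placeholders.
SAMPLE_ENDPOINTS = {
    "ad_cs_connector": ("adcs-connector.example", 443),
    "scep_service": ("scep.example", 443),
    "smtp": ("mail.example", 587),
    "ldap": ("ldap.example", 636),
    "syslog": ("syslog.example", 6514),
}
```

An empty result from `audit_node` means every dependency the article requires for that role answered; a non-empty result names the rule or route to fix on that specific host.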