Using IIS to Enable HTTPS Downloads on a Windows Server 2016 or 2019 File Share Distribution Point

This article explains how to activate Internet Information Services (IIS) and use it to enable HTTPS downloads on a Windows Server 2016 or 2019 file share distribution point.

The following steps are described in detail below:

  1. Adding the Web Server (IIS) Role
  2. Adding a Virtual Directory Using the IIS Manager
  3. Adding the Certificate Snap-in in the Microsoft Management Console (MMC)
  4. Creating a Certificate Signing Request
  5. Generating an SSL Certificate Using the Jamf Pro Built-in Certificate Authority
  6. Importing the Jamf Pro CA Root Certificate
  7. Importing the New SSL Certificate
  8. Configuring Bindings Using the IIS Manager Console
  9. Verifying an Account is Available to Access the File Share Over HTTPS
  10. Enabling Basic Authentication for the jamf_share
  11. Adding MIME Types to the Virtual Directory
  12. Enabling HTTPS Downloads in Jamf Pro

General Requirements

  • Knowledge of the credentials (the read-only account) used to access the file share.

  • An existing SMB file share being used as a Jamf Pro distribution point.

Note: The example Jamf SMB file share used in this article is jamf_share, located in D:\jamf_share.

Step 1: Adding the Web Server (IIS) Role

Requirements

If the Web Server (IIS) role is not already activated, add the Web Server (IIS) role using Server Manager.

  1. Select Server Manager from the Start menu.
  2. Click Add roles and features.
  3. Follow the onscreen instructions for installing the Web Server (IIS) server role. Be sure that the Basic Authentication checkbox is selected in the Role Services list.

Step 2: Adding a Virtual Directory Using the IIS Manager

Add a virtual directory using the IIS Manager, and link the new file share to the existing file share. The existing file share is defined in Jamf Pro on the Computer Management > File Share Distribution Points page.

  1. Choose Server Manager from the Start menu.
  2. Choose Internet Information Services (IIS) Manager from the Tools menu.
    Note: If Internet Information Services (IIS) Manager was already open, you must close it and reopen it.

  3. Right-click Default Web Site, and choose Add Virtual Directory.

  4. Type jamf_share in the Alias field, enter the physical path to jamf_share, and then click OK.

Step 3: Adding the Certificate Snap-in in the Microsoft Management Console (MMC)

  1. Open the Run window and enter mmc.

  2. Choose Add/Remove Snap-in from the File menu.

  3. Select Certificates in the left pane, and then click Add.
  4. Select Computer account and click Next.

  5. Select Local computer and click Finish.

  6. Click OK to exit the wizard.

The Certificates snap-in will now appear in the left pane of the MMC window.

Step 4: Creating a Certificate Signing Request

  1. Expand Console Root and Certificates in the left pane of the MMC window.
  2. Right-click the Personal certificate store and select All Tasks > Advanced Operations > Create Custom Request.

  3. Click Next to continue.
  4. Select Proceed without enrollment policy, and then click Next.

  5. In the Custom Request window, select (No template) CNG key from the pop-up menu, make sure PKCS #10 is selected, and then click Next.

  6. In the Certificate Information window, expand the details on the custom request, and then click Properties.

  7. On the General tab, enter a friendly name and description of your choice.
  8. On the Subject tab, click the Type pop-up menu in the Subject name pane. Enter values for the following items, and click Add for each one:
    • Common name (The common name will match the DNS name.)
    • Organization
    • Organization unit
    • Locality
    • State
    • Country

  9. Still on the Subject tab, click the Type pop-up menu in the Alternative name pane. Select DNS from the pop-up menu, enter the Common Name/hostname in the Value field, and then click Add.
  10. On the Extensions tab, expand the Extended Key Usage section, select Server Authentication from the Available options list, and then click Add.

  11. On the Private Key tab, expand the Cryptographic Service Provider section, and ensure RSA, Microsoft Software Key Storage Provider is selected.

  12. Expand the Key options section, and ensure "Key size" is set to at least "2048".
  13. Expand the Select Hash Algorithm section, and select "sha256" or higher.

  14. Click Apply, and click OK.
  15. Click Next.
  16. When prompted to save the offline request, click Browse to select a location, include the .txt extension on the filename, and make sure File format is set to “Base 64”. Click Finish.

  17. Open the certificate request file that you saved previously, select all the text, and copy it to the clipboard.
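
The request built in the wizard above can also be produced with certreq.exe. This is an added example, not part of the original article. The host name, subject values and C:\Temp paths are placeholders, and the script must be run from an elevated PowerShell session because the key is created in the computer store.

```powershell
# Added example: scripted equivalent of the Create Custom Request wizard in Step 4.
# Placeholders (assumptions): $fqdn, the subject fields, and the C:\Temp paths.
$fqdn    = 'dp.mycompany.corp'            # DNS name of the distribution point
$infPath = 'C:\Temp\jamf_share.inf'
$csrPath = 'C:\Temp\jamf_share_csr.txt'   # Base 64 PKCS #10 request, as in step 16

# Each key below maps to a wizard setting:
#   MachineKeySet  -> Computer account store (Step 3)
#   ProviderName   -> RSA, Microsoft Software Key Storage Provider (step 11)
#   KeyLength      -> Key size of at least 2048 (step 12)
#   HashAlgorithm  -> sha256 or higher (step 13)
#   OID            -> Server Authentication extended key usage (step 10)
#   2.5.29.17      -> Subject alternative name of type DNS (step 9)
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn, OU=IT, O=My Company, L=City, S=State, C=US"
FriendlyName = "jamf_share HTTPS"
RequestType = PKCS10
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
"@

Set-Content -Path $infPath -Value $inf -Encoding Ascii
certreq.exe -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the request and confirm the key length, hash algorithm, DNS name and
# Server Authentication usage before pasting the file's text into Jamf Pro.
certutil.exe -dump $csrPath
```

The private key stays on the server; only the text in the request file is pasted into Jamf Pro in Step 5.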

Step 5: Generating an SSL Certificate Using the Jamf Pro Built-in Certificate Authority

  1. Log in to Jamf Pro, and click Settings in the upper-right corner.
  2. Navigate to Global Management > PKI Certificates > Manage Certificate Template, and then click Create Certificate from CSR.
  3. Paste the text from the certificate request file, select Web Server Certificate from the Certificate Type pop-up menu, and then click Create.
    Note: In Internet Explorer, the security settings may not allow you to download the certificate. You may need to add Jamf Pro to Trusted Sites and lower the security settings for Trusted Sites.

  4. If prompted to save the file, click Save.
  5. Click the Back button, and click Download CA Certificate.
  6. If prompted to save the file, click Save.
  7. Two certificates should now be available. Copy them to a location accessible by the Windows server.

Step 6: Importing the Jamf Pro CA Root Certificate

  1. Expand Trusted Root Certification Authorities in the left sidebar, right-click Certificates, and choose All Tasks > Import.
  2. Click Next in the Welcome to the Certificate Import Wizard window.
  3. Click Browse and find the CA certificate downloaded from Jamf Pro.
  4. Change the file type display option to "All Files (*.*)", select the Certificate Authority.pem file, and click Open.
  5. Click Next. Then, specify the file you want to import and the location where the file will be stored.
  6. Click Finish. A confirmation message should display indicating the import was successful.

Step 7: Importing the New SSL Certificate

  1. Right-click Web Hosting in the left sidebar, and choose All Tasks > Import.
  2. Click Next in the Welcome to the Certificate Import Wizard window.
  3. Click Browse and find the certificate for the virtual directory.
  4. Change the file type display option to "All Files (*.*)", select the certificate for the virtual directory, and then click Open.
  5. Click Next to initiate the file importing process and verify the location the certificate will be installed.
  6. Click Finish. A confirmation message should display indicating the import was successful.
  7. Close the management console without saving.

Step 8: Configuring Bindings Using the IIS Manager Console

  1. In the Connections pane, select Default Web Site, and then click Bindings in the Actions pane.
  2. Click Add.
  3. Set the Type to https, verify Port is set to 443, enter the FQDN for the distribution server in the Host name field, click the SSL certificate field, and choose the certificate that was imported.
  4. In the Site Bindings window, click http, click Remove, and click Yes when prompted.
  5. Close the Site Bindings window.

Step 9: Verifying an Account is Available to Access the File Share Over HTTPS

  1. In the Connections pane, select the virtual directory that you created, and then click Edit Permissions in the Actions pane.
  2. Click the Security tab, and then click Edit. In this example, "svc_jamfshare_ro (Jamf ReadOnly)" has the appropriate permissions.

Step 10: Enabling Basic Authentication for the jamf_share

  1. Click jamf_share in the Connections pane, and then double-click Authentication.
  2. Disable Anonymous Authentication and enable Basic Authentication.
    Note: Restarting the IIS Manager should remove the "SSL is not being enabled..." alert.

  3. Select Basic Authentication, and click Edit.
    Note: If Basic Authentication is not available, see Adding the Web Server (IIS) Role to add Basic Authentication to IIS.

  4. In the Default domain field, enter the domain in which the read-only account exists, and click OK.
  5. Click jamf_share in the Connections pane, and then click Advanced Settings in the Actions pane.
  6. Click the Ellipsis (...) button across from "Physical Path Credentials". (In this example, the "svc_jamfshare_ro" account information must be added to the Physical Path Credentials.)
  7. In the Connect As window, select Specific user, and click Set.
  8. Enter the credentials for the jamf_share read-only user, and click OK.
  9. Click OK in the Connect As window.
  10. Click OK in the Advanced Settings window.

Step 11: Adding MIME Types to the Virtual Directory

Add two MIME types to ensure the files (.dmg and .pkg) download properly.

  1. Double-click MIME Types.
  2. Click Add in the Actions pane.
  3. Enter .dmg in the File name extension field, enter file/download in the MIME type field, and then click OK.
  4. Click Add in the Actions pane again.
  5. Enter .pkg in the File name extension field, enter application/octet-stream in the MIME type field, and then click OK.
  6. Click the service in the Connections pane, and click Restart in the Actions pane.
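
Basic Authentication sends the read-only account's credentials encoded but not encrypted, so the share is only protected if the http binding is gone and anonymous access is off. The following added example (not part of the original article) reads back the settings from Steps 7 through 11; it assumes the WebAdministration module installed with the IIS management tools and the site and alias names used in this article.

```powershell
# Added example: read back the settings made in Steps 7-11. Run elevated on the server.
# Assumes the site name "Default Web Site" and the alias jamf_share used in this article.
Import-Module WebAdministration

$site   = 'Default Web Site'
$vdir   = "IIS:\Sites\$site\jamf_share"
$auth   = 'system.webServer/security/authentication'
$issues = @()

# Step 8: only an https binding should remain on the site.
$bindings = @(Get-WebBinding -Name $site)
if ($bindings | Where-Object { $_.protocol -eq 'http' }) {
    $issues += 'An http binding is still present; Basic credentials could travel unencrypted.'
}
$https = $bindings | Where-Object { $_.protocol -eq 'https' } | Select-Object -First 1
if (-not $https) {
    $issues += 'No https binding found.'
} else {
    # Steps 4 and 7: the bound certificate should match what the request asked for.
    $cert = if ($https.certificateHash) {
        Get-Item "Cert:\LocalMachine\$($https.certificateStoreName)\$($https.certificateHash)" -ErrorAction SilentlyContinue
    }
    if (-not $cert) {
        $issues += 'The https binding does not point to a certificate in the local machine store.'
    } else {
        if (-not $cert.HasPrivateKey)             { $issues += 'Certificate has no private key on this server.' }
        if ($cert.PublicKey.Key.KeySize -lt 2048) { $issues += 'Key size is below 2048 bits.' }
        if ($cert.NotAfter -lt (Get-Date))        { $issues += 'Certificate has expired.' }
        if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.5.5.7.3.1') {
            $issues += 'Server Authentication extended key usage is missing.'
        }
    }
}

# Step 10: anonymous access off, Basic Authentication on for the virtual directory.
$anon  = (Get-WebConfigurationProperty -PSPath $vdir -Filter "$auth/anonymousAuthentication" -Name enabled).Value
$basic = (Get-WebConfigurationProperty -PSPath $vdir -Filter "$auth/basicAuthentication" -Name enabled).Value
if ($anon)      { $issues += 'Anonymous Authentication is still enabled on jamf_share.' }
if (-not $basic) { $issues += 'Basic Authentication is not enabled on jamf_share.' }

# Step 11: both package extensions need a MIME mapping or IIS will not serve them.
foreach ($ext in '.dmg', '.pkg') {
    $map = Get-WebConfiguration -PSPath $vdir -Filter "system.webServer/staticContent/mimeMap[@fileExtension='$ext']"
    if (-not $map) { $issues += "No MIME type mapped for $ext." }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { 'jamf_share configuration matches Steps 7-11.' }
```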

Step 12: Enabling HTTPS Downloads in Jamf Pro

  1. Log in to Jamf Pro.
  2. Navigate to the distribution point on which HTTPS downloads will be enabled.
  3. Verify the fully qualified domain name is used in the Server field.
    Note: For the file share to be accessible off the local network, the server name / IP must be publicly routable.

  4. Click the HTTP/HTTPS tab and set the following:
    • Select Use HTTP downloads.

    • Select Use SSL.

    • Set the Port to 443.

    • In the Context field, enter the alias for the virtual directory that was created in IIS.

    • Choose Username and Password from the Authentication Type pop-up menu.

    • In the Username field, enter the read-only account to the file share.

    • Enter the password.

  5. Click Save.

Additional Information

To confirm HTTP distribution is working properly:
  1. Ensure Directory Browsing is enabled in IIS.
  2. Go to https://jss.mycompany.corp/jamf_share/Packages/myPackage.dmg.
  3. When prompted, enter your credentials.
  4. Enter the credentials for the read-only user on the file share.
  5. The package should download.