ActiveMQ comes bundled with a JMX host that is default on unauthenticated on port 1099.
Tomee's resource configuration doesn't allow this to be disabled. The above doesn't work.
This can be disabled by inspecting an activemq jar's manifest, pulling down the same version of activemq-all, and putting that in the tomee/lib directory, at which point this works:
However, convincing the guy hosting the server to inspect JAR manifests, pull down specific jars, and maintain a second configuration file seems like a lot of effort to go to just to have the ability to disable unauthenticated access to every MBean in the VM