Ok more research has lead me to:
where i've found i needed to edit the jmx-invoker-service.xml so that:
<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/jmx-console"/>
is uncommented. This allows me to use that secruity domain.
So next i need to work out JBoss roles etc so the developers can play with messgaing but can't shut the server down :-)