What's New

Compatibility with macOS, iOS, and tvOS

Jamf Pro 10.3.0 provides compatibility with macOS 10.13.4, iOS 11.3, and tvOS 11.3. This includes compatibility for the following management workflows:

  • Enrollment and inventory reporting

  • Configuration profiles

  • App deployment

  • Self Service installation

  • Self Service launches and connections

  • App deployment via Self Service

  • Policies

  • Restricted software

User Approved MDM Enrollment

User Approved MDM can now be managed with Jamf Pro. User Approved MDM is required for certain performance and security enhancements, like managing kernel extensions.

There are a number of ways in which a computer can be enrolled with Jamf Pro to achieve a User Approved MDM status. These include:

  • Enrollment in MDM prior to being upgraded to macOS 10.13.4

  • Enrollment via Apple’s Device Enrollment Program (DEP) using a PreStage enrollment

  • Enrollment via user-initiated enrollment with an MDM profile (new in Jamf Pro 10.3.0)

For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

User-Initiated Enrollment with an MDM Profile

User-initiated enrollment is one of the methods that results in a User Approved MDM status for eligible computers. Starting with Jamf Pro 10.3.0, users will be prompted to download either an MDM profile or QuickAdd package during user-initiated enrollment based on the version of macOS on their computer.

Enrollment Type

Applies To

Description

User-initiated enrollment with an MDM profile

macOS 10.13 or later

The user will be prompted to download and install a CA certificate (CA Certificate.mobileconfig) and then an MDM profile (enrollmentProfile.mobileconfig) during the user-initiated enrollment process. Users must manually return to the enrollment portal webpage after CA certification installation to install the MDM profile and complete the enrollment process.

Note: In environments with a trusted third-party signed SSL certificate in Jamf Pro, administrators may choose to skip the installation of the CA certificate and only require the installation of the MDM profile. To allow the CA certificate installation to be skipped, navigate to Settings > Global Management > User-Initiated Enrollment and select the Skip certificate installation during enrollment checkbox.

The QuickAdd package (jamf binary) is installed automatically after MDM enrollment is complete.

User-initiated enrollment with a QuickAdd package

macOS 10.12.6 or earlier

The user will be prompted to download and install a QuickAdd package during the user-initiated enrollment process.

Configuration Profiles

Computer Configuration Profile Enhancements

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Setting

OS Requirement

Description

Restrictions

Allow software update notifications

macOS 10.10 or later

You can now prevent software update notifications from displaying to end users. When this is selected, the computer will display the software update notifications.

Defer software updates

macOS 10.13.4 or later

You can now customize the number of days software updates can be deferred. The date the deferment period expires is based on the software update release date, not the time the configuration profile was installed. The default deferment value is 30 days.

Restrict App Store to software updates only

macOS 10.10 or later

You can now restrict app installations to software updates only. When this is selected, end users cannot install apps without limitations.

SmartCard

Enforce SmartCard use

macOS 10.13.2 or later

You can now require users to use their SmartCard to log in to and authenticate computers.

Important: If a user does not have a paired SmartCard at the time of configuration profile deployment, the user will be locked out of their computer.

Verify Certificate Trust

macOS 10.13.2 or later

The following options have been added to the Verify Certificate Trust pop-up menu for computers:

  • Check Certificate and Soft Revocation
    Unless the certificate is explicitly rejected by CRL/OCSP when the trust check is performed, it is considered valid.

  • Check Certificate and Hard Revocation
    Unless the certificate is explicitly found to be trusted by CRL/OCSP when the check is performed, it is considered invalid.

Mobile Device Configuration Profile Enhancements

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Setting

OS Requirement

Description

Restrictions

Allow proximity setup to new device

Supervised devices with iOS 11.0 or later

You can now prevent the prompt to set up new devices that are nearby from displaying to end users. This ensures that the security settings are not shared between devices that are close to one another.

Allow Touch ID/ Face ID to unlock device

N/A

You can now prevent devices from being unlocked using Face ID. When this is not selected, end users cannot use biometric authentication methods to unlock their devices.

Allow USB restricted mode

Supervised devices with iOS 11.3 or later

You can now require the end user to input the passcode to connect their device to any USB hardware. This option is selected by default. When it is not selected, the device will be able to connect to USB accessories when it is locked.

Defer software update

Supervised devices with iOS 11.3 or later

You can now defer software update notifications from displaying to end users for a maximum of 90 days after the software update release date. After 90 days, the software update notifications will appear. The default deferment value is 30 days.

Require Face ID authentication before AutoFill

Supervised devices with iOS 11.3 or later

You can now enforce the use of Face ID to automatically fill usernames and passwords in Safari. When this is selected, end users must use Face ID for authentication in Safari.

Require teacher permission to leave Classroom unmanaged classes

Supervised devices with iOS 11.3 or later

You can now prevent students from leaving the unmanaged classes that were created in the Classroom app. When this is selected, students enrolled in an unmanaged Classroom course need to request permission if they attempt to leave the course.

Computer Inventory Reporting Capabilities

User Approved MDM and DEP Enrollment

You can now view the statuses for the following attributes in the General category of a computer’s inventory information:

  • User Approved Enrollment (enrollment in MDM)

  • Enrolled via DEP

This information is collected and displayed for macOS 10.13.2 or later only.

Security

You can now view statuses for the following attributes in the Local User Account category of a computer’s inventory information:

  • Minimum Number of Complex Characters

  • Maximum Passcode Age

  • Password History

You can also view the status for the Disable Automatic Login attribute in the Security category of a computer's inventory information.

Smart Device Groups and Advanced Mobile Device Search Enhancements

Smart device groups and advanced mobile device searches now contain the ability to match certain criteria against a regular expression.

To use this feature in Jamf Pro, navigate to Devices > Smart Device Groups for a smart device group search or Devices > Search Inventory for an advanced mobile device search. Navigate to the Criteria tab, where you can now choose “matches regex” and “does not match regex” as an operator.

Microsoft Intune Integration Enhancements

  • An Azure administrator can now open the consent URL for the Jamf Native macOS Connector app to be added to your Azure AD tenant via the Microsoft Intune Integration settings. The Jamf Native macOS Connector app allows each registered computer to connect to Azure Active Directory to collect its device identifier.

  • Statuses for Azure Active Directory ID now appear in the Local User Account category of a computer’s inventory information.

PreStage Enrollment Enhancements

Additional Skip Steps

You can now select the following skip steps for computer and mobile device PreStage enrollments:

  • Privacy (macOS, iOS, and tvOS)

  • iCloud Storage (macOS only)

  • One Home Screen for Every Apple TV (tvOS only)

  • Sign In to Your TV Provider (tvOS only)

  • Where is this Apple TV? (tvOS only)

Language Updates for Skip Steps

The following language updates have been made in Jamf Pro:

Previous Name

New Name

Affected OS

Zoom

Display Zoom

iOS

Terms of Service

Terms and Conditions

iOS and tvOS

Diagnostics

App Analytics

iOS and tvOS

Set Up with Device

Set Up Your Apple TV

tvOS

Location

Location Services

iOS and tvOS

Passcode

Passcode Lock

iOS

Watch Migration

Apple Watch

iOS

Restore

Apps & Data

iOS

Touch ID

Touch ID/Face ID

macOS and iOS

Jamf Pro User-Initiated Enrollment Messaging in Chinese and Japanese

The following Knowledge Base articles are now available as a reference guide for configuring user-initiated enrollment messaging in Chinese and Japanese:

Further Considerations

  • Privileges associated with new features in Jamf Pro are disabled by default.

  • It is recommended that you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.

Copyright     Privacy     Terms of Use     Security
© copyright 2002-2018 Jamf. All rights reserved.