What's New in This Release

Apple Compatibility

The Casper Suite is now compatible with macOS 10.13, iOS 11, and tvOS 11.

To prepare for updates in your environment, see the following articles from Apple's support website:

Imaging Considerations with macOS 10.13

Starting with macOS 10.13, Apple does not recommend or support monolithic system imaging when updating or upgrading macOS. To prepare for this change, see the following article from Apple's support website:
Upgrade macOS on a Mac at your institution

In a future release of the Casper Suite, Casper Imaging will support re-provisioning a macOS 10.13 computer with up-to-date firmware using an imaging workflow.

Deprecation of Shared APFS-Formatted Volumes Using AFP

Starting with macOS 10.13, Apple has deprecated the ability to share Apple File System (APFS)-formatted volumes using Apple Filing Protocol (AFP). Computers formatted with APFS can still mount AFP shares but cannot share over AFP.

When preparing to upgrade your file share server to macOS 10.13, change the sharing protocol to SMB and update the protocol set for that distribution point in the JSS. If you need assistance or have questions, contact your Jamf account representative.

For additional information regarding APFS, see the following article from Apple's support website:
Prepare for APFS in macOS High Sierra

Configuration Profiles

Computer Configuration Profile Enhancements

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Setting

OS Requirements

Description

Certificate and SCEP

Certificate Preference

macOS 10.12 or later

You can now set a certificate preference for user level configuration profiles in the Certificate or SCEP payload. Setting a certificate preference automatically selects the correct certificate in a user's keychain, preventing users from needing to manually select the correct certificate after a new certificate is installed on the user’s device. Multiple preferences per payload may be specified.

Login Window

Disable Siri setup during login

macOS 10.13 or later

 

Network

TLS Minimum and Maximum Version

macOS 10.13 or later

You can now define minimum and maximum TLS network security versions using a configuration profile. Selecting a minimum and maximum TLS version allows you to define a range of protocols for the security levels that are appropriate for your network or to meet compatibility requirements for your environment.

Ethernet

macOS

You can now select an Ethernet network option based on status, for example, first, second, first active, second active, and so on.

Fast Lane Quality of Service (QoS) Marking

macOS 10.13 or later

You can now use Cisco Fast Lane Quality of Service (QoS) Marking for macOS apps.

Restrictions

Allow Content Caching

macOS 10.13 or later

You can now control if Content Caching is allowed. Content caching can be used to store content on one computer that sends content to other computers. This can save bandwidth since each computer does not need to download and install content separately.

Defer software update notifications for 90 days

macOS 10.13 or later

You can now defer software update notifications from displaying for 90 days after the date that the software updates became available. After 90 days, the software update notifications will appear. Users will still be able to manually install the software updates using the App Store during the 90-day deferment period.

Allow AirPrint

macOS 10.13 or later

The following AirPrint settings are now available:

  • Disallow AirPrint to destinations with untrusted certificates

  • Allow discovery of AirPrint printers using iBeacons

Security & Privacy

FileVault tab

macOS 10.13 or later

New options have been added to the FileVault tab on the Security & Privacy payload to enable and manage the personal FileVault recovery key.

In addition, you can use the new Recovery Key Encryption Method option to choose the method the JSS will use for encrypting and decrypting the personal recovery key. For more information, see the following Knowledge Base article: Configuration Profiles Reference.

Note: On macOS 10.13 or later, you must use these options instead of the FileVault Recovery Key Redirection payload which is not supported on macOS 10.13. However, you must continue to use the FileVault Recovery Key Redirection payload to manage the personal FileVault recovery key for computers with macOS 10.12 or earlier.

System Migration

 

macOS 10.12 or later (target computer)

You can now configure the System Migration payload on computers and customize the source and target path pairs when data is transferred to a computer using Apple's Migration Assistant. You can migrate data from both Mac and Windows (Windows XP or later) computers. The target folder is created if not present. For more information about moving data from a Windows PC to a Mac computer, see the following article from Apple's support website:
Move your data from a Windows PC to your Mac


Mobile Device Configuration Profile Enhancements

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Setting

OS Requirements

Description

AirPlay Security

 

tvOS 11 or later

You can now control tvOS password requirements and access methods using the new AirPlay Security payload for configuration profiles.

Home Screen Layout

Dock Layout

Supervised devices with iOS 10.3.2 or later

You can configure the Home Screen Layout to display folders in the Dock. This helps you organize the application content on a device.

If an application configured in the Home Screen Layout payload is not installed on a device, it will not display, or download and install automatically.

 

Supervised devices with tvOS 11 or later

You can now configure the Home Screen Layout on supervised Apple TV devices using the JSS. The content of the Home Screen can include applications and folders. They are displayed on the screen in the same order as configured in the profile payload.

If an application configured in the Home Screen Layout payload is not installed on a device, it will not display, or download and install automatically.

Note: Any existing Home Screen Layout configuration profiles will be automatically set to iOS when upgrading to the JSS v9.101.0. You will need to update the setting manually to the reflect the new payload configuration. For more information on how to manage Apple TV devices with tvOS 10.12 or later, see the Managing Apple TV Devices with tvOS 10.2 or Later Using the Casper Suite technical paper.

Restrictions

Allow AirPrint

Supervised devices with iOS 11 or later

The following AirPrint settings are now available:

  • Disallow AirPrint to destinations with untrusted certificates

  • Allow discovery of AirPrint printers using iBeacons

  • Allow storage of AirPrint credentials in Keychain

Allow adding VPN configurations

Supervised devices with iOS 11 or later

Allow removing system apps

Supervised devices with iOS 11 or later

 

Allow Classroom app to lock student devices to an app and lock device screens without prompting

Supervised devices with iOS 11 or later

This restriction applies to manually created classes in Apple's Classroom app only. Classes managed in the JSS automatically have this feature.

Automatically join Classroom classes without prompting

Supervised devices with iOS 11 or later

This restriction applies to manually created classes in Apple's Classroom app only. Classes managed in the JSS automatically have this feature.

Allow modifying device name

tvOS 11 or later

 

Media Content

tvOS 11 or later

 

Restrict App Usage

Supervised devices with tvOS 11 or later

You can now restrict app usage by creating an allowed or disallowed app list. When searching for apps to add to the list, the bundle ID can help differentiate between tvOS (e.g., com.apple.TVappname) and iOS (e.g., com.apple.appname) apps. Devices will ignore the bundle IDs that do not pertain to their device type.

Wi-Fi

TLS Minimum and Maximum Version

  • iOS 11 or later

  • tvOS 11 or later

You can now define minimum and maximum TLS network security versions using a configuration profile. Selecting a minimum and maximum TLS version allows you to define a range of protocols for the security levels that are appropriate for your network or to meet compatibility requirements for your environment.

Remote Commands

The following remote commands have been added in this release:

Command

OS Requirements

Description

Remove User

macOS 10.13 or later enrolled via a PreStage enrollment

You can now remotely delete a local or mobile user account on computers.

To access this feature in the JSS, navigate to the Local User Accounts category in inventory information for the computer. Click Manage in the respective row of the Local User Accounts table to view the available commands for this user.

Note: If the JSS cannot identify the type of a user account, the Type value in the Local User Accounts table is blank.

Unlock User

macOS 10.13 or later enrolled via a PreStage enrollment

You can now remotely unlock a local user account on computers.

To access this feature in the JSS, navigate to the Local User Accounts category in inventory information for the computer. Click Manage in the respective row of the Local User Accounts table to view the available commands for this user.

Note: If the JSS cannot identify the type of a user account, the Type value in the Local User Accounts table is blank.

Retain cellular data plan

iOS 11 or later

You can now retain cellular data plans on mobile devices when sending the Wipe Device remote command.

To access these remote commands in the JSS, view mobile device group memberships or view simple or advanced search results, and navigate to Action > Send Remote Commands. The retaining cellular data plan option can also be selected when sending the Wipe Device command as a mass action.

In addition, for supervised devices with iOS 10.3 or later, enrollment via a PreStage is not required for the Update iOS Version on supervised devices command to work.

Re-enrollment Settings Enhancements

You can now clear or retain the values for extension attributes for computers and mobile devices during re-enrollment with the JSS.

To access this feature in the JSS, navigate to Settings > Global Management > Re-enrollment.

JSON Web Token (JWT) Option for In-House App Distribution

You can now secure in-house app downloads with JWT. JWT configurations can be enabled or disabled to allow you to troubleshoot your web server setup without deleting the setup.

This feature requires in-house apps configured in the JSS and a web server configured to require JSON Web Token authentication.

Note: If your web server is not set up to require tokens, apps will download as usual. If your web server is set up to require tokens and the token expires, the next push of the app installation will retrieve a new token with a new expiration time.

This feature is located in Settings > Global Management > PKI Certificates > JSON Web Token tab.

Jamf Self Service for iOS

The following enhancements have been made to Jamf Self Service for iOS:

  • “Self Service Mobile” has been renamed “Jamf Self Service” in the App Store.

  • Jamf Self Service is now compatible with iOS 11.

Jamf Self Service v9.101.0 will be available from the App Store when it is approved by Apple.

Healthcare Listener Enhancements

The following functionality has been added to the Healthcare Listener rules:

  • You can choose to apply a rule to either tvOS or iOS.

  • You can enter a custom field from the ADT message to use to map to an attribute in mobile device inventory information.

  • You can now send an email notification in the event that a remote command is sent to an unsupported device.

To access these enhancements in the JSS, navigate to Settings > Service Infrastructure > Infrastructure Managers > Click the Healthcare Listener on the Infrastructure Manager instance.

Other Changes and Enhancements

The following additional changes and enhancements have been added in this release:

  • The JSS Installer for Mac no longer requires credentials for the MySQL database connection step in the assistant.

  • You can now select "Google" from the Identity Provider pop-up menu when configuring Single Sign-On in the JSS.

  • Added the Disable SAML token expiration checkbox for users using Google or Okta as an Identity Provider for Single Sign-On.

  • Renamed the "WEP Enterprise" security type to "Dynamic WEP" in the Wi-Fi payload in the JSS.

  • A JSS user account with the "Casper Imaging - PreStage Imaging and Autorun Imaging" privilege is now required for PreStage imaging and Autorun imaging workflows.
    For more information on the permissions required for imaging computers, see the following Knowledge Base article:
    Imaging Computer Permission Requirements

  • New skip steps have been added to PreStage enrollments: iCloud Diagnostics for computers, and New Feature Highlights, Keyboard, and Watch Migration for mobile devices. To select or deselect all skip steps, use the dynamic All/None button.

  • The JSS now analyzes whether a scoped device is compatible with an app, based on the operating system requirements listed by the developer. This prevents deployment of incompatible apps to devices with older operating systems installed.

Memcached Future Requirement for Clustered Environments

Starting with the future release of Jamf Pro 10.0.0, Memcached will be required for clustered environments.

To prepare for this change, see the following Knowledge Base article:
Memcached Installation and Configuration for Clustered JSS Environments

 
For a complete list of deprecations, removals, bug fixes, and enhancements, see the Deprecations and Removals and the Bug Fixes and Enhancements sections.

To view a complete list of the feature requests implemented in v9.101.0, go to:
https://www.jamf.com/jamf-nation/feature-requests/versions/179/casper-suite-9-101-0

Note: New privileges associated with new features in the Casper Suite are disabled by default.

Copyright | Privacy | Terms of Use | Security
© copyright 2002-2017 Jamf. All rights reserved.