What's New in This Release

Important Notice—Increased Startup Time

When upgrading from v9.97 or earlier to v9.98 or later, an additional database index will be added during the initial server startup to improve performance of applications table queries. This one-time extended startup could take anywhere from a few additional minutes to several additional hours, depending on the size of your applications table and the hardware used in your environment. For example, the estimated startup time for an applications table with 7 million applications is around 4 minutes, whereas the estimated startup time for an applications table with 200 million applications would be close to 2 hours.

It is important that you do not stop the startup process. If you have questions or experience any issues during startup, contact Jamf Support.

Compatibility with iOS, macOS, and tvOS

The Casper Suite is now compatible with iOS 10.3, macOS v10.12.4, and tvOS 10.2.

iOS Management Capabilities

iOS Remote Commands

  • Shut Down Device remote command for mobile devices (iOS 10.3 or later):

    • You can now remotely shut down a mobile device.
      To access this feature in the JSS, navigate to the Management tab of mobile device inventory information.

    • You can now use mass actions to remotely shut down mobile devices.
      To access this feature in the JSS, view mobile device group memberships or view simple or advanced search results, and then navigate to Action > Send Remote Commands > Shut Down Device.

  • Passcode Lock Grace Period remote command for Shared iPad (iOS 10.3 or later):

    • You can now remotely update the passcode lock grace period for Shared iPad.
      To access this feature in the JSS, navigate to the Management tab of mobile device inventory information.

    • You can now use mass actions to remotely update the passcode lock grace period for Shared iPad.
      To access this feature in the JSS, view mobile device group memberships or view simple or advanced search results, and then navigate to Action > Send Remote Commands > Update Passcode Lock Grace Period.

  • Restart Device remote command for mobile devices (iOS 10.3 or later):

    • You can now restart supervised devices.
      To access this feature in the JSS, navigate to the Management tab of mobile device inventory information.

    • You can now use mass actions to remotely restart devices.
      To access this feature in the JSS, view mobile device group memberships or view simple or advanced search results, and then navigate to Action > Send Remote Commands > Restart Device.

  • Play Lost Mode Sound when configuring the Lost Mode remote command for a mobile device (iOS 10.3 or later):

    • You can now play a sound on a supervised device when Lost Mode is enabled.
      To access this feature in the JSS, navigate to the Management tab of mobile device inventory information.

iOS PreStage Enrollments

  • The "Cloud Storage" skip step has been added to a mobile device PreStage enrollment.

  • The Disallow MDM Profile Removal checkbox has been renamed to Prevent unenrollment.

  • The Require Authentication checkbox has been renamed to Require credentials for enrollment.
    To access these features in the JSS, navigate to Mobile Devices > PreStage Enrollments.

iOS Configuration Profiles

  • You can now issue Symantec certificates to mobile devices—either one certificate for each device in the scope, or one certificate for all devices in the scope.
    To access this feature in the JSS, navigate to Mobile Devices > Configuration Profiles > Certificate.

  • The following Restrictions payload settings are now available for supervised devices with iOS 10.3 or later:

    • Allow modifying the AirPlay and View Screen permissions for managed classes
      Selecting this restriction prevents students from blocking screen observation and from changing AirPlay settings on their device.

    • Allow dictation
      Selecting Allow dictation prevents users from dictating text.

    • Allow connection to unmanaged Wi-Fi networks
      Selecting this restriction prevents users from connecting to any Wi-Fi networks not deployed through the JSS.
      Warning: If left unchecked, and if at least one Wi-Fi payload is not configured on scoped devices through a configuration profile, devices may lose all network connectivity.

macOS Management Capabilities

macOS Configuration Profiles

  • The following new restrictions have been added to the Functionality tab of the Restrictions payload in macOS configuration profiles:

    • Allow Touch ID to unlock device

    • Allow iCloud Desktop & Documents

      To access these features in the JSS, navigate to Computers > Configuration Profiles > Restrictions.

  • The SmartCard payload has been added for macOS configuration profiles. The SmartCard payload controls restrictions and settings for SmartCard pairing.
    To access this feature in the JSS, navigate to Computers > Configuration Profiles > SmartCard.

  • You can now issue Symantec certificates to computers in macOS configuration profiles—either one certificate for each device in the scope, or one certificate for all devices in the scope.
    To access this feature in the JSS, navigate to Computers > Configuration Profiles > Certificate.

tvOS Management Capabilities

tvOS Remote Commands

  • Restart Device remote command for Apple TV devices (tvOS 10.2 or later):

    • You can now restart supervised devices.
      To access this feature in the JSS, navigate to the Management tab of mobile device inventory information.

    • You can now use mass actions to remotely restart tvOS devices.
      To access this feature in the JSS, view mobile device group memberships or view simple or advanced search results, and then navigate to Action > Send Remote Commands > Restart Device.

  • Wipe Device remote command for Apple TV devices:

    • You can now remotely wipe tvOS devices.
      To access this feature in the JSS, navigate to the Management tab of mobile device inventory information.

    • You can now use mass actions to remotely wipe tvOS devices.
      To access this feature in the JSS, view mobile device group memberships or view simple or advanced search results, and then navigate to Action > Send Remote Commands > Wipe Device.

tvOS PreStage Enrollments

You can now enroll Apple TV devices with tvOS 10.2 or later via a PreStage enrollment.

PreStage enrollment options for tvOS include:

  • Make MDM Profile Mandatory
    Selecting Make MDM Profile Mandatory will require users to apply the MDM profile for enrollment.
    Note: This payload is not required for Auto Advance to work, but will temporarily show onscreen before automatically advancing past it.

  • Auto Advance through Setup Assistant
    Selecting this option automatically sets up all available steps in the Setup Assistant for tvOS devices.
    Note: Ethernet connection required.
    When using automatic setup, do not use the Siri Remote, as it will disrupt enrollment.
    Your Siri Remote is not automatically paired with your Apple TV when using Auto Advance.

  • Skip Setup Assistant Options
    Selected items are not deployed in the Setup Assistant during enrollment.

To access this feature in the JSS, navigate to Mobile Devices > PreStage Enrollments.

tvOS Configuration Profiles

The following configuration profile payloads are compatible with tvOS 10.2 or later:

  • General

  • Restrictions

  • Wi-Fi

  • Certificate

  • SCEP

  • Single App Mode

  • Global HTTP Proxy

  • Conference Room Display

Note: A configuration profile will deploy containing both the iOS and tvOS selected options to all devices in scope. Devices will ignore the restrictions that do not pertain to their device type.

To access this feature in the JSS, navigate to Mobile Devices > Configuration Profiles.

Single App Mode payload settings for Apple TV devices

You can now set supervised tvOS devices to Single App Mode. Single App Mode locks scoped devices to a selected app. Apple TV devices in Single App Mode can still use AirPlay, unless restricted via the Restrictions payload.

Note: Attempting to lock Apple TV devices to an in-house or third-party app that does not yet exist on the devices will cause an error. To avoid this issue, ensure the app is installed on scoped devices before configuring Single App Mode.

The following settings can be enforced when in Single App Mode:

  • Touch
    When enforced, all touch input is disabled on the device, including the Siri Remote and any paired iOS devices.

  • Auto-Lock
    When enforced, Auto-Lock is disabled, preventing the tvOS screen saver from appearing.

The following settings can either be enforced or left for users to change when in Single App Mode:
Note: When enforced, these settings are disabled.

  • VoiceOver

  • Zoom

  • Invert Colors

Restrictions payload settings for Apple TV devices

Added tvOS restrictions available through configuration profiles include:

  • Disable AirPlay (supervised devices only)
    Selecting Disable AirPlay prevents AirPlay on scoped tvOS devices. Scoped tvOS devices will not appear in a list of available devices when attempting to AirPlay on Apple TV.

  • Require passcode on first AirPlay pairing
    You can now select Require passcode on first AirPlay pairing for tvOS devices to require devices to provide the AirPlay password.
    Note: Does not require tvOS 10.2 or later.

  • Disable control using Remote app
    Selecting Disable control using Remote app prevents iOS devices from using the Remote app, and instead requires the use of the remote provided by Apple.
    Note: This restriction does not prevent the use of the Siri Remote.

  • Allow keyboard continuation
    Selecting Allow keyboard continuation prevents iOS keyboards from inputting text on Apple TV.

Conference Room Display payload settings for Apple TV devices

You can now set supervised tvOS devices to Conference Room Display mode from the JSS. Conference Room Display locks scoped Apple TV devices to a black wallpaper screen, downloads a default screen saver, and displays a message if configured.

Note: If a tvOS device is running Single App Mode, or if Single App Mode is deployed with Conference Room Display, Conference Room Display will override Single App Mode.

Apple Education Support

  • You can now configure a class naming format in the JSS when importing classes from Apple School Manager. This prevents editing of a class display name after the class has been imported to the JSS.

  • Improved deployment of EDU profiles.

  • The JSS now includes the following user information in the Roster category of user inventory information for users imported from Apple School Manager:

    • Last Sync

    • Status

    • User Number

    • First Name

    • Middle Name

    • Last Name

    • Grade

In addition, if you import a user from Apple School Manager, you can no longer edit the Passcode Requirement field in the user's inventory information.

To access this feature in the JSS, navigate to Settings > Mobile Device Management > Apple Education Support, and then click the Apple School Manager tab.

AirPlay Permissions

  • You can now map AirPlay Permissions to any User and Location inventory field or extension attribute.

  • AirPlay Permissions information is now included in inventory information for mobile devices.

  • The JSS now displays an error for a mobile device extension attribute if the attribute is used to map to AirPlay and is being edited in the device's inventory information.

To access this feature in the JSS, navigate to Settings > Global Management > AirPlay Permissions.

Public Key Infrastructure

  • You can now integrate with Symantec as a third-party certificate authority (CA).

  • Using the PKI Certificates settings, you can now do the following:

    • View a list of certificates in your environment (Active, Expiring, Inactive, All)

    • Add a PKI certificate authority to the JSS dashboard

    • View all certificates issued by a CA

    • Choose a custom name for each managed certificate

    • View details of a specific certificate that was issued

    • Export a certificate list for a CA

To access this feature in the JSS, navigate to Settings > System Settings > PKI Certificates.

Self Service Mobile for iOS

Self Service Mobile for iOS now displays a default app icon while the assigned icon loads to improve performance.

Self Service Mobile v9.98 will be available from the App Store when it is approved by Apple.

Single Sign-On

You can now configure enrollment access for any group or identity provider user when enabling Single Sign-On for user-initiated enrollment.

To access this feature in the JSS, navigate to Settings > System Settings > Single Sign-On.

SSL Certificate Verification

The Enable SSL certificate verification checkbox located in the Security settings in the JSS has been changed to the SSL Certificate Verification pop-up menu with the options: "Always", "Always except during enrollment", and "Never".

If you are performing a fresh install of the Casper Suite v9.98 or later, the SSL Certificate Verification setting is set to "Always except during enrollment" by default.

If you are upgrading from the Casper Suite v9.97 or earlier to the Casper Suite v9.98 or later and you previously enabled SSL certificate verification, the setting is set to "Always" by default. If you did not enable SSL certificate verification before upgrading, the setting is set to "Always except during enrollment" by default.

For more information on this change and instructions on how to safely configure SSL certificate verification in the JSS, see the following Knowledge Base articles:

Jamf Infrastructure Manager

  • You can now delete an Infrastructure Manager instance from the JSS.

  • Improved the usability of the API for the Infrastructure Manager.

To access this feature in the JSS, navigate to Settings > Server Infrastructure > Infrastructure Manager Instances.

For instructions on how to install and configure the Infrastructure Manager, see the Jamf Infrastructure Manager Installation Guide.

Healthcare Listener

  • You can now specify IP addresses or a range of IP addresses to accept incoming ADT messages from.

  • You can now view the history of a Healthcare Listener.

  • You can now track the changes that happen in the JSS via the Change Management logs for the Healthcare Listener.

  • The JSS now clears the Activation Lock before sending a Wipe Device remote command to a mobile device via the Healthcare Listener.

  • You can now configure email notifications to be sent to specified users when a remote command sent via the Healthcare Listener fails to send or is in a pending state.

  • The JSS now displays an error for a mobile device extension attribute if the attribute is used to map to the Healthcare Listener and is being edited in the device's inventory information.

  • Improved the usability of the API for the Healthcare Listener.

  • Improved the communication between the Healthcare Listener and the JSS.

To access this feature in the JSS, navigate to Settings > Server Infrastructure > Infrastructure Manager Instances, and then click the Infrastructure Manager instance that is hosting a Healthcare Listener.

Note: To take full advantage of the features and enhancements available in the Healthcare Listener, you must install the latest version of the Jamf Infrastructure Manager that hosts a Healthcare Listener.

File Extension Whitelist

  • The file extension whitelist has been added to increase and enhance security for files uploaded to the web interface.

  • The feature is enabled by default. You can interact with the file extension whitelist using the JSS API.

For more information on how to use the file extension whitelist, see the following Knowledge Base article:

Managing the File Extension Whitelist

Other Enhancements

  • You can now change or reset the management account password when administering the management account using a policy.

  • Renamed "LDAP Proxy Server" to "LDAP Proxy" in the JSS.

  • Renamed "PKI" to "PKI Certificates" in the JSS.

  • You can now issue Symantec certificates to personal devices—either one certificate for each device in the scope, or one certificate for all devices in the scope.

  • The JSS now contains a "Server Infrastructure" settings section.

  • You can now add a description to classes in the JSS.

  • The Exchange Device ID is now collected in mobile device inventory information.

  • All configuration profiles now appear in a device's inventory report, regardless of the device's installation method.

  • You can now create smart groups and advanced searches using configuration profile names and identifiers.

Memcached Future Requirement for Clustered Environments

In the Casper Suite v9.98, Memcached is recommended, but not yet required. In future versions of the Casper Suite, Memcached will be required for clustered environments. To prepare for this change, it is recommended that you review the following information:

For a complete list of deprecations, removals, bug fixes, and enhancements, see the Deprecations and Removals and the Bug Fixes and Enhancements sections.

To view a complete list of the feature requests implemented in v9.98, go to:

https://www.jamf.com/jamf-nation/feature-requests/versions/168/casper-suite-9-98

Note: New privileges associated with new features in the Casper Suite are disabled by default.

© copyright 2002-2017 Jamf. All rights reserved.