What's New

Updated 26 March 2019

Important Notice—Jamf Infrastructure Manager hosting the LDAP Proxy

Due to a security enhancement, when upgrading from Jamf Pro 10.9.x or earlier to Jamf Pro 10.11.0, you must first do the following before upgrading to Jamf Pro 10.11.0:

  1. Perform an incremental upgrade to Jamf Pro 10.10.x.

  2. Re-enroll your Jamf Infrastructure Manager if it hosts the LDAP proxy.

After you have met these two requirements, you can upgrade to Jamf Pro 10.11.0.

Compatibility with macOS, iOS, and tvOS

Jamf Pro 10.11.0 provides compatibility with macOS 10.14.4, iOS 12.2, and tvOS 12.2. This includes compatibility for the following management workflows:

  • Enrollment and inventory reporting

  • Configuration profiles

  • App distribution

  • Self Service installation

  • Self Service launches and connections

  • App distribution via Self Service

  • Policies

  • Restricted software

Computer Management Capabilities

Configuration Profile Enhancements

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Restrictions Payload—Functionality tab

| Setting | Key Included in Payload | OS Requirement | Notes |
|---|---|---|---|
| Allow screen shots and screen recording | allowScreenShot | macOS 10.14.4 or later | You can now allow a user to save screen shots or screen recordings. |
| Allow AirPlay, View Screen by Classroom, and Screen Sharing | allowRemoteScreenObservation | macOS 10.14.4 or later, enrolled via a PreStage enrollment | You can now allow teachers to use AirPlay, View Screen, and Screen Sharing on student devices. To enable this setting, Allow screen shots and screen recording must be enabled. |
| Allow Classroom to perform AirPlay and View Screen without prompting | forceClassroomUnpromptedScreenObservation | macOS 10.14.4 or later, enrolled via a PreStage enrollment | You can now allow teachers to use AirPlay or View Screen on student devices in managed classes without prompting students. To enable this setting, Allow AirPlay, View Screen by Classroom, and Screen Sharing must be enabled. |
| Allow Classroom to lock the device without prompting | forceClassroomUnpromptedAppAndDeviceLock | macOS 10.14.4 or later, enrolled via a PreStage enrollment | You can now allow teachers to lock student devices in managed classes without prompting students. |
| Automatically join Classroom classes without prompting | forceClassroomAutomaticallyJoinClasses | macOS 10.14.4 or later, enrolled via a PreStage enrollment | You can now enable students to join a class without prompting the teacher. |
| Require teacher permission to leave Classroom unmanaged classes | forceClassroomRequestPermissionToLeaveClasses | macOS 10.14.4 or later, enrolled via a PreStage enrollment | You can now prevent students from leaving the unmanaged classes that were created in the Classroom app. When this is selected, students enrolled in an unmanaged Classroom course need to request permission if they attempt to leave the course. |
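The dependencies between these settings can be checked on an exported profile before it is scoped to devices. The following is an added example, not Jamf code: it reads an unsigned .mobileconfig, finds the Restrictions payload, and reports prerequisite conflicts and any setting that removes a user prompt. The payload type string com.apple.applicationaccess is Apple's identifier for the Restrictions payload and does not appear on this page; the function name and the sample profile are constructed for illustration.

```python
import plistlib

# Apple's payload type for the Restrictions payload (not stated on this page).
RESTRICTIONS_TYPE = "com.apple.applicationaccess"

# Setting key -> key that the table says must be enabled first.
PREREQUISITES = {
    "allowRemoteScreenObservation": "allowScreenShot",
    "forceClassroomUnpromptedScreenObservation": "allowRemoteScreenObservation",
}

# Keys from the table that remove a prompt a student or teacher would otherwise see.
UNPROMPTED = (
    "forceClassroomUnpromptedScreenObservation",
    "forceClassroomUnpromptedAppAndDeviceLock",
    "forceClassroomAutomaticallyJoinClasses",
)

def audit_profile(data: bytes) -> list[str]:
    """Return findings for every Restrictions payload in an unsigned profile."""
    profile = plistlib.loads(data)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue
        for key, needs in PREREQUISITES.items():
            # Only explicit values are judged; absent keys are left to OS defaults.
            if payload.get(key) is True and payload.get(needs) is False:
                findings.append(f"CONFLICT: {key} is on but {needs} is off")
        for key in UNPROMPTED:
            if payload.get(key) is True:
                findings.append(f"REVIEW: {key} removes a user prompt")
    return findings

# Constructed sample profile (hypothetical identifier, not a real export).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.classroom",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "allowScreenShot": False,
        "allowRemoteScreenObservation": True,
        "forceClassroomUnpromptedScreenObservation": True,
        "forceClassroomUnpromptedAppAndDeviceLock": False,
    }],
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```

A signed profile must have its CMS wrapper removed before plistlib can parse it.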

Configuration Profile Changes

The Restrict App Store to Software updates only setting has been renamed to Restrict App Store to MDM installed apps and software updates.

Remote Command Enhancements

You can now send the Enable/Disable Remote Desktop command for computers with macOS 10.14.4 or later. This command can be sent as a remote command or as a mass action. This functionality is also available via the Classic API.

In addition, "Remote Desktop Enabled" is now a collected inventory attribute, and is displayed in computer inventory information with a returned value of "Yes" or "No".

Mobile Device Management Capabilities

Configuration Profile Enhancements

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Restrictions Payload—Functionality tab

| Setting | Key Included in Payload | OS Requirement | Notes |
|---|---|---|---|
| Allow managed apps to write contacts to unmanaged contacts accounts | allowManagedToWriteUnmanagedContacts | iOS 12 or later | |
| Allow unmanaged apps to read contacts from managed contacts accounts | allowUnmanagedToReadManagedContacts | iOS 12 or later | |
| Allow modifying eSIM settings | allowESIMModification | Supervised devices with iOS 12.1 or later | You can now allow a cellular plan to be added in settings. |
| Allow modifying Personal Hotspot settings | allowPersonalHotspotModification | Supervised devices with iOS 12.2 or later | You can now allow a user to enable or disable a Personal Hotspot. |
| Allow server-side logging of Siri commands | allowSiriServerLogging | iOS 12.2 or later | |
| Force automatic date and time | forceAutomaticDateAndTime | Supervised devices with iOS 12 or later, tvOS 12.2 or later | This setting was previously available for iOS devices only. |
| Defer Software Updates | forceDelayedSoftwareUpdates | Supervised devices with iOS 11.3 or later, tvOS 12.2 or later | This setting was previously available for iOS devices only. |

Configuration Profile Changes

The following changes have been made to the iOS Functionality tab of the Restrictions payload:

  • The Allow screen observation by Classroom app (Apple Education Support enabled, supervised only) setting has been renamed to Allow AirPlay, View Screen by Classroom, and Screen Sharing (supervised only). In addition, enabling Apple Education Support in Jamf Pro is no longer required.

  • The Allow modifying the AirPlay and View Screen permission for managed classes (supervised only) setting has been renamed to Allow Classroom to perform AirPlay and View Screen without prompting (supervised only).

  • The Allow Classroom app to lock student devices to an app and lock device screens without prompting (iOS 11 or later, supervised only) setting has been renamed to Allow Classroom to lock the device without prompting (iOS 11 or later, supervised only).

  • The following restrictions have been moved from the iOS and tvOS Functionality tab to the iOS Functionality tab of the Restrictions payload:

    • Enable Siri profanity filter (supervised only)

    • Allow iBooks Store (supervised only)

    • Allow In-App Purchases

Mobile Device PreStage Enrollment Enhancement

You can now configure the language and region when auto advancing through the Setup Assistant in a mobile device PreStage enrollment. This enables tvOS devices to automatically have the local language configured during enrollment with Jamf Pro. This applies to devices with tvOS 11.3 or later.

Changes to User-Initiated Enrollment Experience

When a user enrolls a device with iOS 12.2 or later, they are prompted to complete the installation of both the MDM profile and the CA certificate in the Settings app on the device. A message is displayed notifying users, "Complete installation of this profile in the Settings app." The user must tap Close, and then navigate to the Settings app to complete the installation.

Improvements to Computer and Mobile Device PreStage Enrollments

Significant improvements have been made to computer and mobile device PreStage enrollments. This includes automatically refreshing information, improved handling of settings and the scope of a PreStage enrollment, and improved syncing with Apple. As a result of the improvements, the following changes have been made in Jamf Pro:

  • Jamf Pro automatically refreshes information about the computers and mobile devices in PreStage enrollments and Device Enrollment (formerly DEP). If there is updated information about the devices, this information is displayed in Jamf Pro. This information is automatically refreshed every five minutes. As a result, the Refresh button has been removed from the Jamf Pro user interface in computer and mobile device PreStage enrollments.
    Note: Depending on when information was updated, there could be up to a five-minute delay on the information refresh. This delay can result in outdated information in Jamf Pro. In addition, environmental factors could affect the information refresh.

  • The Jamf Pro user interface now displays the last attempted sync with Apple for a Device Enrollment instance and a PreStage enrollment.

  • Jamf Pro now alerts you to simultaneous editing of computer and mobile device PreStage enrollment settings. This can prevent the possibility of overwriting changes made to the settings.

  • You can now enter a custom email address in PreStage enrollment settings.

  • The Department and Phone Number settings are no longer required in a PreStage enrollment.

Jamf Self Service for iOS Branding

You can now customize how Self Service for iOS displays to end users.

The Branding settings allow you to change the following aspects of Self Service:

  • Icon—The icon displays in the header in the Self Service app. It is recommended that you use a file with the GIF or PNG format that is 180x180 pixels.

  • Branding Name—The branding name displays in the header in the Self Service app. By default, "Self Service" is displayed as the branding name.

  • Status Bar Color—The status bar appears above the header in the Self Service app and displays information about the device's current state (e.g., the time, cellular carrier, battery level). You can choose to display the status bar as either light or dark.

  • The following can be customized by entering a six digit hexadecimal color code or by using the color picker:

    • Branding Name Color

    • Header Background Color—The header displays across the top of the Self Service app.

    • Menu Icon Color—The menu icon displays in the header in the Self Service app.

Note: Customizing the icon or branding name does not change the app icon or name as it displays on the Home Screen of a device. The default Self Service icon and name cannot be changed outside of the app.

The preview field in the Branding settings allows you to view changes to your branding configuration in real time so that you can finalize the configuration before distributing it to your end users. Once you save the branding configuration, the changes are applied the next time mobile devices check in with Jamf Pro.

To access this setting in Jamf Pro, navigate to Settings > Self Service > Branding.

Self Service for iOS branding requires Self Service 10.8.0 or later.

macOS Intune Integration Enhancements

When the macOS Intune Integration is enabled, users are now redirected to one of the following pages if their computer is not registered with Azure AD or not enrolled with Jamf Pro:

  • The Access Denied page

  • The Default Jamf Pro Device Registration page
    Note: Depending on the state of the device, this option redirects users to either the Jamf Pro device enrollment portal (to enroll with Jamf Pro) or the Company Portal app (to register with Azure AD). This option is selected by default.

  • A custom URL

To access this feature in Jamf Pro, navigate to Settings > Global Management > Conditional Access > macOS Intune Integration.

Jamf Pro API Changes and Enhancements

The Jamf Pro API beta is open for user testing. The base URL for the Jamf Pro API is /uapi. To access the Jamf Pro API documentation, append "/uapi/doc" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/uapi/doc

Note: As the Jamf Pro API continues to be developed, changes will be made in future releases that may impact or break functionality. We strongly encourage you to test existing workflows using the Jamf Pro API before upgrading your production environment.

  • In this release, several endpoints have been changed to ensure future consistency. This means they have been replaced with the new endpoints. The updated endpoints start with /v1/ and have the /obj part removed from the path, among other changes. The original endpoints were marked as deprecated and will be removed in a future release of Jamf Pro. For more information, see the Jamf Pro API documentation and the Jamf Pro Developer Portal.

    The following tags have been updated and marked as deprecated:

    • /advanced-mobile-device-searches

    • /buildings

    • /cache-settings

    • /categories

    • /smart-computer-groups

    • /device-enrollment

    • /ebooks

  • The following endpoints have been added:

    • GET /patch/{id}

    • PUT /patch/{id}

    • GET /patch/{id}/versions

    • POST /patch/svc/retryPolicy

  • The following endpoints now support paging with the page, size, and sort parameters:

    • GET /history

    • GET /settings/obj/department/{id}/history

  • In the /patch endpoint, policyId is replaced with id.

  • Other changes:

    • POST /patch/svc/disclaimerAgree now returns the 200 code instead of 202

    • POST /history/notes now returns the 503 code if a note cannot be saved

  • The GET /self-service/branding/images/{id} endpoint is removed.

Jamf Pro Server Tools 2.3.0

The following enhancements were made in Jamf Pro Server Tools 2.3.0, which is included in the Jamf Pro installers:

  • The performance of backing up and restoring the MySQL database has been improved. Depending on your environment, you may experience a significant speed improvement when backing up and restoring the database.

  • Jamf Pro Server Tools no longer requires the MySQL binaries for backing up and restoring the database. You can now back up and restore the database from a remote server without MySQL.

  • The GUI and CLI version numbers now appear in the GUI Preferences pane.

  • Added support to MySQL configuration paths for all MySQL 8.0 locations.

  • The GUI now automatically loads any manually installed CLI updates found in the PATH environment variable.

For more information, see the following Knowledge Base articles:

App Notarization

On macOS 10.14 or later, Apple allows app notarization, which indicates the application was uploaded to Apple and passed their security check before distribution. The following applications are now notarized by Apple:

  • Jamf application bundle

  • Jamf Helper

  • Jamf Management Action

  • Jamf Self Service for macOS

Other Changes and Enhancements

  • Computers that have been re-enrolled with Jamf Pro must be re-registered with Azure AD in order to enforce compliance.

  • The JamfAAD default recurring check-in time with Azure has been changed to ensure that at least one check-in occurs between 10:00 a.m. and 4:00 p.m. local time on the computer.

  • The LDAP Server Assistant now includes the option to upload a CA certificate when configuring Jamf Pro to use LDAP over SSL. Previously, this option was only available when manually configuring an LDAP server.

  • Self Service now communicates with the Jamf management framework via XPC, which is the interprocess communication technology that is recommended by Apple. This will improve the security and stability of Self Service. For more information about XPC, see Apple's documentation: https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html

  • You can now remove firmware passwords via policy. Select Remove Password, and then enter and verify the current password to remove it.

  • Policies run through Self Service are now executed by the Jamf application bundle instead of by the jamf agent. For custom Privacy Preferences Policy Control payloads, the Jamf.app must be whitelisted instead of the jamfAgent.

  • To upgrade computers to a minor or major macOS release, you can use the newly published Deploying macOS Upgrades with Jamf Pro technical paper. This paper provides instructions on how to deploy a macOS upgrade to computers and either retain or erase the computer's data.

Further Considerations

  • Privileges associated with new features in Jamf Pro are disabled by default.

  • It is recommended that you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.

© copyright 2002-2019 Jamf. All rights reserved.