What's New

Compatibility with macOS, iOS, iPadOS, and tvOS

Jamf Pro 10.15.0 provides compatibility for the following:

  • macOS Catalina 10.15

  • iOS 13

  • iPadOS 13

  • tvOS 13

This includes compatibility for the following management workflows:

  • Enrollment and inventory reporting

  • Configuration profiles

  • App distribution

  • Self Service installation

  • Self Service launches and connections

  • App distribution via Self Service

  • Policies

  • Restricted Software

Compatibility and new feature support are based on testing with the latest Apple beta releases.

Computer Management Capabilities

Configuration Profile Enhancements

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Extensions (new payload)

You can now configure app extensions allowed to run on the computer.

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Allowed Extensions | AllowedExtensions | macOS 10.13 or later | |
| Extension Points | DeniedExtensionPoints | | Extension Points options include "Deny all public extension points" and "Deny extension points and extensions". When the "Deny all public extension points" option is selected, the key value is automatically set to AllPublicExtensionPoints. This dynamically fills the list of all public extension points that may change from release to release. For a list of extension identifiers, see this developer documentation from Apple. To selectively deny extension points, use the predefined list. |
| | DeniedExtensions | | Add bundle identifiers of the extensions that are not allowed to run on the system. |

Associated Domains (new payload)

You can now configure associated domains. Associated domains can be used with features such as shared web credentials, universal links, and Handoff.

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| App Identifier | ApplicationIdentifier | macOS 10.15 or later; User Approved MDM required | |
| Associated Domain | AssociatedDomains | | The value must match the service:domain syntax. Domains should be fully qualified hostnames, for example, www.example.com |

Single Sign-On Extensions (new payload)

You can now configure app extensions that perform single sign-on.

The Single Sign-On Extensions payload is only available for computer level configuration profiles.

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Extension Identifier | ExtensionIdentifier | macOS 10.15 or later; User Approved MDM required | |
| Team Identifier | TeamIdentifier | | |
| Single Sign-On Type | Type | | Single Sign-On Type options include Credential or Redirect. |
| Realm | Realm | | Realm name must be properly capitalized. |
| Hosts | Hosts | | Hostnames must be unique for all configured Single Sign-On Extensions payloads. |
| URLs | URLs | | The URLs must begin with "http://" or "https://" and be unique for all configured Single Sign-On Extensions payloads. Query parameters and URL fragments are not allowed. |

VPN Payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Certificate Type | CertificateType | macOS 10.15 or later | You can now specify the type of certificate used for IKEv2 machine authentication. |
| Enable Fallback | EnableFallback | | You can now enable VPN over cellular data as a fallback option if supported by your VPN environment. |
| Encryption Algorithm (Enhancement) | | | Jamf Pro now provides "ChaCha20Poly1305" as a new encryption algorithm to use when configuring the IKE SA Params in an "IKEv2" Connection Type. |
| Diffie-Hellman Group (Enhancement) | | | Jamf Pro now provides "31" as a new Diffie-Hellman group number to use when configuring the IKE SA Params in an "IKEv2" Connection Type. |
| Include All Networks | IncludeAllNetworks | | You can now route all local network traffic through the VPN. |
| Exclude Local Networks | ExcludeLocalNetworks | | You can now route all local network traffic outside the VPN. |
| Provider Designated Requirement | ProviderDesignatedRequirement | | You can now enter the designated requirement of your VPN provider. |
| Provider Type (Enhancement) | | | "Packet-tunnel" is now the default option for Provider Type. |

Restrictions payload—Functionality tab (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Allow Handoff | allowActivityContinuation | macOS 10.15 or later | You can now disable activity continuation for a user. |

Certificate payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Allow export from keychain | KeyIsExtractable | macOS 10.15 or later | You can now allow the private key to be exported from the keychain. |

Network payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Security Type (Enhancement) | | macOS 10.15 or later | Jamf Pro now provides the following new wireless network encryption options to use when connecting: WPA3 Enterprise, WPA3 Personal |

Privacy Preferences Policy Control payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| App or Service (Enhancement) | | macOS 10.15 or later | Jamf Pro now allows you to deny or allow access for the following apps or services: FileProviderPresence, ListenEvent, MediaLibrary, ScreenCapture, SpeechRecognition, SystemPolicyDesktopFolder, SystemPolicyDownloadsFolder, SystemPolicyNetworkVolumes, SystemPolicyRemovableVolumes |

Restrictions payload—Preferences tab (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Password | com.apple.preferences.password | macOS 10.15 or later | Jamf Pro now allows you to restrict these items in the user's System Preferences. |
| Apple ID Preference Pane | com.apple.preferences.AppleIDPrefPane | | |
| Screentime | com.apple.preference.screentime | | |
| Wallet & Apple Pay | com.apple.preferences.wallet | | |
| Sidecar | com.apple.preference.sidecar | | |
| Classroom | com.apple.ClassroomSettings | | |
| Family Sharing | com.apple.preferences.FamilySharingPrefPane | | |

Additional Reporting Capabilities

  • Jamf Pro now displays whether or not a computer is Supervised in the computer's inventory information. The inventory attribute is "Supervised" with a value of "Yes" or "No". In addition, you can now create a smart computer group and an advanced computer search with "Supervised" as the criteria. Applies to computers with macOS 10.15 or later enrolled with Jamf Pro via a PreStage enrollment.

  • You can now create a smart computer group and an advanced computer search for computers with "MacBook Air (Retina, 13-inch, 2019)" and "MacBook Pro (13-inch, 2019, Two Thunderbolt 3 ports)" as the value for the "Model" criteria.

Mobile Device Management Capabilities

Configuration Profile Enhancements

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Single Sign-On Extensions (new payload)

You can now configure app extensions that perform single sign-on.

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Extension Identifier | ExtensionIdentifier | iOS 13 or later | Add the bundle identifier of the app extension that performs single sign-on. |
| Team Identifier | TeamIdentifier | | |
| Single Sign-On Type | Type | | Single Sign-On Type options include Credential or Redirect. |
| Realm | Realm | | Realm name must be properly capitalized. |
| Hosts | Hosts | | Hostnames must be unique for all configured Single Sign-On Extensions payloads. |
| URLs | URLs | | The URLs must begin with "http://" or "https://" and be unique for all configured Single Sign-On Extensions payloads. Query parameters and URL fragments are not allowed. |

Notifications payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Allow Critical Alert | CriticalAlertEnabled | iOS 12 or later; Supervised | This setting determines whether the app can mark a notification as a critical notification that will ignore Do Not Disturb and ringer settings. |
| Show in CarPlay | ShowInCarPlay | iOS 12 or later; Supervised | You can enable notifications in CarPlay for the app. |
| Notification Grouping | GroupingType | iOS 12 or later; Supervised | This setting allows you to choose how notifications are grouped for each app. You can choose the following: Automatic, By App, Off |

Restrictions payload—Functionality tab (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Allow continuous path keyboard (iOS 13 or later, supervised only) | allowContinuousPathKeyboard | iOS 13 or later; Supervised | You can now disable continuous path keyboard. |
| Allow Find My Devices (iOS 13 or later, supervised only) | allowFindMyDevice | | You can now disable Find My Device in the Find My app. |
| Allow Find My Friends (iOS 13 or later, supervised only) | allowFindMyFriends | | You can now disable Find My Friends in the Find My app. |
| Allow USB drive access in Files app (iOS 13 or later, supervised only) | allowFilesUSBDriveAccess | | You can now enable or disable USB drive access in the Files app. |
| Allow network drive access in Files app (iOS 13 or later, supervised only) | allowFilesNetworkDriveAccess | | You can now enable or disable network drive access in the Files app. |
| Force Wi-Fi power on (iOS 13 or later, supervised only) | forceWiFiPowerOn | | You can now prevent a user from modifying Wi-Fi. |
| Allow device sleep (tvOS 13 or later, supervised only) | allowDeviceSleep | tvOS 13 or later; Supervised | You can now prevent the device from sleeping. |

VPN Payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Certificate Type | CertificateType | iOS 13 or later | You can now specify the type of certificate used for IKEv2 machine authentication. |
| Enable Fallback | EnableFallback | | You can now enable VPN over cellular data as a fallback option if supported by your VPN environment. |
| Encryption Algorithm (Enhancement) | | | Jamf Pro now provides "ChaCha20Poly1305" as a new encryption algorithm to use when configuring the IKE SA Params in an "IKEv2" Connection Type. |
| Diffie-Hellman Group (Enhancement) | | | Jamf Pro now provides "31" as a new Diffie-Hellman group number to use when configuring the IKE SA Params in an "IKEv2" Connection Type. |
| Include All Networks | IncludeAllNetworks | | You can now route all local network traffic through the VPN. |
| Exclude Local Networks | ExcludeLocalNetworks | | You can now route all local network traffic outside the VPN. |
| Provider Designated Requirement | ProviderDesignatedRequirement | | You can now enter the designated requirement of your VPN provider. |
| Provider Type (Enhancement) | | | "Packet-tunnel" is now the default option for Provider Type. |

Wi-Fi payload (Enhancements)

| Setting | Key Included in Payload | OS Requirement | Notes |
| --- | --- | --- | --- |
| Security Type (Enhancement) | | iOS 13 or later; tvOS 13 or later | Jamf Pro now provides the following new wireless network encryption options to use when connecting: WPA3 Enterprise, WPA3 Personal |
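The value rules stated for the Single Sign-On Extensions payload (in both the computer and mobile device tables) and for Associated Domains can be checked before a profile is uploaded. The following linter is an added example, not Jamf Pro's own validation code; the dict layout mirrors the key names in the tables, while the function names, the sample values, and the case-insensitive hostname comparison are assumptions.

```python
import re

# One DNS label, then a hostname of at least two labels (fully qualified).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN = re.compile(rf"(?:{_LABEL}\.)+{_LABEL}")


def lint_associated_domains(values):
    """Check AssociatedDomains entries against the service:domain syntax."""
    findings = []
    for value in values:
        service, sep, domain = value.partition(":")
        if not sep or not service:
            findings.append(f"{value!r}: expected service:domain")
        elif not _FQDN.fullmatch(domain):
            findings.append(f"{value!r}: domain is not a fully qualified hostname")
    return findings


def lint_sso_payloads(payloads):
    """Check Type, Hosts and URLs across all Single Sign-On Extensions payloads."""
    findings = []
    seen_hosts, seen_urls = {}, {}  # value -> index of the payload that used it first
    for index, payload in enumerate(payloads):
        if payload.get("Type") not in ("Credential", "Redirect"):
            findings.append(f"payload {index}: Type must be Credential or Redirect")
        for host in payload.get("Hosts", []):
            key = host.lower()  # assumption: hostnames are compared case-insensitively
            if key in seen_hosts:
                findings.append(
                    f"payload {index}: host {host!r} already used in payload {seen_hosts[key]}")
            seen_hosts.setdefault(key, index)
        for url in payload.get("URLs", []):
            if not url.startswith(("http://", "https://")):
                findings.append(
                    f"payload {index}: URL {url!r} must begin with http:// or https://")
            if "?" in url or "#" in url:
                findings.append(f"payload {index}: URL {url!r} has a query or fragment")
            if url in seen_urls:
                findings.append(
                    f"payload {index}: URL {url!r} already used in payload {seen_urls[url]}")
            seen_urls.setdefault(url, index)
    return findings


# Constructed sample values; identifiers and hostnames are placeholders.
SAMPLE_SSO = [
    {"ExtensionIdentifier": "com.example.sso.ext", "TeamIdentifier": "ABCDE12345",
     "Type": "Credential", "Realm": "EXAMPLE.COM", "Hosts": ["login.example.com"]},
    {"ExtensionIdentifier": "com.example.sso.web", "TeamIdentifier": "ABCDE12345",
     "Type": "Redirect", "URLs": ["https://idp.example.com/auth?next=/home",
                                  "ftp://idp.example.com/login"]},
    {"ExtensionIdentifier": "com.example.sso.other", "TeamIdentifier": "ABCDE12345",
     "Type": "redirect", "Hosts": ["LOGIN.example.com"]},
]
SAMPLE_DOMAINS = ["webcredentials:www.example.com", "applinks:intranet", "www.example.com"]

if __name__ == "__main__":
    for finding in lint_sso_payloads(SAMPLE_SSO) + lint_associated_domains(SAMPLE_DOMAINS):
        print(finding)
```

Uniqueness is tracked across every payload passed in, so run the check over all Single Sign-On Extensions payloads planned for the same scope rather than one profile at a time.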

User Enrollment (Preview Feature)

This release of Jamf Pro supports Apple’s new User Enrollment framework, a feature introduced in Apple’s beta program for iOS 13 and iPadOS 13. It is designed to keep corporate data safe on mobile devices while protecting users' privacy. User Enrollment will be replacing Personal Device Profiles, which will be deprecated in a future release, as the Apple-preferred method for enrolling personally owned devices in a Bring Your Own Device (BYOD) program.

User Enrollment keeps personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. This allows for limited management of devices using a set of configurations that associate management with the user, not the entire device. The user can access their corporate data without the administrator erasing, modifying, or viewing personal data. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf Pro, while the corporate data is deleted.

Because User Enrollment is a preview feature, some of the following functionality may not be available at the time of this release. The following is a list of the capabilities User Enrollment will have when it is released as a full feature, not a comprehensive list of what is currently supported in this preview.

User Enrollment allows administrators to:

  • Configure accounts

  • Configure per-app VPN

  • Install and configure apps

  • Require a passcode

  • Enforce certain restrictions

  • Issue an MDM command or query gathering information about apps, accounts and configuration provided by the MDM solution

  • Unenroll the device and cause all organizationally provided data, apps, and accounts to be deleted

User Enrollment prevents administrators from:

  • Obtaining any persistent device identities (like Serial Number, UDID or IMEI); a unique value is used instead to identify the device for the duration of the enrollment

  • Setting the complex alphanumeric passcode restriction

  • Clearing the device passcode or lowering the security of the device

  • Enforcing certain restrictions

  • Taking over management of an app that a user installed themselves

  • Issuing an MDM command or query gathering information about apps downloaded with the user’s personal Apple ID

  • Remotely wiping the entire device

  • Accessing any cellular features

  • Adding payloads that collect logs on the device

  • Adding any supervised restrictions to the user’s device

Setup and Requirements:

  • Personally owned mobile devices with iOS 13 or later, or iPadOS 13 or later

  • Managed Apple IDs in Apple School Manager or Apple Business Manager

  • A push certificate in Jamf Pro

Known Issues:

  • When installing managed apps, the app will fail to install if the user currently has that app installed on their device.

  • The default device management description for personally owned devices included in user-initiated enrollment is inaccurate for User Enrollment.

For more information on enrolling mobile devices using User Enrollment, see User-Initiated Enrollment for Mobile Devices in the Jamf Pro Administrator's Guide.

PreStage Enrollment Enhancements

Enrollment Customization for PreStage Enrollments

You can use the Enrollment Customization settings in Jamf Pro to further customize the enrollment experience for a user when they enroll their computer or mobile device with Jamf Pro via a PreStage enrollment. To do this, you configure a group of settings that allow you to customize the screens that are displayed to the user as they advance through the Setup Assistant. For example, you can display an End User License Agreement (EULA) during enrollment or other custom messaging.

The Enrollment Customization settings apply to the following:

  • Mobile devices with iOS 13 or later, or iPadOS 13 or later

  • Computers with macOS 10.15 or later

You can configure the following screens in an Enrollment Customization configuration:

  • Single Sign-On Authentication—If you have Single Sign-On enabled in Jamf Pro, you can enable the user to authenticate to your Identity Provider (IdP) using SSO during enrollment.

    Note: To add a Single Sign-On Authentication PreStage Pane, you must have Single Sign-On enabled in Jamf Pro.

  • Custom Text—You can present a custom message to your users during enrollment such as presenting them with a EULA or other messaging that fits your environment. You can also apply a name to buttons that allow the user to navigate through the screens.

For more information, see Enrollment Customization Settings in the Jamf Pro Administrator's Guide.

Additional Mobile Device Skip Steps

You can now select the Transfer Data (iOS only) skip step in a PreStage enrollment.

Additional Mobile Device Naming Method

You can now apply a single name to all mobile devices enrolled using a PreStage enrollment. This is a new Naming Method option.

Proxy LDAP Server Over SSL Connection Validation

Creating or editing a proxy connection to an LDAP server over SSL now triggers automatic validation of the hostname and port. The validation process must succeed before the connection is enabled and available for testing. The verification status is displayed in Jamf Pro Notifications. For more information on LDAP server connections, see the LDAP Server Connections in Jamf Pro KB article.

Important: When upgrading Jamf Pro, the previously created proxy LDAP server over SSL connections are not validated by default. To trigger the validation process, you must edit the server settings and save the new configuration.

Global Service Exchange (GSX) Changes

Beginning with Jamf Pro 10.15.0, a GSX connection created in Jamf Pro communicates with a new API required by Apple. The new API requires a new API Token that you must obtain from Apple.

If you are upgrading to Jamf Pro 10.15.0, you must reconfigure any existing GSX connection. This includes obtaining a new certificate and the new API Token from Apple.

For instructions on obtaining a new certificate, see the Integrating with Apple's Global Service Exchange (GSX) Knowledge Base article. For instructions on configuring the GSX connection in Jamf Pro, see Integrating with GSX in the Jamf Pro Administrator's Guide.

In addition, the following changes were made:

  • The Region field is no longer required and was removed from the GSX Connection page.

  • The AppleCare ID (warranty reference number) is no longer provided by Apple, and it is no longer displayed when you perform a "Look up Purchasing Information from GSX" mass action search.

Jamf Self Service for macOS Accessibility Enhancements

Self Service allows you to use keyboard shortcuts to perform common functions in the application.

The following shortcuts are now available in Self Service:

| Shortcut | Action |
| --- | --- |
| Command-R | Reload Self Service |
| Command-F | Activate the Search Field |
| Control-Command-F | Enter/Exit Full Screen |
| Command-Shift-[ | Previous Category |
| Command-Shift-] | Next Category |

In addition, Self Service now includes support for VoiceOver. To enable VoiceOver, navigate to System Preferences > Accessibility > VoiceOver > Enable VoiceOver.

For more information about VoiceOver, see the following website from Apple:

https://www.apple.com/accessibility/mac/vision/

Note: VoiceOver support will continue to be enhanced in future versions of Self Service.

Jamf Self Service for iOS Enhancements

Self Service 10.10.0 requires devices with iOS 11 or later. Self Service 10.10.0 will be available in the App Store once it is approved by Apple.

Limiting or Disabling Crash Reporting and Data Collection for Self Service

After upgrading to Self Service 10.10.0, end users are presented with the option to disable crash reporting and data collection when they launch the app for the first time. Users can also disable crash reporting and data collection at any time by navigating to Settings > Self Service > Analytics and Crash Reports, and toggling the settings.

In addition, if you manually deployed the Self Service app, you can also limit or fully disable crash reporting and data collection on all mobile devices in your environment by using the Managed App Configuration settings in Jamf Pro. For more information, see the Limiting or Disabling Crash Reporting and Data Collection for Jamf Self Service for iOS Knowledge Base article.

Support for Dark Mode

Self Service 10.10.0 includes support for Dark Mode on devices with iOS 13 or later. To enable Dark Mode, navigate to Settings > Display & Brightness > Appearance.

Reset Transparency Consent and Control Permissions for Composer

You can now reset Transparency Consent and Control (TCC) permissions for Composer with the Reset TCC Permissions setting. Resetting TCC permissions will cause macOS to re-prompt users for permission to access protected files and app data, which allows users to change their previously set permissions if needed. To access this feature, open Composer and navigate to Preferences > Advanced.

For more information, see the Resetting Transparency Consent and Control Prompts on macOS Knowledge Base article.

Federated Authentication for Managed Apple ID

You can now view whether or not a user's Managed Apple ID uses federated authentication in the Roster category of user inventory information.

For more information about federated authentication, see the following Apple documentation:
https://support.apple.com/guide/apple-school-manager/intro-to-federated-authentication-apdb19317543/web

Active Directory Certificate Services (AD CS) Certificate Distribution Enhancements

You can now distribute certificates to Apple TV devices with Active Directory Certificate Services (AD CS) as the Certificate Authority (CA) using configuration profiles.

Jamf Pro API Changes and Enhancements

The Jamf Pro API beta is open for user testing. The base URL for the Jamf Pro API is /uapi. To access the Jamf Pro API documentation, append "/uapi/doc" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/uapi/doc

Note: As the Jamf Pro API continues to be developed, changes will be made in future releases that may impact or break functionality. We strongly encourage you to test existing workflows using the Jamf Pro API before upgrading your production environment.

  • The following endpoints were added:

    • GET /preview/computers

    • POST /preview/ldap-keystore/verify

    • GET /preview/cloud-ldaps

    • POST /preview/cloud-ldaps

    • GET /preview/cloud-ldaps/{id}

    • PUT /preview/cloud-ldaps/{id}

    • DELETE /preview/cloud-ldaps/{id}

    • POST /preview/cloud-ldaps/{id}/disable

    • GET /preview/cloud-ldaps/{id}/mappings

    • PUT /preview/cloud-ldaps/{id}/mappings

    • GET /v1/enrollment-customization

    • POST /v1/enrollment-customization

    • GET /v1/enrollment-customization/{id}

    • PUT /v1/enrollment-customization/{id}

    • DELETE /v1/enrollment-customization/{id}

    • GET /v1/enrollment-customization/{id}/prestages

    • GET /v1/enrollment-customization/{id}/all

    • GET /v1/enrollment-customization/{id}/all/{panel-id}

    • DELETE /v1/enrollment-customization/{id}/all/{panel-id}

    • POST /v1/enrollment-customization/{id}/text

    • GET /v1/enrollment-customization/{id}/text/{panel-id}

    • PUT /v1/enrollment-customization/{id}/text/{panel-id}

    • DELETE /v1/enrollment-customization/{id}/text/{panel-id}

    • POST /v1/enrollment-customization/{id}/auth

    • GET /v1/enrollment-customization/{id}/auth/{panel-id}

    • PUT /v1/enrollment-customization/{id}/auth/{panel-id}

    • DELETE /v1/enrollment-customization/{id}/auth/{panel-id}

For more information, see the Jamf Pro API documentation and the Jamf Pro Developer Portal.

Other Changes and Enhancements

  • The PPPC Utility was updated with the new macOS 10.15 Privacy Preferences Policy Control keys and minor user interface updates.

  • Administrators can now re-enroll computers with an expired device certificate signed by Apple using the command line. You can execute the sudo profiles renew -type enrollment command to re-enroll the computers via Automated Device Enrollment.

  • Users are not prompted to log in to Microsoft Azure if the Intune Company Portal app fails.

  • The jamf binary no longer replaces the MDM profile when sudo jamf mdm executes on a computer with an MDM profile.

  • The FileVault individual recovery key is now located on the Disk Encryption payload in the Inventory tab of the computer inventory information.

  • iBeacon monitoring is now performed by the Jamf Daemon, improving security.

  • On FileVault encrypted computers with macOS 10.15 or later, you must enter the password or the recovery key of the FileVault enabled user to access the recovery partition.

  • The Disk Encryption payload in the computer inventory information only shows information about the boot partition Jamf Pro is installed on.
