What's New

Integrating with Google's Secure LDAP Service

You can now integrate Jamf Pro with Google's secure LDAP service that is a part of G Suite Enterprise and Cloud Identity Premium. This allows you to use the secure Google LDAP service for authenticating users and group syncing without the need to add external components (such as Stunnel) in your environment.

To access this setting in Jamf Pro, navigate to Settings > System Settings > Cloud Identity Providers.

Saving an LDAP server connection triggers automatic verification of the hostname, port, and domain. The verification process must succeed before the connection is ready to use.

Jamf Pro 10.17.0 uses a default mappings configuration that can be viewed and modified using the Jamf Pro API. For more information, see the Configuring Cloud Identity Provider Attribute Mappings Using Jamf Pro API Knowledge Base article.

The configured LDAP connection is enabled by default. Use the switch to disable the connection. This allows you to add and test a different secure LDAP server connection without deleting the current configuration.

For information about how to configure Google's Secure LDAP service instance in Jamf Pro, see the Integrating with Cloud Identity Providers section of the Jamf Pro Administrator's Guide.

Important: When upgrading Jamf Pro, your previous custom Google LDAP server configurations will not be migrated or deprecated.

Enrollment Customization Enhancements

The following features and enhancements have been added to the Enrollment Customization settings:

  • Support for Jamf Connect—If your environment uses Jamf Connect, you can enable Jamf Pro to pass user information to Jamf Connect. This allows Jamf Pro to pass the Account Name (the username that was used to authenticate with your Identity Provider) and the Account Full Name (the full name of the user) to Jamf Connect, enabling users to only have to enter the username one time during device setup. This creates the local account on the computer with the user's Account Full Name. The user can log in to their computer with the Account Name.

  • Support for Markdown—You can now use Markdown in the Body Text of a Text PreStage Pane to customize the text displayed to the user during enrollment. There are some exceptions to the Markdown syntax that can be used in this pane. For information, see the Using Markdown to Format Text Knowledge Base article.

  • LDAP Authentication—If you have an LDAP server set up in Jamf Pro, you can enable users to authenticate using their LDAP credentials during enrollment. This automatically assigns the user to their device in Jamf Pro.

    Note: To add an LDAP Authentication PreStage Pane, you must have an LDAP server set up in Jamf Pro. For more information, see the Integrating with LDAP Directory Services section in the Jamf Pro Administrator's Guide.

  • Enrollment Access for Identity Providers—You can now choose to allow access to any Identity Provider (IdP) user or to restrict access to only a select group of users in your IdP when you configure a Single Sign-On Authentication PreStage Pane.

    Note: You can only restrict access to one group.

  • Prevent Disabling Single Sign-On—Jamf Pro now prevents you from disabling Single Sign-On if you added a Single Sign-On Authentication PreStage Pane to an Enrollment Customization configuration. To disable SSO, you must update the Enrollment Customization configuration that is dependent on SSO.

  • Security Enhancements—Jamf Pro now has security checks to ensure that only devices in the scope of the PreStage enrollment can view the text entered in a Text PreStage Pane. Previously, any text you entered in a Text PreStage Pane could have been publicly available.

Updates to Apple Deployment Programs Language in Jamf Pro

The following changes to Apple Deployment Programs language have been made in the interface, documentation, and workflows within the product:

  • Device Enrollment Program (DEP) is now Automated Device Enrollment.

  • Volume Purchase Program (VPP) is now Volume Purchasing.

To ensure a smooth transition from earlier versions, some instances in the Jamf Pro interface are not changing. Here are some examples of what's not changing:

  • Smart and static group criteria based on Device Enrollment Program or Volume Purchase Program criteria

  • Advanced search criteria based on Device Enrollment Program and Volume Purchase Program criteria

  • Inventory information based on Device Enrollment Program and Volume Purchase Program values

Computer Management Capabilities

Configuration Profiles Redesign Project—Passcode Payload for Computers

Jamf Pro 10.17.0 introduces the next iteration of the Configuration Profiles Redesign Project. The Passcode payload is the first payload for computers that you can configure using the redesigned user interface.

Note: For information about the project objectives, see the Mobile Device Management Capabilities section in Jamf Pro 10.13.0 Release Notes. For information about configuration profiles, see Apple's Using Configuration Profiles.

To enable and further configure the settings, use the switches. Only the specifically enabled settings are sent to computers in scope. To remove the Passcode payload from a configuration profile, use the Clear All button that disables all settings.


Important: When upgrading Jamf Pro, any previously created configuration profiles that include Passcode payload settings are automatically migrated. Use the Jamf Pro user interface to review the settings. The migrated configuration profiles are not redistributed to computers.

The following table provides an overview of Apple's Passcode payload settings that are unique in Jamf Pro or are renamed in Jamf Pro 10.17.0:

| Setting in Jamf Pro 10.16.0 or Earlier | Setting in Jamf Pro 10.17.0 or Later | Key | Notes |
| --- | --- | --- | --- |
| (This setting was not explicitly displayed in the user interface.) | Require Passcode | forcePIN | This setting is automatically enabled in Jamf Pro 10.17.0 or later and deployed to computers if any other Passcode payload setting is enabled. |
| Allow simple value | Complex Passcode | allowSimple | Select the Require complex passcode checkbox to ensure the passcode cannot contain repeating, ascending, and descending character sequences. If you do not select the checkbox, setting a simple passcode will be allowed on a computer. |
| Require alphanumeric value | Alphanumeric Value | requireAlphanumeric | Select the Require alphanumeric value checkbox if the passcode must contain at least one letter and one number. If you do not select the checkbox, the use of alphabetic characters ("abcd") along with numbers will not be required on a computer. |
| Force password reset on next user authentication (macOS 10.13 or later) | Change at Next Authentication (macOS 10.13 or later) | changeAtNextAuth | When this setting is enabled, the profile forces a password reset the next time the user authenticates. In addition, if the profile containing this payload is modified and re-saved, the setting is enforced the next time the user authenticates. This setting applies to the Jamf Management Account and all local accounts including the administrator on target computers. Authentications may fail until the password is reset. |

For detailed information about each Passcode payload setting, see Apple’s Documentation at https://developer.apple.com/documentation/devicemanagement/passcode.
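The key semantics in the Passcode payload table above (in particular that allowSimple is the inverse of the Complex Passcode setting) can be checked against a profile exported for review. The following Python sketch is an added example, not Jamf's or Apple's code: it assumes an unsigned .mobileconfig, treats an absent key as not enforcing the restriction, and the function names and sample profiles are constructed for illustration.

```python
import plistlib

# Apple's PayloadType for the Passcode payload; the four keys are those in the table.
PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def audit_passcode_payload(profile_bytes):
    """Return findings for each Passcode payload in an unsigned .mobileconfig."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:
        return ["not a readable plist (signed profiles must be unwrapped first)"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_TYPE]
    if not payloads:
        return ["no Passcode payload in profile"]
    findings = []
    for p in payloads:
        ident = p.get("PayloadIdentifier", "<no identifier>")
        # Assumption: an absent key is treated as not enforcing the restriction.
        if p.get("forcePIN") is not True:
            findings.append(f"{ident}: forcePIN not set, passcode not required")
        # allowSimple is the inverse of the "Complex Passcode" setting.
        if p.get("allowSimple", True):
            findings.append(f"{ident}: allowSimple permits simple passcodes")
        if not p.get("requireAlphanumeric", False):
            findings.append(f"{ident}: requireAlphanumeric is off")
        if p.get("changeAtNextAuth", False):
            findings.append(f"{ident}: changeAtNextAuth forces a reset for all "
                            "local accounts each time the profile is re-saved")
    return findings


def make_profile(**passcode_keys):
    """Build a constructed sample profile (not exported from a real server)."""
    payload = {"PayloadType": PASSCODE_TYPE,
               "PayloadIdentifier": "example.passcode", **passcode_keys}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})


WEAK = make_profile(forcePIN=True, allowSimple=True, changeAtNextAuth=True)
STRICT = make_profile(forcePIN=True, allowSimple=False, requireAlphanumeric=True)

if __name__ == "__main__":
    for label, data in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_passcode_payload(data))
```
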

Microsoft Intune Integration Enhancements

The JamfAAD (Azure Active Directory) integrates Jamf Pro with Microsoft Azure to grant conditional access. The following enhancements have been made to the JamfAAD:

  • Configure JamfAAD Check-In—You can now configure how often the JamfAAD checks for a valid Azure AD token when an Azure Active Directory computer is not connected to the network at check-in by using the tokenRetryCount and tokenRetryWaitTime preferences. By default, the tokenRetryCount is set to zero retries and the tokenRetryWaitTime is set to five seconds. For example, you can execute the following commands to configure the JamfAAD to retry three times with 42 seconds between each retry:

    defaults write com.jamf.management.jamfAAD tokenRetryWaitTime -float 42
    defaults write com.jamf.management.jamfAAD tokenRetryCount -int 3

  • JamfAAD Logging—You can use the new logPII preferences key to log additional personally identifiable information from the Azure login process. To enable logging, execute the following command:

    defaults write com.jamf.management.jamfAAD logPII -bool true

    If you enable logging and decide you want to disable it, execute the following command:

    defaults delete com.jamf.management.jamfAAD logPII

For more information on how to troubleshoot Microsoft Intune using the JamfAAD, see the Troubleshooting Microsoft Intune with the JamfAAD Knowledge Base article.

Computer Configuration Profile Enhancements

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

| Setting | Key Included in Payload | OS Requirements | Notes |
| --- | --- | --- | --- |
| Privacy Preferences Policy Control (Enhancements) | | | |
| Documents Folder | SystemPolicyDocumentsFolder | macOS 10.15 or later | You can now allow applications to access files in the user's Documents folder. |

Mobile Device Management Capabilities

User Enrollment Enhancement

Administrators can now use all mobile device management and reporting capabilities allowed on devices enrolled using User Enrollment. Devices enrolled using User Enrollment now count towards your device license count in Jamf Pro. For more information on User Enrollment, see the Building a BYOD Program with User Enrollment and Jamf Pro technical paper.

Additional Reporting Capabilities for Mobile Devices

Jamf Pro now displays the following attributes in a mobile device's inventory information and allows you to create a smart device group or an advanced mobile device search:

| Inventory Attribute | Requirement | Value Returned in Inventory Information | Smart Group/Advanced Search Value |
| --- | --- | --- | --- |
| Managed Apple ID | iOS 13.1 or later, iPadOS 13.1 or later | Displays the user's Managed Apple ID. | |
| Model | N/A | The following values can now be returned for "Model" in a mobile device's inventory information: iPhone 11; iPhone 11 Pro; iPhone 11 Pro Max; iPad (7th generation, Wi-Fi); iPad (7th generation, Wi-Fi + Cellular) | You can now create a smart group or advanced search using the following values for "Model" criteria: iPhone 11; iPhone 11 Pro; iPhone 11 Pro Max; iPad (7th generation, Wi-Fi); iPad (7th generation, Wi-Fi + Cellular) |
| Model Identifier | N/A | The following values can now be returned for "Model Identifier" in a mobile device's inventory information: iPhone12,1; iPhone12,3; iPhone12,5; iPad7,11; iPad7,12 | You can now create a smart group or advanced search using the following values for "Model Identifier" criteria: iPhone12,1; iPhone12,3; iPhone12,5; iPad7,11; iPad7,12 |

Additional Mobile Device Remote Commands

| Remote Command | Requirement | Notes | Available as a Mass Action |
| --- | --- | --- | --- |
| Refresh Cellular Plans. Note: This command was previously available as a single remote command only. | iOS 13 or later | You can now mass send this command to refresh the cellular plan on multiple devices by querying a carrier URL for active eSIM cellular plan profiles. Note: The device and carrier must support eSIM. For more information, see the following article from Apple's support website: https://support.apple.com/HT209096 | ✓ |

Jamf Self Service for iOS Enhancements

Jamf Self Service 10.10.1 includes the following enhancements:

  • Support for Dark Mode—Self Service now supports Dark Mode on devices with iOS 13 or later.

  • Localization Support—Self Service can now be viewed in Spanish.

  • Change to Default Installation Method in Jamf Pro—The default method for installing Self Service has been changed to manual installation. This change only applies to fresh installations of Jamf Pro 10.17.0 or later.

  • Support for Personally Owned Devices—You can install the Self Service app on personally owned devices enrolled using User Enrollment. For instructions, see Installing Jamf Self Service on Mobile Devices in the Jamf Pro Administrator's Guide.

Correction: A previous version of the Jamf Pro Release Notes incorrectly noted that Self Service 10.10.0 was scheduled to be made available in the App Store.
Jamf Self Service for iOS 10.10.1 is the latest version of the Self Service app. It will be available in the App Store when it is approved by Apple.

Advanced User Search Export Functionality for Roster Data

Roster data from Apple School Manager can now be exported from advanced user searches. To export roster data, click on the Display tab in the target advanced user search. Then, click the Export Only pane, select the criteria to be exported, click Save or View or Search, click Export, and follow the on-screen instructions.

“App Version” and “Short Version” Changes

As part of the fix for a known issue (PI-002063), the following changes have been made:

  • A new Short Version criteria has been added for advanced mobile device searches and smart mobile device groups, which references the version number for apps installed on mobile devices.

  • The App Version field of App Store mobile device app records has been renamed to Short Version so as to accurately reflect the data it reports.

Also note that the following functionalities remain unchanged:

  • The App Version field of in-house mobile device apps retains its name and continues to report on the build version of the app.

  • The App Version criteria for advanced mobile device searches and smart mobile device groups retains its name and continues to reference the build number for App Store apps installed on mobile devices.

Jamf Pro API Changes and Enhancements

The Jamf Pro API beta is open for user testing. The base URL for the Jamf Pro API is /uapi. To access the Jamf Pro API documentation, append "/uapi/doc" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/uapi/doc

Note: As the Jamf Pro API continues to be developed, changes will be made in future releases that may impact or break functionality. We strongly encourage you to test existing workflows using the Jamf Pro API before upgrading your production environment.

The following endpoints were added:

  • GET /preview/cloud-ldaps/{id}/history

  • POST /preview/cloud-ldaps/{id}/history

  • GET /preview/inventory-information

  • GET /preview/jamf-pro-information

  • GET /settings/sso/v1/dependencies

  • POST /v1/enrollment-customization/parse-markdown

  • POST /v1/enrollment-customization/{id}/ldap

  • GET /v1/enrollment-customization/{id}/ldap/{panel-id}

  • PUT /v1/enrollment-customization/{id}/ldap/{panel-id}

  • DELETE /v1/enrollment-customization/{id}/ldap/{panel-id}

  • POST /v1/enrollment-customization/{id}/sso

  • GET /v1/enrollment-customization/{id}/sso/{panel-id}

  • PUT /v1/enrollment-customization/{id}/sso/{panel-id}

  • DELETE /v1/enrollment-customization/{id}/sso/{panel-id}

  • GET /v1/enrollment-customization/{id}/text/{panel-id}/markdown

The following endpoints are marked as deprecated:

  • GET /preview/system/info

  • POST /v1/enrollment-customization/{id}/auth

  • GET /v1/enrollment-customization/{id}/auth/{panel-id}

  • PUT /v1/enrollment-customization/{id}/auth/{panel-id}

  • DELETE /v1/enrollment-customization/{id}/auth/{panel-id}

For more information, see the Jamf Pro API documentation and the Jamf Pro Developer Portal.

Other Changes and Enhancements

  • The -startlaunchd and the -kill flags in the Jamf Helper have been removed.

  • The new "Flush MDM Commands" privilege is now required to cancel pending or failed commands on the Management tab of a device record or by using the /commandflush endpoint in the CAPI. Only Jamf Pro users with the Administrator privilege set are automatically granted this privilege, but other Jamf Pro users can be granted this privilege by using the Jamf Pro Server Actions payload in Settings > System Settings > Jamf Pro User Accounts & Groups.

  • You can now use smart user group membership changes as a webhook trigger.

  • The performance of email notifications for smart user group membership changes has been improved.

Further Considerations
