What's New

Retry Policies

You can now configure a policy with the execution frequency of "Once per computer" to automatically re-run if it fails. The failed policy will attempt to reinstall until successful for the number of retries specified in the settings. To enable this feature in Jamf Pro, navigate to Computers > Policies > General category and select the Automatically re-run policy on failure checkbox. In addition, you can also configure the following settings:

  • Retry Event—Configure if Jamf Pro re-runs the policy on the next recurring check-in or on the next selected trigger occurrence.

  • Retry Attempts—Configure how many times Jamf Pro attempts to re-run the policy after it fails.

  • Send notifications for each failed policy retry—Enable email notifications for each failed policy retry. Email notifications are sent to Jamf Pro user accounts with the "Error occurs when policy runs" notification event type enabled.

You can view how many retry attempts the policy has and the status of each attempt on the Jamf Pro Dashboard. You can also view this information in the policy log and computer history (Policy Logs category).

For more information about how to create a policy, see Policy Management in the Jamf Pro Administrator's Guide.

Venafi Integration

Jamf Pro now integrates with Venafi Trust Protection Platform (TPP). A Venafi certificate authority (CA) can be added in Jamf Pro PKI Certificates global management settings. This integration requires setup and configuration of the Jamf PKI Proxy, a command-line application that manages communication between Jamf Pro and Venafi TPP.

After Venafi has been added as a CA and the Jamf PKI has been configured, certificates can be distributed to computers and mobile devices via a configuration profile with the Certificate payload.

For more information about integrating with Venafi using Jamf Pro, see the following:

Cloud Services Connection and Icon Service

You can now enable the Cloud Services Connection to connect your Jamf Pro instance with Jamf-hosted services.

The Icon Service is currently the only available Jamf-hosted service that can be connected to via the Cloud Services Connection. Additional services will be made available in future releases.

When you enable the Cloud Services Connection, your Jamf Pro instance is automatically connected to the Icon Service. After enabling the connection, new icons uploaded to Jamf Pro are stored in the Icon Service rather than in the Jamf Pro database. This removes the work of storing, moving, and displaying icons for items made available in Self Service and helps you save on database storage and memory usage.

The Icon Service uses the following hosted data regions:

  • us-east-1

  • us-west-2

The next planned iteration of the Icon Service will focus on migrating existing icons stored in the Jamf Pro database to the Icon Service. Future iterations of the Icon Service will continue to improve icon management and resolve issues around icon duplication.

To access this feature, navigate to Settings > Global Management > Cloud Services Connection. A Jamf Nation account with a valid Jamf Pro subscription is required to enable the Cloud Services Connection.

Apple Push Notification Service (APNs) HTTP/2 Communication Protocol

Due to the deprecation of the binary Apple Push Notification service (APNs) communication protocol, Jamf Pro will now support the HTTP/2 protocol.

On-Premise Environments

Jamf Pro on-premise customers can decide on which APNs protocol they use until Jamf Pro deprecates the binary protocol or Apple no longer supports it.

To enable the HTTP/2 protocol and test the communication, navigate to Settings > Global Management > Push Certificates > MDM Push Notification Certificate.

Important: Jamf Pro may experience performance issues when the HTTP/2 protocol is enabled in large environments. This will be resolved in an upcoming release.

You can choose a TCP port available to use for communication:

  • TCP port 443 (default)

  • TCP port 2197 to allow APNs traffic through the firewall but to block other HTTPS traffic

Note: You must restart Tomcat for the changes to take effect. For information about how to restart Tomcat, see the Starting and Stopping Tomcat Knowledge Base article.

Cloud-Hosted Environments

The APNs HTTP/2 protocol is disabled by default for environments hosted in Jamf Cloud. To verify that the binary protocol is currently used in your environment, navigate to Settings > Global Management > Push Certificates > MDM Push Notification Certificate. All Jamf Pro cloud-hosted instances will have the HTTP/2 protocol enabled by default in a future release.

Jamf Pro JSS Built-in Certificate Authority (CA) Renewal

You can now renew an expiring or expired Jamf Pro JSS Built-in Certificate Authority (CA) to ensure critical Jamf Pro communications continue to work. For example, enrolling a computer when the CA is expired prevents the computer from being managed.

It is recommended to renew the built-in CA before the expiration date to ensure Jamf Pro communicates with computers and mobile devices:

  1. In Jamf Pro, navigate to Settings > Global Management > PKI Certificates.

  2. Click the number in the Expiring or All column.

  3. Click the subject that includes "Jamf Pro" or "JSS", and "Built-in Certificate Authority".

  4. Click Renew and confirm the renewal.

  5. (Optional) Verify the new expiration date.

  6. Refresh the page. The renewal status is displayed in Jamf Pro Notifications. Additionally, an email with the renewal process status is sent if email notifications are configured for your account.

When the built-in CA is renewed, its expiration date is extended by 10 years. All signing certificates issued by the built-in CA are automatically renewed.

Important: If the built-in CA renewal fails, do not trigger the process again. If the expiration date is not extended or you notice issues with the renewed CA, e.g., Jamf Pro cannot communicate with managed computers or mobile devices, contact Jamf Support.


  • Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a CSR that was signed by the CA. These certificates may need to be re-issued.
    The affected integrations may include:

    • HTTPS file share distribution point configuration

    • Signing custom configuration profiles

    • SCCM (System Center Configuration Manager) plug-in

  • When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing EDU profiles to be redistributed. This may increase network traffic.

"Renew MDM Profile" Remote Command

You can use the new Renew MDM Profile remote command to manually renew the MDM profiles for the computers or mobile devices in your fleet. Renewing the MDM profile also renews the device identity certificate. Previously, the only way to manually renew the MDM profile was to re-enroll the computer or mobile device. You can also issue the Renew MDM Profile command as a mass action to a group of computers or mobile devices.

The MDM profile can only be renewed on a computer or mobile device when the URL of the Jamf Pro server matches the URL of the Jamf Pro server when the computer or mobile device was initially enrolled.

In addition, the following new fields have been added to assist you with determining the status of the MDM profile for computers or mobile devices:

  • MDM Profile Expiration Date—This new field displays in the General category of inventory information for computers and mobile devices . It displays the expiration date of the device identity certificate in the MDM profile. You can also add this field as a search criteria when creating computer or mobile device smart groups or advanced searches.

  • MDM Profile Renewal Needed—This is a new search criteria that you can use when creating computer or mobile device smart groups. The field options are "Yes" and "No". The field option will be marked "Yes" after the built-in CA has been renewed for devices using the built-in CA.

Automatic Renewal of MDM Profiles

The MDM profile for computers and mobile devices will now be automatically renewed after the built-in certificate authority (CA) is renewed. When the built-in CA is renewed, the status of the MDM Profile Renewal Needed search criteria will change to “Yes”. The next time computers and mobile devices check in to Jamf Pro, the MDM profile will be renewed, and the MDM Profile Expiration Date field value will show the new expiration date. The device identity certificates for the computers or mobile devices with renewed MDM profiles will expire in two years instead of five years.

To monitor which MDM profiles are renewed, you can create a smart computer or mobile device group and set the MDM Profile Renewal Needed search criteria value to "Yes".

Improved Performance for Device Enrollment

Jamf Pro now includes the following device enrollment enhancements:

  • Newly enrolled computers now use “00000000-0000-0000-A000-4A414D460003” for their MDM profile identifier. This does not affect currently enrolled devices, unless those devices are re-enrolled.

  • The SCEP payload Subject field is now identical on both computers and mobile devices. This does not affect currently enrolled devices.

  • CA certificate installation is now skipped by default for user-initiated enrollment. This does not affect existing Jamf Pro instances.

  • Jamf Pro user accounts or groups that have a Custom privilege set that includes the "Jamf Pro Server Objects" > "Computers" > "Update" privilege now also have the "Jamf Pro Server Actions" > "Assign Users to Computers" privilege granted automatically. You can remove the privilege at any time. If removed, Jamf Pro users are no longer be able to assign users to computers during user-initiated enrollment.

Additional Reporting Capabilities for Mobile Devices

The attributes below are now displayed in a mobile device's inventory information in Jamf Pro, organized by category of information:

Inventory Attribute


Value Returned in Inventory Information

Smart Group/Advanced Search Criteria

General category (Enhancements)

Number of Users

Collected for mobile devices with iOS 13.4 or later that have been enabled as Shared iPad

Number of users that have been allocated to the iPad

Number of Users

Storage Quota Size

Amount of storage capacity in MB allocated for each user

Storage Quota Size

Additional Remote Commands for Mobile Devices

The following remote commands for mobile devices have been added to Jamf Pro:

Remote Command



Available as a Mass Action

Set Storage Quota Size

iPadOS 13.4 or later

Shared iPad only

All users must be logged out and removed from the device before this command can be sent.

You can now set the storage quota size (MB) for each user. This sets the amount of storage that is allocated for each user.


Additional Functionality for Shared iPad

You can now specify the maximum amount of storage (MB) allocated for each user on devices with iPadOS 13.4 or later when configuring a Mobile Device PreStage enrollment. This overrides the maximum number of users. If the scope of the PreStage contains devices with iPadOS 13.3 or earlier, the device defaults to the maximum number of users.

Configuration Profiles Redesign Project

The following enhancements have been introduced:

  • The "Send" label for switches has been renamed to "Include". Jamf Pro continues to deploy only specifically included optional settings to computers and mobile devices in scope.

  • The Server-side logging of Siri commands setting in the mobile devices Restrictions payload has been marked as deprecated. Jamf Pro continues to deploy this key to mobile devices in scope if the setting is included in the configuration.

Jamf Pro Interface Restyling

Based on user feedback, some buttons in the Jamf Pro interface have been restyled. Labels for these buttons are now permanently visible underneath the icons, and overall size has been increased to improve ease of use. In addition, you can now hover over the button to see its keyboard shortcut.


Changes to the Jamf Pro Interface for Cloud-Hosted Environments

For cloud-hosted environments, the following settings are managed by Jamf Cloud and have been removed from the Settings page:

  • Clustering

  • Limited Access

  • Apache Tomcat Settings

  • Jamf Pro URL

  • Memory Usage

The functionality of these settings remains the same. This change does not affect on-premise environments.

Terminology Changes

  • "iTunes" has been updated to "App Store".

  • "Whitelist" has been updated to "safelist".

  • "Blacklist" has been updated to "blocklist".

  • "Master distribution point" has been updated to "principal distribution point".

  • "Child node" has been updated to "secondary node".

Jamf Pro API Changes and Enhancements

The Jamf Pro API beta is open for user testing. The base URL for the Jamf Pro API is /api. You can now access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

Note: As the Jamf Pro API continues to be developed, changes will be made in future releases that may impact or break functionality. We strongly encourage that you test existing workflows using the Jamf Pro API before upgrading your production environment.

The following endpoints were added:

  • GET /preview/computers-inventory/{id}

  • GET /v1/locales

  • POST /v1/pki/venafi

  • GET /v1/pki/venafi/{id}

  • PATCH /v1/pki/venafi/{id}

  • GET /v1/pki/venafi/{id}/connection-status

  • GET /v1/pki/venafi/{id}/jamf-public-key

  • POST /v1/pki/venafi/{id}/jamf-public-key/regenerate

  • GET /v1/pki/venafi/{id}/proxy-trust-store

  • POST /v1/pki/venafi/{id}/proxy-trust-store

  • DELETE /v1/pki/venafi/{id}/proxy-trust-store

  • GET /v2/inventory-preload/csv-template

  • POST /v2/inventory-preload/csv-validate

  • GET /v2/inventory-preload/history

  • POST /v2/inventory-preload/history

  • GET /v2/inventory-preload/records

  • POST /v2/inventory-preload/records

  • POST /v2/inventory-preload/records/delete-all

  • GET /v2/inventory-preload/records/{id}

  • PUT /v2/inventory-preload/records/{id}

  • DELETE /v2/inventory-preload/records/{id}

  • GET /v2/mobile-device-prestages

  • POST /v2/mobile-device-prestages

  • GET /v2/mobile-device-prestages/scope

  • GET /v2/mobile-device-prestages/syncs

  • GET /v2/mobile-device-prestages/{id}

  • PUT /v2/mobile-device-prestages/{id}

  • DELETE /v2/mobile-device-prestages/{id}

  • GET /v2/mobile-device-prestages/{id}/attachments

  • POST /v2/mobile-device-prestages/{id}/attachments

  • POST /v2/mobile-device-prestages/{id}/attachments/delete-multiple

  • GET /v2/mobile-device-prestages/{id}/history

  • POST /v2/mobile-device-prestages/{id}/history

  • GET /v2/mobile-device-prestages/{id}/scope

  • PUT /v2/mobile-device-prestages/{id}/scope

  • POST /v2/mobile-device-prestages/{id}/scope

  • POST /v2/mobile-device-prestages/{id}/scope/delete-multiple

  • GET /v2/mobile-device-prestages/{id}/syncs

  • GET /v2/mobile-device-prestages/{id}/syncs/latest

  • GET /v2/mobile-devices

  • GET /v2/mobile-devices/{id}

  • PATCH /v2/mobile-devices/{id}

  • GET /v2/mobile-devices/{id}/detail

  • GET /v2/inventory-preload/csv

The following endpoints were deprecated:

  • GET /v1/inventory-preload

  • DELETE /v1/inventory-preload

  • GET /v1/inventory-preload/csv-template

  • GET /v1/inventory-preload/history

  • POST /v1/inventory-preload/history

  • POST /v1/inventory-preload/validate-csv

  • GET /v1/inventory-preload/{id}

  • PUT /v1/inventory-preload/{id}

  • DELETE /v1/inventory-preload/{id}

  • GET /v1/mobile-device-prestages

  • POST /v1/mobile-device-prestages

  • GET /v1/mobile-device-prestages/scope

  • GET /v1/mobile-device-prestages/sync

  • GET /v1/mobile-device-prestages/sync/{id}

  • GET /v1/mobile-device-prestages/sync/{id}/latest

  • GET /v1/mobile-device-prestages/{id}

  • PUT /v1/mobile-device-prestages/{id}

  • DELETE /v1/mobile-device-prestages/{id}

  • GET /v1/mobile-device-prestages/{id}/attachments

  • POST /v1/mobile-device-prestages/{id}/attachments

  • DELETE /v1/mobile-device-prestages/{id}/attachments

  • GET /v1/mobile-device-prestages/{id}/history

  • POST /v1/mobile-device-prestages/{id}/history

  • GET /v1/mobile-device-prestages/{id}/scope

  • PUT /v1/mobile-device-prestages/{id}/scope

  • POST /v1/mobile-device-prestages/{id}/scope

  • DELETE /v1/mobile-device-prestages/{id}/scope

  • GET /v1/mobile-devices

  • GET /v1/mobile-devices/{id}

  • PATCH /v1/mobile-devices/{id}

  • GET /v1/mobile-devices/{id}/detail

  • POST /v1/search-mobile-devices

The following endpoint was removed:

POST /v2/inventory-preload

The following endpoints were updated to provide a more consistent user experience and may not work with existing scripts:

  • POST /inventory-preload

  • POST /inventory-preload/validate-csv

  • GET /v1/inventory-preload

  • POST /v1/inventory-preload

  • DELETE /v1/inventory-preload

  • GET /v1/inventory-preload/csv-template

  • GET /v1/inventory-preload/history

  • POST /v1/inventory-preload/history

  • POST /v1/inventory-preload/validate-csv

  • GET /v1/inventory-preload/{id}

  • PUT /v1/inventory-preload/{id}

  • DELETE /v1/inventory-preload/{id}

  • GET /v1/mobile-device-enrollment-profile/{id}/download-profile

  • GET /v1/mobile-device-prestages

  • POST /v1/mobile-device-prestages

  • GET /v1/mobile-device-prestages/scope

  • GET /v1/mobile-device-prestages/sync

  • GET /v1/mobile-device-prestages/sync/{id}

  • GET /v1/mobile-device-prestages/sync/{id}/latest

  • GET /v1/mobile-device-prestages/{id}

  • PUT /v1/mobile-device-prestages/{id}

  • DELETE /v1/mobile-device-prestages/{id}

  • GET /v1/mobile-device-prestages/{id}/attachments

  • POST /v1/mobile-device-prestages/{id}/attachments

  • DELETE /v1/mobile-device-prestages/{id}/attachments

  • GET /v1/mobile-device-prestages/{id}/history

  • POST /v1/mobile-device-prestages/{id}/history

  • GET /v1/mobile-device-prestages/{id}/scope

  • PUT /v1/mobile-device-prestages/{id}/scope

  • POST /v1/mobile-device-prestages/{id}/scope

  • DELETE /v1/mobile-device-prestages/{id}/scope

  • GET /v1/mobile-devices

  • GET /v1/mobile-devices/{id}

  • PATCH /v1/mobile-devices/{id}

  • GET /v1/mobile-devices/{id}/detail

  • POST /v1/search-mobile-devices

  • GET /v1/sso

  • PUT /v1/sso

  • GET /v1/sso/cert

  • PUT /v1/sso/cert

  • POST /v1/sso/cert

  • POST /v1/sso/cert/parse

  • GET /v1/sso/history

  • POST /v1/sso/history

  • POST /v2/inventory-preload/csv

For more information on these changes, see the Jamf Pro API documentation.

Other Changes and Enhancements

  • Users are now prompted to allow Composer full disk access only if it has not already been granted. This check occurs each time Composer is launched.

  • The Jamf Pro version number is no longer displayed in the webpage title before authentication when viewing Jamf Pro with a browser.

  • The Jamf Pro version number is no longer accessible through the API without authentication.

  • Smart group performance has been improved for environments with smart groups of more than approximately 1,000 computers, mobile devices, or users.

  • Jamf Pro now has improved messaging when an Apple School Manager sync fails.

  • When configuring the management account password settings in a policy or the User-initiated Enrollment settings, it is recommended that you choose the "Randomly generate passwords" option for maximum security. By default, all new policies and newly configured User-initiated Enrollment settings will have the "Randomly generate passwords" setting configured for the management account. Administrators will be alerted when a policy or the User-initiated Enrollment settings have the "Specify password" setting configured for the management account.

Further Considerations

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.