What's New

Updated 15 October 2020

The following updates have been made since the original publishing of these release notes:

  • Added a note to the Provider Bundle Identifier computer configuration profile setting

  • Clarified the enhancement description for the new JamfAAD prompts in the "Other Changes and Enhancements" section

Updated 28 September 2020

The “Computer Configuration Profiles” section has been updated since the original publishing of these release notes to clarify the requirements for the following settings in the VPN payload:

  • DNS Server Address

  • Domain Name

  • DNS Search Domains

  • DNS Supplemental Domains

  • Include supplemental domains in the resolver's list of search domains

Compatibility with iOS, iPadOS, and tvOS

Jamf Pro 10.24.1 provides compatibility for the following:

  • iOS 14

  • iPadOS 14

  • tvOS 14

This includes compatibility for the following management workflows:

  • Enrollment and inventory reporting

  • Configuration profiles

  • App distribution

  • Self Service installation

  • Self Service launches and connections

  • App distribution via Self Service

Compatibility and new feature support are based on testing with the latest Apple beta releases.

PreStage Enrollment Enhancements

Account Settings Enhancement for Computers

You can now enable MDM for the local administrator account when enrolling a computer using a PreStage enrollment. To enable MDM for the local administrator account, navigate to Computers > PreStage Enrollments > Account Settings and select the Make the local administrator account MDM-enabled checkbox. This setting prevents the local user created during Setup Assistant from being MDM-enabled and installing user-level configuration profiles.

For more information about how to create a Computer PreStage enrollment, see Computer PreStage Enrollments in the Jamf Pro Administrator's Guide.

Additional Skip Steps

You can now select the following skip steps for Computer and Mobile Device PreStage enrollments:

  • Accessibility (macOS)

  • Software Update Completed (iOS)

  • Restore Completed (iOS)

Computer Configuration Profiles

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Setting

Key Included in Payload

Requirement

Notes

Calendar (Enhancements)

VPN Connection

VPNUUID

macOS 10.7 or later

You can now configure the VPN connection for the Calendar app.

Contacts (Enhancements)

VPN Connection

VPNUUID

macOS 10.7 or later

You can now configure the VPN connection for the Contacts app.

LDAP (Enhancements)

VPN Connection

VPNUUID

macOS 10.7 or later

You can now configure the VPN connection for LDAP.

Single Sign-On Extensions (Enhancements)

The Single Sign-On Extensions payload is now available for user-level configuration profiles.

All configured settings and associated keys are included in the payload when the profile is distributed to computers. For more information about the keys included in the payload, see "Computer Management Capabilities" in Jamf Pro 10.15.0 Release Notes.

VPN (Enhancements)

Safelisted Domains

AssociatedDomains

macOS 10.9 or later

List of domains that can use the Per-App VPN connection.

Blocklisted Domains

ExcludedDomains

List of domains that cannot use the Per-App VPN connection.

Idle Timer

DisconnectOnIdleTimer

macOS 10.7 or later

You can now configure the length of time to wait before disconnecting a VPN connection.

DisconnectOnIdle

When the Idle Timer setting is configured to "Do not disconnect", DisconnectOnIdle prevents computers from disconnecting from the VPN connection when idle. By default, "Never" is configured for the Idle Timer setting.

Provider Bundle Identifier

ProviderBundleIdentifier

The bundle identifier when "Custom SSL" is selected for the VPN provider.

Note: This field must be configured on all pre-existing and new configuration profiles with "Custom SSL" selected as the VPN provider.

DNS Server Address

ServerAddresses

  • macOS 10.7 or later

  • User level profile

  • IKEv2 selected for the Connection Type

List of DNS server IPv4 and IPv6 addresses.

Domain Name

DomainName

You can now specify the primary domain name of the tunnel.

DNS Search Domains

SearchDomains

List of domain strings used to fully qualify single-label host names.

DNS Supplemental Domains

SupplementalMatchDomains

List of domain strings used to determine which DNS queries will use the DNS resolver settings in the DNS server addresses list.

Include supplemental domains in the resolver's list of search domains

SupplementalMatchDomainsNoSearch

Appends the domains in the DNS Supplemental Domains field to the resolver's list of search domains.

Mobile Device Configuration Profiles

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Setting

Key Included in Payload

Requirement

Notes

Calendar (Enhancements)

VPN Connection

VPNUUID

iOS 4 or later

You can now configure the VPN connection for the Calendar app.

Contacts (Enhancements)

VPN Connection

VPNUUID

iOS 4 or later

You can now configure the VPN connection for the Contacts app.

DNS Settings (New Payload)

You can now configure encrypted DNS settings.

DNS protocol

DNSProtocol

iOS 14 or later

The encrypted transport protocol used to communicate with the DNS server.

Server Name

ServerName

The hostname of a DNS-over-TLS server used to validate the server certificate. If no server addresses are provided, the hostname is used to determine the server addresses.

Server URL

ServerURL

The URI template of a DNS-over-HTTPS server. This URL must use the "https://" scheme, and the hostname or address in the URL will be used to validate the server certificate. If no server addresses are provided, the hostname or address in the URL is used to determine the server addresses.

Server addresses

ServerAddresses

DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.

DNS query domains

SupplementalMatchDomains

A list of domain strings used to determine which DNS queries will use the DNS server. If not provided, all domains will use the DNS server.
A single wildcard * prefix is supported. For example, both *.example.com and example.com match against mydomain.example.com and your.domain.example.com, but do not match against mydomain-example.com.

Disabling DNS settings by the user

ProhibitDisablement

If restricted, prohibits users from disabling DNS settings. Supervised only.

On-demand rules

OnDemandRules

An array of rules defining the DNS settings. These rules are identical to the On Demand Rules configuration in the VPN payload.

Exchange ActiveSync (Enhancements)

VPN Connection

VPNUUID

iOS 14 or later

You can now configure the VPN connection for Exchange ActiveSync.

Override Current Password

OverridePreviousPassword

iOS 14 or later

You can now override the user's current password with the password entered in the payload.

Google Account (Enhancements)

VPN Connection

VPNUUID

iOS 9.3 or later

You can now configure the VPN connection for the Google Account app.

LDAP (Enhancements)

VPN Connection

VPNUUID

iOS 4 or later

You can now configure the VPN connection for LDAP.

Mail (Enhancements)

VPN Connection

VPNUUID

iOS 14 or later

You can now configure the VPN connection for the Mail app.

Notifications (Enhancements)

Show Preview

PreviewType

iOS 14 or later

You can now configure the display of notification previews. Administrators can choose "Always", "When Unlocked", or "Never".

Restrictions—Functionality tab (Enhancements)

App clips

allowAppClips

iOS 14 or later

Jamf Pro now allows you to hide app clips from a user. This prevents the user from adding app clips to their device and removes existing app clips from the device.

SCEP (Enhancements)

Key Size (Enhancement)

 

iOS 14 or later

Jamf Pro now provides "4096" as an option for the key size in bits when configuring the SCEP payload.

Skip Setup Items (New Payload)

You can now configure items to skip during the device setup. Settings for this payload are grouped under the SkipSetupItems key in the configuration profile deployed to devices.

Skip Android

Android

iOS 10.14 or later

If the Restore pane is not skipped, removes the Move from Android option in the Restore pane.

Skip appearance

Appearance

Skips the Choose Your Look screen.

Skip Apple ID

AppleID

Skips Apple ID setup.

Skip biometric setup

Biometric

Skips biometric setup.

Skip device to device migration

DeviceToDeviceMigration

Skips Device to Device Migration pane.

Skip diagnostics

Diagnostics

Skips the App Analytics pane.

Skip Display Tone

DisplayTone

Skips the Display Tone setup.

Skip Home button sensitivity

HomeButtonSensitivity

Skips the Meet the New Home Button screen on iPhone 7, iPhone 7 Plus, iPhone 8, iPhone 8 Plus and iPhone SE.

Skip iMessage and FaceTime

iMessageAndFaceTime

Skips the iMessage and FaceTime screen.

Skip Location Services

Location

Disables Location Services.

Skip messaging activation using phone number

MessagingActivationUsingPhoneNumber

Skips the iMessage pane.

Skip on-boarding screens

OnBoarding

Skips on-boarding informational screens for user education (e.g., Go Home and Cover Sheet).

Skip Passcode

Passcode

Hides and disables the passcode pane.

Skip payment

Payment

Skips Apple Pay setup.

Skip Privacy

Privacy

Skips the privacy pane.

Skip Restore

Restore

Disables restoring from backup.

Skip Restore Completed

RestoreCompleted

Skips the Restore Completed pane.

Skip Screen Time

ScreenTime

Skips the Screen Time pane.

Skip SIM Setup

SIMSetup

Skips the add cellular plan pane.

Skip Siri

Siri

Disables Siri.

Skip software update

SoftwareUpdate

Skips the mandatory software update screen.

Skip TOS

TOS

Skips Terms and Conditions.

Skip Software Update Completed

UpdateCompleted

Skips the Software Update Complete pane.

Skip Watch migration

WatchMigration

Skips the screen for watch migration.

Skip Get Started

Welcome

Skips the Get Started pane.

Skip zoom

Zoom

Skips zoom setup.

Subscribed Calendars (Enhancements)

VPN Connection

VPNUUID

iOS 4 or later

You can now configure the VPN connection for calendar subscriptions.

VPN (Enhancements)

Safelisted Domains

AssociatedDomains

iOS 7 or later

List of domains that can use the Per-App VPN connection.

Blocklisted Domains

ExcludedDomains

List of domains that cannot use the Per-App VPN connection.

Prohibit users from disabling on-demand VPN settings

OnDemandUserOverrideDisabled

iOS 4 or later

You can now prevent users from disabling DNS settings on their mobile devices.

MTU

MTU

You can now specify the maximum transmission units (MTU) for the IKEv2 VPN connection.

DNS Server Address

ServerAddresses

List of DNS server IPv4 and IPv6 addresses.

Domain Name

DomainName

The primary domain name of the tunnel.

DNS Search Domains

SearchDomains

List of the domain strings used to fully qualify single-label host names.

DNS Supplemental Domains

SupplementalMatchDomains

List of the domain strings used to determine which DNS queries will use the DNS resolver settings in the DNS server addresses list.

Include supplemental domains in the resolver's list of search domains

SupplementalMatchDomainsNoSearch

Appends the domains in the DNS Supplemental Domains field to the resolver's list of search domains.

Wi-Fi (Enhancements)

Disable MAC Address Randomization

DisableAssociationMACRandomization

iOS 14 or later

You can now disable MAC Address randomization for wireless networks. When this setting is enabled, a privacy warning is displayed in the device's settings indicating that the configured network has reduced privacy protections.
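The DNS Settings rules in the table above (an "https://" ServerURL, IP-only ServerAddresses, a single leading * in SupplementalMatchDomains) can be checked before a profile is scoped to devices. The following is an added example, not Jamf or Apple code: the key names come from the table, while the "HTTPS" and "TLS" values for DNSProtocol, the function names, and the sample settings are assumptions of this sketch.

```python
import ipaddress
from urllib.parse import urlsplit


def base_domain(pattern):
    """Strip the optional '*.' prefix; return None if the pattern is invalid."""
    base = pattern[2:] if pattern.startswith("*.") else pattern
    base = base.rstrip(".").lower()
    return None if (not base or "*" in base) else base


def lint_dns_settings(settings):
    """Return a list of problems found in a DNS settings dictionary."""
    problems = []
    protocol = settings.get("DNSProtocol")
    if protocol == "HTTPS":
        # Page: ServerURL must use the https:// scheme.
        parts = urlsplit(settings.get("ServerURL", ""))
        if parts.scheme != "https" or not parts.hostname:
            problems.append("ServerURL must be an https:// URL with a host")
    elif protocol == "TLS":
        # Page: ServerName is what the server certificate is validated against.
        if not settings.get("ServerName"):
            problems.append("ServerName is missing for DNS-over-TLS")
    else:
        problems.append(f"unexpected DNSProtocol: {protocol!r}")
    for addr in settings.get("ServerAddresses", []):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"ServerAddresses entry is not an IP address: {addr!r}")
    for pattern in settings.get("SupplementalMatchDomains", []):
        if base_domain(pattern) is None:
            problems.append(f"only one leading '*.' is supported: {pattern!r}")
    return problems


def uses_configured_dns(hostname, match_domains):
    """True if a query for hostname would go to the configured DNS server."""
    if not match_domains:
        return True  # Page: if not provided, all domains use the DNS server.
    host = hostname.rstrip(".").lower()
    for pattern in match_domains:
        base = base_domain(pattern)
        # Assumption: the bare domain itself also counts as a match.
        if base and (host == base or host.endswith("." + base)):
            return True
    return False


# Constructed sample settings (not taken from a real profile).
SAMPLE = {
    "DNSProtocol": "HTTPS",
    "ServerURL": "http://doh.example.net/dns-query",       # wrong scheme
    "ServerAddresses": ["192.0.2.53", "dns.example.net"],  # hostname, not IP
    "SupplementalMatchDomains": ["*.example.com", "*.corp.*.example"],
}

if __name__ == "__main__":
    for problem in lint_dns_settings(SAMPLE):
        print("PROBLEM:", problem)
    for name in ("mydomain.example.com", "mydomain-example.com"):
        print(name, uses_configured_dns(name, ["*.example.com"]))
```

Queries for which `uses_configured_dns` returns False fall outside the configured server, so they are the ones to review when the intent is to cover an entire internal namespace.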

User-Level Configuration Profiles for iPads Enabled as Shared iPad

You can now apply mobile device configuration profiles at the user level for iPads enrolled with Jamf Pro with Shared iPad enabled. This feature enhances Shared iPad workflows in your environment by enabling you to distribute configuration profiles directly to a user who logs in to the iPad. For example, you can create a configuration profile with a Web Clip payload that enables users to access a specific webpage. When each user logs in to the iPad, the profile is installed on the device for that user, allowing the user to access the webpage directly from their Home Screen.

iPads must be enrolled with Jamf Pro and have Shared iPad enabled. You can use a Mobile Device PreStage enrollment to enable Shared iPad during enrollment. For more information, see Mobile Device PreStage Enrollments in the Jamf Pro Administrator's Guide.

To create a user-level configuration profile, specify "User Level" when creating the profile in Jamf Pro. The payloads are dynamically displayed and available for configuring based on the level. You can access the profile level in the General payload of the profile.

Note: The following payloads are available to apply at the user level at this time:

  • Single Sign-On Extensions

  • Web Clip

After the profile is installed on the iPad, you can view the Managed Apple ID for each user that the profile was installed for. This information is available in the Profile category in the mobile device inventory information.

Keep the following in mind when creating and distributing a user-level mobile device configuration profile:

  • Scope Configuration—To configure the scope of the profile, ensure you add iPads to the scope that have Shared iPad enabled. This allows the profile to be installed on the device for each potential user of that device. When each user logs in, the profile is then installed on the device.

    Note: If a user is logged in to an iPad prior to a profile being saved in Jamf Pro, the user must log out and log back in to the iPad for the profile to be installed on the device.

  • Profile Distribution—To apply profiles at the user level, profiles must be distributed using the “Install Automatically” method. User-level profiles made available in Self Service do not install on devices.

  • Profile Removal—You can remove the profile from the iPad for each user by removing the device from the scope of the profile or deleting the profile from Jamf Pro. Each user must log in to the iPad for the profile to be removed for that user. Deleting the profile from Jamf Pro queues the RemoveProfile command. This command displays as pending in the device's inventory information until the user logs in to the device.

  • ProfileList Command—The ProfileList command is displayed in Management History and can display more than once to represent the following:

    • The EDU Profile for iPads that are part of Classroom workflows

    • The standard configuration profile workflows

Additional Remote Commands for Mobile Devices

The following remote commands for mobile devices have been added to Jamf Pro:

Remote Command

Requirement

Notes

Available as Mass Action

Remove restrictions set by Jamf Teacher

  • iOS 10.11 or later

  • Supervised

Allows you to remove restrictions set by Jamf Teacher on students' school-issued devices. This option is only displayed if Jamf Teacher is enabled in the Jamf Teacher settings. To remove Jamf Teacher restrictions on student devices, you need a Jamf Pro user account with the "Remove restrictions set by Jamf Teacher" privilege.

Yes

Set Time Zone

  • iOS 14 or later

  • tvOS 14 or later

You can now set the time zone on a device even if Location Services are turned off.

Yes

Additional Reporting Capabilities for Mobile Devices

  • Jamf Pro now displays Time Zone in the mobile device's inventory information for devices with iOS 14 or later, or tvOS 14 or later.

  • Jamf Pro now displays the status of each user account in addition to the Managed Apple ID of each user for Shared iPad in the device’s inventory information. The status can be reported as the following:

    • Logged In

    • Logged Out

    • Logged Out with a sync pending

Allow Users to Remove Managed Apps

You can now prevent or allow a user to remove a managed app from their mobile device, giving you more control over the managed apps in your environment. If a user removes the app from their device, the app is still accessible in the App Catalog in Jamf Pro. This feature applies to App Store apps and in-house apps installed on mobile devices with iOS 14 or later.

To access this feature, navigate to a managed mobile device app and select Allow users to remove app.

Integration with the Jamf Teacher App

Jamf Teacher is a free mobile device app that allows teachers to have limited management of school-issued student devices. After integrating with Jamf Pro, teachers can do the following with Jamf Teacher:

  • Manage classes by locking students into specific apps and websites

  • Create and start lessons by allowing students to only access apps and websites for the lesson

Administrators can limit the management capabilities of Jamf Teacher by doing the following:

  • Configure how long Jamf Teacher restrictions can be set on student devices

  • Configure the time at which restrictions applied by Jamf Teacher end

  • Remove restrictions set by Jamf Teacher using a mass action or remote command

For additional information on integrating Jamf Teacher with Jamf Pro, see Integrating Jamf Teacher with Jamf Pro in the Jamf Pro Administrator's Guide.

Introducing Jamf Reset

Jamf Reset can now use the OAuth authentication protocol with the Jamf Pro server. This integration occurs automatically when Jamf Reset 2.0.0 is added to Jamf Pro 10.23.0 or later.

Switching to OAuth authentication—If an earlier version of Jamf Reset was used in your organization, you must also update Jamf Reset's managed app configuration before distributing the app update to mobile devices. If a dedicated Jamf Pro user account was previously used to make API calls for Jamf Reset, this account can be deleted after you have switched to OAuth authentication.

Continuing to use basic authentication—To allow administrators time to transition to OAuth authentication, Jamf Reset 2.0.0 will continue to use basic authentication by default. If you have deployed an earlier version of Jamf Reset, you can upgrade to Jamf Reset 2.0.0 and continue to use your current managed app configuration and dedicated Jamf Pro user account for Jamf Reset API calls.

Important: A future release of Jamf Reset will discontinue basic authentication compatibility. Upgrading to Jamf Pro 10.23.0 or later and switching to OAuth authentication before basic authentication is discontinued is recommended.

Jamf Reset 2.0.0 will be available in the App Store when it is approved by Apple.

Apple Push Notification Service (APNs) HTTP/2 Communication Protocol

The HTTP/2 protocol for default communication with the Apple Push Notification service will be gradually enabled on all Jamf Pro cloud-hosted instances automatically. To verify the protocol that is currently used in your environment, in Jamf Pro navigate to Settings > Global Management > Push Certificates > MDM Push Notification Certificate.

For related information, see the following documentation from Apple:

Push Certificate Enhancements

You can now store the Apple ID used to generate the push certificate in the Apple Push Certificates Portal. This allows you to keep track of this Apple ID and have it available when the certificate renewal is required. To use this feature, navigate to Settings > Global Management > Push Certificate.

Support for UPN Added to Venafi Certificate Payloads

A field for User Principal Names (UPN) has been added to Certificate payloads for Venafi integrations. This feature requires Jamf PKI Proxy 1.1.0 or later.

Self Service for macOS Improvements

The following changes have been made to the Self Service user interface to increase usability:

  • The Activity tab has been renamed to History and no longer displays available software updates. The History tab now only displays a list of items that have previously been installed via Self Service.

  • Item-specific notifications, patch policies, and other software updates now display on the Notifications tab in the Self Service toolbar.

Limitations for QuickAdd Package Enrollment

Enrolling computers with Jamf Pro using a QuickAdd package will be limited in an upcoming release. This enrollment method is not recommended due to upcoming security changes in macOS.

It is recommended to use an MDM-first enrollment workflow. This includes Automated Device Enrollment or user-initiated enrollment. In these workflows, an MDM profile is installed first, and later Jamf Pro automatically installs the Jamf Management Framework using an MDM command.

Jamf Pro API Changes and Enhancements

The Jamf Pro API beta is open for user testing. The base URL for the Jamf Pro API is /api. You can now access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

Note: As the Jamf Pro API continues to be developed, changes will be made in future releases that may impact or break functionality. We strongly encourage you to test existing workflows using the Jamf Pro API before upgrading your production environment.

The following endpoints were added:

  • GET /v1/teacher-app

  • PUT /v1/teacher-app

The following changes were made:

  • The following fields were added to the DeviceEnrollmentPrestageV2 model used in the /v2/computer-prestages and /v2/mobile-device-prestages endpoints:

    • autoAdvanceSetup (required)

    • language

    • region

  • The timeZone field is now included in the response of GET /v2/mobile-devices/{id}/detail.

  • The following error codes have been updated:

    • CHILD_NODE_STARTUP_ERROR was renamed to SECONDARY_NODE_STARTUP_ERROR

    • MASTER_NODE_NOT_SET_ERROR was renamed to PRIMARY_NODE_NOT_SET_ERROR

For more information on these changes, see the Jamf Pro API documentation.

Other Changes and Enhancements

  • Upgraded the Microsoft authentication library for JamfAAD communication and added JamfAAD prompts to help users log in with Microsoft Intune using the new authentication process for computers with macOS 10.15 or later.

  • Jamf Pro now supports the distribution of apps that developers offer as a Universal Purchase. This allows you to distribute the app across all supported platforms.

Further Considerations

