What's New

Microsoft Endpoint Manager Integration for Mobile Devices

Microsoft Endpoint Manager (via Device Compliance) allows you to ensure that only trusted users from compliant iOS or iPadOS devices, using approved applications, are accessing company resources. You can now integrate Jamf Pro with Microsoft Endpoint Manager and Azure Active Directory to do the following:

  • Send the compliance status of mobile devices from Jamf Pro to Azure AD.

  • Enforce Conditional Access policies defined in Azure AD on mobile devices managed by Jamf Pro.

  • Feature items for users in the Device Compliance category in Jamf Self Service for iOS.

This integration uses the Cloud Connector, which allows you to connect multiple Jamf Pro instances to a single Azure AD tenant.

For step-by-step instructions on how to integrate with Microsoft Endpoint Manager, see the Integrating with Microsoft Endpoint Manager to Enforce Compliance on Mobile Devices Managed by Jamf Pro technical paper.

Requirements

To configure the Microsoft Endpoint Manager integration for mobile devices, you need:

  • A Jamf Pro instance hosted in Jamf Cloud

  • A Jamf Pro user account with Conditional Access privileges

  • Microsoft Enterprise Mobility + Security (specifically Microsoft AAD Premium and Microsoft Intune)

Devices you want to monitor for compliance must have the following:

  • iOS 11 or later, or iPadOS 13 or later

  • The Microsoft Authenticator app installed. Microsoft Authenticator is available from the App Store.

  • Jamf Self Service for iOS 10.10.3 or later

    Note: Jamf Self Service for iOS 10.10.3 will be available from the App Store once it is approved by Apple.

Automatically Update Apps Made Available in Self Service

You can now automatically update all apps that were installed via Self Service for computers and mobile devices. This enables you to have more control over your managed apps and requires no user interaction. When this setting is enabled, apps that were made available in Self Service are automatically updated on the device.

This feature applies to the following types of apps:

  • Computer App Store apps

  • Mobile device App Store apps

  • Mobile device in-house apps

To access this feature for mobile device apps, navigate to Settings > App Maintenance and do one of the following:

  • For App Store apps, select Automatically Force App Updates on the App Updates tab. Then, select Automatically update apps installed via Self Service.

  • For in-house apps, click the In-House Apps tab and select Automatically update apps installed via Self Service.

To access this feature for computer App Store apps, navigate to Settings > App Updates, select Automatically Force App Updates, and then select Automatically update apps installed via Self Service.

Note: The Automatically update apps installed via Self Service option is disabled by default when upgrading to Jamf Pro 10.25.0 or later.

PreStage Enrollment Enhancements

Automatically Advance through Setup Assistant for Computers

You can now allow users to automatically advance through the Setup Assistant when enrolling computers with macOS 11 or later*. This option prevents any of the Setup Assistant screens from being displayed to the user during enrollment. If you automatically advance through the Setup Assistant, you can configure the language and region so the locale on the computer is automatically configured. These settings are designated by the International Organization for Standardization (ISO). For more information, see the following websites:

To access this feature, navigate to Computers > PreStage Enrollments.

*Feature support is based on testing with the latest Apple beta releases.

Set the Time Zone on Mobile Devices

Using a Mobile Device PreStage enrollment, you can now set the time zone on mobile devices during enrollment with Jamf Pro. This allows all devices with iOS 14 or later in the scope of the PreStage to have the time zone automatically configured for the user. After a device is enrolled with Jamf Pro, the user can reset the time zone on their device.

Limitations for QuickAdd Package Enrollment

Enrolling computers with macOS 11 in Jamf Pro using a QuickAdd package will be limited. This enrollment method is not recommended due to upcoming security changes in macOS. Be aware of the following:

  • macOS 11 will not permit installation of an MDM profile by a script or remote commands as previously initiated by the Jamf Management Framework or QuickAdd package.

  • Running a QuickAdd package on computers with macOS 11 will attempt to install the Jamf Management Framework. This will allow for policy communication but will not enable MDM communication, preventing configuration profiles and remote commands from working.

  • A CA certificate is no longer downloaded and installed when performing enrollment using a QuickAdd package.

It is recommended to use an MDM-first enrollment workflow. This includes Automated Device Enrollment or user-initiated enrollment. In these workflows, an MDM profile is installed first, and later Jamf Pro automatically installs the Jamf Management Framework using an MDM command.

Computer Configuration Profiles

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Setting

Key Included in Payload

Requirement

Notes

Associated Domains (Enhancements)

Enable Direct Downloads

EnableDirectDownloads

macOS 11 or later*

You can now enable direct downloads for each app identifier specified in the payload. This allows data to be directly downloaded from the associated domain.

DNS Settings (New Payload)

You can now configure encrypted DNS settings.

DNS protocol

DNSProtocol

macOS 11 or later*

 

Server Name

ServerName

The hostname of a DNS-over-TLS server used to validate the server certificate. If no server addresses are provided, the hostname is used to determine the server addresses.

Server URL

ServerURL

The URI template of a DNS-over-HTTPS server. This URL must use the "https://" scheme, and the hostname or address in the URL will be used to validate the server certificate. If no server addresses are provided, the hostname or address in the URL is used to determine the server addresses.

Server addresses

ServerAddresses

DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses.

DNS query domains

SupplementalMatchDomains

A list of domain strings used to determine which DNS queries will use the DNS server. If none are provided, all domains will use the DNS server.
A single wildcard * prefix is supported. For example, both *.example.com and example.com match against mydomain.example.com and your.domain.example.com, but do not match against mydomain-example.com.

Disabling DNS settings by the user

ProhibitDisablement

If restricted, prohibits users from disabling DNS settings.

On-demand rules

OnDemandRules

An array of rules defining the DNS settings. These rules are identical to the On Demand Rules configuration in the VPN payload.
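Worked example added here (not Jamf's code): a Python script that checks a DNS Settings dictionary against the constraints given in these rows, including the SupplementalMatchDomains wildcard rule and the https:// requirement for ServerURL, and wraps it in a configuration profile. The payload type com.apple.dnsSettings.managed and the DNSSettings sub-dictionary are assumptions taken from Apple's profile format, and the resolver values are constructed sample data; in Jamf Pro the payload is configured in the UI.

```python
"""Validate and serialise a macOS 11 encrypted DNS (DNS Settings) payload.
Added example, not Jamf's code. Key names are the ones in the table; the
payload type "com.apple.dnsSettings.managed" and the "DNSSettings" dictionary
are assumed from Apple's profile format; resolver values are constructed."""
import ipaddress
import plistlib
import uuid
from typing import List
from urllib.parse import urlsplit

# Constructed sample: DNS-over-HTTPS resolver applied to example.com only.
SAMPLE_SETTINGS = {
    "DNSProtocol": "HTTPS",
    "ServerURL": "https://doh.example.com/dns-query",
    "ServerAddresses": ["192.0.2.53", "2001:db8::53"],
    "SupplementalMatchDomains": ["*.example.com"],
}


def domain_matches(pattern: str, host: str) -> bool:
    """SupplementalMatchDomains rule: "*.example.com" and "example.com" both
    cover every subdomain of example.com but never "mydomain-example.com".
    Matching the bare host (host == example.com) is assumed as well."""
    base = pattern[2:] if pattern.startswith("*.") else pattern
    base, host = base.lower().rstrip("."), host.lower().rstrip(".")
    return host == base or host.endswith("." + base)


def validate_dns_settings(settings: dict) -> List[str]:
    """Return the constraints from the table that the dictionary violates."""
    problems = []
    proto = settings.get("DNSProtocol")
    if proto not in ("HTTPS", "TLS"):
        problems.append("DNSProtocol must be HTTPS or TLS")
    if proto == "HTTPS":
        url = urlsplit(settings.get("ServerURL", ""))
        if url.scheme != "https" or not url.hostname:
            problems.append("ServerURL must be an https:// URL naming the resolver")
    if proto == "TLS" and not settings.get("ServerName"):
        problems.append("ServerName is required to validate the DoT server certificate")
    for addr in settings.get("ServerAddresses", []):
        try:
            ipaddress.ip_address(addr)  # IPv4 and IPv6 may be mixed
        except ValueError:
            problems.append(f"ServerAddresses entry is not an IP address: {addr}")
    for dom in settings.get("SupplementalMatchDomains", []):
        if dom.count("*") > 1 or ("*" in dom and not dom.startswith("*.")):
            problems.append(f"only a single leading *. wildcard is supported: {dom}")
    return problems


def build_profile(settings: dict, prohibit_disablement: bool = True,
                  on_demand_rules: list = None) -> dict:
    """Wrap validated settings in a profile dictionary; raise on any problem."""
    problems = validate_dns_settings(settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.dnsSettings.managed",  # assumed Apple type
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns.settings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "DNSSettings": settings,
        "ProhibitDisablement": prohibit_disablement,  # users cannot switch it off
    }
    if on_demand_rules:  # same shape as the VPN payload's On Demand Rules
        payload["OnDemandRules"] = on_demand_rules
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Encrypted DNS",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    return plistlib.dumps(profile)  # XML plist, i.e. a .mobileconfig
```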

Restrictions (Enhancements)

Allow file provider to access the path of the requesting process

AllowManagedFileProvidersToRequestAttribution

macOS 11 or later*

You can now allow file providers to access the path of the requesting process.

Restrictions—Functionality tab (Enhancements)

Defer updates of Applications

forceDelayedAppSoftwareUpdates

macOS 11 or later*

In addition to deferring Software Updates, you can now defer updates of applications. This enables you to delay the visibility of non-OS software updates for a specified number of days.

SCEP (Enhancements)

Key Size (Enhancement)

 

macOS 11 or later*

Jamf Pro now provides "4096" as an option for the key size in bits when configuring the SCEP payload.

Single Sign-On Extensions (Enhancements)

You can now configure Kerberos type single sign-on extensions. To use this feature, navigate to Computers > Configuration Profiles > Single Sign-On Extensions and choose Kerberos as the payload type. For a list of properties used by the Apple built-in Kerberos extension, see this documentation from the Apple Developer website.

Extension Identifier

ExtensionIdentifier

macOS 10.15 or later

 

The com.apple.AppSSOKerberos.KerberosExtension value is automatically set for the Kerberos type. Displays in the user interface only when SSO is configured as the payload type.

Team Identifier

TeamIdentifier

The apple value is automatically set for the Kerberos type. Displays in the user interface only when SSO is configured as the payload type.

Sign-on Type

Type

The Credential value is automatically set for the Kerberos type. Displays in the user interface only when SSO is configured as the payload type.

Cache name

cacheName

 

Certificate UUID

certificateUUID

 

Credential bundle IDACL

credentialBundleIDACL

 

Domain-realm mapping

domainRealmMapping

A custom domain-realm mapping for Kerberos. This is used when the DNS names of hosts do not match the realm name.

Mark as default realm when more than one Kerberos extension configuration exists.

isDefaultRealm

This property marks the configuration as the default realm when more than one Kerberos extension configuration exists.

Request credential on the next matching Kerberos challenge or network state change.

monitorCredentialsCache

macOS 11 or later*

 

Automatically use LDAP and DNS to determine the Kerberos extension's AD site name.

useSiteAutoDiscovery

macOS 10.15 or later

 

Site code

siteCode

The name of the Active Directory site the Kerberos extension should use. The Kerberos extension can normally find the site automatically.

Automatic login

allowAutomaticLogin

 

User setup delay

delayUserSetup

macOS 11 or later*

If enforced, does not prompt the user to set up the Kerberos extension until either the administrator enables it with the app-sso tool or a Kerberos challenge is received.

Custom Username label

customUsernameLabel

The custom user name label used in the Kerberos extension instead of “Username”. For example, “Company ID”.

Login window helper text

helpText

The text to be displayed to the user at the bottom of the Kerberos login window. It can be used to display help information or disclaimer text.

Password change

allowPasswordChange

macOS 10.15 or later

If ignored, disables password changes.

Passwords to meet Active Directory's definition of complexity

pwReqComplexity

If required, passwords must meet Active Directory's definition of complexity.

The principal (aka username) to use

principalName

 

User presence to access the keychain entry

requireUserPresence

If required, users must provide Touch ID or their passcode to access the keychain entry.

Local password sync

syncLocalPassword

This will not work if the user is logged in with a mobile account.

Password change URL

pwChangeURL

 

Password expiration notification

pwNotificationDays

 

Password expiration

pwExpireOverride

The number of days that passwords can be used on this domain. For most domains, this can be calculated automatically.

Blocked prior passwords

pwReqHistory

 

Required minimum password length

pwReqLength

 

Required minimum password age

pwReqMinAge

 

Required text

pwReqText

The text version of the domain's password requirements. Only for use if Passwords to meet Active Directory's definition of complexity or Required minimum password length are not configured.

Replication time

replicationTime

macOS 11 or later*

The time, in seconds, required to replicate changes in the Active Directory domain. The Kerberos extension will use this when checking the password age after a change.

Credential use mode

credentialUseMode

 

TLS for LDAP

requireTLSForLDAP

 

*Feature support is based on testing with the latest Apple beta releases.

Additional Reporting Capabilities for Computers

The attributes below are now displayed in a computer's inventory information in Jamf Pro, organized by category of information:

Inventory Attribute

Requirements

Values Returned in Inventory Information

Smart Group/Advanced Search Values

Bootstrap Token Allowed

Collected for macOS 11 or later only*

Jamf Pro displays the following values for the "Bootstrap Token Allowed" inventory attribute:

  • Yes

  • No

You can use the following values when creating a smart group or advanced search based on the "Bootstrap Token Allowed" criteria:

  • Yes

  • No

*Feature support is based on testing with the latest Apple beta releases.

Mobile Device Configuration Profiles

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Setting

Key Included in Payload

Requirement

Notes

Single Sign-On Extensions (Enhancements)

You can now configure Kerberos type single sign-on extensions. To use this feature, navigate to Devices > Configuration Profiles > Single Sign-On Extensions and choose Kerberos as the payload type. For a list of properties used by the Apple built-in Kerberos extension, see this documentation from the Apple Developer website.

Extension Identifier

ExtensionIdentifier

iOS 13 or later

 

The com.apple.AppSSOKerberos.KerberosExtension value is automatically set for the Kerberos type. Displays in the user interface only when SSO is configured as the payload type.

Team Identifier

TeamIdentifier

The apple value is automatically set for the Kerberos type. Displays in the user interface only when SSO is configured as the payload type.

Sign-on Type

Type

The Credential value is automatically set for the Kerberos type. Displays in the user interface only when SSO is configured as the payload type.

Cache name

cacheName

 

Certificate UUID

certificateUUID

 

Credential bundle IDACL

credentialBundleIDACL

 

Only managed applications to access and use the credential

includeManagedAppsInBundleIdACL

iOS 14 or later

If allowed, only managed apps can access and use the credential. This is in addition to the Credential bundle IDACL setting if it is specified.

Domain-realm mapping

domainRealmMapping

iOS 13 or later

A custom domain-realm mapping for Kerberos. This is used when the DNS names of hosts do not match the realm name.

Mark as default realm when more than one Kerberos extension configuration exists.

isDefaultRealm

This property marks the configuration as the default realm when more than one Kerberos extension configuration exists.

Automatically use LDAP and DNS to determine the Kerberos extension's AD site name.

useSiteAutoDiscovery

 

Site code

siteCode

The name of the Active Directory site the Kerberos extension should use. The Kerberos extension can normally find the site automatically.

Automatic login

allowAutomaticLogin

If ignored, passwords are not allowed to be saved to the keychain.

Login window helper text

helpText

iOS 14 or later

The text to be displayed to the user at the bottom of the Kerberos login window. It can be used to display help information or disclaimer text.

The principal (aka username) to use

principalName

iOS 13 or later

 

User presence to access the keychain entry

requireUserPresence

If required, users must provide Touch ID, Face ID, or their passcode to access the keychain entry.

User-Level Mobile Device Configuration Profiles Enhancements

The following enhancements were made to user-level mobile device configuration profiles:

  • Distribution Method—Jamf Pro now only allows user-level mobile device configuration profiles to be installed automatically. The Jamf Pro interface prevents you from choosing to make a profile available in Self Service.

  • Event Logs—Improved the Event Logs to ensure all information for user-level configuration profiles is displayed.

  • ProfileList Command—The ProfileList command displayed in Management History is now more efficiently reported.

Additional Reporting Capabilities for Mobile Devices

  • You can now create smart groups and advanced searches based on a device's time zone. For example, you can choose "America/Chicago" for criteria to return all devices with that time zone. Applies to devices with iOS 14 or later.

  • Jamf Pro no longer displays the Maximum Resident Users attribute in inventory information for iPads enabled as Shared iPad with iPadOS 13.4 or later.

Shared iPad User Removal

You can now use Jamf Pro to remove individual users or all users from an iPad enabled as Shared iPad. Users must be logged out of the device to remove them using Jamf Pro. You can use the Log Out User remote command to log out a currently logged in user. For more information about the Log Out User remote command, see Remote Commands for Mobile Devices in the Jamf Pro Administrator's Guide.

If a user is logged out of the device but has a pending sync, you can use a force remove option. This action immediately removes the user from the device.

To access this feature, navigate to the Shared iPad Users category in the device's inventory information and use the removal options to remove users from the device.

Computer Extension Attributes Templates for Jamf Applications Enhancements

Templates for computer extension attributes now include the "Jamf Applications" category, with templates that let you easily track Jamf application-specific data in computer inventory when your environment integrates with Jamf Connect and Jamf Protect.

Important: The currently available templates are compatible with Jamf Protect 1.1.5 or later and Jamf Connect 2.0 or later.

The following extension attributes have been added:

  • Jamf Connect - ADCustomAttribute

  • Jamf Connect - ADExpiration

  • Jamf Connect - ComputedPasswordExpireDate

  • Jamf Connect - Connect Login Plugin Version

  • Jamf Connect - Connect Version

  • Jamf Connect - CustomShortName

  • Jamf Connect - DisplayName

  • Jamf Connect - ExpirationWarningLast

  • Jamf Connect - FirstRunDone

  • Jamf Connect - LastCertificateExpiration

  • Jamf Connect - LastSignIn

  • Jamf Connect - PasswordCurrent

  • Jamf Connect - PasswordLength

  • Jamf Connect - UserCN

  • Jamf Connect - UserEmail

  • Jamf Connect - UserFirstName

  • Jamf Connect - UserFullName

  • Jamf Connect - UserGroups

  • Jamf Connect - UserHomeDirectory

  • Jamf Connect - UserLastName

  • Jamf Connect - UserLoginName

  • Jamf Connect - UserPasswordSet

  • Jamf Connect - UserPrincipal

  • Jamf Connect - UserShortName

  • Jamf Connect - UserUPN

  • Jamf Protect - Binary Version

  • Jamf Protect - Last Check-in

  • Jamf Protect - Last Insights Check-in

  • Jamf Protect - Plan Hash

  • Jamf Protect - Plan ID

  • Jamf Protect - Threat Prevention Version

Note: The "Jamf Protect - Smart Groups" template has been updated and moved from the "Jamf" category to the "Jamf Applications" category.

Automatically Install the Privacy Preferences Policy Control Profile for Jamf Applications

When your environment is integrated with Jamf Connect and Jamf Protect, you must allow these applications to access the target computer's system files and processes by installing the Privacy Preferences Policy Control profile, so that Jamf applications can perform management tasks on user approved MDM computers.

You can now automatically install the Privacy Preferences Policy Control profile for Jamf applications. To access this feature, navigate to Settings > Computer Management > Security and select the relevant option for Jamf Connect and Jamf Protect in the Automatically install a Privacy Preferences Policy Control profile setting. These options are not selected by default.

To remove the Privacy Preferences Policy Control profile for Jamf applications, deselect the relevant option in the Automatically install a Privacy Preferences Policy Control profile setting. The next time computers submit inventory, the profile will be removed.

Automatically Install the Jamf Notifications Profile for Jamf Connect

You can now automatically install a Jamf Notifications profile that allows notifications from Jamf Connect on user approved MDM computers with macOS 10.15 or later. This enables notifications to be automatically allowed on compatible computers. To access this feature, navigate to Settings > Computer Management - Management Framework > Security and select the option for Jamf Connect in the Automatically install a Jamf Notifications profile setting. This option is not selected by default.

To remove the Jamf Notifications profile for Jamf Connect, deselect the relevant option in the Automatically install a Jamf Notifications profile setting. The next time computers submit inventory, the profile will be removed.

MDM Profile Settings

The new MDM Profile Settings feature allows you to configure renewal options for the MDM profile on computers and mobile devices. You can choose to renew the MDM profile when Jamf Pro's built-in certificate authority is renewed or select the number of days before the MDM profile expires to renew it.

To access this feature, navigate to Settings > Global Management > MDM Profile Settings.

For more information, see MDM Profile Settings in the Jamf Pro Administrator's Guide.

Apple Silicon Compatibility for Jamf Applications

The following Jamf applications now natively support Macs with Apple silicon*:

  • Composer

  • Jamf Self Service for macOS

Note: Apple silicon uses Rosetta translation to provide backward compatibility with the older app binary technology in Jamf Admin, Jamf Remote, and Recon. macOS runs Rosetta in the background when these apps are opened, and no additional steps are required.

*Hardware support is based on testing with the Mac Developer Transition Kit.

Alerts for Unsaved Changes

Jamf Pro now displays an alert when navigating away from a page with unsaved changes. If presented with an alert, you can disable future alerts by selecting Do not ask me again and then clicking Leave.

Time Zone Set Automatically for New Jamf Pro Users

Jamf Pro now automatically sets the time zone for new users by defaulting to the closest match to the Jamf Pro server's system setting. To change your time zone, click Account Preferences, and then select an option from the Time Zone pop-up menu.

Note: Users who did not have their time zone set before upgrading to Jamf Pro 10.25.0 will also have their time zone automatically set.

Jamf Pro API Changes and Enhancements

The Jamf Pro API beta is open for user testing. The base URL for the Jamf Pro API is /api. You can now access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

Note: As the Jamf Pro API continues to be developed, changes will be made in future releases that may impact or break functionality. We strongly encourage that you test existing workflows using the Jamf Pro API before upgrading your production environment.

The following endpoints were added:

  • GET /preview/device-communication-settings

  • PUT /preview/device-communication-settings

  • POST /preview/mdm/renew-profile/{udid}

  • GET /v1/auth

  • POST /v1/auth/invalidate-token

  • POST /v1/auth/keep-alive

  • POST /v1/auth/token

  • GET /v1/computers-inventory

  • GET /v1/computers-inventory-detail/{id}

  • PATCH /v1/computers-inventory-detail/{id}

  • GET /v1/computers-inventory/{id}

  • DELETE /v1/computers-inventory/{id}

  • POST /v1/computers-inventory/{id}/attachments

  • GET /v1/computers-inventory/{id}/attachments/{attachmentId}

  • DELETE /v1/computers-inventory/{id}/attachments/{attachmentId}

  • POST /v1/sso/validate

  • GET /v1/teacher-app/history

  • POST /v1/teacher-app/history

  • GET /v2/check-in

  • PUT /v2/check-in

  • GET /v2/check-in/history

  • POST /v2/check-in/history

  • GET /v2/enrollment

  • PUT /v2/enrollment

  • GET /v2/enrollment-customizations

  • POST /v2/enrollment-customizations

  • POST /v2/enrollment-customizations/images

  • GET /v2/enrollment-customizations/{id}

  • PUT /v2/enrollment-customizations/{id}

  • DELETE /v2/enrollment-customizations/{id}

  • GET /v2/enrollment-customizations/{id}/history

  • POST /v2/enrollment-customizations/{id}/history

  • GET /v2/enrollment-customizations/{id}/prestages

  • GET /v2/enrollment/access-groups

  • GET /v2/enrollment/access-groups/{serverId}/{groupId}

  • PUT /v2/enrollment/access-groups/{serverId}/{groupId}

  • DELETE /v2/enrollment/access-groups/{serverId}/{groupId}

  • GET /v2/enrollment/filtered-language-codes

  • GET /v2/enrollment/history

  • POST /v2/enrollment/history

  • GET /v2/enrollment/language-codes

  • GET /v2/enrollment/languages

  • GET /v2/enrollment/languages/{languageId}

  • PUT /v2/enrollment/languages/{languageId}

  • DELETE /v2/enrollment/languages/{languageId}

  • GET /v2/sso/cert

  • PUT /v2/sso/cert

  • POST /v2/sso/cert

  • DELETE /v2/sso/cert

  • GET /v2/sso/cert/download

  • POST /v2/sso/cert/parse
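The token lifecycle behind the new /v1/auth endpoints, as an added example that is not Jamf's client code: it obtains a token with Basic credentials, refreshes it with keep-alive, and invalidates it when finished. The response shape {"token", "expires"} and the Bearer header convention are assumptions; the stand-in server in the block is constructed so the flow runs offline.

```python
"""Token lifecycle for the Jamf Pro API auth endpoints.
Added example, not Jamf's client code. Assumed: POST /api/v1/auth/token takes
HTTP Basic credentials and answers {"token": ..., "expires": ...}; keep-alive
and invalidate-token take the token as a Bearer header; invalidate answers 204.
The transport is injectable so the flow runs offline against a stand-in."""
import base64
import json
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

Transport = Callable[[str, str, dict], Tuple[int, bytes]]  # (method, url, headers) -> (status, body)


def urllib_transport(method: str, url: str, headers: dict) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class JamfSession:
    def __init__(self, base_url: str, transport: Transport = urllib_transport):
        self.base = base_url.rstrip("/") + "/api"  # Jamf Pro API base path
        self.transport = transport
        self.token: Optional[str] = None
        self.expires: Optional[str] = None

    def _post(self, path: str, authorization: str) -> Tuple[int, dict]:
        headers = {"Accept": "application/json", "Authorization": authorization}
        status, body = self.transport("POST", self.base + path, headers)
        return status, (json.loads(body) if body else {})

    def login(self, username: str, password: str) -> str:
        # Basic credentials cross the wire once; later calls carry only the bearer token.
        basic = base64.b64encode(f"{username}:{password}".encode()).decode()
        status, data = self._post("/v1/auth/token", "Basic " + basic)
        if status != 200:
            raise PermissionError(f"token request failed with HTTP {status}")
        self.token, self.expires = data["token"], data["expires"]
        return self.token

    def keep_alive(self) -> str:
        status, data = self._post("/v1/auth/keep-alive", "Bearer " + self.token)
        if status != 200:
            raise PermissionError(f"keep-alive failed with HTTP {status}")
        self.token, self.expires = data["token"], data["expires"]
        return self.token

    def logout(self) -> bool:
        # Invalidate the token when finished instead of leaving it live until expiry.
        status, _ = self._post("/v1/auth/invalidate-token", "Bearer " + self.token)
        self.token = None
        return status == 204


def fake_jamf(method: str, url: str, headers: dict) -> Tuple[int, bytes]:
    """Constructed stand-in for a Jamf Pro server (not real server behaviour)."""
    auth = headers.get("Authorization", "")
    good = "Basic " + base64.b64encode(b"api-user:correct horse").decode()
    if url.endswith("/api/v1/auth/token") and auth == good:
        return 200, b'{"token": "tok-1", "expires": "2020-10-01T00:30:00.000Z"}'
    if url.endswith("/api/v1/auth/keep-alive") and auth == "Bearer tok-1":
        return 200, b'{"token": "tok-2", "expires": "2020-10-01T01:00:00.000Z"}'
    if url.endswith("/api/v1/auth/invalidate-token") and auth == "Bearer tok-2":
        return 204, b""
    return 401, b""


def run_flow(password: str, transport: Transport = fake_jamf) -> Tuple[str, str, bool]:
    """Login, refresh, then invalidate; returns both tokens and logout success."""
    session = JamfSession("https://jss.instancename.com:8443", transport)
    first = session.login("api-user", password)
    second = session.keep_alive()
    return first, second, session.logout()
```

Pass urllib_transport (and real credentials) instead of the stand-in to run the same flow against an instance.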

The following endpoints were deprecated:

  • GET /auth

  • POST /auth/current

  • POST /auth/invalidateToken

  • POST /auth/keepAlive

  • POST /auth/tokens

  • GET /v1/check-in

  • PUT /v1/check-in

  • GET /v1/check-in/history

  • POST /v1/check-in/history

  • GET /v1/enrollment

  • PUT /v1/enrollment

  • GET /v1/enrollment-customization

  • POST /v1/enrollment-customization

  • POST /v1/enrollment-customization/images

  • GET /v1/enrollment-customization/{id}

  • PUT /v1/enrollment-customization/{id}

  • DELETE /v1/enrollment-customization/{id}

  • GET /v1/enrollment-customization/{id}/history

  • POST /v1/enrollment-customization/{id}/history

  • GET /v1/enrollment-customization/{id}/prestages

  • GET /v1/enrollment/access-groups

  • GET /v1/enrollment/access-groups/{group-key}

  • PUT /v1/enrollment/access-groups/{group-key}

  • DELETE /v1/enrollment/access-groups/{group-key}

  • GET /v1/enrollment/filtered-language-codes

  • GET /v1/enrollment/history

  • POST /v1/enrollment/history

  • GET /v1/enrollment/language-codes

  • GET /v1/enrollment/languages

  • GET /v1/enrollment/languages/{language}

  • PUT /v1/enrollment/languages/{language}

  • DELETE /v1/enrollment/languages/{language}

The following endpoint was removed:

GET /preview/computers-inventory/{id}

The following changes were made:

  • Added the ability to filter to the following endpoints:

    • GET /v1/engage/history

    • GET /v1/scripts

  • Added the ability to sort to the following endpoints:

    • GET /v1/scripts

    • GET /v1/scripts/{id}/history

    • GET /v1/buildings

    • GET /v1/buildings/{id}/history

    • GET /v1/categories

    • GET /v1/categories/{id}/history

    • GET /v1/departments

    • GET /v1/departments/{id}/history

    • GET /v1/device-enrollments

    • GET /v1/engage/history

For more information on these changes, see the Jamf Pro API documentation.

Further Considerations


© copyright 2002-2020 Jamf. All rights reserved.