What's New

Updated 18 February 2021

The “Cloud Identity Provider Integration with Azure AD” section has been updated with the following:

  • Added requirement to configure single sign-on (SSO) with Azure in environments that use SSO workflows (e.g., user-initiated enrollment or logging in to Jamf Pro).

  • Added a note that groups can only be mapped by the identifier (OID) value.

Cloud Identity Provider Integration with Azure AD

You can now integrate Jamf Pro with Azure AD as a cloud identity provider. This integration allows you to do the following:

  • Look up and populate user information from Azure for inventory purposes.

  • Add Jamf Pro user accounts or groups from Azure.

    Note: You can only map groups by the identifier (OID) value. The name of the group in Jamf Pro must be the same as the group OID value in Azure.

  • Require users to log in to Self Service or the enrollment portal using their Azure accounts.

  • Require users to log in during mobile device setup using their Azure accounts.

  • Base the scope of remote management tasks on users or groups from Azure.

  • Obtain user data, including group membership, from Azure AD and use it to map privileges to relevant accounts in Jamf Pro.

Important: Do not integrate Jamf Pro with Azure AD as a cloud identity provider if your environment already includes Active Directory Federation Services (ADFS) and Microsoft’s Active Directory LDAP configurations. A migration workflow will be available in a future release of Jamf Pro.

To integrate Jamf Pro with Azure AD as a cloud identity provider, you need the following:

  • A Jamf Pro instance hosted in Jamf Cloud

  • Azure AD account privileges (e.g., Global Administrator) that allow you to manage the consent requested by the Jamf Pro Azure AD Connector application

To access this feature, navigate to Settings > System Settings > Cloud Identity Providers and click New. Choose Azure and click Next. Consider the following:

  • Ensure the display name for the configuration is unique.

  • The Tenant ID value is configured for you based on data obtained from Microsoft.

  • The Azure verification code is valid for about 10 minutes. You must save your configuration before the code expires.

Note: When adding scope limitations and exclusions, Azure AD cloud identity users and groups are listed under the LDAP headings.

Single sign-on (SSO) with Azure must be configured in Jamf Pro to use SSO workflows (e.g., user-initiated enrollment or logging in to Jamf Pro). For information on how to configure SSO in Jamf Pro, see Single Sign-On in the Jamf Pro Administrator's Guide.

Note: When Azure AD with multi-factor authentication enabled is added as the cloud identity provider, authentication workflows in Jamf Pro (e.g., Self Service and user-initiated enrollment) do not work for Azure AD user groups and accounts.

Jamf Protect Deployment Integration

If you have a Jamf Protect subscription, you can now deploy Jamf Protect directly from Jamf Pro.

When you register your Jamf Protect tenant with Jamf Pro, you can do the following:

  • Download the latest Jamf Protect package.

  • Sync Jamf Protect plans and deploy them as computer configuration profiles by configuring scope.

  • Receive notifications in Jamf Pro when a new Jamf Protect version is available.

To set up this integration, you need the following:

  • A Jamf Protect subscription and Jamf Nation account

  • Cloud Services Connection enabled in Jamf Pro

  • An API client configuration in Jamf Protect

  • The following Jamf Pro user account privileges:

    | Category | Privilege |
    |---|---|
    | Jamf Pro Server Settings | Jamf Protect (Read and Update); Cloud Services Connection (Read) |
    | Jamf Pro Server Actions | Read and Download Jamf Application Assets |

To register your Jamf Protect tenant and access this feature in Jamf Pro, go to Settings > Jamf Applications > Jamf Protect.

For more information about deploying Jamf Protect with Jamf Pro, see the Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers technical paper.

Jamf Pro Server Tools 2.7.7 or Later Required to Back Up Jamf Pro 10.27.0 or Later

You must use Jamf Pro Server Tools 2.7.7 or later to perform database backups with Jamf Pro 10.27.0 or later. Using an earlier version of Jamf Pro Server Tools to back up your database will result in an unrestorable backup.

Jamf Pro Server Tools 2.7.7 is included in the Jamf Pro 10.27.0 installers. After installing or upgrading to Jamf Pro 10.27.0 or later, confirm which version of Jamf Pro Server Tools you have installed by doing one of the following:

  • CLI: Execute the following command: jamf-pro --version

  • GUI: Verify the installed versions of the GUI and CLI displayed on the Preferences pane.

If you do not have Jamf Pro Server Tools 2.7.7 or later installed, see the installation instructions in the following Knowledge Base articles to obtain Jamf Pro Server Tools 2.7.7 or later:

Computer Configuration Profiles

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

Application & Custom Settings (Enhancements)

  • Improved error validation.

  • Custom Schema now displays as a pop-up dialog when adding the External Applications payload.

Notifications (New Payload)

You can now configure the notification settings for computers.

| Setting | Key Included in Payload | Requirement | Notes |
|---|---|---|---|
| Critical Alerts | CriticalAlertEnabled | macOS 10.15 or later | You can now select whether an app can send critical alerts, and ignore Do Not Disturb and sound settings. |
| Notifications | NotificationsEnabled | | You can now allow or disallow notifications on computers in your environment. |
| Banner alert type | AlertType | | You can now configure the banner alert type. Banner alert type options include Temporary (clears automatically) and Persistent (requires the end user to take action). |
| Notifications on Lock screen | ShowInLockScreen | | You can now enable or disable alerts on Lock Screen. |
| Notifications in Notification Center | ShowInNotificationCenter | | You can now enable or disable alerts in Notification Center. |
| Badge app icon | BadgesEnabled | | You can now select whether an app displays a notification badge. |
| Play sound for notification | SoundsEnabled | | You can now select whether an app plays a notification sound. |

Changes to History Details for Computer Configuration Profiles

The Details information in the history of a computer configuration profile now displays "System" for profiles that were applied at the computer level. Previously, this information displayed "computer".

This change does not apply to profiles created in Jamf Pro 10.26.x or earlier. The change is applied after the profile is edited and saved using Jamf Pro 10.27.0 or later.

Additional Remote Commands for Mobile Devices

The following remote commands for mobile devices have been added to Jamf Pro:

| Remote Command | Requirements | Notes | Available as a Mass Action |
|---|---|---|---|
| Set Shared iPad User Space (Enhancement) | iPadOS 13.4 or later; Supervised; Enrolled via a PreStage enrollment with Shared iPad enabled | Remote command was previously called "Set Storage Quota Size" and only allowed you to set the storage quota size for devices. As an alternative to configuring the storage quota size for users, you can now configure the maximum number of users that can be stored locally for each iPad using the Number of Users option. You can specify up to 99 users. | Yes |

MDM Command Information in Jamf Pro API

You can now control access to information about MDM commands in the Jamf Pro API for Jamf Pro user accounts using a new privilege in the Jamf Pro User Accounts & Groups settings. This allows you to control read privileges for each account. This privilege is enabled by default.

To access this setting, navigate to Settings > Jamf Pro User Accounts & Groups > Privileges tab of a user account > Jamf Pro Server Actions > View MDM command information in Jamf Pro API.

Ongoing Support for New Hardware Inventory Information

Starting with Jamf Pro 10.27.0, instances hosted in Jamf Cloud use a remote service maintained and updated by Jamf to gather hardware model names that can be displayed in computer and mobile device inventory records. This allows Jamf Pro to accurately report the model names of new Apple hardware as it is released without the need to upgrade Jamf Pro.

Composer Package Building Enhancements for Mac Computers with Apple Silicon

Composer now allows you to configure when prompts about installing Rosetta on Mac computers with Apple silicon are displayed based on the types of executables (Intel-based or Universal) in packages.

The Executable Types in PKGs pop-up menu in Composer's packaging preferences allows you to choose from the following settings:

| Setting | Description |
|---|---|
| Automatically detect executable types | (Recommended) Composer automatically detects if your package contains any Intel-based executables. If Intel-based executables are found and Rosetta is not installed, Mac computers with Apple silicon prompt users that install the package to also install Rosetta. This setting is used by default and should be used if you are unsure of the executable types in your package source. |
| One or more executables require Rosetta | Composer builds packages that contain Intel-based executables. If Rosetta is not installed, Mac computers with Apple silicon always prompt users that install the package to install Rosetta. This setting should only be used if you are certain that your package source contains Intel-based executables. |
| All executables are Universal | Composer builds packages that only contain Universal executables. Mac computers with Apple silicon will not prompt users that install the package to install Rosetta. This setting should only be used if you are certain that your package source does not contain any Intel-based executables. |

For more information about Rosetta prompts on Mac computers with Apple silicon, see If you need to install Rosetta on your Mac from Apple's support website.

For more information about Composer, see the Composer User Guide.

JSON Web Token for Securing Package Downloads

You can now secure package downloads, including packages installed during a PreStage enrollment, from an external distribution server using a JSON Web Token (JWT) in Jamf Pro. This ensures that packages are downloaded securely to users' computers. For more information, see JSON Web Token for Securing In-House Content in the Jamf Pro Administrator's Guide.

Cloud Distribution Point as a Failover for the File Share Distribution Point

You can now set the failover cloud distribution point for your locally hosted file share distribution point in Jamf Pro. This will limit the number of failed attempts for users when downloading hosted content (e.g., when using an external network). For information about file share distribution points, see About Distribution Points in the Jamf Pro Administrator's Guide.

SCEP Protocol for Venafi Integrations

You can now use the SCEP protocol to manage certificates distributed using Venafi Trust Protection Platform (TPP). The SCEP protocol is available as a payload within a computer or mobile device configuration profile. Previously, only the Certificate (API) protocol was available to manage Venafi TPP certificates.

You can also enable automatic certificate revocation based on scope change as well as redistribute certificates that are approaching the expiration date, which will issue a new certificate to computers or mobile devices.

For additional information on using the SCEP protocol with Venafi integrations, see the Integrating with Venafi Using Jamf Pro technical paper.

Jamf Self Service for macOS Navigation Redesign

The Jamf Self Service for macOS navigation bar has been redesigned to provide users with an updated interface and improved user experience.

The left navigation bar now includes the Browse, Notifications, and History tabs, as well as the Account button and Search field. Categories configured to display in Self Service are nested under the Browse tab.

Jamf Self Service for macOS Branding Changes

The Jamf Self Service for macOS Branding settings have been moved and are now located under the Branding object in Jamf Pro. To access this feature in Jamf Pro, navigate to Settings > Self Service > Branding.

Note: It is recommended that you check your existing Self Service for macOS branding configuration after upgrading to Jamf Pro 10.27.0 as some image displays may have changed.

For more information, see Jamf Self Service for macOS Branding Settings in the Jamf Pro Administrator's Guide.

Jamf Self Service for macOS URL Schemes

You can configure URL schemes to do the following in Self Service for macOS:

  • Automatically install an item made available in Self Service.

  • Direct users to the description of an item made available in Self Service.

  • Direct users to specific Self Service categories.

  • Direct users to the History or Notifications tabs.

  • Direct users to the Compliance Remediation page.

For more information on how to configure URL schemes, see Jamf Self Service for macOS URL Schemes in the Jamf Pro Administrator's Guide.

Session Expiration Improvements

  • Jamf Pro now takes additional page actions into account before displaying a session expiration warning. This allows you to work on a single page for as long as you need without being interrupted.

  • The session expiration warning now appears three minutes before ending the session, allowing for more time to respond and continue the current session if needed.

Refreshing a Jamf Infrastructure Manager Instance

You can now refresh your Infrastructure Manager instance to ensure that changes in the related configurations (e.g., LDAP servers) are propagated. To access this feature, navigate to Settings > Server Infrastructure > Infrastructure Managers and choose the name of your instance. Click Refresh.

Hidden macOS Accounts Enhancements

Jamf Pro no longer modifies the com.apple.loginwindow.plist file to hide accounts on managed computers. Instead, the jamf binary will use a default method from Apple. For detailed information, see Hide a user account in macOS from Apple's support website.

Computer Device Certificate Automatic Renewal

Device certificates for computers will now be renewed automatically at 180 days from their expiration date. The expiration date of a certificate is generated at the time of enrollment when the certificate is first issued. Device certificates are stored in jamf.keychain, which is used by the Jamf management framework to secure communication between Jamf Pro and the managed computer.

Note: Device certificates are valid for two years by default.

Third-party Signing Certificates Removed from MDM Profiles

Third-party signing certificates are no longer included in MDM profiles during user-initiated enrollment. Previously, third-party signing certificates were included in the MDM profile when the User-initiated Enrollment setting for Use third-party signing certificate was enabled. If you use the Certificate payload on the MDM profile for any workflows in your environment, it is recommended that you deploy certificates in a separate computer or mobile device configuration profile. For more information about how to configure and distribute configuration profiles, see Computer Configuration Profiles and Mobile Device Configuration Profiles in the Jamf Pro Administrator's Guide.

Other Changes and Enhancements

  • The ID column has been added to the Scripts page. It is not displayed by default. Navigate to Settings > Computer Management > Scripts and click Settings to manage the columns. You can also filter Scripts based on values in ID, Name, and Category.

  • A message about the expired push certificate now displays in Jamf Pro server logs and in Jamf Pro Notifications.

  • You can now choose to have the History or Notifications tab display on the landing page when Self Service for macOS is launched.

  • The "Apple Books" key has been renamed to "Book Store and Audiobooks in the Books app" in the mobile device Restrictions payload.

  • Spell check is now disabled on the username and password fields of the Jamf Pro login page.

  • The Departments settings page has been updated with new button designs, different button placement, improved export functionality, and an improved history view. More pages in Jamf Pro will be redesigned in a similar way in future releases.

Jamf Pro API Changes and Enhancements

The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

The following endpoints were added:

  • GET /preview/account-preferences

  • PUT /preview/account-preferences

  • PATCH /preview/account-preferences

  • POST /preview/check-in/history/export

  • POST /preview/departments/export

  • POST /preview/departments/{id}/history/export

  • POST /preview/device-communication-settings/history/export

  • POST /preview/engage/history/export

  • GET /preview/enrollment/access-groups

  • POST /preview/enrollment/access-groups

  • GET /preview/enrollment/access-groups/{id}

  • PUT /preview/enrollment/access-groups/{id}

  • DELETE /preview/enrollment/access-groups/{id}

  • PUT /preview/intune-device-compliance/settings

  • POST /preview/intune-device-compliance/setup-connection

  • GET /preview/intune-device-compliance/sovereign-clouds

  • GET /preview/intune-device-compliance/status

  • POST /preview/mdm/commands

  • POST /preview/scripts/export

  • POST /v1/api-integrations

  • GET /v1/api-integrations/{id}

  • PUT /v1/api-integrations/{id}

  • DELETE /v1/api-integrations/{id}

  • POST /v1/api-integrations/{id}/client-credentials

  • DELETE /v1/api-integrations/{id}/client-credentials

  • GET /v1/azure-ad-feature-toggle

  • POST /v1/azure-ad-integration-state

  • GET /v1/azure-ad-integration-state/{actionIdentifier}

  • DELETE /v1/azure-ad-integration-state/{actionIdentifier}

  • GET /v1/classrooms

  • GET /v1/classrooms/{id}/membership

  • GET /v1/cloud-idp/{id}

  • GET /v1/csa/token

  • PUT /v1/csa/token

  • POST /v1/csa/token

  • DELETE /v1/csa/token

  • GET /v1/device-communication-settings

  • PUT /v1/device-communication-settings

  • GET /v1/device-communication-settings/history

  • POST /v1/device-communication-settings/history

  • GET /v1/engage/account-configuration

  • POST /v1/enrollment-dep-custom/generate-profile

  • GET /v1/ics/presigned-url

  • GET /v1/jamf-connect

  • GET /v1/jamf-package

  • GET /v1/jamf-protect

  • DELETE /v1/jamf-protect

  • GET /v1/jamf-protect/history

  • POST /v1/jamf-protect/history

  • GET /v1/jamf-protect/plans

  • POST /v1/jamf-protect/plans/sync

  • POST /v1/jamf-protect/register

  • POST /v1/jamf-reset/clear-passcode/{id}

  • POST /v1/jamf-reset/restart-device/{id}

  • POST /v1/jamf-reset/wipe-device/{id}

  • GET /v1/mdm/commands

  • POST /v1/mdm/renew-profile

  • POST /v1/mobile-device-apps/reinstall-app-config

  • GET /v1/parent-app/features

  • GET /v1/parent-app/profile

  • PUT /v1/parent-app/profile

  • PATCH /v1/parent-app/profile

  • POST /v1/settings/knobs/reload

  • GET /v1/student-apps

  • GET /v1/student-apps/managed

  • POST /v1/system/initialize

  • POST /v1/system/initialize-database-connection

  • POST /v1/teacher-app/clear-passcode

  • GET /v1/teacher-app/profiles

  • PUT /v1/teacher-app/profiles

  • POST /v1/teacher-app/profiles/delete-multiple

  • GET /v1/user/preferences/{keyId}

  • PUT /v1/user/preferences/{keyId}

  • DELETE /v1/user/preferences/{keyId}

The following endpoints were deprecated:

  • POST /system/initialize

  • POST /system/initialize-database-connection

  • GET /user/obj/preference/{key}

  • PUT /user/obj/preference/{key}

  • DELETE /user/obj/preference/{key}

The following endpoints were removed:

  • GET /preview/device-communication-settings

  • PUT /preview/device-communication-settings

  • GET /preview/device-communication-settings/history

  • POST /preview/device-communication-settings/history

  • POST /preview/mdm/renew-profile

The following change was made:

“Verbose” was added as a new query parameter for the POST /v1/deploy-package endpoint.

For more information on these changes, see the Jamf Pro API documentation.
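The following is an added example, not taken from Jamf's documentation, that checks integration scripts for calls to the endpoints listed above as removed or deprecated before an upgrade. It assumes the scripts call the API with curl; the sample script is constructed, and a /v1 replacement is suggested only when the same method and path tail appear in the added list above.

```python
import re

# (method, path) pairs copied from the lists above; paths are relative to /api.
REMOVED = [
    ("GET", "/preview/device-communication-settings"),
    ("PUT", "/preview/device-communication-settings"),
    ("GET", "/preview/device-communication-settings/history"),
    ("POST", "/preview/device-communication-settings/history"),
    ("POST", "/preview/mdm/renew-profile"),
]
DEPRECATED = [
    ("POST", "/system/initialize"),
    ("POST", "/system/initialize-database-connection"),
    ("GET", "/user/obj/preference/{key}"),
    ("PUT", "/user/obj/preference/{key}"),
    ("DELETE", "/user/obj/preference/{key}"),
]
# Subset of the "added" list: the /v1 entries that share a method and path
# tail with a removed or deprecated entry.
ADDED_V1 = {
    ("GET", "/v1/device-communication-settings"),
    ("PUT", "/v1/device-communication-settings"),
    ("GET", "/v1/device-communication-settings/history"),
    ("POST", "/v1/device-communication-settings/history"),
    ("POST", "/v1/mdm/renew-profile"),
    ("POST", "/v1/system/initialize"),
    ("POST", "/v1/system/initialize-database-connection"),
}

# Constructed sample of an integration script (assumption: curl invocations).
SAMPLE_SCRIPT = '''\
curl -s "$JAMF_URL/api/preview/device-communication-settings"
curl -s -X POST "$JAMF_URL/api/preview/mdm/renew-profile" -d @udids.json
curl -s -X PUT "$JAMF_URL/api/user/obj/preference/dashboard" -d @pref.json
curl -s "$JAMF_URL/api/v1/device-communication-settings/history"
'''

METHOD_RE = re.compile(r"(?:-X\s*|--request[\s=])([A-Za-z]+)")

def path_regex(path):
    """Regex for '/api' + path; a '{placeholder}' matches one path segment."""
    parts = re.split(r"\{[^}]+\}", path)
    body = r"[^/?\s\"']+".join(re.escape(p) for p in parts)
    # The lookahead stops a listed path from matching a longer, different path.
    return re.compile(r"/api" + body + r"(?=[?\s\"']|$)")

def suggest(method, path):
    """Return the /v1 path with the same method and tail, if the page lists one."""
    tail = path[len("/preview"):] if path.startswith("/preview/") else path
    candidate = "/v1" + tail
    return candidate if (method, candidate) in ADDED_V1 else None

def audit(script_text):
    """Return (line number, status, method, listed path, replacement) tuples."""
    findings = []
    for lineno, line in enumerate(script_text.splitlines(), start=1):
        m = METHOD_RE.search(line)
        method = m.group(1).upper() if m else "GET"  # no -X/--request: treat as GET
        for status, entries in (("removed", REMOVED), ("deprecated", DEPRECATED)):
            for listed_method, path in entries:
                if method == listed_method and path_regex(path).search(line):
                    findings.append((lineno, status, method, path, suggest(method, path)))
    return findings

if __name__ == "__main__":
    for lineno, status, method, path, new in audit(SAMPLE_SCRIPT):
        hint = f"listed replacement: {new}" if new else "check the API documentation"
        print(f"line {lineno}: {method} {path} is {status}; {hint}")
```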

Further Considerations
