Compatibility with macOS, iOS, iPadOS, and tvOS

Jamf Pro now provides compatibility for the following:

• macOS 11.3

• iOS 14.5

• iPadOS 14.5

• tvOS 14.5

This includes compatibility for the following management workflows:

• Enrollment and inventory reporting

• Configuration profiles

• App distribution

• Self Service installation

• Self Service launches and connections

• App distribution via Self Service

• Policies

• Restricted software

Compatibility and new feature support are based on testing with the latest Apple beta releases.

Apple Push Notification Service (APNs) HTTP/2 Communication Protocol

As announced in the Apple Push Notification Service Update, Apple will no longer support the legacy binary protocol for Apple Push Notification service (APNs) connections. To address this change, beginning with Jamf Pro 10.28.0, HTTP/2 is the default protocol for connections to APNs.

For related information, see the following documentation from Apple:

• Updated APNs provider API deadline

• Use Apple products on enterprise networks

• If your macOS and iOS clients aren't getting Apple push notifications

Jamf Protect Deployment Enhancement

You can now automatically deploy the Jamf Protect package to computers in the scope of a plan configuration profile. This allows you to skip the manual process of downloading and uploading the Jamf Protect package and using a policy to deploy it.

To use this deployment method, you need the following:

• A Jamf Protect subscription

• One or more plans in Jamf Protect

• Registration of your Jamf Protect tenant in Jamf Pro

To enable this feature, navigate to Settings > Jamf Applications > Jamf Protect and select the Automatically deploy the Jamf Protect PKG with plans checkbox.

For more information, see the Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers technical paper.

Additional Reporting Capabilities for Computers

You can create a smart computer group or an advanced search based on the following criteria:

Availability of the RestartDevice MDM Command via the Jamf Pro API

You can now use the RestartDevice MDM command to immediately restart computers in your environment. This command is available using the Jamf Pro API.

When combined with configuration profiles in Jamf Pro, this command includes the functionality to manage required legacy kernel extensions in macOS 11. You can also enable a macOS notification that requests users to restart the computer at their convenience.

For more information, see the Manage Legacy Kernel Extensions in macOS 11 Using Jamf Pro Knowledge Base article.

Mobile Device Configuration Profiles

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

Additional Remote Commands for Mobile Devices

The following remote commands for mobile devices have been added to Jamf Pro:

Additional Reporting Capabilities for Mobile Devices

You can create a smart mobile device group or an advanced search based on the following criteria:

Transitive Groups for Azure Single Sign-On and Cloud Identity Provider

When single sign-on (SSO) with Azure is configured in Jamf Pro, you can now enforce transitive membership in the user and group directory lookups when Azure is added as a cloud identity provider. This ensures that all Azure groups that a group is a member of are included in a directory lookup. There is no need to run recursive queries to list groups for which a user is a member.

The term "transitive" is used by Microsoft to describe relationships in Active Directory. For more information, see Glossary in the Active Directory Technical Specification from Microsoft.

To access this feature, navigate to Settings > System Settings > Cloud Identity Providers and click the Azure instance you want to edit. Click Edit and select the Transitive groups for SSO checkbox.

Server Name for LDAP Users or Groups

When adding a new LDAP user or group in Jamf Pro, you can now see which directory server configured in Jamf Pro the user or group originates from. The new Server column now displays in the Add LDAP User or Group table in the Add LDAP Account and Add LDAP Group assistants.

Active Directory Certificate Services (AD CS) Enhancements

Jamf Pro 10.28.0 includes performance enhancements that allow for a larger volume of certificate requests. In addition, the default frequency for the renewal monitor has been changed from 24 hours to 6 hours.

Deleting a DigiCert Certificate Authority

You can now delete DigiCert certificate authorities (CA) from Jamf Pro. To access this feature, navigate to Settings > Global Management > PKI Certificates, click View on the DigiCert CA that you want to delete, and then click Delete at the bottom of the page.

For more information, see the Integrating with DigiCert Using Jamf Pro technical paper.

Self Service for macOS Branding Enhancement

The main header space in the Self Service for macOS navigation bar has been increased and now adjusts to two lines to support longer organization names. This change was made in response to community feedback and is part of a larger redesign project. Future releases will continue to iterate on the redesign of Self Service for macOS.

New URL Scheme for Self Service for iOS

If you have the Microsoft Endpoint Manager integration enabled, you can now direct your users to the Register with Microsoft item in Self Service 10.10.5 or later using the following URL scheme:

selfserviceios://registerdc

Volume Purchasing Debug Mode

You can now enable debug mode logging for Volume Purchasing in Jamf Pro. This allows you to view the debug logs specific to Volume Purchasing directly in the Jamf Pro user interface. In addition, you can enable the Volume Purchasing traffic logs to view the communication logs between Jamf Pro and Apple's servers.

To access this feature, navigate to Settings > Jamf Pro Information > Jamf Pro Server Logs > Volume Purchasing tab.

Changes to the Jamf Pro Server Actions Privileges

The following changes and updates have been made to the privileges in the Jamf Pro Server Actions category of a Jamf Pro user account. These changes only impact functionality in the Jamf Pro API:

• The Send Mobile Device Shared Device Command privilege has been added and replaces the functionality associated with the Send Mobile Device Quota Size Command, including the functionality with the MaximumResidentUsers MDM command. As a result, the Send Mobile Device Quota Size Command privilege has been removed.

  Note: When upgrading to Jamf Pro 10.28.0 or later, the Send Mobile Device Shared Device Command privilege will automatically be enabled if the Send Mobile Device Quota Size Command privilege was enabled prior to upgrading.

• The following privileges have been added:

  • Send Disable Bootstrap Token Command

  • Send Enable Bootstrap Token Command

  • Send Application Attributes Command

  • Send Application Configuration Command

  • Send Set Timezone Command

Session Expiration Improvements

• Jamf Pro now uses a shared user session token for all browser tabs. For example, logging in or out on one tab of Jamf Pro will do the same in all other open tabs of Jamf Pro as well. When presented with a session expiration warning, clicking Continue Session will extend the session for all tabs.

• Jamf Pro now displays session expiration warnings by dynamically updating the title of the browser tab and animating the favicon. This provides a convenient way to be notified that the session is about to expire even when you are not focused on the tab.

  Note: The favicon animation is not supported in Internet Explorer 11 and Safari.

Other Changes and Enhancements

• When the default Enforce value for the Kerberos User setup delay setting is included in the computer Single Sign-On Extensions payload, the value for the delayUserSetup key in the configuration profile is now set to false. This better reflects the expected behavior of the User setup delay setting when it is sent to a computer in scope.

• The Send Update button was removed from the Conditional Access settings. You can still send an update from a computer's inventory information by navigating to History > macOS Intune Logs > Send Update.

• "Mappings" has been removed from the column titles in the Test table for cloud identity providers.

Jamf Pro API Changes and Enhancements

The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

The following endpoints were added:

• GET /v1/notifications

• DELETE /v1/notifications/{type}/{id}

• PUT /v1/jamf-protect

• DELETE /v1/pki/venafi/{id}

The following endpoints were deprecated:

• GET /notifications/alerts

• DELETE /notifications/alerts/{type}/{id}

For more information on these changes, see the Jamf Pro API documentation.

Further Considerations

• Feature requests implemented in this release can be viewed at: https://www.jamf.com/jamf-nation/feature-requests/versions/318/jamf-pro-10-28-0

• See Product Documentation for a list of new and recently updated Jamf Pro guides and technical papers.

• Privileges associated with new features in Jamf Pro are disabled by default.

• It is recommended that you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.