What's New

Jamf Connect Deployment Integration

If you have a Jamf Connect subscription, you can now deploy Jamf Connect directly from Jamf Pro. This eliminates the need to manually upload the installer package and use a policy to deploy Jamf Connect to computers.

You can view and configure the following:

  • View all computer configuration profiles with Jamf Connect settings in a single location. Jamf Pro automatically detects and displays any configuration profile with settings written to a preference domain starting with "com.jamf.connect".

  • Deploy a specific version of Jamf Connect to computers in the scope of a configuration profile. This allows you to complete an initial deployment of Jamf Connect to target computers or to manage subsequent updates without enabling automatic updates.

  • Configure automatic updates for computers in the scope of a Jamf Connect configuration profile. You can configure Jamf Pro to automatically deploy minor updates (e.g., 1.0.0 to 1.1.0), maintenance updates (e.g., 1.0.0 to 1.0.1), or both.

  • Receive notifications in Jamf Pro when a new Jamf Connect version is available.

To set up this integration, you need the following:

  • A Jamf Connect subscription and Jamf Nation account

  • Cloud Services Connection enabled in Jamf Pro

  • The following Jamf Pro user account privileges:

    | Category | Privilege |
    |---|---|
    | Jamf Pro Server Settings | Jamf Connect (Read); Cloud Services Connection (Read) |
    | Jamf Pro Server Actions | Read and Download Jamf Application Assets |

To use this feature in Jamf Pro, go to Settings > Jamf Applications > Jamf Connect.

Deploy iOS Apps to Computers with Apple silicon

Jamf Pro now supports adding iOS App Store apps manually to the Mac App Store catalog, permitting administrators to deploy supported iOS apps to Mac computers with Apple silicon (i.e., M1 chip).

Configuration Profiles Redesign Project

Notifications Payload for iOS

The Notifications payload for mobile devices has been redesigned with a revamped user interface that includes toggles and action buttons.

Important: When upgrading to Jamf Pro 10.30.0, any previously created configuration profiles that include the Notifications payload are automatically migrated. Use the Jamf Pro user interface to review the settings. The migrated configuration profiles are not automatically redistributed to the deployment targets after the migration.

Security and Privacy Payload for Computers

You can now configure firewall, FileVault, and general security settings for computers with an improved workflow and more informative validation messages, using the redesigned Security and Privacy payload.

The following groups of settings are now accessible directly from the sidebar under the Security and Privacy payload:

  • General—Configure general security settings, including unlocking options and Gatekeeper.

  • FileVault—Configure settings for FileVault.

  • Firewall—Configure settings for firewall, including stealth mode.

Important: When configuring the redesigned Security and Privacy payload, consider the following:

  • When editing or uploading a configuration profile that includes the Security and Privacy payload created in Jamf Pro 10.29.0 or earlier, it is recommended to verify that the Stealth Mode setting in Firewall reflects your environment's needs.

  • The Recovery Key Redirection payload is now part of the FileVault settings. This payload is deprecated by Apple.

  • The "Send diagnostic and usage data to Apple, and sharing crash data and statistics with app developers" setting is now part of General settings.

  • The Escrow Personal Recovery Key and Recovery Key Redirection settings should not be included in the same profile.

The following table provides an overview of the Security and Privacy payload settings in Jamf Pro 10.30.0 and Apple's corresponding payload type:

| Setting in Jamf Pro 10.30.0 | Key | Payload Type | Notes |
|---|---|---|---|
| General Settings | | | |
| Password Change | dontAllowPasswordResetUI | com.apple.preference.security | |
| Set Lock Message | dontAllowLockMessageUI | com.apple.preference.security | |
| Send diagnostic and usage data to Apple, and sharing crash data and statistics with app developers | AutoSubmit | com.apple.SubmitDiagInfo | |
| Unlock macOS computer using an Apple Watch with watchOS 3 or later | allowAutoUnlock | com.apple.applicationaccess | |
| Require Passcode to Unlock Screen | askForPassword, askForPasswordDelay | com.apple.screensaver | Jamf Pro sends the askForPasswordDelay key when the askForPassword value is set to true. |
| Gatekeeper | EnableAssessment, AllowIdentifiedDevelopers | com.apple.systempolicy.control | Jamf Pro sends the AllowIdentifiedDevelopers key when any of the Mac App Store options is configured. |
| Temporarily overriding the Gatekeeper setting by control-clicking to install any app | DisableOverride | com.apple.systempolicy.managed | |
| FileVault Settings | | | |
| Enable FileVault | Enable | com.apple.MCX.FileVault2 | |
| Event to prompt FileVault enablement | Defer, DeferDontAskAtUserLogout | com.apple.MCX.FileVault2 | When "At Login" is selected, Jamf Pro sends the Defer and DeferDontAskAtUserLogout keys automatically. Ensure the setting is configured as desired. |
| Allow users to bypass FileVault prompts at login | DeferForceAtUserLoginMaxBypassAttempts | com.apple.MCX.FileVault2 | |
| Recovery keys | UseRecoveryKey, PayloadCertificateUUID | com.apple.MCX.FileVault2 | The UseRecoveryKey value is set to true for Personal Recovery Key. The PayloadCertificateUUID key requires a certificate to be configured in the Certificate payload in the same profile. |
| Display personal recovery key to user | ShowRecoveryKey | com.apple.MCX.FileVault2 | |
| User adjustment of FileVault options | dontAllowFDEDisable, dontAllowFDEEnable | com.apple.MCX | Use this setting to prevent end users from enabling or disabling FileVault. When "Enable FileVault" is included in the profile, the "Prevent FileVault from being disabled" option is also included by default and cannot be changed. Jamf Pro sends only one key for this setting based on the options in the configuration. |
| Require user to unlock FileVault after hibernation | DestroyFVKeyOnStandby | com.apple.MCX | |
| Escrow Personal Recovery Key | EncryptCertPayloadUUID, Location, DeviceKey | com.apple.security.FDERecoveryKeyEscrow | The value for the EncryptCertPayloadUUID key is automatically added by Jamf Pro or must be configured manually based on the Certificates payload. |
| Recovery Key Redirection | RedirectURL, EncryptCertPayloadUUID | com.apple.security.FDERecoveryRedirect | The value for the EncryptCertPayloadUUID key is automatically added by Jamf Pro or must be configured manually based on the Certificates payload. This payload is deprecated by Apple. |
| Firewall Settings | | | |
| Firewall settings change | dontAllowFireWallUI | com.apple.preference.security | This key is added in Jamf Pro 10.30.0 and allows you to restrict users from changing firewall settings. |
| Firewall | enableFirewall | com.apple.security.firewall | |
| Block all incoming connections | BlockAllIncoming | com.apple.security.firewall | |
| Control incoming connections for specific apps | Applications, Allowed, BundleID | com.apple.security.firewall | When application bundle IDs are added, Jamf Pro sends them together with the Allowed key. |
| Stealth Mode | EnableStealthMode | com.apple.security.firewall | You can use stealth mode to secure a Mac computer against malicious attacks. When stealth mode is enabled, “ping” requests or connection attempts from a closed TCP or UDP network are ignored. Firewall must be enabled to include this setting. |

For information on settings for configuring the Security and Privacy payload, see the Profile-Specific Payload Keys documentation from Apple.

Important: When upgrading to Jamf Pro 10.30.0, any previously created configuration profiles that include the Security and Privacy payloads are automatically migrated. Use the Jamf Pro user interface to review the settings. The migrated configuration profiles are not automatically redistributed to the deployment targets.
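The review points above can be checked against an exported profile. The following is an added example, not Jamf or Apple code: it parses an unsigned .mobileconfig plist and flags a Stealth Mode value that differs from what you expect, Escrow and Redirection payloads in the same profile, and certificate references that do not resolve inside the profile. The function name, finding strings and sample profile are constructed for illustration.

```python
import plistlib

ESCROW = "com.apple.security.FDERecoveryKeyEscrow"
REDIRECT = "com.apple.security.FDERecoveryRedirect"
FIREWALL = "com.apple.security.firewall"
FILEVAULT = "com.apple.MCX.FileVault2"
# Key in each payload type that must point at a certificate payload's PayloadUUID.
CERT_REF = {FILEVAULT: "PayloadCertificateUUID", ESCROW: "EncryptCertPayloadUUID",
            REDIRECT: "EncryptCertPayloadUUID"}

def audit_profile(profile_bytes, want_stealth=True):
    """Return sorted findings for one unsigned .mobileconfig plist."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    types = {p.get("PayloadType") for p in payloads}
    uuids = {p.get("PayloadUUID") for p in payloads}
    findings = set()
    if ESCROW in types and REDIRECT in types:
        findings.add("escrow-and-redirection-in-same-profile")
    if REDIRECT in types:
        findings.add("recovery-key-redirection-is-deprecated")
    for p in payloads:
        ptype = p.get("PayloadType")
        ref = p.get(CERT_REF.get(ptype, ""))
        if ref is not None and ref not in uuids:
            findings.add(f"{ptype}: certificate payload {ref} not in profile")
        if ptype == FIREWALL:
            # The page lists enableFirewall; Apple's payload reference spells
            # the key EnableFirewall, so accept either spelling.
            fw_on = p.get("EnableFirewall", p.get("enableFirewall", False))
            stealth = p.get("EnableStealthMode", False)
            if stealth and not fw_on:
                findings.add("stealth-mode-set-but-firewall-disabled")
            if fw_on and stealth != want_stealth:
                findings.add(f"stealth-mode-is-{stealth}-expected-{want_stealth}")
    return sorted(findings)

# Constructed sample profile (not exported from a real Jamf Pro instance).
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": FIREWALL, "PayloadUUID": "A1", "EnableFirewall": True,
         "EnableStealthMode": False},
        {"PayloadType": ESCROW, "PayloadUUID": "B2", "Location": "Constructed MDM",
         "EncryptCertPayloadUUID": "C3"},
        {"PayloadType": REDIRECT, "PayloadUUID": "D4",
         "RedirectURL": "https://mdm.example.invalid/redirect",
         "EncryptCertPayloadUUID": "C3"},
    ],
})
```

Signed profiles are CMS-wrapped and must be unwrapped before `plistlib` can read them.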

Mobile Device Configuration Profile Enhancements

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

| Setting | Key Included in Payload | Requirements | Notes |
|---|---|---|---|
| Restrictions (Enhancements) | | | |
| Connections to Siri servers to help improve Siri and Dictation | forceOnDeviceOnlyDictation | iOS 14.5 or later | You can now disable connections to Siri servers for dictation-related purposes. |
| Booting into recovery by an unpaired device | allowUnpairedExternalBootToRecovery | iOS 14.5 or later; Supervised | You can now allow devices to be booted into recovery by an unpaired device. For more information, see Manage USB pairing for iOS and iPadOS devices from Apple's support website. |
| Connection to unmanaged Wi-Fi networks | forceWiFiToAllowedNetworksOnly | iOS 14.5 or later | During Jamf Pro upgrade, this key replaces forceWiFiWhitelisting. To ensure iOS 14.4 or earlier compatibility, forceWiFiToAllowedNetworksOnly and forceWiFiWhitelisting keys are sent to devices in scope. |

Note: The operating system manages settings on the device level. Some settings enforced by the profile that do not change default values will not be visible on the device. For more information on the default settings, see the Restrictions documentation from Apple.

Azure Cloud Identity Provider Configuration Enhancements

The following enhancements have been added for Azure Cloud Identity Provider (IdP) configuration:

  • Transitive Groups for Single Sign-On (SSO) User Mapping—When Azure AD is added as a cloud IdP, you can now configure a specific user mapping for single sign-on transitive groups. This allows you to adjust username mapping during transitive membership requests to match the user identifier in the SAML single sign-on settings in the Azure configuration. To access this feature, navigate to your Azure as a cloud IdP instance and click Edit. The "User Mapping from the SAML Assertion" setting is nested under "Transitive groups for SSO".

    Note: The User Mapping from the SAML Assertion value must be the same for all Azure AD cloud identity provider server configurations.

  • The Group Id Mapping—You can no longer edit the default “id” value for the Group Id mapping in the Azure cloud IdP configuration. This ensures your configuration will work as expected. If your environment already integrates with Azure as a cloud IdP and the “Group Id” mapping value does not match “id”, contact Jamf Support.

Conditional Access Enhancement

You can now specify the number of days after a computer's last check-in with Jamf Pro before a deactivation state is sent and the device is marked as "Non-Compliant" in Microsoft Intune. To access this feature in Jamf Pro, navigate to Settings > Global Management > Conditional Access.

Note: By default, the allowed number of days is 120.

Ongoing Jamf Pro Interface Improvements Project

The following enhancements are currently limited to certain pages of Jamf Pro (e.g., Settings > Departments), but will become the standard across the product over time:

  • You can now choose how Jamf Pro displays information in table format (where supported). The Paginated option separates items by page, while the Continuous Scroll option loads results dynamically as you scroll. To select an option, navigate to Account Preferences > Interface Preferences. While viewing tables in paginated format, click the settings icon in the top-right corner of the pane to choose how many items are shown on a page.

  • A new search bar has been added to certain tables in Jamf Pro which allows you to search all filterable columns at once. This allows you to quickly find information you are looking for without configuring a filter.

  • You can now export or delete objects directly from certain tables in Jamf Pro, including selections of multiple objects. To do so, select a checkbox next to an object or select the checkbox at the top of the pane to select all objects, and then click Export selected items or Delete selected items at the top of the pane.

  • You can now select dates directly from a calendar pop-up when configuring date-based filters for certain tables in Jamf Pro.

Self Service for macOS Enhancements

As part of an ongoing redesign project, the following enhancements were made to Self Service for macOS:

  • Home Page—Self Service for macOS now includes a Home page with quick links to featured items, categories, and bookmarks.

  • Improved Content Tiles—The Bookmarks and Browse pages have been updated and now display content in modernized borderless tiles. In addition, the Bookmarks description character limit has been increased.

  • Improved Branding Header—The branding header image now scales with the Self Service window. In addition, the branding header image now only displays on the Home page. You can use the following template to ensure the most important part of your branding header image remains visible on the screen:
    [Image: branding header template area]

New Self Service for macOS URL Scheme

You can now direct users to specific search term results in Self Service for macOS using the following URL scheme, replacing SEARCHTERM with the search term you want to direct users to:
selfservice://content?action=search&term=SEARCHTERM

Automatic Renewal for DigiCert and Venafi Certificates

Jamf Pro now automatically redistributes DigiCert and Venafi certificates via a configuration profile 10 days before the certificate is scheduled to expire. This functionality already exists for AD CS certificates. If the 10-day default setting does not meet your needs, contact Jamf Support.

Deleting a Venafi Certificate Authority

You can now delete Venafi certificate authorities (CA) from Jamf Pro. To access this feature, navigate to Settings > Global Management > PKI Certificates, click View on the Venafi CA that you want to delete, and then click Delete at the bottom of the page.

For more information, see the Integrating with Venafi Using Jamf Pro technical paper.

Jamf Pro API Changes and Enhancements

The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

The following endpoints were added:

  • POST /v1/icon

  • GET /v1/icon/{id}

  • GET /v1/jamf-connect

  • GET /v1/jamf-connect/config-profiles

  • PUT /v1/jamf-connect/config-profiles/{id}

  • GET /v1/jamf-connect/history

  • POST /v1/jamf-connect/history

  • GET /v1/pki/certificate-authority/active

  • GET /v1/pki/certificate-authority/active/der

  • GET /v1/pki/certificate-authority/active/pem

  • GET /v1/pki/certificate-authority/{id}

  • GET /v1/pki/certificate-authority/{id}/der

  • GET /v1/pki/certificate-authority/{id}/pem

  • GET /v1/pki/venafi/{id}/dependent-profiles

For more information on these changes, see the Jamf Pro API documentation.

Further Considerations
