New Features and Enhancements

Compatibility with macOS, iOS, iPadOS, and tvOS

Compatibility and new feature support are based on testing with the latest Apple beta releases of the following:

  • macOS Monterey 12

  • iOS 15

  • iPadOS 15

  • tvOS 15

This includes compatibility for the following management workflows:

  • Enrollment and inventory reporting

  • Configuration profiles

  • App distribution

  • Self Service installation

  • Self Service launches and connections

  • App distribution via Self Service

  • Policies

  • Restricted software

Configuration Profiles

Computer Configuration Profiles

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

SettingKey Included in PayloadRequirementsNotes
DNS Proxy (New Payload)
You can now configure DNS proxies for computers. To use this feature, navigate to Computers > Configuration Profiles > DNS Proxy.
App Bundle IDAppBundleIdentifier

macOS 10.15 or later

You can now configure the bundle identifier of the application that contains the DNS proxy network extension.

Provider Bundle IDProviderBundleIdentifier

You can now configure the bundle identifier of the DNS proxy network extension to use. Only include the bundle identifier for applications that contain more than one DNS proxy extension.

Provider Configuration XMLProviderConfiguration

You can now configure the dictionary of vendor-specific configuration items. To add the configuration, upload the XML or use the input field.

Restrictions (Enhancements)

You can now have more granular control over deferral options for software updates. Depending on the options selected in the interface, Jamf Pro will send a different set of keys to the computer. It is recommended to review the configured settings before scoping the profile.

For more information, see this documentation from the Apple Developer website.

Allow Erase All Content and SettingsallowEraseContentAndSettings

macOS 12 or later*

Supervised

This setting displays in the Restrictions–Functionality tab.

If selected, this enables Erase All Content And Settings in the computer's Reset options.

Include major software updatesforceDelayedMajorSoftwareUpdates

macOS 11.3 or later

You can now configure the delay of a major software upgrade on the computer. When selected, the upgrade displays to users after the specified number of days of the release. The value for this key is controlled by the Set different delay for major software updates setting and the enforcedSoftwareUpdateMajorOSDeferredInstallDelay key.
Set different delay for major software updatesenforcedSoftwareUpdateMajorOSDeferredInstallDelayYou can now configure the delay of a major OS software upgrade on the computer. When selected, the upgrade displays to users after the specified number of days of the release. The value for this key controls the delay for the Include major software updates setting and the forceDelayedMajorSoftwareUpdate key.
Set different delay for minor software updatesenforcedSoftwareUpdateMinorOSDeferredInstallDelayYou can now configure the delay of a minor OS software update on a computer. When selected, the update displays to users after the specified number of days of the release. This value controls the delay for the Defer Software updates of All software updates, Application, and non-OS updates setting and the forceDelayedSoftwareUpdates key.
Set different delay for non-OS updatesenforcedSoftwareUpdateNonOSDeferredInstallDelayYou can now configure the delay of an application software update on the device. When selected, the non-OS update displays to users after the specified number of days of the release. This value controls the delay for the Defer Software updates of All software updates, Application, and non-OS updates setting and the forceDelayedAppSoftwareUpdates key.
Single Sign-On Extensions (Enhancements)
Kerberos apps in bundle IDACLincludeKerberosAppsInBundleIdACLmacOS 12 or later*

If enforced, the Kerberos extension allows the standard Kerberos utilities (e.g., TicketViewer) to access and use the credential.

Managed apps in bundle IDACLincludeManagedAppsInBundleIdACL

If enforced, the Kerberos extension allows only managed applications to access and use the credential. Include this with the Credential bundle IDACL setting if it is specified.

Preferred KDCspreferredKDCs

macOS 10.15 or later

You can now configure the ordered list of preferred Key Distribution Centers (KDCs) for Kerberos traffic if the servers are not discoverable via DNS. If the servers are specified, then they are used for connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, then the computer falls back to DNS discovery.

Format the values as in the krb5.conf file (e.g., adserver1.example.com).

System Extensions (Enhancement)
Removable System ExtensionsRemovableSystemExtensionsmacOS 10.15 or laterYou can now specify system extensions that can be removed from target computers.

*Feature support is based on testing with the latest Apple beta releases.

Mobile Device Configuration Profiles

The following table provides an overview of the mobile device configuration profile enhancements in this release, organized by payload:

SettingKey Included in PayloadRequirementsNotes
Restrictions (Enhancements)
Pasteboard respects managed/unmanaged document restrictionsrequireManagedPasteboard

iOS 12 or later

If enforced, the Clipboard respects settings for managed/unmanaged destinations (e.g., prevents managed application content from being pasted into unmanaged applications).

Connections to Siri servers for the purpose of translationforceOnDeviceOnlyTranslation

iOS 15 or later*

If restricted, the device does not connect to Siri servers for translation.

Some apps not allowedblockedAppBundleIDs

iOS 9.3 or later

tvOS 11 or later

Supervised

If included, the applications linked to the listed bundled IDs do not display to users and cannot be opened.

Include the com.apple.webapp value to restrict all web clips.

The blockedAppBundleIDs key replaces the deprecated blacklistedAppBundleIDs key.

Only some apps allowedallowListedAppBundleIDs

If included, only the applications linked to the listed bundled IDs display to users and can be opened.

Include the com.apple.webapp value to allow all web clips.

The allowListedAppBundleIDs key replaces the deprecated whitelistedAppBundleIDs key.

Single Sign-On Extensions (Enhancements)
Managed apps in bundle IDACL

(Previously called Only managed applications to access and use the credential)

includeManagedAppsInBundleIdACL

iOS 14 or later

This setting replaces the Only managed applications to access and use the credential setting in the Jamf Pro interface.

Preferred KDCspreferredKDCs

iOS 13 or later

You can now configure the ordered list of preferred Key Distribution Centers (KDCs) for Kerberos traffic if the servers are not discoverable via DNS. If the servers are specified, they are used for connectivity checks and attempted first for Kerberos traffic. If the servers do not respond, the device falls back to DNS discovery.

Format the values as in the krb5.conf file (e.g., adserver1.example.com).

TV Remote (Enhancements)
Device NameTVDeviceName

iOS 11.3 or later

You can now configure names of an Apple TV device that iOS devices can connect to and control.

This settings will allow you to control Apple TV devices with tvOS 15 or later*.

*Feature support is based on testing with the latest Apple beta releases.

Remote Commands

Mobile Device Remote Commands

Remote CommandRequirementsNotesAvailable as a Mass Action
Recommend Software Update Version

iOS 14.5 or later

iPadOS 14.5 or later

Supervised

You can now recommend a software version to users in Software Update settings. This gives you more control over the version that user can install on their devices by only allowing users to install the software version you specify. You can recommend the following versions:

  • Latest major software version

  • Latest minor software version of the currently installed version

  • Any available version

For more information about Software Updates, see Managing Software Updates for Apple Devices in Apple's Mobile Device Management Settings.

Enhancements to Download/Download and Install Updates Remote Command for Computers

Jamf Pro now includes enhancements to the Download/Download and Install Updates remote command to make the update process more reliable and allow for the option to choose between updating computers to the latest minor update or latest major update.

To apply the latest major update (e.g., macOS 12), select the Download and install the update, and restart computers after installation option, and then select the Include major updates, if available checkbox. To apply the latest minor update (e.g., macOS 11.5.1), leave the checkbox deselected.

A new alert has also been added to the Download and install the update, and restart computers after installation option to notify you that computers that require a restart may immediately restart without notifying users beforehand.

Recovery Lock for macOS

Jamf Pro now allows you to enable Recovery Lock on computers with Apple silicon (i.e., M1 chip) with macOS 11.5 or later. Enabling this feature prevents access to macOS Recovery without a password, providing additional security for the computers in your environment. You can create and store this password using Jamf Pro. For more information about macOS Recovery, see Use macOS Recovery on a Mac with Apple silicon from Apple's macOS User Guide.

You can use a PreStage enrollment in Jamf Pro to set Recovery Lock on computers during enrollment. This allows you to select one of the following methods for how the Recovery Lock password is configured:
  • Manually enter a password that is applied to all computers in the scope of the PreStage

  • Enable Jamf Pro to generate a random password that is unique to each computer in the scope of the PreStage

Jamf Pro collects and stores the Recovery Lock password for each computer. You can view this information in the computer's inventory information.

Inventory Reporting

Additional Reporting Capabilities for Computers

You can create a smart computer group or an advanced search based on the following criteria:

Inventory AttributeRequirementsValues Returned in Inventory InformationSmart Group/Advanced Search Values
Apple siliconmacOS 12 or later*Jamf Pro displays the following values for the Apple sIlicon inventory attribute:
  • Yes

  • No

You can use the following values when creating a smart group or advanced search based on the Apple silicon criteria:
  • Yes

  • No

Recovery LockmacOS 11.5 or laterJamf Pro displays the following values for the Recovery Lock inventory attribute:
  • Enabled

  • Not enabled

You can use the following values when creating a smart group or advanced search based on the Recovery Lock criteria:
  • Enabled

  • Not enabled

Software Update Device IDmacOS 12 or later*

Jamf Pro displays the following value for the Software Update Device ID inventory attribute:

Model Identifier (e.g., "J29AP", "J313AP")

You can use the following value when creating a smart group or advanced search based on the Software Update Device ID criteria:

Model Identifier (e.g., "J29AP", "J313AP")

FirewallmacOS 10.12 or laterJamf Pro displays the following value for the Firewall attribute:
  • Enabled

  • Not enabled

You can use the following values when creating a smart group or advanced search based on the Firewall criteria:
  • Enabled

  • Not enabled

Bootstrap Token EscrowedmacOS 11 or later
Jamf Pro displays the following value for the Bootstrap Token Escrowed attribute:
  • Yes

  • No

N/A

*Feature support is based on testing with the latest Apple beta releases.

Additional Reporting Capabilities for Mobile Devices

You can create a smart mobile device group or an advanced search based on the following criteria:

Inventory AttributeRequirementsValues Returned in Inventory InformationSmart Group/Advanced Search Values
Software Update Device IDiOS 15 or later*

Jamf Pro displays the following value for the Software Update Device ID inventory attribute:

Model Identifier (e.g.,"iPad8,1", "iPad8,10")

You can use the following value when creating a smart group or advanced search based on the Software Update Device ID criteria:

Model Identifier (e.g.,"iPad8,1", "iPad8,10")

*Feature support is based on testing with the latest Apple beta releases.

Dynamic SCEP Challenge Webhook Enhancement

You can now use a webhook to use the SCEP Dynamic challenge type. When you create a webhook using the event "SCEPChallenge", the receiving web server is sent information about the enrolling device and the configuration profile. This allows the returning message body to be used as the SCEP challenge for that enrollment. For more information about webhooks, see Webhooks in the Jamf Pro Administrator's Guide.

Option to Revoke Jamf Parent Device Management Capabilities when Wiping or Re-enrolling Paired Student Devices

You can now configure Jamf Pro to revoke management capabilities from parent devices when a paired student device is wiped via MDM command or re-enrolled in Jamf Pro. This ensures that parent devices are not able to perform any management actions on reprovisioned devices. To configure this setting, navigate to Settings > Jamf Applications > Jamf Parent and select an option under Revoke Jamf Parent Management Capabilities When Wiping Or Re-Enrolling. The default selection is Yes.

TeamViewer Integration Session Reporting

New TeamViewer session reporting functionality allows you to access details of sessions that have been initiated through Jamf Pro, such as reasons for starting the session and the devices linked to the session. To access this feature in Jamf Pro, navigate to Settings > Global Management Settings > Remote Administration.

Jamf Setup and Jamf Reset 3.1.0

Jamf Setup and Jamf Reset 3.1.0 introduce improved UI enhancements for iPad support, bug fixes, and performance improvements.

Jamf Setup and Jamf Reset 3.1.0 will be available in the App Store when they are approved by Apple.

Jamf Pro API Changes and Enhancements

The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example: https://jss.instancename.com:8443/api

Note:

In future releases, Jamf Pro API endpoints that have been deprecated for over a year will be removed. It is recommended that you update your applications to use the latest versions of these endpoints. See the API documentation for a complete list of endpoints.

The following endpoint was added:

GET /preview/remote-administration-configurations/team-viewer/{id}/sessions/{sessionId}/status

Other Changes and Improvements

  • You can now add Jamf Protect automated deployment settings (Settings > Jamf Applications > Jamf Protect) to sites in Jamf Pro.

  • You can now filter the display of Jamf Connect configuration profiles (Settings > Jamf Applications > Jamf Connect) by their Deployed Version field when using the search field at the top left corner of the pane.

  • The Jamf Parent settings page (Settings > Jamf Applications > Jamf Parent) has been updated with redesigned form controls and history table views for better ease of use.

  • Legacy Jamf Connect configuration profiles (profiles with settings for Jamf Connect Sync and Jamf Connect Verify) no longer display in the list of Jamf Connect profiles under Settings > Jamf Applications > Jamf Connect.

  • You can now configure automatic log flushing for automated Jamf Connect and Jamf Protect deployments under Settings > Log Flushing.

Further Considerations

  • Feature requests implemented in this release can be accessed by logging in to the ideas.jamf.com feature requests portal.

  • Privileges associated with new features in Jamf Pro are disabled by default.

  • It is recommended that you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.

  • Known issues for Jamf Pro can be accessed from the Jamf Pro products page in Jamf Account.