New Features and Enhancements

Account-Driven User Enrollment with Jamf Pro

You can allow users to enroll personally owned mobile devices with iOS 15 or later, or iPadOS 15 or later with Jamf Pro using Account-Driven User Enrollment. When a user authenticates to their device with a Managed Apple ID, the enrollment process initializes. Users are redirected to the enrollment portal and prompted to install the MDM profile on their device.

Account-Driven User Enrollment is similar to the current User Enrollment method: It keeps personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. This allows for a limited management of devices using a set of configurations that associate management with the user, not the entire device. The user can access their corporate data while the administrator cannot erase, modify, or view the personal data. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf Pro, when the corporate data is deleted.

Before a user can initiate the enrollment process, you must define the Jamf Pro enrollment information in a .JSON file and host it on a web server. This allows a device to initiate a service discovery process to retrieve the information and direct the user to the enrollment portal on their device. For more information, see Account-Driven User Enrollment for Personally Owned Mobile Devices in the Jamf Pro Administrator's Guide.

Recovery Lock Password Rotation

To enhance the security of the Recovery Lock password, you can configure Jamf Pro to rotate the Recovery Lock password after the password is viewed in Jamf Pro. Password rotation applies to passwords that are randomly generated by Jamf Pro.

Viewing the password in the computer's inventory information automatically enables Jamf Pro to generate a new, random password for that computer 60 minutes after the password was viewed.

Configuration Profiles

Computer Configuration Profiles

The following table provides an overview of the computer configuration profile enhancements in this release, organized by payload:

SettingKey Included in PayloadRequirementsNotes

Security and Privacy: FileVault (Enhancement)

Secure Token User Promptcachedaccounts.askForSecureTokenAuthBypass

macOS 10.13.5 or later

You can now prevent the secure token authorization dialog from displaying. This dialog only appears on APFS volumes.

Note that this may prevent mobile accounts from unlocking a FileVault volume.

Application & Custom Settings (Enhancements)

  • You can now add custom properties to forms generated in the computer Application & Custom Settings payload. This allows for a more granular payload configuration. Ensure to select the data type and assign values for your custom properties after you add them.

  • When editing forms, you can now select or deselect all properties at once. This allows for a more convenient payload configuration. To select or deselect all properties, use the Property checkbox when adding or removing properties.

Azure Cloud Identity Provider Enhancements

The following enhancements have been introduced in Azure cloud identity provider (IdP) settings:
  • The default Connection Timeout is now 5 seconds. This limits the time to identify the potential connection issues. If your environment already integrates with Azure cloud IdP, it is recommended to change the Connection Timeout value to 5.

  • You can now enforce transitive membership lookups for directory workflows to include all groups that a user or group is a member of. This is recursive and checks more than only the direct membership. To access this feature, navigate to your Azure cloud IdP instance and select Transitive membership lookups.

Inventory Reporting

Mobile Device Inventory Reporting

You can create a smart mobile device group or an advanced search based on the following criteria:
Inventory AttributeRequirementsValues Returned in Inventory InformationSmart Group/Advanced Search Values
(Enhancement) Device Ownership Type
  • iOS 15 or later
  • iPadOS 15 or later
Personal (Account-Driven User Enrollment)Personal (Account-Driven User Enrollment)

Jamf Pro API Changes and Enhancements

The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append "/api" to your Jamf Pro URL. For example:


In future releases, Jamf Pro API endpoints that have been deprecated for over a year will be removed. It is recommended that you update your applications to use the latest versions of these endpoints. See the API documentation for a complete list of endpoints.

The following endpoints were added:
  • GET /v1/self-service/branding/ios

  • POST /v1/self-service/branding/ios

  • GET /v1/self-service/branding/ios/{id}

  • PUT /v1/self-service/branding/ios/{id}

  • DELETE /v1/self-service/branding/ios/{id}

  • GET /v1/self-service/branding/macos

  • POST /v1/self-service/branding/macos

  • GET /v1/self-service/branding/macos/{id}

  • PUT /v1/self-service/branding/macos/{id}

  • DELETE /v1/self-service/branding/macos/{id}

  • GET /v2/cloud-ldaps/{id}/connection/status

  • GET /v3/check-in

  • PUT /v3/check-in

  • GET /v3/check-in/history

  • POST /v3/check-in/history

  • POST /v2/enrollment/access-groups

The following endpoints were removed:
  • GET /self-service/branding/configurations

  • POST /self-service/branding/configurations

  • GET /self-service/branding/configurations/{id}

  • PUT /self-service/branding/configurations/{id}

  • DELETE /self-service/branding/configurations/{id}

  • GET /v1/check-in

  • PUT /v1/check-in

  • GET /v1/check-in/history

  • POST /v1/check-in/history

The following endpoints were deprecated:
  • GET /v2/check-in

  • PUT /v2/check-in

  • GET /v2/check-in/history

  • POST /v2/check-in/history

Other Changes and Improvements

  • When configuring a patch management software title, you can now search software titles to locate the title more easily.

  • The following configuration profile payloads are now redesigned:
    • AirPlay for computers and mobile devices

    • DNS Proxy for mobile devices


    When upgrading Jamf Pro, any previously created configuration profiles that include the redesigned payload settings are automatically migrated. Use the Jamf Pro user interface to review the settings. The migrated configuration profiles are not automatically redistributed.

  • Some deprecated login hooks functionality has been replaced with support for login events. To configure login events settings, navigate to Settings > Computer Management > Login Events.

  • Jamf Pro now syncs and redeploys Jamf Protect configuration profiles to computers in the scope of the profile when a change to its core components is made in Jamf Protect. For example, this allows for the addition of a system extension payload to be deployed without requiring administrators to create a new plan.

    Making changes to a plan in Jamf Protect does not trigger this process.

  • Changes made to batching in mobile device inventory tables allow for improved error handling.

  • Duplicated rows stored in the computer inventory applications database table are removed for accuracy and improved performance.

Further Considerations

  • Privileges associated with new features in Jamf Pro are disabled by default.

  • It is recommended that you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.

  • Known issues for Jamf Pro can be accessed from the Jamf Pro product page in Jamf Account.