Hosting Locations

When distributing in-house content, consider where the content will be hosted. There are three hosting locations that you can use:

  • Distribution points

    This hosting location is only available if your principal distribution point is the cloud distribution point. To use this hosting location, you upload the content to the principal distribution point when configuring settings for the content in Jamf Pro.


    Content cannot be replicated to file share distribution points.

  • Web server

    This hosting location is always available, regardless of what type of distribution point the principal is. To use this hosting location, the content must be hosted on a web server before you distribute it. Then, when you distribute the content, you specify the URL where it is hosted. If your principal distribution point is a file share distribution point, it is recommended that you host large apps or books on a web server.

    Jamf Pro also allows you to configure a JSON Web Token (JWT) to control the distribution of iOS and tvOS in-house apps from a web server. In-house apps downloaded from the Jamf Pro database are automatically secured with JWT. For more information see JSON Web Token for Securing In-House Content.

  • jamfsoftware database (in-house apps only)

    If your principal distribution point is a file share distribution point, you can use Jamf Pro to upload the app and host it in the jamfsoftware database.

JSON Web Token for Securing In-House Content

You can configure a JSON Web Token (JWT) in Jamf Pro to secure downloads of packages, in-house apps, and in-house books hosted on a web server. After the JWT is configured, packages, in-house apps, and books can only be downloaded on managed computers and mobile devices and within the time period you specify.


Packages, in-house apps, and books must be hosted on the same web server that is configured for JWT authentication.

The JWT is generated using the RS256 algorithm, is signed with the RSA private key provided in the configuration, and has the following claims:

  • "sub" (subject) of "AppManifest"

  • "iss" (issuer) of "JSS"

  • "exp" (expiration) configurable in the JSON Web Token Configuration settings

After configuring the JWT, the administrator of the web server must perform further setup to ensure the server validates the request using the JWT "token" query parameter.


Until the web server validates the requests, unsecured downloads of in-house apps and books may still be possible.

Configuring a JSON Web Token

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global Management section, click PKI Certificates .
  3. Click the JSON Web Token Configuration tab.
  4. Click New .
  5. Enter a display name for the token.
  6. Select one of the following encryption key options:
    1. Choose Paste or Type Encryption Key, then enter the RSA private encryption key in the Paste the Encryption Key Below field.
    2. Choose Upload Encryption Key File, then click Choose File to upload a .pem file containing the RSA private encryption key.

      To generate the private encryption key file on a Mac, open Terminal and execute the following command:

      openssl genrsa -out key.pem 2048

  7. From the Token Expiry pop-up menu, select a time period during which in-house apps and books can be downloaded. After the specified time period, in-house apps and books can no longer be downloaded.
  8. Click Save .

When Jamf Pro sends the device a command to install an in-house app or ebook, a new JWT is generated and added to the download URL as a "token" query parameter. For example, the download URL would look similar to the following with the JWT added: