New Features and Enhancements

Correction—Updated 09 June 2022

Added the -bool type flag to the example script that enables JamfAAD WebView support.

App Installers Enhancements

App Installers includes the following enhancements:

  • By default, the table of available App Installers is sorted by Name but can also be sorted by Latest Version or Developer by clicking the column header.

  • You can filter the Name and Developer columns or use the search field to search these columns.

  • Additional metadata is available for each App Installer. The View App Installer Info button was removed, and the App Installer page displays all available metadata.

  • When adding an App Installer, the Deploy switch is in the on position by default to trigger the deployment process after clicking Save.


    The App Installer deployment may take up to 20 minutes to begin.

Force Password Reset

When configuring a password policy, you can now force a password reset for all user accounts in your Jamf Pro instance. Navigate to Settings > User Accounts & Groups and click Password Policy. After editing and saving your changes, follow the prompt to force the password reset during the next login. This will also force a password reset for the administrator configuring the password policy.

Single Sign-On Enhancements

The user interface for the Single Sign-On system setting has been improved, including the addition of new buttons and icons. The workflow has also been streamlined to improve usability. In addition, the back-end code has been updated to ensure the continuation of security updates to the underlying user interface framework.

Multiple SAN Values for AD CS Certificates

You can now enter multiple subject alternative name (SAN) values in the Certificate payload for Active Directory Certificate Services (AD CS) PKI certificate configurations. A certificate with multiple SANs provides encryption that protects multiple domains, subdomains, or environments. For example, a certificate with multiple SANs can be used to secure multiple site names, like and

To access this feature, first configure AD CS as a certificate authority in PKI Certificates settings. Then navigate to either Computers > Configuration Profiles > New > Certificate or Devices > Configuration Profiles > New > Certificate.

JamfAAD WebView Support

In Jamf Pro environments integrated with Microsoft Intune, the JamfAAD app on managed computers now supports WebView when prompting users to sign in to Azure Active Directory (Azure AD). This avoids potential issues that can arise when redirecting users to sign in via a web browser.

To configure JamfAAD to use WebView for users signing into Azure AD, deploy a policy to managed computers that runs the following script:
defaults write useWKWebView -bool true

This command must be executed before the JamfAAD app initiates the registration process.

Force a Computer Restart to Install macOS Updates

You can now force computers to immediately restart and install an available macOS update using the /v1/macos-managed-software-updates/send-updates endpoint via the Jamf Pro API. To force a restart, add the forceRestart parameter to the API request body. When set to true, Jamf Pro sends the InstallForceRestart install action to targeted computers.


Forcing a computer restart may cause data loss.

For more information about managed software updates, see Manage software updates for Apple devices in Apple Platform Deployment.

Account-Driven User Enrollment Authentication Enhancement

You can now configure when users are prompted to re-authenticate on devices enrolled using Account-Driven User Enrollment. This ensures the security of devices in your organization.

To configure the session token duration for all devices enrolled using Account-Driven User Enrollment, you can execute a command in Terminal similar to the following:
curl -X PUT "https://JAMF_PRO_URL/api/v1/adue-session-token-settings" \
    -H "accept: application/json" -H "Authorization: Bearer <TOKEN HERE>" \
    -H "Content-Type: application/json" \
    -d '{"expirationIntervalDays":1,"enabled":"true"}'
This example configures the Account-Driven User Enrollment session to expire after one day. You should configure the session token duration based on the security standards for your organization. For more information about how to generate a Bearer Token, see the Jamf Pro API Overview.

After the session token expires, users must re-authenticate on the device after it checks in to Jamf Pro. When the session token expires, Jamf Pro can only send the Unmanage Device remote command to the device until the user re-authenticates or you unenroll and re-enroll the device.

For more information about how to configure when a user's authentication session expires for Account-Driven User Enrollment, see the Configuring the Session Token Expiration for Account-Driven User Enrollment article.
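To confirm that the configured session token duration stays within your organization's standard, the following added example (not part of the Jamf documentation) reads the setting back with GET /v1/adue-session-token-settings and checks it. It assumes JAMF_PRO_URL is the server host name, JAMF_TOKEN holds a bearer token, the GET response carries the same fields as the PUT body, and MAX_DAYS is a hypothetical policy ceiling.

```shell
#!/bin/sh
# Added example, not Jamf's code. Assumptions: JAMF_PRO_URL is the server
# host name, JAMF_TOKEN holds a valid bearer token, and GET returns the same
# fields the PUT example sends. MAX_DAYS is a hypothetical policy ceiling.
MAX_DAYS="${MAX_DAYS:-7}"

# Read the current settings. The Authorization header is fed to curl on
# stdin (--config -) so the token never shows up in the process list.
fetch_settings() {
    printf 'header = "Authorization: Bearer %s"\n' "$JAMF_TOKEN" |
        curl --silent --fail --config - -H "accept: application/json" \
            "https://${JAMF_PRO_URL}/api/v1/adue-session-token-settings"
}

# Value of one field from a flat JSON object (number, boolean or string).
json_field() {
    printf '%s' "$1" | tr -d '\n' | sed -n \
        "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}[:space:]]*\).*/\1/p"
}

# Exit 0 only when expiration is enabled and no longer than MAX_DAYS.
check_settings() {
    enabled=$(json_field "$1" enabled)
    days=$(json_field "$1" expirationIntervalDays)
    if [ "$enabled" != "true" ]; then
        echo "FAIL: session token expiration is not enabled"; return 1
    fi
    case "$days" in
        ''|*[!0-9]*) echo "FAIL: expirationIntervalDays missing or not a number"; return 1 ;;
    esac
    if [ "$days" -gt "$MAX_DAYS" ]; then
        echo "FAIL: tokens live $days days, policy allows $MAX_DAYS"; return 1
    fi
    echo "OK: tokens expire after $days day(s)"
}

# Constructed sample response, used when no token is set (offline run).
SAMPLE='{"expirationIntervalDays":30,"enabled":true}'
if [ -n "${JAMF_TOKEN:-}" ]; then
    check_settings "$(fetch_settings)"
else
    check_settings "$SAMPLE" || true
fi
```
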

Configuration Profile Enhancements

The following settings are now configurable for computers and mobile devices, respectively, via the Restrictions payload.

| Setting | Key Included in Payload | Requirements | Notes |
| --- | --- | --- | --- |
| Allow iCloud Private Relay | allowCloudPrivateRelay | macOS 12 or later; iOS or iPadOS 15 or later | Restricting disables iCloud Relay |
| Touch ID Timeout | enforcedFingerprintTimeout | macOS 12 or later | Defaults to 48 hours. 48 hours is also the maximum value. |

For more information about configurable restrictions on a computer or mobile device, see this documentation from the Apple Developer website.

Mobile Device Inventory Reporting

Inventory Attribute | Requirements | Values Returned in Inventory Information | Smart Group/Advanced Search Values

Enrollment Session Token

  • iOS 15 or later

  • iPadOS 15 or later

  • Valid

  • Invalid


Other Changes and Improvements

  • The following areas in the Jamf Pro user interface were updated to rename Mac App Store to Mac Apps:

    • Settings > System Settings > User Accounts > Privileges > Jamf Pro Server Objects

    • Settings > System Settings > User Groups > Privileges > Jamf Pro Server Objects

    • Settings > Jamf Pro Information > Jamf Pro Summary > Computers

  • Jamf Pro can now notify you when there is a problem connecting to your Jamf Protect instance. To enable, navigate to account settings, click Notifications, and then select the types of notifications you want to receive next to Jamf Pro is unable to communicate with your Jamf Protect instance.

  • The Jamf Pro Summary now lists devices using Single Login configurations (i.e., Jamf Setup and Jamf Reset).

  • Jamf Pro now initiates less network activity when multiple browser tabs are logged in to the same instance.

Jamf Pro API Changes and Enhancements

The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append /api to your Jamf Pro URL. For example:


In future releases, Jamf Pro API endpoints that have been deprecated for over a year will be removed. It is recommended that you update your applications to use the latest versions of these endpoints. See the API documentation for a complete list of endpoints.

The following endpoints were added:

  • GET /v1/adue-session-token-settings

  • PUT /v1/adue-session-token-settings

  • POST /v1/reenrollment/history/export

  • GET /v1/sites

  • POST /v2/enrollment/languages/delete-multiple

  • GET /v2/jamf-pro-information

The following endpoints were removed:

  • POST /v1/cloud-ldaps

  • GET /v1/cloud-ldaps/defaults/mappings

  • GET /v1/cloud-ldaps/defaults/server-configuration

  • GET /v1/cloud-ldaps/{id}

  • PUT /v1/cloud-ldaps/{id}

  • DELETE /v1/cloud-ldaps/{id}

  • GET /v1/cloud-ldaps/{id}/connection/bind

  • GET /v1/cloud-ldaps/{id}/connection/search

  • GET /v1/cloud-ldaps/{id}/history

  • POST /v1/cloud-ldaps/{id}/history

  • GET /v1/cloud-ldaps/{id}/mappings

  • PUT /v1/cloud-ldaps/{id}/mappings

  • POST /v1/cloud-ldaps/{id}/test-group

  • POST /v1/cloud-ldaps/{id}/test-user

  • POST /v1/cloud-ldaps/{id}/test-user-membership

The following endpoints were deprecated:

  • GET /patch/obj/policy/{id}/logs/eligibleRetryCount

  • GET /patch/obj/softwareTitleConfiguration/{id}

  • GET /patch/patch-policies/{id}/logs

  • POST /patch/retryPolicy

  • POST /patch/searchPatchPolicyLogs

  • POST /patch/svc/retryPolicy

  • GET /settings/sites

  • GET /v1/jamf-pro-information

  • GET /vpp/admin-accounts
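To find integrations that still call the removed or deprecated endpoints listed above, the following added example (not part of the Jamf release notes) scans a directory of scripts for those paths. The directory argument is whatever holds your API clients; {id} is matched as any single path segment, and short paths such as /settings/sites can produce false positives that need a manual look.

```shell
#!/bin/sh
# Added example, not Jamf's code. Paths are copied from the lists above.
# Every removed endpoint starts with the /v1/cloud-ldaps prefix.
REMOVED='/v1/cloud-ldaps([^A-Za-z0-9_-]|$)'
DEPRECATED='/patch/obj/policy/{id}/logs/eligibleRetryCount
/patch/obj/softwareTitleConfiguration/{id}
/patch/patch-policies/{id}/logs
/patch/retryPolicy
/patch/searchPatchPolicyLogs
/patch/svc/retryPolicy
/settings/sites
/v1/jamf-pro-information
/vpp/admin-accounts'

# Turn newline-separated path templates into one ERE alternation.
# {id} becomes "one path segment", which also matches $id or ${id}.
to_regex() {
    printf '%s\n' "$1" | sed 's#{id}#[^/[:space:]?"]+#g' | paste -s -d '|' -
}

# usage: scan_endpoints DIR   (returns 1 when any reference is found)
scan_endpoints() {
    # The trailing group stops a listed path from matching a longer one.
    dep="($(to_regex "$DEPRECATED"))([^A-Za-z0-9_/-]|\$)"
    found=0
    if out=$(grep -rnE -e "$REMOVED" -- "$1"); then
        printf '%s\n' "$out" | sed 's/^/REMOVED    /'; found=1
    fi
    if out=$(grep -rnE -e "$dep" -- "$1"); then
        printf '%s\n' "$out" | sed 's/^/DEPRECATED /'; found=1
    fi
    return "$found"
}

if [ "$#" -gt 0 ]; then scan_endpoints "$1"; fi
```
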

Further Considerations

  • Privileges associated with new features in Jamf Pro are disabled by default.

  • Jamf recommends you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.

  • Known issues for Jamf Pro can be accessed from the Jamf Pro product page in Jamf Account.