New Features and Enhancements
Correction—Updated 09 June 2022
Added the -bool type flag to the example script that enables JamfAAD WebView support.
App Installers Enhancements
App Installers includes the following enhancements:
By default, the table of available App Installers is sorted by Name but can also be sorted by Latest Version or Developer by clicking the column header.
You can filter the Name and Developer columns or use the search field to search these columns.
Additional metadata is available for each App Installer. The View App Installer Info button was removed, and the App Installer page displays all available metadata.
When adding an App Installer, the Deploy switch is in the on position by default to trigger the deployment process after clicking Save.
Note: The App Installer deployment may take up to 20 minutes to begin.
Force Password Reset
When configuring a password policy, you can now force a password reset for all user accounts in your Jamf Pro Instance. Navigate to Password Policy. After editing and saving your changes, follow the prompt to force the password reset during the next login. This will also force a password reset for the administrator configuring the password policy.
Single Sign-On Enhancements
The user interface for the Single Sign-On system setting has been improved, including the addition of new buttons and icons. The workflow has also been streamlined to improve usability. In addition, the back-end code has been updated to ensure the continuation of security updates to the underlying user interface framework.
Multiple SAN Values for AD CS Certificates
You can now enter multiple subject alternative name (SAN) values in the Certificate payload for Active Directory Certificate Services (AD CS) PKI certificate configurations. A certificate with multiple SANs provides encryption that protects multiple domains, subdomains, or environments. For example, a certificate with multiple SANs can be used to secure multiple site names, like example.com and example.net.
To access this feature, first configure AD CS as a certificate authority in PKI Certificates settings. Then navigate to either or .
JamfAAD WebView Support
In Jamf Pro environments integrated with Microsoft Intune, the JamfAAD app on managed computers now supports WebView when prompting users to sign in to Azure Active Directory (Azure AD). This avoids potential issues that can arise when redirecting users to sign in via a web browser.
#!/bin/sh
defaults write com.jamf.management.jamfAAD useWKWebView -bool true
This command must be executed before the JamfAAD app initiates the registration process.
Force a Computer Restart to Install macOS Updates
You can now force computers to immediately restart and install an available macOS update using the /v1/macos-managed-software-updates/send-updates endpoint via the Jamf Pro API. To force a restart, add the forceRestart parameter to the API request body. When set to true, Jamf Pro sends the InstallForceRestart install action to targeted computers.
Forcing a computer restart may cause data loss.
For more information about managed software updates, see Manage software updates for Apple devices in Apple Platform Deployment.
Account-Driven User Enrollment Authentication Enhancement
You can now configure when users are prompted to re-authenticate on devices enrolled using Account-Driven User Enrollment. This ensures the security of devices in your organization.
curl -X PUT "https://JAMF_PRO_URL/api/v1/adue-session-token-settings" \
-H "accept: application/json" -H "Authorization: Bearer <TOKEN HERE>" \
-H "Content-Type: application/json" \
-d '{"expirationIntervalDays":1,"enabled":"true"}'
After the session token expires, users must re-authenticate on the device after it checks in to Jamf Pro. When the session token expires, Jamf Pro can only send the Unmanage Device remote command to the device until the user re-authenticates or you unenroll and re-enroll the device.
For more information about how to configure when a user's authentication session expires for Account-Driven User Enrollment, see the Configuring the Session Token Expiration for Account-Driven User Enrollment article.
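An added example (not Jamf's code) that wraps the request above in a POSIX shell script: it validates the interval, refuses a non-HTTPS base URL so the bearer token is not sent in cleartext, and reads the setting back with the GET endpoint listed under the API changes. JAMF_PRO_URL and JAMF_TOKEN are assumed environment variables, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: set and read back the ADUE session token expiration.
# JAMF_PRO_URL and JAMF_TOKEN are assumed environment variables.

# Succeeds only for https:// URLs so the bearer token never travels in cleartext.
require_https() {
  case "$1" in
    https://?*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Prints the JSON body in the shape used by the curl example on this page.
# $1 = expiration interval in days (positive integer), $2 = true|false
adue_body() {
  case "$1" in
    ''|*[!0-9]*|0*) echo "days must be a positive integer" >&2; return 1 ;;
  esac
  case "$2" in
    true|false) ;;
    *) echo "enabled must be true or false" >&2; return 1 ;;
  esac
  printf '{"expirationIntervalDays":%s,"enabled":"%s"}' "$1" "$2"
}

# Sends the PUT, then the GET on the same endpoint, and prints the stored settings.
set_adue_expiration() {
  require_https "$JAMF_PRO_URL" || return 1
  body=$(adue_body "$1" "$2") || return 1
  endpoint="$JAMF_PRO_URL/api/v1/adue-session-token-settings"
  curl -sS --fail -X PUT "$endpoint" \
    -H "accept: application/json" \
    -H "Authorization: Bearer $JAMF_TOKEN" \
    -H "Content-Type: application/json" \
    -d "$body" >/dev/null || return 1
  curl -sS --fail "$endpoint" \
    -H "accept: application/json" \
    -H "Authorization: Bearer $JAMF_TOKEN"
}
```

Source the file and call `set_adue_expiration 1 true` to apply a one-day interval and print what the server stored.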
Configuration Profile Enhancements
The following settings are now configurable for computers and mobile devices, respectively, via the Restrictions payload.
Setting | Key Included in Payload | Requirements | Notes |
---|---|---|---|
Allow iCloud Private Relay | allowCloudPrivateRelay | | Restricting disables iCloud Relay |
Touch ID Timeout | enforcedFingerprintTimeout | macOS 12 or later | Defaults to 48 hours. 48 hours is also the maximum value. |
For more information about configurable restrictions on a computer or mobile device, see this documentation from the Apple Developer website.
Mobile Device Inventory Reporting
Inventory Attribute | Requirements | Values Returned in Inventory Information | Smart Group/Advanced Search Values |
---|---|---|---|
Enrollment Session Token | | | None |
Other Changes and Improvements
The following areas in the Jamf Pro user interface were updated to rename Mac App Store to Mac Apps:
Jamf Pro can now notify you when there is a problem connecting to your Jamf Protect instance. To enable, navigate to account settings, click Notifications, and then select the types of notifications you want to receive next to Jamf Pro is unable to communicate with your Jamf Protect instance.
The Jamf Pro Summary now lists devices using Single Login configurations (i.e., Jamf Setup and Jamf Reset).
Jamf Pro now initiates less network activity when multiple browser tabs are logged in to the same instance.
Jamf Pro API Changes and Enhancements
The Jamf Pro API is open for user testing. The base URL for the Jamf Pro API is /api. You can access documentation for both the Jamf Pro API and the Classic API from the new API landing page. To access the landing page, append /api to your Jamf Pro URL. For example: https://JAMF_PRO_URL.com:8443/api
In future releases, Jamf Pro API endpoints that have been deprecated for over a year will be removed. It is recommended that you update your applications to use the latest versions of these endpoints. See the API documentation for a complete list of endpoints.
The following endpoints were added:
GET /v1/adue-session-token-settings
PUT /v1/adue-session-token-settings
POST /v1/reenrollment/history/export
GET /v1/sites
POST /v2/enrollment/languages/delete-multiple
GET /v2/jamf-pro-information
The following endpoints were removed:
POST /v1/cloud-ldaps
GET /v1/cloud-ldaps/defaults/mappings
GET /v1/cloud-ldaps/defaults/server-configuration
GET /v1/cloud-ldaps/{id}
PUT /v1/cloud-ldaps/{id}
DELETE /v1/cloud-ldaps/{id}
GET /v1/cloud-ldaps/{id}/connection/bind
GET /v1/cloud-ldaps/{id}/connection/search
GET /v1/cloud-ldaps/{id}/history
POST /v1/cloud-ldaps/{id}/history
GET /v1/cloud-ldaps/{id}/mappings
PUT /v1/cloud-ldaps/{id}/mappings
POST /v1/cloud-ldaps/{id}/test-group
POST /v1/cloud-ldaps/{id}/test-user
POST /v1/cloud-ldaps/{id}/test-user-membership
The following endpoints were deprecated:
GET /patch/obj/policy/{id}/logs/eligibleRetryCount
GET /patch/obj/softwareTitleConfiguration/{id}
GET /patch/patch-policies/{id}/logs
POST /patch/retryPolicy
POST /patch/searchPatchPolicyLogs
POST /patch/svc/retryPolicy
GET /settings/sites
GET /v1/jamf-pro-information
GET /vpp/admin-accounts
Further Considerations
Privileges associated with new features in Jamf Pro are disabled by default.
Jamf recommends you clear your browser's cache after upgrading Jamf Pro to ensure that the Jamf Pro interface displays correctly.
Known issues for Jamf Pro can be accessed from the Jamf Pro product page in Jamf Account.