Release History

2.0.0 (2020-09-28)

Jamf Connect 2.0.0 introduces a significant redesign to the Jamf Connect login window user experience and product deployment.

For instructions on upgrading from Jamf Connect 1.19.2 or earlier to Jamf Connect 2.0.0, see the Upgrading to Jamf Connect 2.0.0 or Later Knowledge Base article.

What's New

Jamf Connect 2.0.0 includes the following new features and improvements.

Unified Menu Bar App

Jamf Connect Sync and Jamf Connect Verify are now a single menu bar app called "Jamf Connect" that can be configured and deployed for any supported cloud identity provider (IdP).

The Jamf Connect 2.0.0 packages install the following components on computers:

| Component | Location |
| --- | --- |
| JamfConnectLogin.bundle | /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle |
| | /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/authchanger |
| | /usr/local/lib/pam/pam_saml.so.2 |
| Jamf Connect.app | /Applications/Jamf Connect.app |

New App Icon

The Jamf Connect app has a new icon. Look for the following icon in the Applications folder when Jamf Connect is installed on computers:

[Image: new Jamf Connect app icon]

Note: The Jamf icon is still used in the menu bar when the app is open.

New Menu Bar Sign-In Preference for Okta

Users can now determine whether the Okta dashboard is opened in their selected browser after sign-in by selecting the checkbox next to the Browser pop-up menu. This setting is enabled by default and can be managed with the LaunchBrowser preference key (boolean) in the WebBrowser dictionary.

Login Window Redesign

The login window has been redesigned with a modern and improved user experience for both Okta authentication and OpenID Connect authentication methods.

Step Indicators

The top of the login window now includes step indicators to help users through the Jamf Connect login process. Depending on the workflow, users will see the following:

  • Authenticate—Displays when users must authenticate with their cloud identity provider (IdP) and complete a multifactor authentication (MFA) challenge through their IdP, if configured.

  • Connect—Displays when the Connect existing local accounts to a network account (Migrate) setting is enabled. The user must 1) enter the password of an already existing local account that has a username that matches an account in the IdP, 2) choose an existing local account to connect to the IdP, or 3) create a new account based on the cloud IdP.

  • Verify—Asks the user to re-enter their network password, which both serves as an additional security layer and verifies that the user's local and IdP passwords match. If the network password does not match the local password, the user will be prompted to sync passwords.

Other Changes and Enhancements

  • Network Selection—The "Allow Network Selection" button has been replaced with a WiFi icon in the upper-right corner of the login window.

  • Local Login—The "Local Auth" button is now named "Local Login" and appears along the bottom of the login window.

  • Error Messaging—Some error messages have been improved to help users troubleshoot configuration issues.

  • Custom Login Window Message—You can now add a custom message to the login window by configuring the LoginWindowMessage preference key.

For more information about the login window user experience, see End User Experience and Workflows.

Jamf Connect Configuration Enhancements

Jamf Connect Configuration 2.0.0 includes support for configuring primary Jamf Connect 2.0 settings and the following new features:

XML Editor

You can now use an XML editor mode to preview the configuration profile in XML and make manual changes to your configuration profile.

To view and edit your configuration profile in XML, click the </> icon.

New App Icon

Jamf Connect Configuration now uses the following icon in the Applications folder and Dock:

[Image: new Jamf Connect Configuration app icon]

What's Changed

The following things have changed in Jamf Connect.

Installation

The login window and menu bar app are now included in a single package installer. You can use the package to install all components of Jamf Connect, or just the menu bar or login window.

The package installer will also remove the following from computers:

  • Jamf Connect Sync and Jamf Connect Verify apps

  • Jamf Connect Sync and Jamf Connect Verify launch agents. Launch agents will also be stopped.

  • Any associated installer receipts will be removed from the installer system.

authchanger Improvements

The command arguments executed by the authchanger tool can now be read from a configuration profile. If used, the configuration profile must be written to com.jamf.connect.authchanger and contain the Arguments key, which is an array of strings of supported authchanger arguments. Arguments are read in the order in which the strings are configured, similar to how they are ordered on the command line.

The following example enables Jamf Connect authentication:

<key>Arguments</key>
<array>
<string>-reset</string>
<string>-jamfconnect</string>
</array>

The Jamf Connect installer does not add any arguments to authchanger by default. To enable the login window, use one of the following methods to pass authchanger arguments:

Note: Jamf Connect will look for authchanger arguments in this order.

  1. Commands executed via the command-line. Consider the following scenarios:

    • If a command is executed with arguments, any preferences found in a configuration profile will be ignored.

    • If a command is executed without arguments, Jamf Connect will look for preferences in a configuration profile.

  2. Preferences found in a configuration profile written to com.jamf.connect.authchanger

  3. The Identity Provider (OIDCProvider) or Auth Server (AuthServer) preferences written to com.jamf.connect.login. These pass the -JamfConnect argument to automatically enable OpenID Connect or Okta authentication.

  4. If no arguments or preferences are found, the default loginwindow mechanisms will remain unchanged.

For more information about the authchanger tool, see authchanger.

Licensing Updates

The Jamf Connect menu bar app will now check both the com.jamf.connect and com.jamf.connect.login preference domains for a valid license. This ensures that you only have to deploy the license file in a single configuration profile, if you are using both the login window and the menu bar app for your organization.

License Usage Data: We may collect hashed data about license usage. This data is used to monitor the number of licenses in use with Jamf Connect in your organization and does not include any Personal Information.

Menu Bar App Launch Agent

A launch agent for the Jamf Connect menu bar is included as a separate installer package in the Jamf Connect DMG. When installed on computers, the launch agent will ensure that Jamf Connect remains open.

Preference Domains and Keys

The Jamf Connect menu bar app is configured using a single preference domain:

com.jamf.connect

Note: Login window preferences will continue to be written to the following domain:

/Library/Preferences/com.jamf.connect.login

Preference keys from Sync and Verify have also been merged and restructured using dictionaries. Preferences are sorted into the following collections:

| Dictionary | Type | Description |
| --- | --- | --- |
| IdPSettings | Dictionary | Used to allow Jamf Connect to complete authentication between your IdP and local accounts. Required settings vary by IdP. |
| SignIn | Dictionary | Used to configure the Sign-in window and user experience |
| Appearance | Dictionary | Used to customize Jamf Connect for your organization |
| UserHelp | Dictionary | Used to configure in-app help options for users |
| PasswordPolicies | Dictionary | Used to configure network password checks, expiration notifications, and password policies |
| Kerberos | Dictionary | Used to integrate Jamf Connect with a Kerberos realm for password syncing |
| Keychain | Dictionary | Used to allow Jamf Connect to sync passwords with keychain items |
| CustomMenuItems | Dictionary | Used to customize the names of menu items in Jamf Connect |
| HiddenMenuItems | Array | An array of strings used to hide Jamf Connect menu items from users |
| Scripting | Dictionary | Used to run custom scripts that are triggered by Jamf Connect authentication events |
| Certificate | Dictionary | Used to configure Windows web CA settings |

Keep the following in mind when configuring new preferences for the Jamf Connect menu bar:

  • Preferences that are configured with an interval, such as NetworkCheck, can be disabled by setting the interval value to 0.

  • If setting preferences with the command-line, you will need to use the -dict-add argument to configure a dictionary of keys. The following example shows how to disable network password checks:

    Example: defaults write com.jamf.connect PasswordPolicies -dict-add NetworkCheck 0

For a complete list of menu bar preferences, see Menu Bar App Preferences.

Renamed Preference Keys

Most preference keys used in Jamf Connect Sync and Jamf Connect Verify have been renamed to better represent their function or as a result of Jamf Connect becoming one app.

The following tables show which preference key names from Jamf Connect Sync and Jamf Connect Verify have been replaced with a new name in Jamf Connect 2.0.0:

Jamf Connect Sync Preference Key Changes

| 1.19.2 or Earlier | 2.0.0 |
| --- | --- |
| AuthServer | OktaAuthServer |
| AutoAuth | AutoAuthenticate |
| DontShowWelcome | ShowWelcomeWindow |
| ExpirationWarningDays | ExpirationNotificationStartDay |
| GetHelpOptions | HelpOptions |
| GetHelpType | HelpType |
| HideAbout | About |
| HideActions | Actions |
| HideChangePassword | ChangePassword |
| HideGetHelp | GetHelp |
| HideGetSoftware | GetSoftware |
| HidePreferences | Preferences |
| HideQuit | Quit |
| HideSignIn | Connect |
| KerberosRealm | Realm |
| KerberosRenew | AutoRenewTickets |
| KerberosShortName | ShortNameAttribute |
| KerberosShortNameAsk | AskForShortName |
| KerberosShortNameAskMessage | AskForShortNameMessage |
| KeychainItems | PasswordItems |
| KeychainItemsInternet | InternetItems |
| LabelPassword | PasswordLabel |
| LabelUsername | UsernameLabel |
| LocalPasswordSyncMessage | SyncPasswordsMessage |
| MenuAbout | About |
| MenuActions | Actions |
| MenuChangePassword | ChangePassword |
| MenuGetHelp | GetHelp |
| MenuGetSoftware | GetSoftware |
| MenuIcon | MenubarIcon |
| MenuPreferences | Preferences |
| MenuSignIn | Connect |
| MessageOTPEntry | OneTimePasswordMessage |
| MessagePasswordChangePolicy | PolicyMessage |
| PasswordChangeCommand | OnPasswordChange |
| PasswordExpirationMenuDays | ExpirationCountdownStartDay |
| PasswordPolicy | PolicyRequirements |
| SelfServicePath | SoftwarePath |
| SignInCommand | OnAuthSuccess |
| Template | CertificateTemplate |
| TicketsOnSignIn | GetTicketsAtSignIn |
| TitleSignIn | WindowTitle |
| WifiNetworks | SecureNetworks |
| X509CA | WindowsCA |

Jamf Connect Verify Preference Key Changes

| 1.9.2 or Earlier | 2.0.0 |
| --- | --- |
| DontShowWelcome | ShowWelcomeWindow |
| FailToolPath | OnAuthFailure |
| GetHelpOptions | HelpOptions |
| GetHelpType | HelpType |
| HideAbout | About |
| HideChangePassword | ChangePassword |
| HideGetHelp | GetHelp |
| HideGetSoftware | GetSoftware |
| HideHomeDirectory | HomeDirectory |
| HideLastUser | LastUser |
| HidePrefs | Preferences |
| HideQuit | Quit |
| HideResetPassword | ResetPassword |
| HideShares | Shares |
| HideTickets | KerberosTickets |
| KerberosGetTicketsAutomatically | GetTicketsAtSignIn |
| KerberosRealm | Realm |
| KerberosShortName | ShortNameAttribute |
| KerberosShortNameAsk | AskForShortName |
| KerberosShowCountdownLimit | ExpirationCountdownStartDay |
| KeychainItems | PasswordItems |
| KeychainItemsInternet | InternetItems |
| LoginLogo | SignInLogo |
| MenuAbout | About |
| MenuActions | Actions |
| MenuChangePassword | ChangePassword |
| MenuGetHelp | GetHelp |
| MenuGetSoftware | GetSoftware |
| MenuHomeDirectory | HomeDirectory |
| MenuKerberosTickets | KerberosTickets |
| MenuResetPassword | ResetPassword |
| MenuShares | Shares |
| MessageLocalSync | SyncPasswordsMessage |
| OIDCROPGID | ROPGID |
| OIDCChangePasswordURL | ChangePasswordURL |
| OIDCClientSecret | ClientSecret |
| OIDCDiscoveryURL | DiscoveryURL |
| OIDCProvider | Provider |
| OIDCResetPasswordURL | ResetPasswordURL |
| OIDCTenantID | TenantID |
| ROPGSuccessCodes | SuccessCodes |
| SelfServicePath | SoftwarePath |
| TimerNetworkCheck | NetworkCheck |
| WindowSignIn | WindowTitle |

Additional Changes

  • The custom URL scheme that allows users to perform quick actions within the menu bar app has been updated for the unified menu bar app. For more information, see Jamf Connect URL Scheme.

  • The Create Jamf Connect Keychain (CreateJamfConnectPassword) setting has been added to the login window preferences. This setting allows Jamf Connect to automatically populate the Sign In window in the menu bar app with a user's network username and password that was used to log in or create a new local account with Jamf Connect. This setting is enabled by default and replaces the Create Jamf Connect Sync Keychain (CreateSyncPasswords) and Jamf Connect Verify Keychain (CreateVerifyPasswords) settings used in Jamf Connect 1.19.2 or earlier.

  • The Jamf Connect loginwindow mechanism that enables FileVault now only runs if the Enable FileVault (EnableFDE) setting is enabled in the Jamf Connect login window configuration profile.

  • The Retrieve Kerberos Tickets During Sign-in (GetTicketsAtSignIn) setting has been removed from the menu bar app. Jamf Connect now automatically retrieves Kerberos tickets for users if a Kerberos realm is configured with the Kerberos Realm (Realm) setting. This enhancement fixes JC-1898.

Deprecations and Removals

The following Jamf Connect features and settings have been deprecated or removed.

Browser Extensions

The Safari and Google Chrome Browser Extensions included with Jamf Connect Sync are no longer supported.

Removed Preference Keys

The following preference keys are no longer supported. These settings should not be included in a configuration profile for Jamf Connect 2.0.0 or later:

Jamf Connect Login

  • BackgroundImageAlpha

  • LoginScreen

  • CreateSyncPasswords

  • CreateVerifyPasswords

Jamf Connect Sync

  • ActionsUpdateTime

  • ADExpirationShow

  • CenterSignInWindow

  • ChangePasswordOrder

  • ChangePasswordTimer

  • CheckSafariExtension

  • ExportableKey

  • HideLockScreen

  • IgnoreDomainReachability

  • KeychainItemsDebug

  • LDAPServers

  • LocalPasswordIgnore

  • LocalPasswordSync

  • LocalPasswordSyncOnMatchOnly

  • MenuLockScreen

  • MessagePluginDisabled

  • NetworkCheckAutomatically

  • PasswordCheckUpdateTime

  • PasswordExpirationMenu

  • PeriodicUpdateTime

  • UseKeychain

  • UseKeychainPrompt

  • UseKeychainPromptExclusions

  • WarnOnPasswordExpiration

Jamf Connect Verify

  • AlwaysShowSuccess

  • HideSignIn

  • KeychainItemsCreateSerial

  • KeychainItemsDebug

  • LocalPasswordIgnore

  • MessageBrowserPasswordChange

  • MessageNetworkPasswordWrong

  • MessagePasswordSuccess

  • NetworkCheckAutomatically

  • WindowAbout

Removed Preference Domains

Jamf Connect configuration profiles written to the following domains are no longer supported and should be removed from computers:

  • com.jamf.connect.sync

  • com.jamf.connect.verify

Documentation Removals

The Jamf Connect Evaluation Guide has been removed.
