Release History

The release history contains a complete list of releases, features, and enhancements.

Microsoft Azure AD Change Required

If Microsoft Azure AD is your IdP, upcoming changes to Microsoft Authentication Library (MSAL) require changes to your Jamf Connect configuration. Existing applications remain functional, but in December 2022 Microsoft will discontinue security updates for Azure Active Directory Authentication Library (ADAL), deprecating the use of common endpoints.

To align with these changes in Jamf Connect, you must include organization-specific tenant information for your registered authentication applications in your configuration using the Tenant ID (OIDCTenant) login window preference or the Tenant ID (TenantID) menu bar app preference. The information entered applies to all Jamf Connect products and is required to use the ROPG test in Jamf Connect Configuration. If both of these fields are left blank, you will now receive an alert that a required field is missing. This helps you set up your configuration correctly.

For more information, see the Tenant ID (OIDCTenant) preference in Login Window Preferences and the Tenant ID (TenantID) preference in Menu Bar App Preferences. Also see Migrate applications to the Microsoft Authentication Library (MSAL) in the Microsoft Azure Product Documentation.
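The following added example (not Jamf's own code) audits a configuration profile for the tenant requirement described above before it is deployed. The preference domains com.jamf.connect.login and com.jamf.connect, the OIDCProvider and Provider keys, the placement of TenantID inside the IdPSettings dictionary, and the payload layout are assumptions; the sample profile and tenant GUID are constructed.

```python
import plistlib

# Assumed preference domains for the two Jamf Connect components.
LOGIN_DOMAIN = "com.jamf.connect.login"  # login window
MENU_DOMAIN = "com.jamf.connect"         # menu bar app

# Microsoft's shared endpoint aliases; none of them identifies one organization.
GENERIC_TENANTS = {"common", "organizations", "consumers"}


def make_profile(login=None, menu=None):
    """Build a minimal .mobileconfig (as bytes) from settings dictionaries."""
    content = []
    if login is not None:
        content.append(dict(login, PayloadType=LOGIN_DOMAIN))
    if menu is not None:
        content.append(dict(menu, PayloadType=MENU_DOMAIN))
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})


def _payloads(profile):
    """Yield (domain, settings) for each Jamf Connect payload in a profile."""
    for payload in profile.get("PayloadContent", []):
        domain = payload.get("PayloadType")
        if domain in (LOGIN_DOMAIN, MENU_DOMAIN):
            yield domain, payload


def _tenant_problem(value):
    """Describe what is wrong with a tenant value, or return None if it is usable."""
    if not isinstance(value, str) or not value.strip():
        return "missing or blank"
    if value.strip().lower() in GENERIC_TENANTS:
        return "generic endpoint alias %r, not an organization tenant" % value
    return None


def audit_profile(data):
    """Return findings for Azure payloads that lack organization-specific tenant info.

    Each payload is checked on its own, which is stricter than the
    Configuration app's alert (raised only when both fields are blank).
    """
    profile = plistlib.loads(data)
    findings = []
    for domain, settings in _payloads(profile):
        if domain == LOGIN_DOMAIN:
            provider = settings.get("OIDCProvider")       # assumed key name
            key, tenant = "OIDCTenant", settings.get("OIDCTenant")
        else:
            idp = settings.get("IdPSettings", {})         # assumed location
            provider = idp.get("Provider")                # assumed key name
            key, tenant = "TenantID", idp.get("TenantID")
        if str(provider).lower() != "azure":
            continue  # the requirement only applies when Azure AD is the IdP
        problem = _tenant_problem(tenant)
        if problem:
            findings.append("%s: %s is %s" % (domain, key, problem))
    return findings


# Constructed sample: the login window still points at the shared "common"
# endpoint, while the menu bar app carries a placeholder tenant GUID.
SAMPLE_PROFILE = make_profile(
    login={"OIDCProvider": "Azure", "OIDCTenant": "common"},
    menu={"IdPSettings": {"Provider": "Azure",
                          "TenantID": "00000000-0000-0000-0000-000000000000"}},
)

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```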

2.17.0 (2022-11-07)

Password Policy Requirement Enhancements

When a user changes their password with Jamf Connect, the Change Password screen now displays your organization's password policy requirements in the following scenarios:

  • Password changes via a web view of your IdP's Change Password page in the menu bar app.

  • Password changes at the Jamf Connect login window. Passwords are dynamically validated against the password policy requirements as the user types.

Changes and Improvements

  • The Jamf Connect Configuration app is now available in Traditional Chinese.

  • The Jamf Connect version number can now be seen in the logs.

  • The Change Password Workflow (PasswordChangeWorkflow) setting is now a configurable setting in the Jamf Connect Configuration app.

  • The Change Password URL (ChangePasswordURL) setting is now located in the Identity Provider tab and can be included in both menu bar app and login window configuration profile exports.

Resolved Issues

  • [PI110229] The message that appears with the Jamf Connect login window no longer displays on top of macOS buttons in certain resolutions. The Restart and Shutdown buttons will also consistently display in their normal placement when custom background images are used.

  • [PI110368] Resolved an issue that caused login failures to appear in Azure activity logs when using multifactor authentication with Microsoft Conditional Access.

  • [PI110503] The Jamf Connect login window now notifies users when a login session is expiring after extended inactivity and automatically refreshes the login screen.

  • [PI110534] Resolved an issue that caused the menu bar app to populate the Username field in the Sign In window in an unexpected format (DOMAIN/username) when Kerberos authentication is used.

  • [PI110535] The Jamf Unlock switch no longer displays unexpectedly at the macOS login window in environments where neither Jamf Unlock nor the Jamf Connect login window are enabled.

2.16.0 (2022-10-05)

Update 24 October 2022

Added compatibility statement for macOS Ventura 13.

Compatibility with macOS Ventura 13

Jamf Connect 2.16.0 provides compatibility with macOS Ventura 13. This includes compatibility for the following features and workflows:

  • Network and local authentication

  • Local account creation

  • Password syncing

  • Login window and menu bar app custom branding

  • Creating configuration profiles with the Jamf Connect Configuration app

Compatibility and new feature support are based on testing with the latest Apple beta releases.

Password Policy Requirement Enhancements

  • The login window now notifies and allows users to change their password when it does not meet your local password policy requirements. To direct users to the correct location to change their password, set the Change Password URL (ChangePasswordURL) setting to the change password URL for your organization's identity provider (IdP). This setting is only supported for IdP integrations that use OpenID Connect authentication.

  • If Kerberos is enabled with Jamf Connect, the menu bar app now detects and displays your organization's password policy requirements for users to reference while changing their password. If multiple sources for password policies exist, Jamf Connect looks for a policy to display in the following order:

    1. Password requirements configured directly in a menu bar app configuration profile using the Password Policy Requirements (PolicyRequirements) setting

    2. Password requirements available in Active Directory

    3. Password requirements set locally on macOS (via an MDM solution)

  • If Kerberos is enabled with Jamf Connect, you can now configure whether password changes are completed directly in the menu bar app or via a web view with your IdP. The Change Password Workflow (PasswordChangeWorkflow) setting in the PasswordPolicies dictionary can be set to Kerberos to change passwords directly in the menu bar app or to Web to redirect users to their IdP in a web view. Kerberos is used by default.

For more information, see the Jamf Connect Settings Reference.

Other Changes and Improvements

  • The menu bar app is now available in Traditional Chinese.

  • Notifications on computers about an upcoming password expiration are more intuitive for end users.

Resolved Issues

  • [PI110483] The menu bar app now correctly obtains Kerberos tickets during network change when the CheckOnNetworkChange setting is set to true.

  • [PI110555] The Jamf Connect login window no longer displays unexpectedly in environments where it is not enabled or configured after updating Jamf Connect to 2.15.0 or later.

  • [JC-4259] Resolved an issue that sometimes caused macOS to identify Jamf Connect as a login item from an unidentified developer.

2.15.0 (2022-09-12)

Updated 24 October 2022

Corrected the description of PI110367 to include any supported IdP rather than just Okta.

Password Policy Requirements Display at the Login window

If a user's password syncing fails because their new password doesn't meet the requirements enforced by macOS (via MDM passcode configuration, etc.), the user now sees a list of the requirements their password must meet directly at the Jamf Connect login window.

For more information, see Local Account Creation and Subsequent and Routine Logins.

Okta authentication at the login window with password requirements

Okta login with password requirements

OpenID Connect authentication at the login window

Prompt Users to Change Non-compliant Passwords

When a user signs in with the menu bar app using a password that does not meet the password policy requirements configured via MDM, the user is now notified and prompted to change their password.
The sign in window displays a pop up window with a change password button since the user's password doesn't meet the requirements set up in the MDM/UEM solution.

Resolved Issues

  • [PI103293] When executing an authchanger command with the DefaultJCRight parameter, you no longer incorrectly receive an error message. DefaultJCRight enables using the Jamf Connect Pluggable Authentication Module (PAM) for sudo and other system preference changes.

  • [PI110230] Updating macOS from 12.3.1 to 12.4.x no longer results in abnormal Jamf Connect Login behavior.

  • [PI100478] [PI007071] When a Mac updates, Jamf Connect no longer interrupts the update process and prompts users to log in.

  • [PI110002] If a user authenticates with letter cases different from what is stored for the user (e.g., MaRiLYn vs. Marilyn), the user no longer fails to connect to the Kerberos shared drive.

  • [JC-4108] Improved the spacing for the Sign In window banner image, adding spacing between the image and the top of the window.

  • [JC-4191] On Apple silicon Mac computers, the Jamf Connect login interface no longer appears during minor macOS updates. Instead, it appears after all software updates are fully installed.

  • [JC-4108] The Enable Jamf Unlock toggle is now visible on the local login screen if the Enable Unlock Authentication at the Login Window (EnableUnlockForLogin) key is enabled (set to true).

  • [PI110367] If a username is created in your IdP with capital letters, it is now converted to lowercase to prevent issues with scripts and some applications.

2.14.0 (2022-08-01)

Disable Password Syncing for Specific Local Accounts

The Password Sync Block List (PasswordSyncBlockList) setting is now available for configuration in Jamf Pro and Jamf Connect Configuration. It allows you to specify a list of local macOS accounts that you do not want to go through password syncing (typically admin accounts). You can specify one or more local accounts as an array of strings using their local macOS account names (i.e., short names).

For more information, see Password Policy Settings.

Configure Custom Local Account Full Names

The Full Name (OIDCFullName) setting is now available for configuration in Jamf Connect Configuration. It was added to Jamf Pro in the 2.13.0 release. This setting allows you to specify a single different claim for full name, such as firstName, lastName, or another custom value unique to your environment. This preference overrides the default attributes used to set the full name for an account: name, family_name/given_name, and first/last.

For more information, see Advanced Login Authentication Settings.

Default Login Window Background Image Change

When the Background Image (BackgroundImage) setting does not contain an image file path, the default background is now macOS wallpaper instead of a gray background. This enhancement was noted as part of version 2.13.0 but is only available starting with version 2.14.0.

For more information, see Login Window Custom Branding Settings.

Users Now See Password Requirements

If a user's password syncing fails because their new password doesn't meet the requirements enforced by macOS (via MDM passcode configuration, etc.), the user now sees a list of the requirements their password must meet instead of a generic message.
The Jamf Connect menu bar app change password screen with a pop up message about password requirements. The message has the Connect logo and says, "New password must:" and is followed by a bulleted list of requirements. An OK button is below the requirements.
For more information, see Password Syncing with Jamf Connect.

Other Changes and Improvements

  • Jamf Connect login window screens are now available in Traditional Chinese.

  • Due to device token upgrades, Okta no longer registers Jamf Connect authentications as "anomalous".

  • Made branding enhancements to the menu bar app.

  • To make your login window and menu bar app preferences easier to configure, preferences in Jamf Pro now display the default settings (unless you change them), and only preferences that you change or enter values for are saved to the file.

Resolved Issues

  • [PI110177] Jamf Connect now performs a single network check when a computer is locked for longer than the network check-in frequency instead of performing two network checks. Network check-in frequency is specified by the Network Check-in Frequency (NetworkCheck) preference—the default is every 60 minutes.

  • [JC-3999] On the login screen when the Enable Unlock toggle is on, the user is now prompted to provide a pin, as expected, rather than a password.

  • [PI101105] [JC-3932] The Jamf Connect login window is now disabled when Apple Migration Assistant is running, enabling the migration process.

  • [JC-3912] At the login window, the Wi-Fi network selection window no longer enlarges when selecting different networks.

  • [PI110155] Users' Jamf Connect menu bar password and Google Cloud Identity password did not sync in some situations. This issue is now resolved.

2.13.0 (2022-06-27)

Change to the minimum supported version of macOS

As of this release, Jamf Connect no longer supports macOS 10.15.3 or earlier. As you prepare to upgrade to version 2.13.0, ensure that all computers with Jamf Connect are on macOS 10.15.4 or later. If a computer with macOS 10.15.3 or earlier is in-scope for updating to Jamf Connect 2.13.0 or later, version 2.12.0 will remain installed and functional instead of updating to the newest version.

Change to the minimum supported version of macOS when using Jamf Unlock

As of this release, 2.13.0, computers must be on macOS 11.0.1 or later to pair Jamf Unlock with Jamf Connect. Computers on earlier versions of macOS that already paired Jamf Unlock with Jamf Connect will remain installed and functional.

Local Login Window Upgrades

  • The local login window now resembles the macOS login window. This includes the following:

    • If multiple users are set up on a Mac, a user is now able to see all available account options, select their account, and log in. If you create a configuration profile with the SHOWFULLNAME key, users' full names show up here as well. For more information, see the SHOWFULLNAME key in Device Management Profile LoginWindow Properties in the Apple Developer Documentation.

  • The Jamf Connect local login window now checks for Jamf Unlock availability based on existing pairing records for the user. If a pairing record exists, the user is allowed to use Jamf Unlock to log in.

  • There is now an Enable Jamf Unlock switch on the local login screen so that users can pair with the Jamf Unlock iOS app when they log in, enabling authentication via the user's biometrics or pin. This switch also exists in the Jamf Connect menu bar app.

Connect login screen on a Mac with multiple users to select from, showing their picture and name.

Users select from available account options when multiple users are set up on a Mac.

Connect login screen on a Mac with picture of the user, password field, and a phone button for signing in with biometrics or a pin code via the Unlock app. The new Enable Jamf Unlock toggle at the bottom of the screen.

A user's local login displays with a password field and a button with a phone icon for signing in with Jamf Unlock. The Enable Jamf Unlock toggle appears at the bottom of the screen if the user is paired with Jamf Unlock.

For more information, see End User Experience and Workflows.

New Login Window Preferences

The Full Name (OIDCFullName) preference is now available for configuration in Jamf Pro. It allows you to specify a single, different attribute for full name, such as firstName, lastName or another custom value unique to your environment. This preference overrides the default attributes used to set the full name for an account: name, family_name/given_name, and first/last.

The Hide "Create New User" option at migration (CreateNewUserHide) preference is now available for configuration in Jamf Pro and Jamf Connect Configuration. It enables hiding the Create New User option from users during account migration. With this setting enabled (set to true), users are unable to disrupt account migration by creating a new account. This setting is not enabled (set to null) by default.

For more information, see Login Window Preferences.

Microsoft Identity Platform Endpoints Support

Jamf Connect now supports updated Microsoft identity platform endpoints. If Microsoft Azure AD is your IdP, see the note above, "Microsoft Azure AD Change Required" for information about required changes.

Debugging Change

Due to enhancements, tmp log files for the login window (/tmp/jamf_login.log file) no longer automatically include debug level information. You may still manually produce logs using the Terminal or Console apps to help troubleshoot issues.

For more information, see Jamf Connect Logs.

Resolved Issues

  • [PI109623] When Jamf Unlock is enabled for a user on a computer, you may only authenticate as that user. Documentation now exists to help you disable Jamf Unlock for the user, log in as an admin to make changes, then re-enable the user. For more information, see Enabling Jamf Unlock on Computers.
  • [JC-3794] When a user resizes the Pair new device window in the menu bar app under Paired Devices > Pair new device, the QR code now scales with the window.
  • [JC-3921] At the login window, a progress bar no longer remains in the background after closing the acceptable use policy screen at the login window.
  • [JC-3998] Improvements ensure that admins don't receive unnecessary notifications during the Jamf Connect installation process.
  • [PI110103] The menu bar app no longer launches multiple times during the first launch of the app during installation. Only one copy of Jamf Connect remains open at a time.
  • [PI110113] The login window message no longer overlaps with the Done button at the bottom of the screen during the login process.
  • [PI109924] Duo MFA and PingID MFA windows that require Webkit now render properly on devices running macOS 12.3. macOS 12.4 resolved this issue.
  • [PI109612] FileVault enabled users now consistently appear on the FileVault unlock screen after rebooting.
  • [PI104597] [PI010181] When Jamf Pro is configured to pass through enrollment customization details to the login window, the login window no longer only passes through the first and last space-separated elements of each user's name. This results in correctly passing through full names when they contain multiple spaces (e.g., Abdul Malik Abadi).
  • [JC-3907] When Jamf Connect is configured to use Kerberos authentication, users may now retrieve tickets for authentication on computers without a Kerberos preferences plist or with an old Kerberos preferences plist (e.g., from being previously bound to an Active Directory domain).
  • [PI110012] The menu bar app now notifies users during each background check if their local and network passwords are out of sync rather than notifying them only one time. The notification prompts users to sync their passwords. The interval of background checks and the resulting notification is set by the Network Check-in Frequency (NetworkCheck) menu bar app preference, which is set to every 60 minutes by default. For more information about this preference, see Menu Bar App Preferences.
  • [JC-3793] When a user keeps the return key pressed down during local or network login, unexpected behaviors no longer occur.
  • [JC-3874] When a user switches between Wi-Fi networks and attempts logging into a network that only requires a password, the password field now displays instead of both username and password fields.

2.12.0 (2022-05-03)

Change to the minimum supported version of macOS when using Jamf Unlock

As of this release, 2.12.0, computers must be on macOS 11 or later to pair Jamf Unlock with Jamf Connect. Computers on earlier versions of macOS that already paired Jamf Unlock with Jamf Connect will remain installed and functional.

Upcoming change to the minimum supported version of macOS

With the next release, 2.13.0, Jamf Connect will no longer support macOS 10.15.3 or earlier. As you prepare to upgrade to Jamf Connect 2.13.0, ensure that all computers with Jamf Connect are on macOS 10.15.4 or later. If a computer with macOS 10.15.3 or earlier is in-scope for updating to Connect 2.13.0 or later, Connect 2.12.0 will remain installed and functional instead of updating to the newest version of Connect.

Login Window Enhancements

Enhancements include:
  • [PI109797] When the Use Local Authentication by Default (OIDCDefaultLocal) login window preference is set to true, the Shutdown and Restart buttons now display at the bottom of the screen when Jamf Connect first loads.

  • [JC-3808] When the Use Passthrough Authentication (OIDCUsePassthroughAuth) login window preference is set to true, the login window no longer displays a step indicator if there is only one step required.

Local login window

Connect local login window with Shut Down, Restart, and Network Login buttons at the bottom

Azure IdP login window

Azure IdP login window with Shut Down, Restart, Local Login, and Refresh buttons at the bottom and a step indicator at the top with Authenticate and Verify steps.

Resolved Issues and Enhancements

  • [PI109860] If your IdP is Azure or a hybrid integration and you configure the Discovery URL (OIDCDiscoveryURL) login window preference or the Discovery URL (Discovery URL) menu bar app preference, ROPG now works and you no longer get an error message.

  • [PI109787] Password synchronization no longer fails when a user connects their mobile active directory (network) account with their IdP account using Jamf Connect's local account migration workflow.

  • [JC-3749] It is now easier for potential Jamf Connect customers to uninstall the Jamf Connect test file.

  • [JC-3735] Only one Jamf Connect menu bar app now launches, rather than two, when Jamf Unlock is enabled. This results in only one Jamf Connect icon in the menu bar rather than two.
  • [PI109938] When Jamf Connect is deployed automatically via Jamf Pro, users' credentials are saved in their login keychain so they no longer receive a keychain error. Jamf Connect no longer looks for an existing keychain item in the context of the _appstore user's home directory rather than the user who is logged in and running the app.
  • [JC-3910] If a user has the menu bar app open and loads the launch agent, all instances of the menu bar app are now killed so that when the system relaunches the app, only one copy is running. The second instance no longer kills itself and relaunches.

  • [PI009255] When Jamf Connect is configured to use Kerberos authentication, users may now change their passwords on computers without a Kerberos preferences plist or with an old Kerberos preferences plist (e.g., from being previously bound to an Active Directory domain). While resolved in version 2.7.0, this issue persisted in versions 2.8.0 and 2.9.0.
  • [PI102789] When a user disconnects from their VPN/internal network and attempts to change their password using Jamf Connect menu bar app's change password feature, they're no longer presented with a Kerberos password change window that fails to change their password since the Kerberos realm is unreachable. Instead, they're presented with a web interface window where they can change their IdP password.

2.11.0 (2022-04-04)

Azure Default URLs Added for Changing and Resetting Passwords

If Azure is your IdP, you no longer need to add a URL to your configuration that opens when end users select Change password or Reset password in the Jamf Connect menu bar app. Instead:

  • For password changes which require a user to know their current password, Jamf Connect now defaults to opening the URL https://myaccount.microsoft.com/ where the end user may change their password. This is associated with the Menu Bar preference key Change Password URL (ChangePasswordURL).

  • For password resets where a user does not know their current password, Jamf Connect now defaults to opening the URL https://passwordreset.microsoftonline.com/ where the end user may reset their password. This is associated with the Menu Bar preference key Reset Password URL (ResetPasswordURL).

  • Note: If Okta is your IdP, this functionality already exists and directs end users to Okta URLs.

For more information, see Menu Bar App Preferences.

Resolved Issues and Enhancements

  • [JC-3775] Implemented changes to more efficiently manage Okta communications.

  • [PI109956] Identified and resolved a security issue related to specific configurations of Okta and initial MFA setup requirements.

  • [JC-3798] In Jamf Connect Configuration there is a character limit that limits how much of a configuration name you can see in the left hand navigation. You may now hover over a configuration name to see the full name if it goes beyond the character limit.

  • [PI109837] The Change Password menu bar item now works reliably in all environments. Previously, when users selected Change Password in environments that specified a Kerberos realm using a .local domain, nothing happened if the Kerberos realm was unreachable.

  • [PI109890] The Jamf Connect menu bar app now correctly performs network checks to validate passwords and notifies Google users when their network password does not match their local password.

  • [JC-2866] The Cancel button in the Acceptable Use Policy window now works as expected on macOS 11 or later.

  • [PI010418] [JC-3229] Local accounts that are FileVault-enabled now display on the FileVault unlock screen after restarting when the Jamf Connect login window is enabled.

  • [JC-3745] The ROPG Scopes (Scopes) setting is now configurable in the Connect pane of the Jamf Connect Configuration app.

2.10.0 (2022-03-07)

Display an Acceptable Use Policy via URL

You can now populate Jamf Connect's Acceptable Use Policy screen using a URL. This eliminates the need to create and deploy an Acceptable Use Policy TXT or PDF file to computers alongside Jamf Connect.

For more information, see Acceptable Use Policy Screen.

Default Password Verification Interval Change

The Network Check-in Frequency (NetworkCheck) setting is now set to one hour rather than 15 minutes by default. Extending the default interval mitigates the risk of the Jamf Connect menu bar app unexpectedly locking out a user from their identity provider (IdP) resources in environments where authentication frequency limits exist.

For more information, see Password Policy Settings.

Custom OpenID Connect Scopes Support for Menu Bar App

The Jamf Connect menu bar app now supports the Scopes (Scopes) setting. This allows you to receive additional OpenID Connect claims, such as email, in a user's ID token during sign-in with Jamf Connect. To use this setting, include this key-value in the IdPSettings dictionary of a menu bar configuration profile.

This setting resolves [PI109710].

For more information, see Menu Bar App Preferences.

Resolved Issues

  • [JC-2925] Jamf Connect menu bar now consistently retrieves Kerberos tickets when a user changes their network and during Jamf Connect network checks.

  • [JC-3030] Kerberos tickets are no longer destroyed if a user disables VPN and the menu bar preference key CacheTicketsOnNetworkChange is set to True.

  • [PI109830] The Jamf Connect login background image now appears behind the "Welcome to your new Mac!" login screens instead of appearing as a black screen.

  • [JC-2585] The Shutdown, Restart, and Local Login buttons are now hidden from the Jamf Connect login window when the Acceptable Use Policy screen displays.

  • [JC-2918] Jamf Connect now starts after a user's account is created instead of the native Apple Setup Assistant window.

  • [JC-3703] When users change their password using Jamf Connect, passwords for keychain items specified in Jamf Connect Configuration are automatically updated to match their new password.

  • [JC-3229] FileVault-enabled users now appear on the FileVault unlock screen upon restart.

  • [PI109771] Using a third party MFA provider for pass-through authentication no longer produces a ROPG failure that results in users reentering their password. Users now enter their password one time.

2.9.1 (2022-02-22)

Resolved Issues

  • [JC-3740] In Jamf Connect Configuration, selecting then deselecting the Automatically Open Jamf Connect at Login checkbox on the Connect pane no longer removes additional apps from users' login items.
  • [JC-3737] The Automatically Open Jamf Connect at Login setting is now respected when an end-user selects this preference from the menu bar app's Preferences window.

  • [PI109800] Jamf Connect no longer launches prematurely while users are setting up their Mac with Apple Setup Assistant.

  • [JC-3702] In Jamf Connect Configuration, the tooltip for the Use Passthrough Authentication checkbox on the Login pane is now translated into supported languages. Supported languages include English, German, Spanish, French, and Japanese.

2.9.0 (2022-02-07)

Installer Changes

Jamf Connect now automatically opens upon first installation. Additionally, when Jamf Connect is upgraded, the app now automatically quits and then relaunches as the updated version. This ensures that older versions do not run concurrently.

For more information, see Launch Agent and Jamf Connect Updates.

Ability to Uninstall Jamf Connect Using a Package in the DMG

The Jamf Connect DMG now contains a package to fully uninstall Jamf Connect. To uninstall Jamf Connect, run the Jamf Connect Uninstaller package on the intended user's machine.

For more information, see Uninstalling Using the Jamf Connect Uninstaller Package.

Resolved Issues

  • [JC-3204] The Jamf Connect menu bar app is now able to retrieve custom Azure ShortName attributes.

  • [JC-3247] The Jamf Connect login window message that appears when signing in as a new user, "Creating your account on this Mac", is now translated into supported languages.

  • [JC-2859] The Jamf Connect Configuration interface now allows you to save 0 as the value of the Network Check-in Frequency field, disabling check-ins for network connection availability every x number of minutes.

  • [JC-2963] The Jamf Connect menu bar app now provides a descriptive error message when users enter either an incorrect username or password.

  • [JC-2977] When importing a configuration, the Create Jamf Connect keychain checkbox is now pre-checked in the Jamf Connect Configuration interface.

  • [JC-3185] ldapsearch search queries now resolve, rather than becoming unresponsive, if a user is in 1000+ active directory groups.

  • [JC-3199] The Enable Jamf Unlock toggle at the top of users' screens now automatically translates to the supported language set on each user's Mac.

2.8.0 (2022-01-10)

Jamf Connect Configuration Upload Integration with Jamf Pro

You can now upload configurations created in the Jamf Connect Configuration app directly to your organization's Jamf Pro instance. This eliminates the need to save the configuration profile locally and then manually upload the profile to Jamf Pro.

Keep the following requirements and limitations in mind when using this feature:

  • You need your Jamf Pro instance URL and a Jamf Pro user account with administrator privileges to upload a configuration.

  • Configurations must be saved in .mobileconfig format.

  • Profile names cannot match an already existing name of a configuration profile in Jamf Pro.

  • You cannot upload updates to an already existing configuration profile with the same name.

For more information, see Creating a Configuration Profile using Jamf Connect Configuration.

Passthrough Authentication for OneLogin and PingFederate

Organizations that use OneLogin and PingFederate with the Jamf Connect login window can now securely send the password entered by users in the sign-in web view to Jamf Connect for local authentication. This allows Jamf Connect to complete network and local authentication without prompting users to re-enter a password. During local account creation, this ensures that the network password is automatically used as the local password.

To enable passthrough authentication with OneLogin or PingFederate, do the following:

  • Set the Use Passthrough Authentication (OIDCUsePassthroughAuth) setting to true in your Jamf Connect login configuration profile. This setting is set to false by default.

  • Make sure the Create a Separate Local Password (OIDCNewPassword) setting is set to false or undefined.

For more information about passthrough authentication with Jamf Connect, see Passthrough Authentication with Jamf Connect.

Set Jamf Connect as a Login Item

You can now set the Jamf Connect menu bar app as a macOS login item for users. This ensures that Jamf Connect automatically opens after login rather than needing to manually direct users to open the app from the /Applications folder.

To enable this feature, set the Automatically Open Jamf Connect at Login (AutoOpenAppAtLogin) setting to true in the SignIn dictionary of your Jamf Connect menu bar app configuration profile. This setting is set to false by default.

Note:

If you deploy Jamf Connect using Jamf Now's built-in deployment feature, this setting is automatically enabled.

For more information, see Menu Bar Sign-in Settings.

Resolved Issues

  • [PI-010318] Executing authchanger -reset -JamfConnect via Jamf Pro policy no longer returns a false positive "Failed to write file `default.profraw`" error message.

  • [PI-010364] Custom icons used in the Sign In window are no longer stretched to fit the maximum allowed size (450 x 450 px).

2.7.0 (2021-12-06)

Password Syncing Support for Google Cloud ID

You can now deploy the Jamf Connect menu bar app to allow users to sync passwords between their Google account and local account on the Mac.

To set up password syncing, organizations that use Google as their identity provider (IdP) need the following:

  • A Jamf Connect menu bar app configuration profile deployed to computers that configures Google as the IdP.

  • A Google Cloud Identity or Workspace edition that includes Google's Secure LDAP service, such as the following:

    • Business Plus

    • Enterprise

    • Education Fundamentals

    • Standard

    • Teaching and Learning Upgrade

    • Plus

  • Google user accounts that support Google's Secure LDAP service and an LDAP client certificate deployed to computers.

For more information about password syncing with Google, including how to generate and install an LDAP certificate, see Integrating with Google Identity and Password Syncing with Google.

For more information about Google's Secure LDAP service, see About the Secure LDAP service from the Google Workspace Admin Help web site.

Jamf Unlock with the macOS login window

Users can now use the Jamf Unlock app to log in via Apple's native macOS login window.

To enable Jamf Unlock authentication at the login window for users, you need the following:

  • Jamf Unlock 1.2.0 installed on mobile devices.

    For more information, see Jamf Unlock Overview.

  • Jamf Connect 2.7.0 or later installed on computers with macOS 10.15.4 or later.

  • The EnableUnlockForLogin setting set to true in the Unlock dictionary in your Jamf Connect menu bar configuration profile.

  • The Jamf Connect launch agent installed on computers.

When enabled, users have the option to use Jamf Unlock authentication rather than entering their local password by using the Enable Jamf Unlock switch at the top of the login window.

Keep the following in mind when enabling this feature:

  • By default, Jamf Unlock authentication is only available after logout and is skipped after restart. To use Jamf Unlock authentication after a full restart, you must disable Apple's automatic FileVault login setting on computers. For more information, see FileVault Enablement with Jamf Connect.

  • Make sure the EnableUnlock setting is also enabled in the Unlock dictionary of your Jamf Connect menu bar configuration profile.

  • During the first login attempt, users may need to enter their password to allow macOS to use the "login" keychain.

  • The Jamf Connect login screen cannot be used with Jamf Unlock authentication. To use Jamf Unlock authentication, make sure the Jamf Connect login window is disabled by executing sudo authchanger -reset.

For more information, see Enabling Jamf Unlock on Computers.

Other Changes and Improvements

  • Improved the local account migration user experience by adding a Creating Your Account On This Mac... loading screen. The Verify screen no longer unexpectedly re-appears after the user authenticates to the local account for migration.

  • The Create a Separate Local Password (OIDCNewPassword) setting no longer needs to be set to false to enable passthrough authentication with Azure AD.

  • The Short Name (OIDCShortName) setting is now included in the Login tab in Jamf Connect Configuration.

Resolved Issues

  • [PI-008286] Disabling Wi-Fi before a logout or restart no longer prevents users from choosing a network connection with the Jamf Connect login window.

  • [PI-009255] Jamf Connect can now change passwords on computers previously bound to an Active Directory domain.

  • [PI-009570] [PI-009625] Passwords are no longer duplicated when pasted into the Password field using the keyboard shortcut Command-V.

  • [PI-010264] Jamf Connect now allows OneLogin users to authenticate with a one-time password (OTP) in the OneLogin web view.

Documentation Updates

2.6.0 (2021-11-01)

Passthrough Authentication for Microsoft Azure AD

Organizations that use Microsoft Azure AD with the Jamf Connect login window can now securely send the password entered by users in the Microsoft sign-in web view to Jamf Connect for local authentication. This allows Jamf Connect to complete network and local authentication without prompting users to re-enter a password. During local account creation, this ensures that the network password is automatically used as the local password.

To enable passthrough authentication with Microsoft Azure AD, do the following:

  • Set the Use Passthrough Authentication (OIDCUsePassthroughAuth) setting to true in your Jamf Connect login configuration profile. This setting is set to false by default.

  • Make sure the Create a Separate Local Password (OIDCNewPassword) setting is set to false. This setting is set to true by default.

Note:

Future releases of Jamf Connect will support passthrough authentication for other identity providers (IdPs).

For more information about passthrough authentication with Jamf Connect, see Passthrough Authentication with Jamf Connect.

Resolved Issues

  • [PI-008964] Okta MFA challenges that expire due to user inactivity are now canceled in Jamf Connect and allow users to re-attempt authentication.

  • [PI-009948] The menu bar app no longer makes continuous Kerberos authentication attempts during network checks when an account is locked out in Active Directory.

  • [PI-010139] Custom Sign In window logos are now scaled to fit the window and are automatically limited to 450x450 pixels.

  • [PI-010199] The Welcome to Jamf Connect window now correctly displays an image of the menu bar app icon.

  • [JC-3045] Okta Verify number challenges now display as a sheet attached to the Sign In window rather than a separate window.

2.5.0 (2021-10-04)

Changes in Minimum Supported Version of macOS

macOS 10.14.3 or earlier is no longer supported by Jamf Connect. Before you upgrade to Jamf Connect 2.5.0, make sure all computers with Jamf Connect are on macOS 10.14.4 or later.

Compatibility with macOS Monterey 12

Jamf Connect 2.5.0 provides compatibility with macOS Monterey 12. This includes compatibility for the following features and workflows:

  • Network and local authentication

  • Local account creation

  • Password syncing

  • Login window and menu bar app custom branding

  • Creating configuration profiles with the Jamf Connect Configuration app

Compatibility and new feature support are based on testing with the latest Apple beta releases.

Passthrough Authentication for Google Cloud ID

Organizations that use Google Cloud ID with the Jamf Connect login window can now securely send the password entered by users in the Google sign-in web view to Jamf Connect for local authentication. This allows Jamf Connect to complete network and local authentication without prompting users to re-enter a password. During local account creation, this ensures that the network password is automatically used as the local password.

To enable passthrough authentication with Google Cloud ID, set the Use Passthrough Authentication (OIDCUsePassthroughAuth) setting to true in your Jamf Connect login configuration profile. This setting is set to false by default.

Note:

Future releases of Jamf Connect will support passthrough authentication for other identity providers (IdPs).

For more information about passthrough authentication with Jamf Connect, see Passthrough Authentication with Jamf Connect.

Other Enhancements

  • The Pluggable Authentication Module (PAM) prompts can now be disabled when users attempt to edit the Network pane settings in System Preferences. To disable the PAM for changes to Network > System Preferences, execute sudo authchanger -SysPrefsReset. To re-enable PAM for the Network preferences pane, execute sudo authchanger -SysPrefs.

  • Okta Verify number challenges are now a supported MFA method when testing authentication with the Jamf Connect Configuration app.

  • You can now save the ID, access, and refresh tokens obtained from testing OpenID Connect authentication in the Jamf Connect Configuration app. All three token types are saved as encoded .txt files. For more information, see Saving User Tokens from Jamf Connect Configuration.

  • Improved the stability and performance of the Jamf Unlock authentication and pairing processes in the Jamf Connect menu bar app.

Resolved Issues

  • [PI-009600] The Jamf Connect login window no longer fails to log in Okta users when their password expiration date is within the range that Okta is configured to send password expiration prompts.

  • [PI-009743] Okta multifactor authentication (MFA) prompts no longer time out before users can complete the MFA setup process for new accounts.

  • [PI-009936] Resolved an issue that caused local account migration to be unavailable for some local accounts due to Jamf Connect defining the NetworkUser attribute as Unknown.

  • [PI-010122] Resolved an issue that made the UserPrincipal value in the Jamf Connect state settings case sensitive, which caused the Change Password window to display a webview rather than the native Jamf Connect UI when a Kerberos realm was integrated with Jamf Connect.

  • Resolved an issue that prevented Jamf Connect from obtaining Kerberos tickets using the jamfconnect://gettickets URL.

2.4.5 (2021-09-07)

Resolved an issue that prevented the Admin Client ID (OIDCAdminClientID) setting from being respected during account creation via Okta and Jamf Connect, which unexpectedly created all new local accounts as standard users.

2.4.4 (2021-08-30)

Menu Bar App Branding Enhancements

You can now configure the menu bar app to use a new alternate icon rather than the default Jamf logo and company name.

To use the new icon, set the Use Unbranded App Icon (AlternateBranding) setting to true in the Appearance dictionary of your Jamf Connect menu bar app configuration profile. This setting is disabled by default.

For more information, see Using the Alternate Branding in the Menu Bar App.

Resolved Issues

  • [PI-009301] Okta Verify number challenges now complete multifactor authentication requests as expected, when triggered by Okta's behavior detection policies.

  • [PI-009849] Fixed an issue that caused Jamf Connect to continuously queue Kerberos authentication requests when the Renew Kerberos Tickets (AutoRenewTickets) setting was enabled and computers were offline or not connected to an Active Directory domain, which resulted in users being locked out of Active Directory.

  • The Paired Devices window that displays a device used for Jamf Unlock authentication now displays the user's device name rather than just the device type.

2.4.3 (2021-08-09)

Support for Jamf Unlock Menu Bar App Settings in Jamf Connect Configuration

You can now configure menu bar app settings that are used to configure Jamf Unlock authentication with computers using the Jamf Connect Configuration app.

Resolved Issues

  • [PI-009779] The Shutdown and Restart buttons are now hidden on the Acceptable Use Policy screen.

  • [PI-009851] [JC-2732] Jamf Unlock authentication is now enabled immediately after a device is paired with a Mac computer.

  • [PI-009829] Fixed an issue that caused an unsupported browser error message for OneLogin users when changing passwords via a web view.

  • [JC-2755] The status of the Enable Unlock setting now correctly matches between the switch in the menu bar app drop down and Paired Devices window.

2.4.1 (2021-07-12)

Kerberos Ticket Caching

You can now use the Cache Kerberos Tickets on Network Change (CacheTicketsOnNetworkChange) setting to determine whether a user's Kerberos tickets are cached or destroyed when a network status changes on computers. When set to true, computers will cache Kerberos tickets when a network change occurs. By default, this setting is set to false and Kerberos tickets are destroyed during a network change.

For more information, see Kerberos Settings.

Custom Username for Resource Owner Password Grant (ROPG) Authentication

You can now use the ROPG Short Name (OIDCROPGShortName) setting to define an attribute from an ID token to use as the username during the ROPG authentication flow.

This setting is only used in complex IdP environments where an IdP does not respect the claims used by Jamf Connect to define the username (e.g., unique_name, preferred_username, email, and sub) during the ROPG workflow.

For more information, see Advanced Login Settings.

Bug Fixes

  • [PI-009715] Custom messages configured by the Sync Passwords Message (SyncPasswordsMessage) are now displayed when excludeUsername is also configured as a password policy requirement.

  • [JC-2795] The Pair New Device window that displays the QR code for pairing with Jamf Unlock now closes after a user successfully scans the QR code or clicks the x button.

Jamf Unlock 1.1.0

Jamf Unlock 1.1.0 includes new managed app configuration settings and bug fixes. For more information see the Jamf Unlock Release History.

2.4.0 (2021-06-14)

Introducing Jamf Unlock 1.0.0

Jamf Unlock is a mobile device app that allows a user to unlock their Mac with a mobile device without using a password. With Jamf Unlock, users complete a setup process to create or generate identity credentials (certificate) on their device, which are then used to pair and establish trust with a Mac. Once the setup is complete, users can easily use the app as an alternate authentication method in the following scenarios:

  • Unlocking a Mac
  • Prompts to change settings in System Preferences
  • Commands executed with root privileges with the sudo command

IT administrators can configure Jamf Unlock authentication settings via managed app configuration and deploy the app to users in their organization.

To use Jamf Unlock in your environment, you need the following:

  • A Jamf Unlock subscription and the Jamf Connect 2.4.0 menu bar app installed on computers.

    Note:

    You must also include the Enable Unlock (EnableUnlock) setting in your menu bar app configuration profile. For more information, see Enabling Jamf Unlock on Computers.

  • An MDM solution, such as Jamf Pro

  • Managed devices with iOS 14.0 or later that are connected to the internet

  • Computers with macOS 10.15.4 or later with the Jamf Unlock menu bar app installed

  • A cloud identity provider (IdP) and an OpenID Connect app integration.

    Note:

    If you already deployed the menu bar app in your environment, you can use an existing app integration for the menu bar app by adding an additional Redirect URI for Jamf Pro. If you use Okta and its authentication API with the menu bar app, you must create a new app integration to support the OpenID Connect authentication protocol.

For more information, see Jamf Unlock Overview.

Jamf Pro 10.30 Deployment Integration

If you have a Jamf Pro subscription, you can now deploy Jamf Connect directly from Jamf Pro. This eliminates the need to manually upload the installer package and use a policy to deploy Jamf Connect to computers.

For more information, see the Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers technical paper.

Bug Fixes

  • [JC-2696] Fixed an issue that prevented VoiceOver from reading text on the Connect screen of the Jamf Connect login window during account migrations.

  • [JC-2533] Fixed an issue that caused Jamf Connect to display an unexpected password expiration date for user passwords that are not configured to expire in Active Directory.

2.3.3 (2021-05-24)

Bug Fixes

  • [PI-008947] Fixed an issue that sometimes caused the Close button for the login window Help window to be covered by text configured with the Login Window Message (LoginWindowMessage) setting.

  • [PI-008954] Network checks by the menu bar app now update the LastSignIn key written to the com.jamf.connect.state PLIST file.

  • [PI-009179] Fixed an issue that unexpectedly allowed Jamf Connect Configuration to accept multiple lines of text in single line text fields.

  • [PI-009673] Fixed an issue that prevented authchanger arguments passed via a configuration profile written to com.jamf.connect.authchanger from being respected.

  • [PI-009700] [PI-009695] Fixed an issue that prevented the Jamf Connect login window from completing password validation (ROPG) for PingFederate users, which also caused account creation to fail.

  • [JC-1938] Fixed an issue that prevented Jamf Connect from retrieving Kerberos tickets for a user when a different user that previously signed in already retrieved Kerberos tickets.

  • [JC-2385] Fixed and improved some translation issues for languages other than English in the Jamf Connect menu bar app.

2.3.2 (2021-05-03)

New Menu Bar App Preference for Network Checks

You can now use the Perform Network Checks on Network Changes (checkOnNetworkChange) setting to determine whether Jamf Connect performs a network check when a computer's network status changes. This setting is included in the PasswordPolicies dictionary and is a boolean that is set to true by default. For more information, see Password Policy Settings.

Change to Admin Roles Setting in Jamf Connect Configuration

Jamf Connect Configuration now only configures the Admin Roles (OIDCAdmin) setting as an array of strings.

If you import existing configuration profiles into Jamf Connect Configuration and configure the Admin Roles setting in your environment, make sure that an array of strings is used in your configuration profile before importing rather than a single string, like the following:

<key>OIDCAdmin</key>
<array>
    <string>role</string>
</array>

Note:

This change fixes PI-007892.
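One way to bring an older profile into the array form before importing it, as an added example that is not part of Jamf Connect or its documentation. `normalize_admin_roles` and `prepare_for_import` are hypothetical names, the profile layout is an assumption, and `OLD_PROFILE` is constructed sample data.

```python
import plistlib

# Constructed example of an older profile: OIDCAdmin is a single string.
# The layout (settings inside a PayloadContent entry) is an assumption.
OLD_PROFILE = plistlib.dumps(
    {"PayloadContent": [{"OIDCAdmin": "role", "OIDCNewPassword": False}]},
    fmt=plistlib.FMT_XML,
)


def normalize_admin_roles(node):
    """Wrap every string-valued OIDCAdmin in a one-element array, in place.

    Returns the number of values rewritten. The string is wrapped as-is; it is
    not split on commas or spaces, because no delimiter is defined for it.
    """
    changed = 0
    if isinstance(node, dict):
        if "OIDCAdmin" in node:
            value = node["OIDCAdmin"]
            if isinstance(value, str):
                node["OIDCAdmin"] = [value]
                changed += 1
            elif not (isinstance(value, list)
                      and all(isinstance(item, str) for item in value)):
                # Anything other than a string or an array of strings is a
                # profile error that should be fixed by hand.
                raise ValueError("OIDCAdmin must be an array of strings")
        for child in node.values():
            changed += normalize_admin_roles(child)
    elif isinstance(node, list):
        for child in node:
            changed += normalize_admin_roles(child)
    return changed


def prepare_for_import(profile_bytes):
    """Return (profile bytes with array-valued OIDCAdmin, values rewritten)."""
    profile = plistlib.loads(profile_bytes)
    changed = normalize_admin_roles(profile)
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML), changed


if __name__ == "__main__":
    fixed, count = prepare_for_import(OLD_PROFILE)
    print(f"rewrote {count} OIDCAdmin value(s)")
    print(fixed.decode("utf-8"))
```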

Bug Fixes

  • [PI-009217] Fixed an issue that prevented the NameID attribute in email format from correctly being used as the user's account name when Jamf Connect was used to create users from Okta via Jamf Pro's Enrollment Customization settings.

  • [PI-008734] Fixed an issue that prevented password policy information detected from Active Directory from displaying correctly in Jamf Connect's Password Change and New Password windows.

  • [PI-009494] Fixed an issue that prevented the Formatted ID Token Path (OIDCIDTokenPath) and Raw ID Token Path (OIDCIDTokenPathRaw) settings from storing a user's ID token at the configured file path.

  • [PI-009516] Fixed an account migration issue that prevented Jamf Connect from searching for an existing local account that matches a custom short name configured with the Custom Short Name (OIDCShortName) setting.

  • [PI-009613] Fixed an issue that prevented VoiceOver from reading text fields in the Jamf Connect login window.

2.3.1 (2021-04-05)

Login Window

[PI-009285] Improved the login and account creation experience by displaying an animated loading bar between when a user authenticates and when the Finder displays.

Menu Bar App

  • [PI-009164] Fixed an issue that caused Jamf Connect to fail to respect the custom action MenuIcon preference key. 

  • [PI-009223] Fixed an issue in which deploying a configuration with misconfigured custom branding settings caused the menu bar app icon to be absent.

  • [JC-2329] Fixed an issue that caused the menu bar to display a blank webview when attempting to authenticate if no MFA option was configured. 

  • [JC-2529] Fixed an issue that caused Jamf Connect to fail to update some AD attributes (e.g., password expiration date) after changing the password via the menu bar app. 

2.3.0 (2021-03-22)

Keyboard Layout Selection at the Login Window

Users can now select a keyboard type from the Jamf Connect login window by clicking the keyboard button in the upper-right of the screen. Users can select from any keyboard input source supported by macOS. This feature also fixes PI-009230.

New Menu Bar App Preference Key for Okta Password Expiration Dates

The Password Expiration Manual Override (ExpirationManualOverrideDays) setting allows Okta administrators to display the number of days remaining before a user's password expires in the menu bar app for Okta accounts that are not managed by Active Directory. This setting is included in the PasswordPolicies dictionary and is an integer that specifies the lifetime of an Okta password in your organization. For example, if users must change their Okta password every 90 days, set the integer value to 90.

Note: If your Okta accounts are managed by Active Directory, this setting cannot be used. Continue to integrate Jamf Connect with a Kerberos realm to display the password expiration date in the Jamf Connect menu bar app.

Identity Provider Endpoint Usage

Jamf Connect now detects and uses any discovery URLs that are included in a Jamf Connect configuration profile instead of using the pre-configured discovery URLs that are included in Jamf Connect's authentication framework by default.

To ensure authentication with Jamf Connect continues to succeed, make sure you do the following before you deploy Jamf Connect 2.3.0:

  • If you are using an identity provider other than PingFederate or a custom option, make sure discovery URL key-value pairs are either not configured (Jamf Connect uses pre-configured discovery URLs for supported IdPs) or match the discovery endpoint documented by your IdP.
  • If you use Jamf Connect with Azure AD in an AD FS hybrid identity environment, in addition to making sure the Discovery URL (OIDCDiscoveryURL) is not configured, make sure the Hybrid ID Discovery URL (ROPGDiscoveryURL) uses your AD FS discovery endpoint.
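The two checks in the list above, written as a pre-deployment test over a profile's settings dictionary. This is an added example, not Jamf's code: `url_problems` and `discovery_findings` are hypothetical names, the host names are constructed, and the HTTPS and `/.well-known/openid-configuration` checks come from the OpenID Connect Discovery specification rather than from this page.

```python
from urllib.parse import urlsplit

# Path defined by the OpenID Connect Discovery specification.
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: an AD FS hybrid profile with both mistakes the list warns about.
HYBRID_BAD = {
    "OIDCDiscoveryURL": "https://idp.example.com/.well-known/openid-configuration",
    "ROPGDiscoveryURL": "http://adfs.example.net/adfs/.well-known/openid-configuration",
}


def url_problems(key, url, expected_host=None):
    """Check one discovery URL for scheme, path and (optionally) host."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append(f"{key}: scheme is {parts.scheme or 'missing'}, expected https")
    if not parts.path.endswith(WELL_KNOWN):
        problems.append(f"{key}: path does not end with {WELL_KNOWN}")
    host = (parts.hostname or "").lower()
    if expected_host and host != expected_host.lower():
        problems.append(f"{key}: host is {host or 'missing'}, expected {expected_host}")
    return problems


def discovery_findings(settings, documented_url=None, adfs_host=None):
    """Return problems with the discovery URL keys in a settings dictionary.

    documented_url: the discovery endpoint your IdP documents (assumed input).
    adfs_host: set this for an Azure AD + AD FS hybrid environment (assumed input).
    """
    findings = []
    oidc = settings.get("OIDCDiscoveryURL")
    ropg = settings.get("ROPGDiscoveryURL")
    if adfs_host:
        # Hybrid rule: OIDCDiscoveryURL unset, ROPGDiscoveryURL on the AD FS host.
        if oidc is not None:
            findings.append(
                "OIDCDiscoveryURL must not be configured in an AD FS hybrid environment")
        if ropg is None:
            findings.append(
                "ROPGDiscoveryURL is missing; it must use the AD FS discovery endpoint")
        else:
            findings += url_problems("ROPGDiscoveryURL", ropg, adfs_host)
    elif oidc is not None:
        # Non-hybrid rule: either unset, or equal to the documented endpoint.
        findings += url_problems("OIDCDiscoveryURL", oidc)
        if documented_url is None:
            findings.append("OIDCDiscoveryURL is set; remove it or compare it "
                            "with the IdP's documented endpoint")
        elif oidc.rstrip("/") != documented_url.rstrip("/"):
            findings.append("OIDCDiscoveryURL differs from the documented endpoint")
    return findings


if __name__ == "__main__":
    for line in discovery_findings(HYBRID_BAD, adfs_host="adfs.example.com"):
        print(line)
```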

LAPS User Setting Behavior Changes

The LAPS User (LAPSUser) setting is now ignored on computers in the following scenarios: 

  • If any account type logs in with Jamf Connect on computers with macOS 11 or later.
  • If a local administrator logs in with Jamf Connect on computers with macOS 10.15 or earlier.

This helps ensure this setting only runs to enable FileVault for standard users on macOS 10.15 or earlier. This change also fixes PI-007744.

Custom Menu Bar Icon Changes for macOS 11 or Later

On computers with macOS 11 or later, the Dark Mode Icon (MenubarIconDark) setting is no longer supported. To continue using a custom menu bar icon for Jamf Connect on macOS 11 or later, make sure to only use the Light Mode Icon (MenuBarIcon) setting. 

Keep the following in mind about menu bar icons for macOS 11 or later:

  • macOS 11 will automatically change the tint of a monochrome icon to clearly display against the desktop image.
  • If you use a custom icon with multiple colors for Jamf Connect, the icon will automatically be converted to a monochrome template to match Apple guidelines. Using an icon with multiple colors is not recommended and may cause the menu bar icon to display in an unexpected way.

Bug Fixes

The following issues are fixed in the login window:

  • [PI-008572] Fixed an issue that caused ROPG authentication to fail when Jamf Connect was configured to use the OpenID Connect authentication protocol rather than the Okta Authentication API with Okta.
  • [PI-009139] Fixed an issue that caused the authchanger -preLogin command-line argument to incorrectly display the notify screen after a user logs in instead of before login.

The following issues are fixed in the menu bar app:

  • [PI-009274] Fixed an issue that caused Jamf Connect to not provide an option to complete unsupported MFA request types when attempting to log in.
  • [PI-009295] The Jamf Connect launch agent package is now built as a universal installer package.
  • [PI-009107] Fixed an issue that caused the Jamf Connect menu bar app to sometimes use old credentials during sign-in after a password change when the Enable Automatic Sign-in (AutoAuthenticate) setting was enabled, which caused sign-in to fail.

2.2.2 (2021-02-22)

Jamf Connect 2.2.2 includes the following bug fixes.

Login Window

  • [PI-009151] Fixed an issue that caused Jamf Connect to add the user's network short name as a local account alias rather than the local account name when the Short Name Attribute (OIDCShortName) setting was configured.

  • [PI-009104] Fixed an issue that prevented Jamf Connect from respecting Passcode payload settings configured via an MDM profile.

  • [PI-008376] Fixed an issue that caused the word "testing" to appear beneath the progress bar on the Notify screen when a user pressed any key.

Menu Bar App

  • [PI-009241] Fixed an issue that caused Jamf Connect to not respect the BrowserSelection preference key.

  • [PI-009280] Fixed an issue that caused the menu bar app to fail to display custom names configured in the MFA Option Names (MFARename) preference key and instead display "token:software:tot".

Configuration

[PI-009221] Fixed an issue that caused Jamf Connect Configuration to fail to include the Web Browser dictionary when exporting configurations.

2.2.1 (2021-02-08)

Jamf Connect 2.2.1 includes the following bug fix:

[JC-2246] Fixed an issue that caused automatic login with FileVault to fail on Mac computers with Apple silicon, which required users to enter a password at the FileVault screen and Jamf Connect login window on startup.

2.2.0 (2021-01-25)

Jamf Connect 2.2.0 includes the following enhancements and bug fixes.

Support for OneLogin OpenID Connect Version 2 Service

Jamf Connect now supports the version 2 endpoints of OneLogin's OpenID Connect service.

Important:

OneLogin will deprecate version 1 of their OpenID Connect service on January 26. To ensure OneLogin authentication continues to succeed with Jamf Connect, you must do the following:

  • Update your Jamf Connect configuration profiles to include a tenant ID

  • Upgrade to Jamf Connect 2.2.0

For more information about OneLogin's OpenID Connect service migration, see the Upgrade v1 to v2 developer documentation from OneLogin.

Bug Fixes

Jamf Connect 2.2.0 includes the following bug fix:

[PI-009069] Fixed an issue that caused the Jamf Connect login window to disappear after 10 to 30 seconds of inactivity when Bomgar or another application was configured to run on startup.

2.1.3 (2021-01-11)

Jamf Connect 2.1.3 includes the following enhancement and bug fixes.

Acceptable Use Policy Customization Enhancements

You can now use either of the following new methods to display a PDF, TXT, RTF, or RTFD file on Jamf Connect's Acceptable Use Policy screen:

Apple policy banner

If you configured an Apple policy banner, Jamf Connect will display the contents of the policy banner on the acceptable use policy screen. Jamf Connect automatically searches /Library/Security for a file named "PolicyBanner" to display this file. No additional settings need to be configured for Jamf Connect to detect and display this file.

For more information about Apple policy banners, see How to set up policy banners in macOS from Apple's support website.

Custom File Upload

You can store a custom file that contains your acceptable use policy content and configure the Acceptable Use Policy Document (EULAFilePath) setting with the value of the file path.

Bug Fixes

Jamf Connect 2.1.3 includes the following bug fixes.

Login Window

[PI-008155] Fixed an issue that caused Jamf Connect to create an empty recovery key PLIST file when the EnableFDERecoveryKey and LAPSUser preference keys were both configured.

Menu Bar App

[PI-009010] Fixed an issue that caused Jamf Connect to attempt to change passwords via Kerberos even when the domain was not reachable.

2.1.2 (2020-12-14)

Jamf Connect 2.1.2 includes the following bug fixes and enhancements.

Bug Fixes and Enhancements

Configuration

Fixed an issue that prevented Jamf Connect Configuration from notifying users of unsupported preference keys if their level of indentation in the XML file was three or more levels deep.

Menu Bar App

  • If you do not have MFA configured, you can now use the ShortNameAttribute preference key to specify a custom attribute included in an ID token for use as a Kerberos short name. This value is stored in the Jamf Connect state settings as the CustomShortName key-value.


  • [PI-08909] Fixed an issue that caused Jamf Connect to fail to sync and store passwords in Keychain if the password contained the pound symbol (£).

  • [PI-009016] Fixed an issue that caused Jamf Connect to continue to prompt users for their short name at each login.

  • [PI-009017] Fixed an issue that caused the menu bar app to not respect the Hide Password Expiration Menu Item (PasswordExpiration) preference.

  • [PI-009018] Fixed an issue that caused Jamf Connect to display a blank web view when attempting to log in to the menu bar app if the network password was expired and MFA was not configured.

  • [JC-2302] Fixed an issue that caused the menu bar app to display a nonresponsive item named "item" when the password expiration menu bar item was not configured to be hidden.

  • [JC-2195] Fixed an issue that caused some elements of security prompts to be obscured when the language settings were set to a language other than English.

2.1.1 (2020-11-30)

Jamf Connect 2.1.1 includes the following bug fixes and enhancement.

Configuration

Removed an extraneous button that could be added to the toolbar, which acted the same as the Test button.

Login Window

  • [PI-008978] Fixed an issue that caused Jamf Connect to display a grey screen when a custom login window message and an Apple policy banner were both configured.


  • [PI-008987] Fixed an issue that caused the Jamf Connect login window to freeze after entering the FileVault password when FileVault was enabled on computers, an Acceptable Use Policy screen was configured to display, and Require Network Authentication (DenyLocal) was disabled.

  • [JC-2126] Fixed an issue that caused the local help file, when configured, to unexpectedly display for about two seconds after a successful network authentication.

Menu Bar App

[PI-009016] Fixed an issue that prevented password sync prompts from displaying on Big Sur if Enable Automatic Sign-in (AutoAuthenticate) was enabled.

2.1.0 (2020-11-16)

Jamf Connect 2.1.0 includes the following enhancements and bug fixes.

Acceptable Use Policy Screen Redesign

The Acceptable Use Policy Screen has been redesigned to match the appearance of the Jamf Connect login window redesign that was released with Jamf Connect 2.0.0.

Apple Silicon Compatibility for Jamf Connect

Jamf Connect is now a universal app that can run on Macs with Apple silicon* or Intel hardware.

Important:

New Macs with Apple silicon do not install Rosetta, Apple's binary translation service, until an Intel-based application is first opened. To ensure Macs with Apple silicon successfully run Jamf Connect, make sure you deploy Jamf Connect 2.1.0 or later to Macs with Apple silicon in your environment.

*Hardware support is based on testing with the Mac Developer Transition Kit.

Changes to Enabling FileVault for Standard Accounts for macOS 11

Beginning with macOS 11, you no longer need to use the LAPS User (LAPSUser) setting to specify which local administrator account receives a SecureToken and then grants it to standard local accounts created by Jamf Connect. If you use Jamf Connect to enable FileVault for local administrator and standard accounts, remove the LAPS User (LAPSUser) setting from login window configuration profiles that are deployed to computers with macOS 11.

For more information, see FileVault Enablement with Jamf Connect.

Bug Fixes and Enhancements

Jamf Connect 2.1.0 includes the following bug fixes.

Configuration

You can now use the text editor in Jamf Connect Configuration to add and edit nonstandard preference keys. Configurations with nonstandard keys can also be imported without being modified.

Licensing

Fixed an issue that prevented license data from being respected as a Base64 encoded string that is configured with the License File (LicenseFile) preference key.

Login Window

  • [PI-008704] Fixed an issue that prevented local user accounts created via Okta from respecting user role changes configured with OIDC apps in Okta.

  • [PI-008935] [JC-2017] Fixed an issue that prevented custom messages displayed with the Login Window Message (LoginWindowMessage) setting from hiding the last word of the message.

  • Fixed an issue that caused the login window to cache usernames in the identity provider (IdP) web view on computers with macOS 11.

  • Fixed an issue that caused the username text to turn black when selected after an unsuccessful Okta authentication attempt on computers with macOS 11.

2.0.2 (2020-11-03)

Note:

The legacy Jamf Connect applications (Login, Sync, Verify) were recently updated to support macOS Big Sur 11. If you have not yet upgraded to Jamf Connect 2.0.0 or later and want to ensure Jamf Connect is compatible with computers on macOS 11, you can deploy Jamf Connect 1.19.3. To download Jamf Connect 1.19.3 from Jamf Nation, navigate to My Assets > Jamf Connect > Previous Versions. 
 *Compatibility is based on testing with the latest Apple beta releases.

Jamf Connect 2.0.2 includes the following enhancements and bug fixes.

Jamf Connect Configuration Enhancements

  • Automatically Name Imported Configurations—Jamf Connect Configuration now uses the file names of imported configuration files to automatically name the configuration. You can still change the name of an imported configuration file by clicking on it in the sidebar and entering a new name.

  • Jamf Connect Setup Assistant Removed—The setup assistant has been removed from Jamf Connect Configuration to provide a simpler, more intuitive interface. To create a new configuration, click the + icon at the bottom of the sidebar.

Bug Fixes

Jamf Connect 2.0.2 includes the following bug fixes.

Login Window

  • [PI-008725] Fixed an issue that prevented password verification from succeeding and a custom short name from being added to the user's local account when the Short Name (OIDCShortName) setting was used.

  • [JC-2175] Fixed an issue that caused loginwindow mechanisms to run twice after upgrading Jamf Connect to a new version, which sometimes caused the Acceptable Use Policy screen, when configured, to appear twice during user logins.

Menu Bar App

[PI-008974] Fixed an issue that sometimes caused Jamf Connect to fail to prompt users to update out of sync passwords if the password was changed in Okta.

Configuration

  • [JC-2021] Fixed an issue that caused Jamf Connect Configuration to lose license file information when quit.

  • [JC-2050] Fixed an issue that caused Jamf Connect Configuration to create a blank configuration when clicking Cancel on an unsupported keys alert.

2.0.1 (2020-10-19)

Note:

Jamf Pro 10.25.0 introduced new computer extension attribute templates for Jamf Connect and an automatic way to install a Jamf Connect privacy preferences policy control (PPPC) profile. For more information, see the Jamf Pro Release Notes.

Bug Fixes

Jamf Connect 2.0.1 includes the following bug fixes:

Login Window

  • [PI-007101] Fixed an issue that prevented Google ID users from being prompted to enroll in multifactor authentication (MFA) when required.

  • [PI-008868] Fixed an issue that prevented the Use Local Authentication by Default (OIDCDefaultLocal) setting from being respected.

  • [PI-008870] [JC-1956] Fixed an issue that caused the acceptable use policy screen, when configured, to incorrectly display.

  • [PI-008874] Fixed an issue that prevented OneLogin users from creating accounts via Jamf Connect and Jamf Pro's Enrollment Customization settings.

  • [PI-008861] Fixed an issue that caused the Login Window Message (LoginWindowMessage) to be unavailable in the Jamf Repository settings available in Jamf Pro's Application & Custom Settings payload.

  • [PI-008899] Fixed an issue that caused the notify screen, when enabled, to expand to the full-screen width.

Menu Bar

  • [PI-008593] Fixed an issue that caused the menu bar app to fail to redirect users to the Okta dashboard if the Auth Server (AuthServer) value in the configuration is spelled with any capital letters.

  • [PI-008869] Fixed an issue that caused the menu bar app to incorrectly display a license validation error on computers with a valid Jamf Connect license.

  • [JC-1939] Fixed an issue that caused the menu bar app to always open Jamf Self Service if it is installed on the computer, even when the Self Service Path (SoftwarePath) preference is configured to open a different software.

  • [JC-1987] Fixed an issue that caused the Home or Home Directory menu bar item to appear even when the UserHomeDirectory value did not exist in a user's state settings or when a Kerberos integration was not configured.

  • [JC-2080] Fixed an issue that prevented the value of the ShortName key from being used for Kerberos authentication.

Configuration

  • [JC-1922] Fixed an issue that caused Jamf Connect Configuration to fail to clear formatting on text pasted into the code editing field.

  • [JC-2053] Fixed an issue that caused the Jamf Connect Configuration UI to be missing the User Help, Keychain, Scripting, and Certificates settings sections.

2.0.0 (2020-09-28)

Jamf Connect 2.0.0 introduces a significant redesign to the Jamf Connect login window user experience and product deployment.

For instructions on upgrading from Jamf Connect 1.19.2 or earlier to Jamf Connect 2.0.0, see Upgrading to Jamf Connect 2.0.0 or Later.

What's New

Jamf Connect 2.0.0 includes the following new features and improvements.

Unified Menu Bar App

Jamf Connect Sync and Jamf Connect Verify are now a single menu bar app called "Jamf Connect" that can be configured and deployed for any supported cloud identity provider (IdP).

The Jamf Connect 2.0.0 packages install the following components on computers:

| Component | Location |
| --- | --- |
| JamfConnectLogin.bundle | /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/ |
| | /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/authchanger |
| | /usr/local/lib/pam/pam_saml.so.2 |
| Jamf Connect.app | /Applications/Jamf Connect.app |

New App Icon
The Jamf Connect app has a new icon. Look for the following icon in the Applications folder when Jamf Connect is installed on computers:

Note:

The Jamf icon is still used in the menu bar when the app is open.

New Menu Bar Sign-In Preference for Okta

Users can now determine whether the Okta dashboard is opened in their selected browser after sign-in by selecting the checkbox next to the Browser pop-up menu. This setting is enabled by default and can be managed with the LaunchBrowser preference key (boolean) in the WebBrowser dictionary.

Login Window Redesign

The login window has been redesigned with a modern and improved user experience for both Okta authentication and OpenID Connect authentication methods.

Step Indicators

The top of the login window now includes step indicators to help users through the Jamf Connect login process. Depending on the workflow, users will see the following:

Authenticate

Displays when users must authenticate with their cloud identity provider (IdP) and complete a multifactor authentication (MFA) challenge through their IdP, if configured.

Connect

Displays when the Connect existing local accounts to a network account (Migrate) setting is enabled. The user must 1) enter the password of an already existing local account that has a username that matches an account in the IdP, 2) choose an existing local account to connect to the IdP, or 3) create a new account based on the cloud IdP.

Verify

Asks the user to re-enter their network password, which serves as both an additional security layer and verifies that the user's local and IdP passwords match. If the network password does not match the local password, the user will be prompted to sync passwords.

Other Changes and Enhancements

Network Selection

The Allow Network Selection button has been replaced with a WiFi icon in the upper-right corner of the login window.

Local Login

The Local Auth button is now named Local Login and appears along the bottom of the login window.

Error Messaging

Some error messages have been improved to help users troubleshoot configuration issues.

Custom Login Window Message

You can now add a custom message to the login window by configuring the LoginWindowMessage preference key.

For more information about the login window user experience, see End User Experience and Workflows.

Jamf Connect Configuration Enhancements

Jamf Connect Configuration 2.0.0 includes support for configuring primary Jamf Connect 2.0 settings and the following new features:

XML Editor

You can now use an XML editor mode to preview the configuration profile in XML and make manual changes to your configuration profile.

To view and edit your configuration profile in XML, click the </> icon.

New App Icon

Jamf Connect Configuration now uses the following icon in the Applications folder and Dock:

What's Changed

The following things have changed in Jamf Connect.

Installation

The login window and menu bar app are now included in a single package installer. You can use the package to install all components of Jamf Connect, or just the menu bar or login window.

The package installer will also remove the following from computers:

  • Jamf Connect Sync and Jamf Connect Verify apps

  • Jamf Connect Sync and Jamf Connect Verify launch agents. Launch agents will also be stopped.

  • Any associated installer receipts will be removed from the installer system.

authchanger Improvements

Requirements

The command arguments executed by the authchanger tool can now be read from a configuration profile. If used, the configuration profile must be written to com.jamf.connect.authchanger and contain the Arguments key, which is an array of strings of supported authchanger arguments. Arguments are read in the order in which the strings are configured, similar to how they are ordered on the command line.

The following example enables Jamf Connect authentication:

<key>Arguments</key>
<array>
    <string>-reset</string>
    <string>-jamfconnect</string>
</array>

The Jamf Connect installer does not add any arguments to authchanger by default. To enable the login window, use one of the following methods to pass authchanger arguments:

Note:

Jamf Connect will look for authchanger arguments in this order.

  1. Commands executed via the command-line. Consider the following scenarios:
    • If a command is executed with arguments, any preferences found in a configuration profile will be ignored.

    • If a command is executed without arguments, Jamf Connect will look for preferences in a configuration profile.

  2. Preferences found in a configuration profile written to com.jamf.connect.authchanger
  3. The Identity Provider (OIDCProvider) or Auth Server (AuthServer) preferences written to com.jamf.connect.login. These pass the -JamfConnect argument to automatically enable OpenID Connect or Okta authentication.
  4. If no arguments or preferences are found, the default loginwindow mechanisms will remain unchanged.
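
The lookup order above, modelled as an added example (not Jamf's code) so you can predict which source of authchanger arguments takes effect on a computer and which configured sources it overrides. The function names, the sample preference values, the treatment of an empty Arguments array as "not configured", and the error raised for a malformed Arguments value are assumptions of this example.

```python
import plistlib

AUTHCHANGER_DOMAIN = "com.jamf.connect.authchanger"
LOGIN_DOMAIN = "com.jamf.connect.login"


def make_plist(body):
    """Wrap a <dict> body in a minimal XML property list (sample-data helper)."""
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>' + body + "</dict></plist>").encode()


# Constructed sample preferences; the IdP value is a placeholder.
AUTHCHANGER_PREFS = make_plist(
    "<key>Arguments</key><array>"
    "<string>-reset</string><string>-jamfconnect</string></array>")
LOGIN_PREFS = make_plist("<key>OIDCProvider</key><string>ExampleIdP</string>")


def load_domain(prefs, domain):
    """Parse the plist bytes stored for a preference domain, or return {}."""
    raw = prefs.get(domain)
    return plistlib.loads(raw) if raw else {}


def authchanger_sources(cli_args, prefs):
    """Return every configured source as (name, arguments), highest priority first."""
    found = []
    # 1. Arguments typed on the command line.
    if cli_args:
        found.append(("command-line", list(cli_args)))
    # 2. The Arguments array in com.jamf.connect.authchanger.
    authchanger = load_domain(prefs, AUTHCHANGER_DOMAIN)
    if "Arguments" in authchanger:
        args = authchanger["Arguments"]
        if not (isinstance(args, list) and all(isinstance(a, str) for a in args)):
            raise ValueError("Arguments must be an array of strings")
        if args:  # assumption: an empty array counts as "not configured"
            found.append((AUTHCHANGER_DOMAIN, args))
    # 3. OIDCProvider or AuthServer in com.jamf.connect.login implies -JamfConnect.
    login = load_domain(prefs, LOGIN_DOMAIN)
    for key in ("OIDCProvider", "AuthServer"):
        if login.get(key):
            found.append((LOGIN_DOMAIN + ":" + key, ["-JamfConnect"]))
            break
    return found


def resolve_authchanger_args(cli_args, prefs):
    """Pick the winning source and list the configured sources it overrides."""
    found = authchanger_sources(cli_args, prefs)
    if not found:
        # 4. Nothing configured: loginwindow mechanisms stay unchanged.
        return {"source": None, "arguments": [], "overridden": []}
    source, args = found[0]
    # "overridden" means not used as a source of authchanger arguments.
    return {"source": source, "arguments": args,
            "overridden": [name for name, _ in found[1:]]}


if __name__ == "__main__":
    deployed = {AUTHCHANGER_DOMAIN: AUTHCHANGER_PREFS, LOGIN_DOMAIN: LOGIN_PREFS}
    for cli in (["-reset"], []):
        print(cli, "->", resolve_authchanger_args(cli, deployed))
```

A non-empty "overridden" list for a command-line run is worth reviewing: it means a script that calls authchanger with arguments is taking precedence over the managed configuration profile.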

Licensing Updates

The Jamf Connect menu bar app will now check both the com.jamf.connect and com.jamf.connect.login preference domains for a valid license. This ensures that you only have to deploy the license file in a single configuration profile, if you are using both the login window and the menu bar app for your organization.

We may collect hashed data about license usage. This data is used to monitor the number of licenses in use with Jamf Connect in your organization and does not include any Personal Information.

Menu Bar App Launch Agent

A launch agent for the Jamf Connect menu bar is included as a separate installer package in the Jamf Connect DMG. When installed on computers, the launch agent will ensure that Jamf Connect remains open.

Preference Domains and Keys

The Jamf Connect menu bar app is configured using a single preference domain:

com.jamf.connect

Note:

Login window preferences will continue to be written to com.jamf.connect.login.

Preference keys from Sync and Verify have also been merged and restructured using dictionaries. Preferences are sorted into the following collections:

| Dictionary | Type | Description |
| --- | --- | --- |
| IdPSettings | Dictionary | Used to allow Jamf Connect to complete authentication between your IdP and local accounts. Required settings vary by IdP. |
| SignIn | Dictionary | Used to configure the Sign-in window and user experience |
| Appearance | Dictionary | Used to customize Jamf Connect for your organization |
| UserHelp | Dictionary | Used to configure in-app help options for users |
| PasswordPolicies | Dictionary | Used to configure network password checks, expiration notifications, and password policies |
| Kerberos | Dictionary | Used to integrate Jamf Connect with a Kerberos realm for password syncing |
| Keychain | Dictionary | Used to allow Jamf Connect to sync passwords with keychain items |
| CustomMenuItems | Dictionary | Used to customize the names of menu items in Jamf Connect |
| HiddenMenuItems | Array | An array of strings used to hide Jamf Connect menu items from users |
| Scripting | Dictionary | Used to run custom scripts that are triggered by Jamf Connect authentication events |
| Certificate | Dictionary | Used to configure Windows web CA settings |

Keep the following in mind when configuring new preferences for the Jamf Connect menu bar:

  • Preferences that are configured with an interval, such as NetworkCheck, can be disabled by setting the interval value to 0.

  • If setting preferences with the command-line, you will need to use the -dict-add argument to configure a dictionary of keys. The following example shows how to disable network password checks:

Example: defaults write com.jamf.connect PasswordPolicies -dict-add NetworkCheck 0

For a complete list of menu bar preferences, see Menu Bar App Settings.

Renamed Preference Keys

Most preference keys used in Jamf Connect Sync and Jamf Connect Verify have been renamed to better represent their function or as a result of Jamf Connect becoming one app.

The following tables show which preference key names from Jamf Connect Sync and Jamf Connect Verify have been replaced with a new name in Jamf Connect 2.0.0:

Jamf Connect Sync Preference Key Changes

| 1.19.2 or Earlier | 2.0.0 |
| --- | --- |
| AuthServer | OktaAuthServer |
| AutoAuth | AutoAuthenticate |
| DontShowWelcome | ShowWelcomeWindow |
| ExpirationWarningDays | ExpirationNotificationStartDay |
| GetHelpOptions | HelpOptions |
| GetHelpType | HelpType |
| HideAbout | About |
| HideActions | Actions |
| HideChangePassword | ChangePassword |
| HideGetHelp | GetHelp |
| HideGetSoftware | GetSoftware |
| HidePreferences | Preferences |
| HideQuit | Quit |
| HideSignIn | Connect |
| KerberosRealm | Realm |
| KerberosRenew | AutoRenewTickets |
| KerberosShortName | ShortNameAttribute |
| KerberosShortNameAsk | AskForShortName |
| KerberosShortNameAskMessage | AskForShortNameMessage |
| KeychainItems | PasswordItems |
| KeychainItemsInternet | InternetItems |
| LabelPassword | PasswordLabel |
| LabelUsername | UsernameLabel |
| LocalPasswordSyncMessage | SyncPasswordsMessage |
| MenuAbout | About |
| MenuActions | Actions |
| MenuChangePassword | ChangePassword |
| MenuGetHelp | GetHelp |
| MenuGetSoftware | GetSoftware |
| MenuIcon | MenubarIcon |
| MenuPreferences | Preferences |
| MenuSignIn | Connect |
| MessageOTPEntry | OneTimePasswordMessage |
| MessagePasswordChangePolicy | PolicyMessage |
| PasswordChangeCommand | OnPasswordChange |
| PasswordExpirationMenuDays | ExpirationCountdownStartDay |
| PasswordPolicy | PolicyRequirements |
| SelfServicePath | SoftwarePath |
| SignInCommand | OnAuthSuccess |
| Template | CertificateTemplate |
| TicketsOnSignIn | GetTicketsAtSignIn |
| TitleSignIn | WindowTitle |
| WifiNetworks | SecureNetworks |
| X509CA | WindowsCA |

Jamf Connect Verify Preference Key Changes

| 1.9.2 or Earlier | 2.0.0 |
| --- | --- |
| DontShowWelcome | ShowWelcomeWindow |
| FailToolPath | OnAuthFailure |
| ForceSignInWindow | RequireSignIn |
| GetHelpOptions | HelpOptions |
| GetHelpType | HelpType |
| HideAbout | About |
| HideChangePassword | ChangePassword |
| HideGetHelp | GetHelp |
| HideGetSoftware | GetSoftware |
| HideHomeDirectory | HomeDirectory |
| HideLastUser | LastUser |
| HidePrefs | Preferences |
| HideQuit | Quit |
| HideResetPassword | ResetPassword |
| HideShares | Shares |
| KerberosGetTicketsAutomatically | GetTicketsAtSignIn |
| KerberosRealm | Realm |
| KerberosShortName | ShortNameAttribute |
| KerberosShortNameAsk | AskForShortName |
| KerberosShowCountdown | ExpirationCountdownStartDay |
| KerberosShowCountdownLimit | ExpirationCountdownStartDay |
| KeychainItems | PasswordItems |
| KeychainItemsInternet | InternetItems |
| LoginLogo | SignInLogo |
| MenuAbout | About |
| MenuActions | Actions |
| MenuChangePassword | ChangePassword |
| MenuGetHelp | GetHelp |
| MenuGetSoftware | GetSoftware |
| MenuHomeDirectory | HomeDirectory |
| MenuKerberosTickets | KerberosTickets |
| MenuResetPassword | ResetPassword |
| MenuShares | Shares |
| MessageLocalSync | SyncPasswordsMessage |
| ODICROPGID | ROPGID |
| OIDCChangePasswordURL | ChangePasswordURL |
| OIDCClientSecret | ClientSecret |
| OIDCDiscoveryURL | DiscoveryURL |
| OIDCProvider | Provider |
| OIDCResetPasswordURL | ResetPasswordURL |
| OIDCTenantID | TenantID |
| ROPGSuccessCodes | SuccessCodes |
| SelfServicePath | SoftwarePath |
| TimerNetworkCheck | NetworkCheck |
| WindowSignIn | WindowTitle |

Additional Changes

  • The custom URL scheme that allows users to perform quick actions within the menu bar app has been updated for the unified menu bar app. For more information, see Jamf Connect URL Scheme.

  • The Jamf Connect (CreateJamfConnectPassword) setting has been added to the login window preferences. This setting allows Jamf Connect to automatically populate the Sign In window in the menu bar app with a user's network username and password that was used to log in or create a new local account with Jamf Connect. This setting is enabled by default and replaces the Jamf Connect (CreateSyncPasswords) and Create Jamf Connect (CreateVerifyPasswords) settings used in Jamf Connect 1.19.2 or earlier.

  • The Jamf Connect loginwindow mechanism that enables FileVault now only runs if the Enable FileVault (EnableFDE) setting is enabled in the Jamf Connect login window configuration profile.

  • The Retrieve Kerberos Tickets During Sign-in (GetTicketsAtSignIn) setting has been removed from the menu bar app. Jamf Connect now automatically retrieves Kerberos tickets for users if a Kerberos realm is configured with the Kerberos Realm (Realm) setting. This enhancement fixes JC-1898.

Deprecations and Removals

The following Jamf Connect features and settings have been deprecated or removed.

Browser Extensions

The Safari and Google Chrome Browser Extensions included with Jamf Connect Sync are no longer supported.

Removed Preference Keys

The following preference keys are no longer supported. These settings should not be included in a configuration profile for Jamf Connect 2.0.0 or later:

Jamf Connect Login

  • BackgroundImageAlph
  • LoginScreen
  • CreateSyncPasswords
  • CreateVerifyPasswords

Jamf Connect Sync

  • ActionsUpdateTime
  • ADExpirationShow
  • CenterSignInWindow
  • ChangePasswordOrder
  • ChangePasswordTimer
  • CheckSafariExtension
  • ExportableKey
  • HideLockScreen
  • IgnoreDomainReachability
  • KeychainItemsDebug
  • LDAPServers
  • LocalPasswordIgnore
  • LocalPasswordSync
  • LocalPasswordSyncOnMatc
  • MenuLockScreen
  • MessagePluginDisabled
  • NetworkCheckAutomatically
  • PasswordCheckUpdateTime
  • PasswordExpirationMenu
  • PeriodicUpdateTime
  • UseKeychain
  • UseKeychainPrompt
  • UseKeychainPromptExclusion
  • WarnOnPasswordExpiration

Jamf Connect Verify

  • AlwaysShowSuccess
  • HideSignIn
  • KeychainItemsCreateSerial
  • KeychainItemsDebug
  • LocalPasswordIgnore
  • MessageBrowserPasswordChang
  • MessageNetworkPasswordWrong
  • MessagePasswordSuccess
  • NetworkCheckAutomatically
  • WindowAbout

Removed Preference Domains

Jamf Connect configuration profiles written to the following domains are no longer supported and should be removed from computers:

  • com.jamf.connect.sync

  • com.jamf.connect.verify

Documentation Removals

The Jamf Connect Evaluation Guide has been removed.