Release History

The release history contains a complete list of releases, features, and improvements.

2.4.1 (2021-07-12)

Kerberos Ticket Caching

You can now use the Cache Kerberos Tickets on Network Change (CacheTicketsOnNetworkChange) setting to determine whether a user's Kerberos tickets are cached or destroyed when a network status changes on computers. When set to true, computers will cache Kerberos tickets when a network change occurs. By default, this setting is set to false and Kerberos tickets are destroyed during a network change.

For more information, see Kerberos Settings.

Custom Username for Resource Owner Password Grant (ROPG) Authentication

You can now use the ROPG Short Name (OIDCROPGShortName) setting to define an attribute from an ID token to use as the username during the ROPG authentication flow.

This setting is only used in complex IdP environments where an IdP does not respect the claims used by Jamf Connect to define the username (e.g., unique_name, preferred_username, email, and sub) during the ROPG workflow.

For more information, see Advanced Login Settings.

Bug Fixes

  • [PI-009715] Custom messages configured by the Sync Passwords Message (SyncPasswordsMessage) are now displayed when excludeUsername is also configured as a password policy requirement.

  • [JC-2795] The Pair New Device window that displays the QR code for pairing with Jamf Unlock now closes after a user successfully scans the QR code or clicks the x button.

Jamf Unlock 1.1.0

Jamf Unlock 1.1.0 includes new managed app configuration settings and bug fixes. For more information, see the Jamf Unlock Release History.

2.4.0 (2021-06-14)

Introducing Jamf Unlock 1.0.0

Jamf Unlock is a mobile device app that allows a user to unlock their Mac with a mobile device without using a password. With Jamf Unlock, users complete a setup process to create or generate identity credentials (certificate) on their device, which is then used to pair and establish trust with a Mac. Once the setup is complete, users can easily use the app as an alternate authentication method in the following scenarios:

  • Unlocking a Mac
  • Prompts to change settings in System Preferences
  • Commands executed with root privileges with the sudo command

IT administrators can configure Jamf Unlock authentication settings via managed app configuration and deploy the app to users in their organization.

To use Jamf Unlock in your environment, you need the following:

  • A Jamf Unlock subscription and the Jamf Connect 2.4.0 menu bar app installed on computers.

    Note:

    You must also include the Enable Unlock (EnableUnlock) setting in your menu bar app configuration profile. For more information, see Enabling Jamf Unlock on Computers.

  • An MDM solution, such as Jamf Pro

  • Managed devices with iOS 14.0 or later that are connected to the internet

  • Computers with macOS 10.15.4 or later with the Jamf Unlock menu bar app installed

  • A cloud identity provider (IdP) and an OpenID Connect app integration.

    Note:

    If you already deployed the menu bar app in your environment, you can use an existing app integration for the menu bar app by adding an additional Redirect URI for Jamf Pro. If you use Okta and its authentication API with the menu bar app, you must create a new app integration to support the OpenID Connect authentication protocol.

For more information, see Jamf Unlock.

Jamf Pro 10.30 Deployment Integration

If you have a Jamf Pro subscription, you can now deploy Jamf Connect directly from Jamf Pro. This eliminates the need to manually upload the installer package and use a policy to deploy Jamf Connect to computers.

For more information, see the Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers technical paper.

Bug Fixes

  • [JC-2696] Fixed an issue that prevented VoiceOver from reading text on the Connect screen of the Jamf Connect login window during account migrations.

  • [JC-2533] Fixed an issue that caused Jamf Connect to display an unexpected password expiration date for user passwords that are not configured to expire in Active Directory.

2.3.3 (2021-05-24)

Bug Fixes

  • [PI-008947] Fixed an issue that sometimes caused the Close button for the login window Help window to be covered by text configured with the Login Window Message (LoginWindowMessage) setting.

  • [PI-008954] Network checks by the menu bar app now update the LastSignIn key written to the com.jamf.connect.state PLIST file.

  • [PI-009179] Fixed an issue that unexpectedly allowed Jamf Connect Configuration to accept multiple lines of text in single line text fields.

  • [PI-009673] Fixed an issue that prevented authchanger arguments passed via a configuration profile written to com.jamf.connect.authchanger from being respected.

  • [PI-009700] [PI-009695] Fixed an issue that prevented the Jamf Connect login window from completing password validation (ROPG) for PingFederate users, which also caused account creation to fail.

  • [JC-1938] Fixed an issue that prevented Jamf Connect from retrieving Kerberos tickets for a user when a different user that previously signed in already retrieved Kerberos tickets.

  • [JC-2385] Fixed and improved some translation issues for languages other than English in the Jamf Connect menu bar app.

2.3.2 (2021-05-03)

New Menu Bar App Preference for Network Checks

You can now use the Perform Network Checks on Network Changes (checkOnNetworkChange) setting to determine whether Jamf Connect performs a network check when a computer's network status changes. This setting is included in the PasswordPolicies dictionary and is a boolean that is set to true by default. For more information, see Password Policy Settings.

Change to Admin Roles Setting in Jamf Connect Configuration

Jamf Connect Configuration now only configures the Admin Roles (OIDCAdmin) setting as an array of strings.

If you import existing configuration profiles into Jamf Connect Configuration and configure the Admin Roles setting in your environment, make sure that an array of strings is used in your configuration profile before importing rather than a single string, like the following:

<key>OIDCAdmin</key>
<array>
<string>role</string>
</array>

Note:

This change fixes PI-007892.
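One way to check a profile before importing it, as an added example (not Jamf's code): the script below walks a property list, finds every OIDCAdmin key, and wraps a single string in an array. The sample profile, its PayloadContent layout, and the function names are constructed for illustration.

```python
import plistlib

KEY = "OIDCAdmin"

# Constructed sample: a profile whose login window payload still stores
# OIDCAdmin as a single string instead of an array of strings.
LEGACY_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.jamf.connect.login</string>
            <key>OIDCAdmin</key>
            <string>role</string>
        </dict>
    </array>
</dict>
</plist>
"""


def _fix(node, path, changes):
    """Recursively normalize OIDCAdmin wherever it appears in the plist tree."""
    if isinstance(node, dict):
        if KEY in node:
            value = node[KEY]
            if isinstance(value, str):
                # Legacy form: a single string becomes a one-element array.
                node[KEY] = [value]
                changes.append(f"{path}/{KEY}: wrapped single string in an array")
            elif not (isinstance(value, list)
                      and all(isinstance(v, str) for v in value)):
                # Anything else is not a valid Admin Roles value.
                raise ValueError(
                    f"{path}/{KEY}: expected a string or an array of strings, "
                    f"got {type(value).__name__}"
                )
        for name, child in node.items():
            if name != KEY:
                _fix(child, f"{path}/{name}", changes)
    elif isinstance(node, list):
        for index, child in enumerate(node):
            _fix(child, f"{path}[{index}]", changes)


def normalize_admin_roles(profile_bytes):
    """Return (normalized plist bytes, list of changes made)."""
    root = plistlib.loads(profile_bytes)
    changes = []
    _fix(root, "", changes)
    return plistlib.dumps(root), changes


if __name__ == "__main__":
    fixed, report = normalize_admin_roles(LEGACY_PROFILE)
    for line in report or ["no changes needed"]:
        print(line)
    print(fixed.decode())
```
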

Bug Fixes

  • [PI-009217] Fixed an issue that prevented the NameID attribute in email format from correctly being used as the user's account name when Jamf Connect was used to create users from Okta via Jamf Pro's Enrollment Customization settings.

  • [PI-008734] Fixed an issue that prevented password policy information detected from Active Directory from displaying correctly in Jamf Connect's Password Change and New Password windows.

  • [PI-009494] Fixed an issue that prevented the Formatted ID Token Path (OIDCIDTokenPath) and Raw ID Token Path (OIDCIDTokenPathRaw) settings from storing a user's ID token at the configured file path.

  • [PI-009516] Fixed an account migration issue that prevented Jamf Connect from searching for an existing local account that matches a custom short name configured with the Custom Short Name (OIDCShortName) setting.

  • [PI-009613] Fixed an issue that prevented VoiceOver from reading text fields in the Jamf Connect login window.

2.3.1 (2021-04-05)

Login Window

[PI-009285] Improved the login and account creation experience by displaying an animated loading bar between when a user authenticates and when the Finder displays.

Menu Bar App

  • [PI-009164] Fixed an issue that caused Jamf Connect to fail to respect the custom action MenuIcon preference key. 

  • [PI-009223] Fixed an issue in which deploying a configuration with misconfigured custom branding settings caused the menu bar app icon to be absent.

  • [JC-2329] Fixed an issue that caused the menu bar to display a blank webview when attempting to authenticate if no MFA option was configured. 

  • [JC-2529] Fixed an issue that caused Jamf Connect to fail to update some AD attributes (e.g., password expiration date) after changing the password via the menu bar app. 

2.3.0 (2021-03-22)

Keyboard Layout Selection at the Login Window

Users can now select a keyboard type from the Jamf Connect login window by clicking the keyboard button in the upper-right of the screen. Users can select from any keyboard input source supported by macOS. This feature also fixes PI-009230.

New Menu Bar App Preference Key for Okta Password Expiration Dates

The Password Expiration Manual Override (ExpirationManualOverrideDays) setting allows Okta administrators to display the number of days remaining before a user's password expires in the menu bar app for Okta accounts that are not mastered by Active Directory. This setting is included in the PasswordPolicies dictionary and is an integer that specifies the lifetime of an Okta password in your organization. For example, if users must change their Okta password every 90 days, set the integer value to 90.

Note: If your Okta accounts are mastered by Active Directory, this setting cannot be used. Continue to integrate Jamf Connect with a Kerberos realm to display the password expiration date in the Jamf Connect menu bar app.

Identity Provider Endpoint Usage

Jamf Connect now detects and uses any discovery URLs that are included in a Jamf Connect configuration profile instead of using the pre-configured discovery URLs that are included in Jamf Connect's authentication framework by default.

To ensure authentication with Jamf Connect continues to succeed, make sure you do the following before you deploy Jamf Connect 2.3.0:

  • If you are using an identity provider other than PingFederate or a custom option, make sure discovery URL key-value pairs are either not configured (Jamf Connect uses pre-configured discovery URLs for supported IdPs) or match the discovery endpoint documented by your IdP.
  • If you use Jamf Connect with Azure AD in an AD FS hybrid identity environment, in addition to making sure the Discovery URL (OIDCDiscoveryURL) is not configured, make sure the Hybrid ID Discovery URL (ROPGDiscoveryURL) uses your AD FS discovery endpoint.

LAPS User Setting Behavior Changes

The LAPS User (LAPSUser) setting is now ignored on computers in the following scenarios: 

  • If any account type logs in with Jamf Connect on computers with macOS 11 or later.
  • If a local administrator logs in with Jamf Connect on computers with macOS 10.15 or earlier.

This helps ensure this setting only runs to enable FileVault for standard users on macOS 10.15 or earlier. This change also fixes PI-007744.

Custom Menu Bar Icon Changes for macOS 11 or Later

On computers with macOS 11 or later, the Dark Mode Icon (MenubarIconDark) setting is no longer supported. To continue using a custom menu bar icon for Jamf Connect on macOS 11 or later, make sure to only use the Light Mode Icon (MenuBarIcon) setting. 

Keep the following in mind about menu bar icons for macOS 11 or later:

  • macOS 11 will automatically change the tint of a monochrome icon to clearly display against the desktop image.
  • If you use a custom icon with multiple colors for Jamf Connect, the icon will automatically be converted to a monochrome template to match Apple guidelines. Using an icon with multiple colors is not recommended and may cause the menu bar icon to display in an unexpected way.

Bug Fixes

The following issues are fixed in the login window:

  • [PI-008572] Fixed an issue that caused ROPG authentication to fail when Jamf Connect was configured to use the OpenID Connect authentication protocol rather than the Okta Authentication API with Okta.
  • [PI-009139] Fixed an issue that caused the authchanger -preLogin command-line argument to incorrectly display the notify screen after a user logs in instead of before login.

The following issues are fixed in the menu bar app:

  • [PI-009274] Fixed an issue that caused Jamf Connect to not provide an option to complete unsupported MFA request types when attempting to log in.
  • [PI-009295] The Jamf Connect launch agent package is now built as a universal installer package.
  • [PI-009107] Fixed an issue that caused the Jamf Connect menu bar app to sometimes use old credentials during sign-in after a password change when the Enable Automatic Sign-in (AutoAuthenticate) setting was enabled, which caused sign-in to fail.

2.2.2 (2021-02-22)

Jamf Connect 2.2.2 includes the following bug fixes.

Login Window

  • [PI-009151] Fixed an issue that caused Jamf Connect to add the user's network short name as a local account alias rather than the local account name when the Short Name Attribute (OIDCShortName) setting was configured.

  • [PI-009104] Fixed an issue that prevented Jamf Connect from respecting Passcode payload settings configured via an MDM profile.

  • [PI-008376] Fixed an issue that caused the word "testing" to appear beneath the progress bar on the Notify screen when a user pressed any key.

Menu Bar App

  • [PI-009241] Fixed an issue that caused Jamf Connect to not respect the BrowserSelection preference key.

  • [PI-009280] Fixed an issue that caused the menu bar app to fail to display custom names configured in the MFA Option Names (MFARename) preference key and instead display "token:software:tot".

Configuration

[PI-009221] Fixed an issue that caused Jamf Connect Configuration to fail to include the Web Browser dictionary when exporting configurations.

2.2.1 (2021-02-08)

Jamf Connect 2.2.1 includes the following bug fix:

[JC-2246] Fixed an issue that caused automatic login with FileVault to fail on Mac computers with Apple silicon, which required users to enter a password at the FileVault screen and Jamf Connect login window on startup.

2.2.0 (2021-01-25)

Jamf Connect 2.2.0 includes the following enhancements and bug fixes.

Support for OneLogin OpenID Connect Version 2 Service

Jamf Connect now supports the version 2 endpoints of OneLogin's OpenID Connect service.

Important:

OneLogin will deprecate version 1 of their OpenID Connect service on January 26. To ensure OneLogin authentication continues to succeed with Jamf Connect, you must do the following:

  • Update your Jamf Connect configuration profiles to include a tenant ID

  • Upgrade to Jamf Connect 2.2.0

For more information about OneLogin's OpenID Connect service migration, see the Upgrade v1 to v2 developer documentation from OneLogin.

For instructions on updating your Jamf Connect configuration profiles, see the Migrating to OneLogin's Version 2 OpenID Connect Service for Jamf Connect Knowledge Base article.

Bug Fixes

Jamf Connect 2.2.0 includes the following bug fix:

[PI-009069] Fixed an issue that caused the Jamf Connect login window to disappear after 10 to 30 seconds of inactivity when Bomgar or another application was configured to run on startup.

2.1.3 (2021-01-11)

Jamf Connect 2.1.3 includes the following enhancement and bug fixes.

Acceptable Use Policy Customization Enhancements

You can now use either of the following new methods to display a PDF, TXT, RTF, or RTFD file on Jamf Connect's Acceptable Use Policy screen:

Apple policy banner

If you configured an Apple policy banner, Jamf Connect will display the contents of the policy banner on the acceptable use policy screen. Jamf Connect automatically searches /Library/Security for a file named "PolicyBanner" to display this file. No additional settings need to be configured for Jamf Connect to detect and display this file.
For more information about Apple policy banners, see How to set up policy banners in macOS from Apple's support website.

Custom File Upload

You can store a custom file that contains your acceptable use policy content and configure the Acceptable Use Policy Document (EULAFilePath) setting with the value of the file path.

Bug Fixes

Jamf Connect 2.1.3 includes the following bug fixes.

Login Window

[PI-008155] Fixed an issue that caused Jamf Connect to create an empty recovery key PLIST file when the EnableFDERecoveryKey and LAPSUser preference keys were both configured.

Menu Bar App

[PI-009010] Fixed an issue that caused Jamf Connect to attempt to change passwords via Kerberos even when the domain was not reachable.

2.1.2 (2020-12-14)

Jamf Connect 2.1.2 includes the following bug fixes and enhancements.

Bug Fixes and Enhancements

Configuration

Fixed an issue that prevented Jamf Connect Configuration from notifying users of unsupported preference keys if their level of indentation in the XML file was three or more levels deep.

Menu Bar App

  • If you do not have MFA configured, you can now use the ShortNameAttribute preference key to specify a custom attribute included in an ID token for use as a Kerberos short name. This value is stored in the Jamf Connect state settings as the CustomShortName key-value.


  • [PI-08909] Fixed an issue that caused Jamf Connect to fail to sync and store passwords in Keychain if the password contained the pound symbol (£).

  • [PI-009016] Fixed an issue that caused Jamf Connect to continue to prompt users for their short name at each login.

  • [PI-009017] Fixed an issue that caused the menu bar app to not respect the Hide Password Expiration Menu Item (PasswordExpiration) preference.

  • [PI-009018] Fixed an issue that caused Jamf Connect to display a blank web view when attempting to log in to the menu bar app if the network password was expired and MFA was not configured.

  • [JC-2302] Fixed an issue that caused the menu bar app to display a nonresponsive item named "item" when the password expiration menu bar item was not configured to be hidden.

  • [JC-2195] Fixed an issue that caused some elements of security prompts to be obscured when the language settings were set to a language other than English.

2.1.1 (2020-11-30)

Jamf Connect 2.1.1 includes the following bug fixes and enhancement.

Configuration

Removed an extraneous button that could be added to the toolbar, which acted the same as the Test button.

Login Window

  • [PI-008978] Fixed an issue that caused Jamf Connect to display a grey screen when a custom login window message and an Apple policy banner were both configured.


  • [PI-008987] Fixed an issue that caused the Jamf Connect login window to freeze after entering the FileVault password when FileVault is enabled on computers, an Acceptable Use Policy screen was configured to display, and Require Network Authentication (DenyLocal) was disabled.

  • [JC-2126] Fixed an issue that caused the local help file, when configured, to unexpectedly display for about two seconds after a successful network authentication.

Menu Bar App

[PI-009016] Fixed an issue that prevented password sync prompts from displaying on Big Sur if Enable Automatic Sign-in (AutoAuthenticate) was enabled.

2.1.0 (2020-11-16)

Jamf Connect 2.1.0 includes the following enhancements and bug fixes.

Acceptable Use Policy Screen Redesign

The Acceptable Use Policy Screen has been redesigned to match the appearance of the Jamf Connect login window redesign that was released with Jamf Connect 2.0.0.

Apple Silicon Compatibility for Jamf Connect

Jamf Connect is now a universal app that can run on Macs with Apple silicon* or Intel hardware.

Important:

New Macs with Apple silicon do not install Rosetta, Apple's binary translation service, until an Intel-based application is first opened. To ensure Macs with Apple silicon successfully run Jamf Connect, make sure you deploy Jamf Connect 2.1.0 or later to Macs with Apple silicon in your environment.

*Hardware support is based on testing with the Mac Developer Transition Kit.

Changes to Enabling FileVault for Standard Accounts for macOS 11

Beginning with macOS 11, you no longer need to use the LAPS User (LAPSUser) setting to specify which local administrator account receives a SecureToken and then grants it to standard local accounts created by Jamf Connect. If you use Jamf Connect to enable FileVault for local administrator and standard accounts, remove the LAPS User (LAPSUser) setting from login window configuration profiles that are deployed to computers with macOS 11.

For more information, see FileVault Enablement with Jamf Connect.

Bug Fixes and Enhancements

Jamf Connect 2.1.0 includes the following bug fixes.

Configuration

You can now use the text editor in Jamf Connect Configuration to add and edit nonstandard preference keys. Configurations with nonstandard keys can also be imported without being modified.

Licensing

Fixed an issue that prevented license data from being respected as a base64 encoded string that is configured with the License File (LicenseFile) preference key.

Login Window

  • [PI-008704] Fixed an issue that prevented local user accounts created via Okta from respecting user role changes configured with OIDC apps in Okta.

  • [PI-008935] [JC-2017] Fixed an issue that prevented custom messages displayed with the Login Window Message (LoginWindowMessage) setting from hiding the last word of the message.

  • Fixed an issue that caused the login window to cache usernames in the identity provider (IdP) web view on computers with macOS 11.

  • Fixed an issue that caused the username text to turn black when selected after an unsuccessful Okta authentication attempt on computers with macOS 11.

2.0.2 (2020-11-03)

Note:

The legacy Jamf Connect applications (Login, Sync, Verify) were recently updated to support macOS Big Sur 11. If you have not yet upgraded to Jamf Connect 2.0.0 or later and want to ensure Jamf Connect is compatible with computers on macOS 11, you can deploy Jamf Connect 1.19.3. To download Jamf Connect 1.19.3 from Jamf Nation, navigate to My Assets > Jamf Connect > Previous Versions. 
 *Compatibility is based on testing with the latest Apple beta releases.

Jamf Connect 2.0.2 includes the following enhancements and bug fixes.

Jamf Connect Configuration Enhancements

  • Automatically Name Imported Configurations—Jamf Connect Configuration now uses the file names of imported configuration files to automatically name the configuration. You can still change the name of an imported configuration file by clicking on it in the sidebar and entering a new name.

  • Jamf Connect Setup Assistant Removed—The setup assistant has been removed from Jamf Connect Configuration to provide a simpler, more intuitive interface. To create a new configuration, click the + icon at the bottom of the sidebar.

Bug Fixes

Jamf Connect 2.0.2 includes the following bug fixes.

Login Window

  • [PI-008725] Fixed an issue that prevented password verification from succeeding and a custom short name from being added to the user's local account when the Short Name (OIDCShortName) setting was used.

  • [JC-2175] Fixed an issue that caused loginwindow mechanisms to run twice after upgrading Jamf Connect to a new version, which sometimes caused the Acceptable Use Policy screen, when configured, to appear twice during user logins.

Menu Bar App

[PI-008974] Fixed an issue that sometimes caused Jamf Connect to fail to prompt users to update out of sync passwords if the password was changed in Okta.

Configuration

  • [JC-2021] Fixed an issue that caused Jamf Connect Configuration to lose license file information when quit.

  • [JC-2050] Fixed an issue that caused Jamf Connect Configuration to create a blank configuration when clicking Cancel on an unsupported keys alert.

2.0.1 (2020-10-19)

Note:

Jamf Pro 10.25.0 introduced new computer extension attribute templates for Jamf Connect and an automatic way to install a Jamf Connect privacy preferences policy control (PPPC) profile. For more information, see the Jamf Pro Release Notes.

Bug Fixes

Jamf Connect 2.0.1 includes the following bug fixes:

Login Window

  • [PI-007101] Fixed an issue that prevented Google ID users from being prompted to enroll in multifactor authentication (MFA) when required.

  • [PI-008868] Fixed an issue that prevented the Use Local Authentication by Default (OIDCDefaultLocal) setting from being respected.

  • [PI-008870] [JC-1956] Fixed an issue that caused the acceptable use policy screen, when configured, to incorrectly display.

  • [PI-008874] Fixed an issue that prevented OneLogin users from creating accounts via Jamf Connect and Jamf Pro's Enrollment Customization settings.

  • [PI-008861] Fixed an issue that caused the Login Window Message (LoginWindowMessage) setting to be unavailable in the Jamf Repository settings available in Jamf Pro's Application & Custom Settings payload.

  • [PI-008899] Fixed an issue that caused the notify screen, when enabled, to expand to the full-screen width.

Menu Bar

  • [PI-008593] Fixed an issue that caused the menu bar app to fail to redirect users to the Okta dashboard if the Auth Server (AuthServer) value in the configuration is spelled with any capital letters.

  • [PI-008869] Fixed an issue that caused the menu bar app to incorrectly display a license validation error on computers with a valid Jamf Connect license.

  • [JC-1939] Fixed an issue that caused the menu bar app to always open Jamf Self Service if it is installed on the computer, even when the Self Service Path (SoftwarePath) preference is configured to open a different software.

  • [JC-1987] Fixed an issue that caused the Home or Home Directory menu bar item to appear even when the UserHomeDirectory value did not exist in a user's state settings or when a Kerberos integration was not configured.

  • [JC-2080] Fixed an issue that prevented the value of the ShortName key from being used for Kerberos authentication.

Configuration

  • [JC-1922] Fixed an issue that caused Jamf Connect Configuration to fail to clear formatting on text pasted into the code editing field.

  • [JC-2053] Fixed an issue that caused the Jamf Connect Configuration UI to be missing the User Help, Keychain, Scripting, and Certificates settings sections.

2.0.0 (2020-09-28)

Jamf Connect 2.0.0 introduces a significant redesign to the Jamf Connect login window user experience and product deployment.

For instructions on upgrading from Jamf Connect 1.19.2 or earlier to Jamf Connect 2.0.0, see the Upgrading to Jamf Connect 2.0.0 or Later Knowledge Base article.

What's New

Jamf Connect 2.0.0 includes the following new features and improvements.

Unified Menu Bar App

Jamf Connect Sync and Jamf Connect Verify are now a single menu bar app called "Jamf Connect" that can be configured and deployed for any supported cloud identity provider (IdP).

The Jamf Connect 2.0.0 packages install the following components on computers:

| Component | Location |
| --- | --- |
| JamfConnectLogin.bundle | /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/ |
| | /Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/authchanger |
| | /usr/local/lib/pam/pam_saml.so.2 |
| Jamf Connect.app | /Applications/Jamf Connect.app |

New App Icon

The Jamf Connect app has a new icon. Look for the following icon in the Applications folder when Jamf Connect is installed on computers:

Note:

The Jamf icon is still used in the menu bar when the app is open.

New Menu Bar Sign-In Preference for Okta

Users can now determine whether the Okta dashboard is opened in their selected browser after sign-in by selecting the checkbox next to the Browser pop-up menu. This setting is enabled by default and can be managed with the LaunchBrowser preference key (boolean) in the WebBrowser dictionary.

Login Window Redesign

The login window has been redesigned with a modern and improved user experience for both Okta authentication and OpenID Connect authentication methods.

Step Indicators

The top of the login window now includes step indicators to help users through the Jamf Connect login process. Depending on the workflow, users will see the following:

Authenticate

Displays when users must authenticate with their cloud identity provider (IdP) and complete a multifactor authentication (MFA) challenge through their IdP, if configured.

Connect

Displays when the Connect existing local accounts to a network account (Migrate) setting is enabled. The user must 1) enter the password of an already existing local account that has a username that matches an account in the IdP, 2) choose an existing local account to connect to the IdP, or 3) create a new account based on the cloud IdP.

Verify

Asks the user to re-enter their network password, which serves as both an additional security layer and verifies that the user's local and IdP passwords match. If the network password does not match the local password, the user will be prompted to sync passwords.

Other Changes and Enhancements

Network Selection

The Allow Network Selection button has been replaced with a WiFi icon in the upper-right corner of the login window.

Local Login

The Local Auth button is now named Local Login and appears along the bottom of the login window.

Error Messaging

Some error messages have been improved to help users troubleshoot configuration issues.

Custom Login Window Message

You can now add a custom message to the login window by configuring the LoginWindowMessage preference key.

For more information about the login window user experience, see End User Experience and Workflows.

Jamf Connect Configuration Enhancements

Jamf Connect Configuration 2.0.0 includes support for configuring primary Jamf Connect 2.0 settings and the following new features:

XML Editor

You can now use an XML editor mode to preview the configuration profile in XML and make manual changes to your configuration profile.

To view and edit your configuration profile in XML, click the </> icon.

New App Icon

Jamf Connect Configuration now uses the following icon in the Applications folder and Dock:

What's Changed

The following things have changed in Jamf Connect.

Installation

The login window and menu bar app are now included in a single package installer. You can use the package to install all components of Jamf Connect, or just the menu bar or login window.

The package installer will also remove the following from computers:

  • Jamf Connect Sync and Jamf Connect Verify apps

  • Jamf Connect Sync and Jamf Connect Verify launch agents. Launch agents will also be stopped.

  • Any associated installer receipts will be removed from the installer system.

authchanger Improvements

Requirements

The command arguments executed by the authchanger tool can now be read from a configuration profile. If used, the configuration profile must be written to com.jamf.connect.authchanger and contain the Arguments key, which is an array of strings of supported authchanger arguments. Arguments are read in the order in which the strings are configured, similar to how they are ordered on the command line.

The following example enables Jamf Connect authentication:

<key>Arguments</key>
<array>
<string>-reset</string>
<string>-jamfconnect</string>
</array>

The Jamf Connect installer does not add any arguments to authchanger by default. To enable the login window, use one of the following methods to pass authchanger arguments:

Note:

Jamf Connect will look for authchanger arguments in this order.

  1. Commands executed via the command-line. Consider the following scenarios:
    • If a command is executed with arguments, any preferences found in a configuration profile will be ignored.

    • If a command is executed without arguments, Jamf Connect will look for preferences in a configuration profile.

  2. Preferences found in a configuration profile written to com.jamf.connect.authchanger
  3. The Identity Provider (OIDCProvider) or Auth Server (AuthServer) preferences written to com.jamf.connect.login. These pass the -JamfConnect argument to automatically enable OpenID Connect or Okta authentication.
  4. If no arguments or preferences are found, the default loginwindow mechanisms will remain unchanged.
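The lookup order above, modeled as an added example (not Jamf's code) that reports which source supplies the authchanger arguments for a given computer. The sample payloads, the "ExampleIdP" value, the function names, and the treatment of an empty Arguments array as "no preferences found" are assumptions made for illustration.

```python
import plistlib

# Constructed sample payload for com.jamf.connect.authchanger, using the
# Arguments example from the text.
AUTHCHANGER_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Arguments</key>
    <array>
        <string>-reset</string>
        <string>-jamfconnect</string>
    </array>
</dict>
</plist>
"""

# Constructed sample payload for com.jamf.connect.login ("ExampleIdP" is a placeholder).
LOGIN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>OIDCProvider</key>
    <string>ExampleIdP</string>
</dict>
</plist>
"""


def _load(payload):
    """Parse a plist payload; None means the domain is not deployed."""
    if payload is None:
        return {}
    data = plistlib.loads(payload)
    if not isinstance(data, dict):
        raise ValueError("preference payload must be a dictionary")
    return data


def effective_authchanger_arguments(cli_args, authchanger_payload=None,
                                    login_payload=None):
    """Return (source, arguments) following the documented lookup order."""
    # 1. Arguments given on the command line win; profiles are ignored.
    if cli_args:
        return "command-line", list(cli_args)

    # 2. Arguments key in a profile written to com.jamf.connect.authchanger.
    args = _load(authchanger_payload).get("Arguments")
    if args is not None:
        if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
            raise ValueError("Arguments must be an array of strings")
        if args:  # assumption: an empty array counts as "no preferences found"
            return "com.jamf.connect.authchanger", list(args)

    # 3. OIDCProvider or AuthServer in com.jamf.connect.login implies -JamfConnect.
    login = _load(login_payload)
    if login.get("OIDCProvider") or login.get("AuthServer"):
        return "com.jamf.connect.login", ["-JamfConnect"]

    # 4. Nothing found: the default loginwindow mechanisms stay unchanged.
    return "unchanged", []


if __name__ == "__main__":
    cases = [
        (["-reset"], AUTHCHANGER_PROFILE, LOGIN_PROFILE),
        ([], AUTHCHANGER_PROFILE, LOGIN_PROFILE),
        ([], None, LOGIN_PROFILE),
        ([], None, None),
    ]
    for cli, auth, login in cases:
        print(effective_authchanger_arguments(cli, auth, login))
```
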

Licensing Updates

The Jamf Connect menu bar app will now check both the com.jamf.connect and com.jamf.connect.login preference domains for a valid license. This ensures that you only have to deploy the license file in a single configuration profile, if you are using both the login window and the menu bar app for your organization.

We may collect hashed data about license usage. This data is used to monitor the number of licenses in use with Jamf Connect in your organization and does not include any Personal Information.

Menu Bar App Launch Agent

A launch agent for the Jamf Connect menu bar is included as a separate installer package in the Jamf Connect DMG. When installed on computers, the launch agent will ensure that Jamf Connect remains open.

Preference Domains and Keys

The Jamf Connect menu bar app is configured using a single preference domain:

com.jamf.connect
Note:

Login window preferences will continue to be written to com.jamf.connect.login.

Preference keys from Sync and Verify have also been merged and restructured using dictionaries. Preferences are sorted into the following collections:

| Dictionary | Type | Description |
|---|---|---|
| IdPSettings | Dictionary | Used to allow Jamf Connect to complete authentication between your IdP and local accounts. Required settings vary by IdP. |
| SignIn | Dictionary | Used to configure the Sign-in window and user experience |
| Appearance | Dictionary | Used to customize Jamf Connect for your organization |
| UserHelp | Dictionary | Used to configure in-app help options for users |
| PasswordPolicies | Dictionary | Used to configure network password checks, expiration notifications, and password policies |
| Kerberos | Dictionary | Used to integrate Jamf Connect with a Kerberos realm for password syncing |
| Keychain | Dictionary | Used to allow Jamf Connect to sync passwords with keychain items |
| CustomMenuItems | Dictionary | Used to customize the names of menu items in Jamf Connect |
| HiddenMenuItems | Array | An array of strings used to hide Jamf Connect menu items from users |
| Scripting | Dictionary | Used to run custom scripts that are triggered by Jamf Connect authentication events |
| Certificate | Dictionary | Used to configure Windows web CA settings |

Keep the following in mind when configuring new preferences for the Jamf Connect menu bar:

  • Preferences that are configured with an interval, such as NetworkCheck, can be disabled by setting the interval value to 0.

  • If setting preferences with the command-line, you will need to use the -dict-add argument to configure a dictionary of keys. The following example shows how to disable network password checks:

Example: defaults write com.jamf.connect PasswordPolicies -dict-add NetworkCheck 0

For a complete list of menu bar preferences, see Menu Bar App Preferences.

Renamed Preference Keys

Most preference keys used in Jamf Connect Sync and Jamf Connect Verify have been renamed to better represent their function or as a result of Jamf Connect becoming one app.

The following tables show which preference key names from Jamf Connect Sync and Jamf Connect Verify have been replaced with a new name in Jamf Connect 2.0.0:

Jamf Connect Sync Preference Key Changes

| 1.19.2 or Earlier | 2.0.0 |
|---|---|
| AuthServer | OktaAuthServer |
| AutoAuth | AutoAuthenticate |
| DontShowWelcome | ShowWelcomeWindow |
| ExpirationWarningDays | ExpirationNotificationStartDay |
| GetHelpOptions | HelpOptions |
| GetHelpType | HelpType |
| HideAbout | About |
| HideActions | Actions |
| HideChangePassword | ChangePassword |
| HideGetHelp | GetHelp |
| HideGetSoftware | GetSoftware |
| HidePreferences | Preferences |
| HideQuit | Quit |
| HideSignIn | Connect |
| KerberosRealm | Realm |
| KerberosRenew | AutoRenewTickets |
| KerberosShortName | ShortNameAttribute |
| KerberosShortNameAsk | AskForShortName |
| KerberosShortNameAskMessage | AskForShortNameMessage |
| KeychainItems | PasswordItems |
| KeychainItemsInternet | InternetItems |
| LabelPassword | PasswordLabel |
| LabelUsername | UsernameLabel |
| LocalPasswordSyncMessage | SyncPasswordsMessage |
| MenuAbout | About |
| MenuActions | Actions |
| MenuChangePassword | ChangePassword |
| MenuGetHelp | GetHelp |
| MenuGetSoftware | GetSoftware |
| MenuIcon | MenubarIcon |
| MenuPreferences | Preferences |
| MenuSignIn | Connect |
| MessageOTPEntry | OneTimePasswordMessage |
| MessagePasswordChangePolicy | PolicyMessage |
| PasswordChangeCommand | OnPasswordChange |
| PasswordExpirationMenuDays | ExpirationCountdownStartDay |
| PasswordPolicy | PolicyRequirements |
| SelfServicePath | SoftwarePath |
| SignInCommand | OnAuthSuccess |
| Template | CertificateTemplate |
| TicketsOnSignIn | GetTicketsAtSignIn |
| TitleSignIn | WindowTitle |
| WifiNetworks | SecureNetworks |
| X509CA | WindowsCA |

Jamf Connect Verify Preference Key Changes

| 1.9.2 or Earlier | 2.0.0 |
|---|---|
| DontShowWelcome | ShowWelcomeWindow |
| FailToolPath | OnAuthFailure |
| ForceSignInWindow | RequireSignIn |
| GetHelpOptions | HelpOptions |
| GetHelpType | HelpType |
| HideAbout | About |
| HideChangePassword | ChangePassword |
| HideGetHelp | GetHelp |
| HideGetSoftware | GetSoftware |
| HideHomeDirectory | HomeDirectory |
| HideLastUser | LastUser |
| HidePrefs | Preferences |
| HideQuit | Quit |
| HideResetPassword | ResetPassword |
| HideShares | Shares |
| KerberosGetTicketsAutomatically | GetTicketsAtSignIn |
| KerberosRealm | Realm |
| KerberosShortName | ShortNameAttribute |
| KerberosShortNameAsk | AskForShortName |
| KerberosShowCountdown | ExpirationCountdownStartDay |
| KerberosShowCountdownLimit | ExpirationCountdownStartDay |
| KeychainItems | PasswordItems |
| KeychainItemsInternet | InternetItems |
| LoginLogo | SignInLogo |
| MenuAbout | About |
| MenuActions | Actions |
| MenuChangePassword | ChangePassword |
| MenuGetHelp | GetHelp |
| MenuGetSoftware | GetSoftware |
| MenuHomeDirectory | HomeDirectory |
| MenuKerberosTickets | KerberosTickets |
| MenuResetPassword | ResetPassword |
| MenuShares | Shares |
| MessageLocalSync | SyncPasswordsMessage |
| ODICROPGID | ROPGID |
| OIDCChangePasswordURL | ChangePasswordURL |
| OIDCClientSecret | ClientSecret |
| OIDCDiscoveryURL | DiscoveryURL |
| OIDCProvider | Provider |
| OIDCResetPasswordURL | ResetPasswordURL |
| OIDCTenantID | TenantID |
| ROPGSuccessCodes | SuccessCodes |
| SelfServicePath | SoftwarePath |
| TimerNetworkCheck | NetworkCheck |
| WindowSignIn | WindowTitle |

Additional Changes

  • The custom URL scheme that allows users to perform quick actions within the menu bar app has been updated for the unified menu bar app. For more information, see Jamf Connect URL Scheme.

  • The Jamf Connect (CreateJamfConnectPassword) setting has been added to the login window preferences. This setting allows Jamf Connect to automatically populate the Sign In window in the menu bar app with the network username and password that a user entered to log in or create a new local account with Jamf Connect. This setting is enabled by default and replaces the Jamf Connect (CreateSyncPasswords) and Create Jamf Connect (CreateVerifyPasswords) settings used in Jamf Connect 1.19.2 or earlier.

  • The Jamf Connect loginwindow mechanism that enables FileVault now only runs if the Enable FileVault (EnableFDE) setting is enabled in the Jamf Connect login window configuration profile.

  • The Retrieve Kerberos Tickets During Sign-in (GetTicketsAtSignIn) setting has been removed from the menu bar app. Jamf Connect now automatically retrieves Kerberos tickets for users if a Kerberos realm is configured with the Kerberos Realm (Realm) setting. This enhancement fixes JC-1898.

Deprecations and Removals

The following Jamf Connect features and settings have been deprecated or removed.

Browser Extensions

The Safari and Google Chrome Browser Extensions included with Jamf Connect Sync are no longer supported.

Removed Preference Keys

The following preference keys are no longer supported. These settings should not be included in a configuration profile for Jamf Connect 2.0.0 or later:

Jamf Connect Login

  • BackgroundImageAlph
  • LoginScreen
  • CreateSyncPasswords
  • CreateVerifyPasswords

Jamf Connect Sync

  • ActionsUpdateTime
  • ADExpirationShow
  • CenterSignInWindow
  • ChangePasswordOrder
  • ChangePasswordTimer
  • CheckSafariExtension
  • ExportableKey
  • HideLockScreen
  • IgnoreDomainReachability
  • KeychainItemsDebug
  • LDAPServers
  • LocalPasswordIgnore
  • LocalPasswordSync
  • LocalPasswordSyncOnMatc
  • MenuLockScreen
  • MessagePluginDisabled
  • NetworkCheckAutomatically
  • PasswordCheckUpdateTime
  • PasswordExpirationMenu
  • PeriodicUpdateTime
  • UseKeychain
  • UseKeychainPrompt
  • UseKeychainPromptExclusion
  • WarnOnPasswordExpiration

Jamf Connect Verify

  • AlwaysShowSuccess
  • HideSignIn
  • KeychainItemsCreateSerial
  • KeychainItemsDebug
  • LocalPasswordIgnore
  • MessageBrowserPasswordChang
  • MessageNetworkPasswordWrong
  • MessagePasswordSuccess
  • NetworkCheckAutomatically
  • WindowAbout

Removed Preference Domains

Jamf Connect configuration profiles written to the following domains are no longer supported and should be removed from computers:

  • com.jamf.connect.sync

  • com.jamf.connect.verify

Documentation Removals

The Jamf Connect Evaluation Guide has been removed.