Configuration Profile Payload Settings Specific to Jamf Pro

This article explains the function of configuration profile payload settings that affect computers or mobile devices in a complex way or are unique to Jamf Pro.

Jamf Pro Versions Affected | Configuration Profile Type | Payload(s) | Setting | Description

10.19.0 or later | Computer | Application & Custom Settings | Configure Settings

You can enter a JSON Schema manifest for an application that is not currently provided by Jamf Pro. After entering the manifest, you can use the settings provided in the Jamf Pro interface to further customize your application.

For more information about managing an app using a JSON Schema manifest and Jamf Pro, see the Managing Settings for Computer Applications using JSON Schema and Jamf Pro Technical Paper.

10.18.0 or later | Computer | Application & Custom Settings | Configure Settings

You can use Jamf Pro to choose an application you want to customize, and then configure settings for the specified app. You can use the settings in the payload to customize applications such as Jamf Connect or Microsoft Office.

10.17.0 or later | Computer | Passcode | Require Passcode

This setting is not explicitly displayed in the user interface in Jamf Pro 10.16.0 or earlier.

This setting is automatically enabled and deployed to devices in scope if any other Passcode payload setting is enabled.

10.17.0 or later | Computer | Passcode | Complex Passcode

This setting has been renamed from "Allow simple value" in Jamf Pro 10.16.0 or earlier.

Select Require complex passcode to ensure the passcode cannot contain repeating, ascending, and descending character sequences. If you do not select the checkbox, the use of a simple passcode will be allowed on a computer.

10.17.0 or later | Computer | Passcode | Alphanumeric Value

This setting has been renamed from "Require alphanumeric value" in Jamf Pro 10.16.0 or earlier.

Select Require alphanumeric value if the passcode must contain at least one letter and one number. If you do not select the checkbox, the use of alphabetic characters ("abcd") along with numbers will not be required on a computer.

10.17.0 or later | Computer | Passcode | Change at Next Authentication (macOS 10.13 or later)

This setting has been renamed from "Force password reset on next user authentication (macOS 10.13 or later)" in Jamf Pro 10.16.0.

Note:

The implementation of this setting has effects that are unique to Jamf Pro. The setting is not unique to Jamf Pro and is available in Profile Manager/Apple Configurator.

When this setting is enabled, the profile forces a password reset the next time the user authenticates. In addition, if the profile containing this payload is modified and re-saved, the setting is enforced the next time the user authenticates.

This setting applies to the Jamf Management Account and all local accounts including the administrator on target computers. Authentications may fail until the password is reset.

10.16.0 or later | Computer | System Extensions

You can allow app developers to extend their products by using the team bundle identifier and specifying one of the following:

  • A list of allowed system extensions using bundle identifiers

  • The allowed system extension types

  • Allowing all system extensions

10.16.0 or later | Computer | Passcode | Force password reset on next user authentication (macOS 10.13 or later)

Note:

The implementation of this setting has effects that are unique to Jamf Pro. The setting is not unique to Jamf Pro and is available in Profile Manager/Apple Configurator.

When this setting is enabled, the profile forces a password reset the next time the user authenticates. In addition, if the profile containing this payload is modified and re-saved, the setting is enforced the next time the user authenticates.

This setting applies to the Jamf Management Account and all local accounts including the administrator on target computers. Authentications may fail until the password is reset.

10.13.0 or later | Mobile Device | Passcode | Require Passcode

This setting is not explicitly displayed in the user interface in Jamf Pro 10.12.0 or earlier.

This setting is automatically enabled and deployed to devices in scope if any other Passcode payload setting is enabled.

10.13.0 or later | Mobile Device | Passcode | Complex Passcode

This setting has been renamed from "Allow simple value" in Jamf Pro 10.12.0 or earlier.

Select Require complex passcode to ensure the passcode cannot contain repeating, ascending, and descending character sequences. If you do not select the checkbox, the use of a simple passcode will be allowed on a device.

10.13.0 or later | Mobile Device | Passcode | Alphanumeric Value

This setting has been renamed from "Require alphanumeric value" in Jamf Pro 10.12.0 or earlier.

Select Require alphanumeric value if the passcode must contain at least one letter and one number. If you do not select the checkbox, the use of alphabetic characters ("abcd") along with numbers will not be required on a device.

10.9.0 or later | Computer | Privacy Preferences Policy Control

Jamf Pro allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preference pane as part of the Privacy Preferences Policy Control profile.

This feature is available in macOS 10.14 or later.

This payload allows you to define an app based on the Identifier and Code Requirement of the app. After you define the app, you can choose which application or service from the target computer's Security & Privacy preference pane to allow or deny access to.

For more information about the contents of the Privacy Preferences Policy Control profile, see the Preparing Your Organization for User Data Protections on macOS 10.14 article.

10.8.0 or later | Computer | Certificate, SCEP | Preference Items

Allows you to configure a Certificate Preference or an Identity Preference by entering the locations (URLs) or email addresses for each preference item. You can include as many preference items as your environment requires.

This feature is available in macOS 10.12 or later.
Note:

This setting is only available for user-level profiles.

10.6.2 or later | Mobile Device, Computer | VPN | Enable VPN on Demand

Jamf Pro allows you to configure VPN On Demand rules that specify when and how devices are able to access your VPN services. To configure this feature, you must upload a configuration XML file that contains your rules. This feature is available for any supported VPN type.

The configuration XML file can contain one or more keys defined by the Apple configuration profile keys.

10.3.0 or later | Mobile Device | Home Screen Layout | Dock Layout/Page Layout

To add a web clip to the Dock or page layout on a mobile device with iOS 11.3 or later, you must also configure the Web Clips payload.
Important:

The following settings must match the respective fields in both payloads:

  • The Display Name field in the Home Screen Layout payload must match the Label field in the Web Clips payload.

  • The Unique ID field in the Home Screen Layout payload must match the URL field in the Web Clips payload.

10.3.0 or later | Mobile Device, Computer | SCEP | Subject text field

Jamf Pro automatically appends $PROFILE_IDENTIFIER to the Subject field if the Redistribute Profile option is configured.

Important:

To ensure the profile is redistributed before the SCEP-issued certificate expires, you must manually redistribute the profile to all computers and mobile devices that had the profile installed between Jamf Pro 10.0.0–10.2.x. If the appended identifier is not included in the Subject field of the SCEP payload, the profile is not redistributed before the certificate expires. Redistributing the profile to affected devices after upgrading to Jamf Pro 10.3.0 mitigates this issue.

9.101.0 | Computer | Security & Privacy | Recovery Key Encryption Method

Allows you to choose whether Jamf Pro will automatically encrypt and decrypt personal (also known as "individual") FileVault recovery keys.

There are two options:

Automatically encrypt and decrypt recovery key (default)

  • Key decryption: Key is automatically decrypted. If you choose this option, you do not need to configure a certificate in the Certificate payload when the Enable Escrow Personal Recovery Key option is enabled.
  • Key storage: Key is stored in Jamf Pro.
  • Viewing the recovery key: When you view the personal recovery key for a computer, the decrypted recovery key is displayed.

Manually specify encryption key

  • Key decryption: You must manually specify the encryption key to decrypt the FileVault recovery key. Manually specifying the encryption key requires a Certificate payload (.cer) included in the configuration profile. The certificate used to encrypt the personal recovery key must be specified in the Personal Recovery Key Encryption Certificate pop-up menu.
  • Key storage: Key is not stored in Jamf Pro.
  • Viewing the recovery key: When you view the personal recovery key for a computer, the encrypted recovery key is displayed. The encrypted key file will be base64- and CMS-encoded and is accessible when viewing management information for a computer by navigating to Management tab > FileVault 2 > Get FileVault 2 Recovery Key. (For Jamf Pro 10.14.0 or earlier, the recovery key can be viewed by navigating to Inventory tab > Disk Encryption > Show Key.)

9.9 or later | Mobile Device | Home Screen Layout | Page Layout

Allows you to configure the content and layout for each page on the device.

Apps and web clips that are assigned to the device but are not added to the page layout are placed on the last page of the device in alphabetical order.

If a folder on the device is not added to the page layout, the apps within the folder are removed from the folder and are placed on the last page of the device. The folder is removed from the device.

9.98 or later | Mobile Device | Restrictions | Allow connection to unmanaged Wi-Fi networks

Allows you to prevent users from connecting to any Wi-Fi networks not deployed through Jamf Pro.
Warning:

If left unchecked, and if at least one Wi-Fi payload is not configured on scoped devices through a configuration profile, devices may lose all network connectivity.
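
A preflight check for the lockout described in the warning above, as an added example that is not Jamf's own code. It assumes the unchecked setting is delivered as Apple's `forceWiFiWhitelisting` restriction key set to true and that the profiles scoped to each device are available as exported .mobileconfig plists; the device names and profiles are constructed.

```python
import plistlib

# Apple payload types and keys. Mapping the unchecked Jamf Pro checkbox to
# forceWiFiWhitelisting=true is an assumption of this example.
RESTRICTIONS = "com.apple.applicationaccess"
WIFI = "com.apple.wifi.managed"
FORCE_KEY = "forceWiFiWhitelisting"

def make_profile(name, payloads):
    """Serialize a constructed profile in the shape of an exported .mobileconfig."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": name,
        "PayloadContent": payloads,
    })

def wifi_lockout_risk(scope):
    """scope maps device name -> list of profile plists (bytes) scoped to it.
    Returns devices restricted to managed Wi-Fi that have no Wi-Fi payload."""
    at_risk = []
    for device, profiles in scope.items():
        restricted = has_wifi = False
        for raw in profiles:
            for payload in plistlib.loads(raw).get("PayloadContent", []):
                ptype = payload.get("PayloadType")
                if ptype == RESTRICTIONS and payload.get(FORCE_KEY) is True:
                    restricted = True
                elif ptype == WIFI and payload.get("SSID_STR"):
                    has_wifi = True
        if restricted and not has_wifi:
            at_risk.append(device)
    return sorted(at_risk)

# Constructed sample data (not taken from a real Jamf Pro server).
LOCKDOWN = make_profile("Restrictions", [{"PayloadType": RESTRICTIONS, FORCE_KEY: True}])
OPEN = make_profile("Restrictions (open)", [{"PayloadType": RESTRICTIONS, FORCE_KEY: False}])
CORP_WIFI = make_profile("Corp Wi-Fi", [
    {"PayloadType": WIFI, "SSID_STR": "CorpNet", "EncryptionType": "WPA2"},
])

SCOPE = {
    "ipad-lab-01": [LOCKDOWN, CORP_WIFI],  # restricted, Wi-Fi payload present
    "ipad-lab-02": [LOCKDOWN],             # restricted, no Wi-Fi payload
    "ipad-lab-03": [OPEN],                 # not restricted
}

if __name__ == "__main__":
    for device in wifi_lockout_risk(SCOPE):
        print(f"{device}: restricted to managed Wi-Fi but no Wi-Fi payload in scope")
```

Run it against the full set of profiles in scope for a device before deploying the restriction, since the Wi-Fi payload may live in a different profile than the Restrictions payload.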

9.98 or later | Mobile Device | Restrictions | Allow installing apps using Apple Configurator and iTunes (supervised iOS 9 only)/Allow installing apps using App Store (iOS 5–8 only)

This setting works differently depending on the iOS version:

  • On iOS 9 or later: Devices must be supervised. When selected, the App Store is disabled and removed from the Home screen but apps from the App Store can still be installed and updated using Apple Configurator, iTunes, or Jamf Pro. When deselected, the App Store is still disabled and apps from the App Store can only be installed or updated using Jamf Pro.
  • On iOS 5–8: Supervision not required. When selected, the App Store is enabled and displayed on the Home screen. Apps from the App Store can be installed or updated using the App Store, iTunes, or Jamf Pro. When deselected, the App Store is disabled and removed from the Home screen. Apps from the App Store cannot be installed or updated using the App Store or iTunes but can be installed or updated using Jamf Pro.

9.8 or later | Mobile Device | Restrictions | Allow installing apps using App Store (iOS 9 only; supervised only)

Works on supervised devices with iOS 9 only.

When selected, the App Store is enabled and displayed on the Home screen. Apps from the App Store can be installed or updated using the App Store, iTunes, Apple Configurator, or Jamf Pro. (This excludes automatic downloads.)

When deselected, the App Store is disabled and removed from the Home screen but apps from the App Store can still be installed and updated via Apple Configurator, iTunes, or Jamf Pro.

9.2 or later | Computer | FileVault Recovery Key Redirection | Recovery Key Redirection (macOS 10.9–10.12 only)

Unique to Jamf Pro.

Choose how you want the recovery keys to be redirected.

9.0 or later | Mobile Device, Computer | SCEP | Display "Redistribute Profile" setting for this profile

Unique to Jamf Pro.

Select this checkbox if you want to display the Redistribute Profile setting in the General payload.

9.0 or later | Mobile Device, Computer | General | Redistribute Profile

Unique to Jamf Pro.

Automatically redistributes the profile when its SCEP-issued certificate is the specified number of days from expiring.

8.6 or later | Mobile Device, Computer | SCEP | Challenge Type

Unique to Jamf Pro.

The challenge password is used as the pre-shared secret for enrollment. There are three challenge type options:
  • Static: Use the same challenge password for each computer or mobile device.
  • Dynamic: Use a unique challenge password for each computer or mobile device. This option is for non-Microsoft CAs. The Dynamic option requires use of the Jamf API and membership in the Jamf Developer Program. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.
  • Dynamic-Microsoft CA: Use a unique challenge password for each computer or mobile device. This option is for Microsoft CAs only.