Disabling TLS 1.0 and 1.1 in Java 11

Updated: 24 June 2022

Product: Jamf Pro

This article explains how to disable the TLS 1.0 and 1.1 protocols used by Java 11.

Oracle disabled the TLS 1.0 and 1.1 cryptographic protocols in Java 11 on April 20, 2021. It is recommended that you disable any enabled TLS 1.0 and 1.1 protocols in your on-premise installation of Java 11. This will provide more secure communication via TLS 1.2.

In addition, if you have any workflows that are using TLS 1.0 or 1.1 connections (e.g., DEP, VPP, and the App Store), it is recommended that you disable the TLS 1.0 and 1.1 protocols.

There are two methods to disable TLS 1.0 and 1.1 in Java 11:

Disabling TLS 1.0 and 1.1 in Java 11 Manually for Only Jamf Pro
Disabling TLS 1.0 and 1.1 in Java 11 for Your Entire Environment Following Oracle's Instructions

This is a one-time change. The changes you make to the TLS settings will be retained when you upgrade Jamf Pro.

Disabling TLS 1.0 and 1.1 in Java 11 for Jamf Pro

This method disables TLS 1.0 and 1.1 for Jamf Pro and leaves TLS 1.2 as the only version enabled.

Stop Tomcat.
For Linux, do the following:
1. Navigate to the tomcat/bin/setenv.sh file.
2. Edit the file and paste the following property into the JAVA_OPTS line:
```
-Djdk.tls.client.protocols=TLSv1.2
```
  For example, the JAVA_OPTS line should now look like the following:
```
JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djdk.tls.client.protocols=TLSv1.2"
```
3. Save the file.
4. Start Tomcat.
For Windows, do the following:
1. Open the tomcat8w.exe GUI utility.
  It's path is C:\Program Files\JSS\Tomcat\bin\tomcat8w.exe.
2. In the Apache Tomcat 8.5 Tomcat 8 Properties window, click the Java tab.
3. Add the -Djdk.tls.client.protocols=TLSv1.2 flag to the Java Options field.
4. Click Apply.
5. Click OK.
Start Tomcat.
TLS 1.2 will now be the only TLS version enabled for Jamf Pro.

Note:

If you also need TLS 1.3, you can append the following property to the JAVA_OPTS line:

-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3