Disabling TLS 1.0 and 1.1 in Java 11

This article explains how to disable the TLS 1.0 and 1.1 protocols used by Java 11.

Oracle disabled the TLS 1.0 and 1.1 cryptographic protocols in Java 11 on April 20, 2021. It is recommended that you disable any enabled TLS 1.0 and 1.1 protocols in your on-premises installation of Java 11. This will provide more secure communication via TLS 1.2.

In addition, if you have any workflows that are using TLS 1.0 or 1.1 connections (e.g., DEP, VPP, and the App Store), it is recommended that you disable the TLS 1.0 and 1.1 protocols.

There are two methods to disable TLS 1.0 and 1.1 in Java 11:
  • Disabling TLS 1.0 and 1.1 in Java 11 Manually for Only Jamf Pro
  • Disabling TLS 1.0 and 1.1 in Java 11 for Your Entire Environment Following Oracle's Instructions

This is a one-time change. The changes you make to the TLS settings will be retained when you upgrade Jamf Pro.

Disabling TLS 1.0 and 1.1 in Java 11 for Jamf Pro

This method disables TLS 1.0 and 1.1 for Jamf Pro and leaves TLS 1.2 as the only version enabled.

  1. Stop Tomcat.
  2. Navigate to one of the following files depending on your platform:
    • Linux: tomcat/bin/setenv.sh
    • Windows: tomcat/bin/setenv.bat

  3. Edit the file you navigated to and paste the following property into the JAVA_OPTS line:
    -Djdk.tls.client.protocols=TLSv1.2

    For example, the JAVA_OPTS line should now look like the following:

    JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djdk.tls.client.protocols=TLSv1.2"
  4. Save the file.
  5. Start Tomcat.

    TLS 1.2 will now be the only TLS version enabled for Jamf Pro.

Note:
If you also need TLS 1.3, you can append the following property to the JAVA_OPTS line:
-Djdk.tls.client.protocols=TLSv1.2,TLSv1.3
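
To confirm the edit from step 3 before starting Tomcat, the following added example (not part of the original article or of Jamf Pro) scans a setenv file and reports whether jdk.tls.client.protocols is set and lists only TLSv1.2 or TLSv1.3. The function name check_tls_protocols and the sample file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: static audit of a Tomcat setenv file.
# check_tls_protocols is a hypothetical helper name, not part of Jamf Pro or Tomcat.
check_tls_protocols() {
    file="$1"
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    # Every value assigned to the property, skipping commented-out lines
    # (# in setenv.sh, rem or :: in setenv.bat).
    values=$(grep -Eiv '^[[:space:]]*(#|rem[[:space:]]|::)' "$file" \
        | grep -Eo -e '-Djdk\.tls\.client\.protocols=[A-Za-z0-9.,]+' \
        | cut -d= -f2) || true

    if [ -z "$values" ]; then
        echo "MISSING: jdk.tls.client.protocols is not set in $file"
        return 1
    fi

    status=0
    for value in $values; do
        # Compare whole protocol names so TLSv1.2 is never matched as TLSv1.
        for proto in $(printf '%s' "$value" | tr ',' ' '); do
            case "$proto" in
                TLSv1.2|TLSv1.3) ;;
                *) echo "DISALLOWED: $proto (in $value)"; status=1 ;;
            esac
        done
    done
    [ "$status" -ne 0 ] || echo "OK: only TLSv1.2/TLSv1.3 listed in $file"
    return "$status"
}

# Constructed sample: the JAVA_OPTS line from step 3, written to a temp file.
sample=$(mktemp)
printf '%s\n' 'JAVA_OPTS="$JAVA_OPTS -Xmx1024M -Djdk.tls.client.protocols=TLSv1.2"' > "$sample"
check_tls_protocols "$sample"
rm -f "$sample"
```

This is a static check of the file only; it does not inspect the running JVM. The function returns 0 when the setting is acceptable, 1 when it is missing or lists another protocol, and 2 when the file cannot be read.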

Disabling TLS 1.0 and 1.1 in Java 11 for Your Entire Environment

This method disables TLS 1.0 and 1.1 in Java 11 for your entire environment following Oracle's instructions.

  1. Stop Tomcat.
  2. Go to the following Oracle webpage: https://java.com/en/configure_crypto.html#DisableTLS
  3. Edit the conf/security/java.security file as directed by Oracle's instructions.
  4. Start Tomcat.