Today I was going through the release notes for Jamf Pro 10.49.0 (almost a week late to the party, I know) and was pleasantly surprised by the number of meaningful changes in this release, from LAPS to the mention of Jamf Remote Assist to a bunch of deprecations.
There’s some awesome stuff in there and I really want to share it!
Let’s talk about LAPS and the deprecation of the Management Account Password
In previous versions of Jamf Pro, you could choose to set the management account password (Settings > Global > User-initiated Enrollment > macOS, if I remember correctly) instead of having it randomly generated. From here on out, you won’t have the option to set a static password on the Management Account and will instead need to leverage LAPS.
You’re able to implement LAPS using either, or both, of the following methods:
MDM Command – Introduced with Jamf Pro 10.46.0, this method leverages Apple’s SetAutoAdminPassword command, which allows management of the managed administrator account created during the PreStage enrollment process using MDM. This method rotates the managed administrator account password using the MDM command. LAPS is disabled by default using this method. The managed administrator account is created via a PreStage enrollment (Automated Device Enrollment) during the macOS Setup Assistant.
Jamf Management Framework – Starting with Jamf Pro 10.49.0, this method automatically rotates management account passwords using instructions from the Jamf management framework. LAPS is always enabled using this method. You can create the management account on all enrolled computers using either Automated Device Enrollment or user-initiated enrollment. Some advantages of this method include the following:
- Automatic password rotation is always enabled.
- You can enable LAPS even though the management account was not originally created via PreStage during the macOS Setup Assistant.
- If the management account had cryptographic privileges with a secure token, those privileges are maintained during password rotation.
One thing to note here: for an account that has become encrypted with a secure token, rotation will change the login password, but the new password will not work for user authentication purposes. Bottom line: Jamf does not recommend using this account type for LAPS password rotation if the account needs to use FileVault or authorize software updates on computers with Apple silicon.
Jamf Remote Assist Announcement
Jamf Remote Assist, a new screen-sharing feature, will be coming in a future release of Jamf Pro for both on-premise and cloud-hosted environments. Remote Assist will allow you to securely initiate a session to remotely manage computers and help users troubleshoot issues. Using the Jamf Pro interface or the command line, Remote Assist sessions will allow you to connect to an end user computer even when the user is not on the internal network. Additional details will be included in the Jamf Pro release notes in the future.
https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Important_Notices.html
This one is huge, in my opinion.
In today’s world, remote capabilities should be built into the foundation of any MDM and for the longest time this was, arguably, Jamf’s weakest area.
When I started my current career in 2019, Jamf Remote was still being provided in the DMG of tools in your product dashboard, but during Jump Start my Jamf engineer cautioned that there was a plan to retire it, so I shouldn’t rely on it too heavily. As a result, I only used Jamf Remote a handful of times during my first year of managing macOS devices and primarily leveraged Microsoft Teams for screensharing (definitely not ideal).
Then, in 2021, Jamf announced TeamViewer integration! At the surface level, this was awesome but it also meant that additional licensing would come into play. Since my organization didn’t already use TeamViewer, the thought of purchasing licensing for just our Mac fleet didn’t fly.
Fortunately, I run a well-oiled and reasonably sized machine, so the need for screen-to-screen troubleshooting is almost nonexistent. Still, any improvement in this area would be a welcome one. I’ve talked to other admins who work in education, and I KNOW they’re dying for something like this.
There were quite a few deprecations in this release; I’m only going to be touching on the ones that I think are big. I mostly manage macOS devices, so keep that in mind. I recommend checking out the release notes for the full list:
Jamf Admin – Jamf will stop distributing Jamf Admin in a future release of Jamf Pro (estimated removal date: late 2023). Jamf is committed to supporting key workflows from Jamf Admin (including printer creation, package synchronization, and package metadata editing) in future product enhancements.
Deprecation of Basic Authentication in the Classic API – Basic authentication in the Classic API is no longer enabled by default for new Jamf Pro instances to enhance security. Support for Basic authentication is currently scheduled to be removed in March of 2024. Bearer Token authentication or API roles and clients should be used in favor of Basic authentication. To disable Basic authentication before support is removed, navigate to Settings > Jamf Pro User Accounts & Groups > Password Policy and deselect the Allow Basic authentication in addition to Bearer Token authentication checkbox.
SCCM Plug-in – In a future release of Jamf Pro, Jamf will stop distributing the SCCM plug-in. Existing installations will be supported until licenses expire. For additional information, contact Jamf Customer Success.
Password expiration, Replication time Settings – The Password expiration and Replication time settings will be removed from the Single Sign-On Extensions payload in computer configuration profiles in a future release because Apple deprecated them.
Maintenance Pages – The Maintenance Pages setting (Settings > System > Maintenance pages) will be removed in a future release of Jamf Pro.
Functionality to specify the local administrator account for computers in a PreStage enrollment – In an upcoming release, the ability to specify or modify a local administrator account password in a PreStage enrollment for computers will be removed from Jamf Pro.
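For the Basic authentication deprecation in the Classic API above, here is an added example (not code from Jamf or from the release notes) of what a migrated script looks like: it exchanges either a user credential or an API client ID and secret for a bearer token, caches the token until shortly before it expires, and sends only the token to Classic API resources. The `JamfSession` class, the injectable `send` transport and any host name passed to it are assumptions of this example; `/api/v1/auth/token`, `/api/oauth/token` and `/JSSResource/` are Jamf Pro's own paths.

```python
import base64
import calendar
import json
import time
import urllib.parse
import urllib.request

def send_https(req):
    """Default transport: send the request, return the response body."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()

class JamfSession:
    """Trades a credential for a short-lived bearer token and caches it."""
    def __init__(self, base_url, user=None, password=None,
                 client_id=None, client_secret=None, send=send_https):
        self.base_url = base_url.rstrip("/")
        self.user, self.password = user, password
        self.client_id, self.client_secret = client_id, client_secret
        self.send = send  # hypothetical hook so the client can be exercised offline
        self._token, self._expires_at = None, 0.0

    def token_request(self):
        if self.client_id:  # API roles and clients: client-credentials grant
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials",
                "client_id": self.client_id,
                "client_secret": self.client_secret}).encode()
            return urllib.request.Request(self.base_url + "/api/oauth/token", data=form, method="POST")
        # User account: Basic goes to the token endpoint only, never to /JSSResource
        cred = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        return urllib.request.Request(self.base_url + "/api/v1/auth/token", method="POST",
                                      headers={"Authorization": "Basic " + cred})

    def token(self):
        # Re-request when no token is cached or it expires within 60 seconds
        if self._token is None or time.time() > self._expires_at - 60:
            reply = json.loads(self.send(self.token_request()))
            self._token = reply.get("access_token") or reply["token"]
            if "expires_in" in reply:  # seconds from now (client credentials)
                self._expires_at = time.time() + reply["expires_in"]
            else:  # UTC timestamp such as 2023-08-01T12:00:00.000Z (user token)
                self._expires_at = calendar.timegm(
                    time.strptime(reply["expires"][:19], "%Y-%m-%dT%H:%M:%S"))
        return self._token

    def classic_get(self, resource):
        headers = {"Authorization": "Bearer " + self.token(), "Accept": "application/json"}
        req = urllib.request.Request(f"{self.base_url}/JSSResource/{resource}", headers=headers)
        return json.loads(self.send(req))
```

With the checkbox from the deprecation notice deselected, a script that still sends `Authorization: Basic` straight to `/JSSResource/` stops working, while one built this way is unaffected.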