Today I was going through the release notes for Jamf Pro 10.49.0 (almost a week late to the party, I know) and was pleasantly surprised by the number of meaningful changes in this release. From LAPS to the mention of Jamf Remote Assist to a bunch of deprecations.
There’s some awesome stuff in there and I really want to share it!
Let’s talk about LAPS and the deprecation of the Management Account Password
In previous versions of Jamf Pro, you could choose to set the management account password (Settings > Global > User-initiated Enrollment > macOS, if I remember correctly) instead of having it randomly generated. From here on out, you won’t have the option to set a static password on the Management Account and will instead need to leverage LAPS.
You’re able to implement LAPS using either, or both, of the following methods:
MDM Command – Introduced with Jamf Pro 10.46.0, this method leverages Apple’s SetAutoAdminPassword command, which manages the administrator account created during the PreStage enrollment process via MDM. The managed administrator account password is rotated by issuing that MDM command. LAPS is disabled by default with this method. The managed administrator account is created by a PreStage enrollment (Automated Device Enrollment) during the macOS Setup Assistant.
Jamf Management Framework – Starting with Jamf Pro 10.49.0, this method automatically rotates management account passwords using instructions from the Jamf management framework. LAPS is always enabled using this method. You can create the management account on all enrolled computers using either Automated Device Enrollment or user-initiated enrollment. Some advantages of this method include the following:
- Automatic password rotation is always enabled.
- You can enable LAPS even though the management account was not originally created via PreStage during the macOS Setup Assistant.
- If the management account had cryptographic privileges with a secure token, those privileges are maintained during password rotation.
One thing to note here: if the management account has been granted a secure token, its login password will still be rotated, but the new password will not work for user authentication purposes. The bottom line is that Jamf does not recommend using this account type for LAPS password rotation if the account needs to use FileVault or authorize software updates on computers with Apple silicon.
Read more here: https://learn.jamf.com/bundle/technical-paper-laps-current/page/LAPS_Mechanisms.html
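To put that secure-token caveat to work, here is an added audit script (my own example, not Jamf’s tooling) that you can run on a Mac before relying on LAPS rotation for a given account. It assumes the account name is passed as the first argument and that macOS’s built-in sysadminctl and fdesetup commands are available; the classification helpers take command output as input so they can also be exercised off-box.

```shell
#!/bin/sh
# Added example: audit a local management account before trusting LAPS rotation.
# Assumption: sysadminctl -secureTokenStatus prints a line of the form
# "Secure token is ENABLED for user <name>" (to stderr), and fdesetup list
# prints one "<user>,<UUID>" line per FileVault-enabled user.

# Classify sysadminctl -secureTokenStatus output: ENABLED, DISABLED or UNKNOWN.
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# $1 = fdesetup list output, $2 = username; prints yes if the user can unlock FileVault.
filevault_enabled() {
  if printf '%s\n' "$1" | grep -q "^$2,"; then echo yes; else echo no; fi
}

# Apply Jamf's guidance: a secure-token or FileVault account will still be rotated,
# but the rotated password cannot be used for FileVault or Apple silicon update
# authorization, so such an account needs review before LAPS is relied on.
laps_verdict() {   # $1 = token state, $2 = FileVault yes/no
  if [ "$1" = ENABLED ] || [ "$2" = yes ]; then
    echo REVIEW
  else
    echo OK
  fi
}

audit_account() {
  user="$1"
  token=$(secure_token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  fv=$(filevault_enabled "$(fdesetup list 2>/dev/null)" "$user")
  printf '%s: secure token %s, FileVault user %s -> LAPS rotation %s\n' \
    "$user" "$token" "$fv" "$(laps_verdict "$token" "$fv")"
}

# Only run the live checks on macOS, where the tools exist.
if [ -n "$1" ] && command -v sysadminctl >/dev/null 2>&1; then
  audit_account "$1"
fi
```

A REVIEW result does not mean rotation will fail; it means the account’s rotated password will not satisfy FileVault or Apple silicon update prompts, which is exactly the case Jamf advises against.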
Jamf Remote Assist Announcement
Jamf Remote Assist, a new screen-sharing feature, will be coming in a future release of Jamf Pro for both on-premise and cloud-hosted environments. Remote Assist will allow you to securely initiate a session to remotely manage computers and help users troubleshoot issues. Using the Jamf Pro interface or the command line, Remote Assist sessions will allow you to connect to an end user computer even when the user is not on the internal network. Additional details will be included in the Jamf Pro release notes in the future.
https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Important_Notices.html
This one is huge, in my opinion.
In today’s world, remote capabilities should be built into the foundation of any MDM and for the longest time this was, arguably, Jamf’s weakest area.
When I started my current career in 2019, Jamf Remote was still being provided in the DMG of tools in your product dashboard, but during Jumpstart my Jamf engineer cautioned that there was a plan to retire it, so I shouldn’t rely on it too heavily. As a result, I only used Jamf Remote a handful of times during my first year of managing macOS devices and primarily leveraged Microsoft Teams for screen sharing (definitely not ideal).
Then, in 2021, Jamf announced TeamViewer integration! On the surface, this was awesome, but it also meant that additional licensing would come into play. Since my organization didn’t already use TeamViewer, the thought of purchasing licensing for just our Mac fleet didn’t fly.
Fortunately, I run a well-oiled and reasonably sized machine, so the need for screen-to-screen troubleshooting is almost nonexistent. Still, any improvement in this area would be a welcome one. I’ve talked to other admins who work in education, and I KNOW they’re dying for something like this.