Jamf Connect 2.13.0 Now Available

kaylee_carlson
Contributor
Contributor

Today we released Jamf Connect 2.13.0 for general availability; this release includes the below details.

 

Key Notes

Microsoft Azure AD Change Required: If Microsoft Azure AD is your IdP, upcoming changes to Microsoft Authentication Library (MSAL) require changes to your Jamf Connect configuration. Existing applications remain functional, but in December 2022 Microsoft will discontinue security updates for Azure Active Directory Authentication Library (ADAL), deprecating the use of common endpoints.

To align with these changes in Jamf Connect, you must include organization-specific tenant information for your registered authentication applications in your configuration using the OIDC Tenant login window preference or the Tenant menu bar app preference. The information entered applies to all Jamf Connect products and is required to use ROPG test in Jamf Connect Configuration. If both of these fields are left blank, you will now receive an alert that a required field is missing. This helps you set up your configuration correctly.

For more information, see the OIDC Tenant preference in Login Window Preferences and the Tenant ID preference in Menu Bar App Preferences. Also see Migrate applications to the Microsoft Authentication Library (MSAL) in the Microsoft Azure Product Documentation.

 

Change to the minimum supported version of macOS: As of this release, Jamf Connect no longer supports macOS 10.15.3 or earlier. As you prepare to upgrade to version 2.13.0, ensure that all computers with Jamf Connect are on macOS 10.15.4 or later. If a computer with macOS 10.15.3 or earlier is in-scope for updating to Jamf Connect 2.13.0 or later, version 2.12.0 will remain installed and functional instead of updating to the newest version.

 

Change to the minimum supported version of macOS when using Jamf Unlock: As of this release, 2.13.0, computers must be on macOS 11.0.1 or later to pair Jamf Unlock with Jamf Connect. Computers on earlier versions of macOS that already paired Jamf Unlock with Jamf Connect will remain installed and functional.

 

Key Feature Content

Local Login Window Upgrades:

  • The local login window now resembles the macOS login window. This includes the following:
    • The system background or the user's desktop background now load as the login window background instead of a gray background if a custom background isn't configured for your organization.
    • If multiple users are set up on a Mac, a user is now able to see all available account options, select their account, and log in. If you create a configuration profile with the SHOWFULLNAME key, users' full names show up here as well. For more information, see the SHOWFULLNAME key in Device Management Profile LoginWindow Properties in the Apple Developer Documentation.
  • The Jamf Connect local login window now checks for Jamf Unlock availability based on existing pairing records for the user. If a pairing record exists, the user is allowed to use Jamf Unlock to log in.
  • There is now an Enable Jamf Unlock switch on the local login screen so that users can pair with the Jamf Unlock iOS app when they log in, enabling authentication via the user's biometrics or pin. This switch also exists in the Jamf Connect menu bar app.

 

New Login Window Preferences: The Full Name (OIDCFullName) preference is now available for configuration in Jamf Pro. It allows you to specify different attribute claims for full name, such as firstName and lastName or other custom value(s) unique to your environment. This preference overrides the default attributes used to set the full name for an account: name, family_name/given_name, and first/last.

The Hide "Create New User" option at migration (CreateNewUserHide) preference is now available for configuration in Jamf Pro and Jamf Connect Configuration. It enables hiding the Create New User option from users during account migration. With this setting enabled (set to true), users are unable to disrupt account migration by creating a new account. This setting is not enabled (set to null) by default.

Microsoft Identity Platform Endpoints Support: Jamf Connect now supports updated Microsoft identity platform endpoints. If Microsoft Azure AD is your IdP, see the note above, "Microsoft Azure AD Change Required" for information about required changes.

 

Debugging Change: Due to enhancements, tmp log files for the login window (/tmp/jamf_login.log file) no longer automatically include debug level information. You may still manually produce logs using the Terminal or Console apps to help troubleshoot issues.

 

Key Technical Content

Resolved Issues:

  • [PI109623] When Jamf Unlock is enabled for a user on a computer, you may only authenticate as that user. Documentation now exists to help you disable Jamf Unlock for the user, log in as an admin to make changes, then renable the user. For more information, see Enabling Jamf Unlock on Computers.
  • [JC-3794] When a user resizes the Pair new device window in the menu bar app under Paired Devices > Pair new device, the QR code now scales with the window.
  • [JC-3921] At the login window, a progress bar no longer remains in the background after closing the acceptable use policy screen at the login window.
  • [JC-3998] Improvements ensure that admins don't receive unnecessary notifications during the Jamf Connect installation process.
  • [PI110103] The menu bar app no longer launches multiple times during the first launch of the app during installation. Only one copy of Jamf Connect remains open at a time.
  • [PI110113] The login window message no longer overlaps with the Done button at the bottom of the screen during the login process.
  • [PI109924] Duo MFA and PingID MFA windows that require Webkit now render properly on devices running macOS12.3. macOS 12.4 resolved this issue.
  • [PI109612] FileVault enabled users now consistently appear on the FileVault unlock screen after rebooting.
  • [PI104597] [PI010181] When Jamf Pro is configured to pass through enrollment customization details to the login window, the login window no longer only passes through the first and last space-separated elements of each user's name. This results in correctly passing through full names when they contain multiple spaces (e.g., Abdul Malik Abadi).
  • [JC-3907] When Jamf Connect is configured to use Kerberos authentication, users may now retrieve tickets for authentication on computers without a Kerberos preferences plist or with an old Kerberos preferences plist (e.g., from being previously bound to an Active Directory domain).
  • [PI110012] The menu bar app now notifies users during each background check if their local and network passwords are out of sync rather than notifying them only one time. The notification prompts users to sync their passwords. The interval of background checks and the resulting notification is set by the Network Check-in Frequency (NetworkCheck) menu bar app preference, which is set to every 60 minutes by default. For more information about this preference, see Menu Bar App Preferences.
  • [JC-3793] When a user keeps the return key pressed down during local or network login, unexpected behaviors no longer occur.
  • [JC-3874] When a user switches between Wi-Fi networks and attempts logging into a network that only requires a password, the password field now displays instead of both username and password fields.

Product Documentation

For more information, including Release Notes, please see the Jamf Connect Administrator Guide.

Thank you!

The Jamf Connect team

 

During the release sequence, they’ll post the new link so you just need to add it in.

9 REPLIES 9

CoMb0BrEaKeR-To
New Contributor II

This update of JAMF Connect 2.13.0 broke my deployment with Azure that was working under 2.12.0 so far best solution has been to roll back to 2.12.0 and that has been.....difficult. 

have you had any luck with any of this thus far?

So far we got all the users downgraded to 2.12 and its working correctly.  Thankfully it was a very small group of users as we did not move the rest of the company of  to JAMF Connect yet.  I hope my support ticket with JAMF finds a good resolution to this. 

Are you uninstalling and reinstalling? May I ask your process?

Sure.  Use a policy to deploy and run the JAMF Connect uninstaller, then once I know the unit no longer has the app I go to Jamf applications and push the 2.12 app to the clients.  Its messy and manual.  Also we had some machines that were newly issued to staff so they were in-between the MDM setup and 1st login with JAMF connect.  Those users I needed to give the local admin password as they were all out in the field with no chance of coming into the office.  I am testing a new solution for JAMF connect 2.13 and it has been working in my environment so far.  

Thanks for the confirmation. We had to push out the uninstall and reinstall but were able to do it silently for the most part. Not ideal whatsoever. Can I see your config profiles please (redacted of course)? This would be immensely helpful as we are try to simply get it to work at this point. Then we'll need to test swapping profiles and pushing the new version for the fleet...

CalleyO
Contributor III

Thank you, @CoMb0BrEaKeR-To, for reaching out and connecting with our Technical Support team regarding this issue. As always, we try to make sure updates go as smoothly as possible for all our customers, and we appreciate you working with our teams to resolve this with you. 

PieQuest
New Contributor II

@CoMb0BrEaKeR-To & @matt_wiese 
I was able to fix my issues with Azure caused by this release by removing the following properties:

  • Client Secret
  • Client Secret (Hybrid ID)
  • Discovery URL
  • Discovery URL (Hybrid ID)

I also removed these, but they most likely do not need to be removed:

  • One-time Password Message
  • Set Token Cache to /tmp/cachedata
  • Password Verification Success Codes
  • Hidden MFA Options
  • MFA Option Names

You must configure these:

  • Identity Provider
  • Client ID
  • Client ID (Password Verification)
  • Tenant ID
  • Identity Provider (Hybrid ID)
  • Tenant ID (Hybrid ID)

I also configured the following, but you might not need to:

  • Redirect URI
  • Redirect URI (Hybrid ID)
  • Ignore Cookies (true)

I'm just paste'ing in the value names from the jamf application template because I use Jamf Pro, but if you need the .plist keys, let me know.

I really wish Jamf had mentioned that we would need to remove Client Secret, Client Secret (Hybrid ID), Discovery URL, & Discovery URL (Hybrid ID) properties in their release notes. Took me hours to figure out what broke. I was just getting a generic "Something went wrong. Contact your IT Administrator" error, and on the Azure side it was saying the login attempt was successful.

I have discoveryURL set in our policies. We haven’t had any issues so far. 

I’ll double check our profiles and confirm. 

I know if I want to set azure as the IDP I had to set the discovery URL to not be the v2.0 link, but if you set it to custom IDP the v2.0 endpoint link works fine. 

we don’t use client secret at all, so I can’t speak to that one. 

I have a test profile now for 2.14 and an in place fully deployed profile for 2.12 that are both functioning as they should.