Today we released Jamf Connect 2.13.0 for general availability; this release includes the details below.
Microsoft Azure AD Change Required: If Microsoft Azure AD is your IdP, upcoming changes to Microsoft Authentication Library (MSAL) require changes to your Jamf Connect configuration. Existing applications remain functional, but in December 2022 Microsoft will discontinue security updates for Azure Active Directory Authentication Library (ADAL), deprecating the use of common endpoints.
To align with these changes in Jamf Connect, you must include organization-specific tenant information for your registered authentication applications in your configuration using the OIDC Tenant login window preference or the Tenant menu bar app preference. The information entered applies to all Jamf Connect products and is required to use the ROPG test in Jamf Connect Configuration. If both of these fields are left blank, you will now receive an alert that a required field is missing. This helps you set up your configuration correctly.
For more information, see the OIDC Tenant preference in Login Window Preferences and the Tenant ID preference in Menu Bar App Preferences. Also see Migrate applications to the Microsoft Authentication Library (MSAL) in the Microsoft Azure Product Documentation.
Change to the minimum supported version of macOS: As of this release, Jamf Connect no longer supports macOS 10.15.3 or earlier. As you prepare to upgrade to version 2.13.0, ensure that all computers with Jamf Connect are on macOS 10.15.4 or later. If a computer with macOS 10.15.3 or earlier is in scope for updating to Jamf Connect 2.13.0 or later, version 2.12.0 will remain installed and functional instead of updating to the newest version.
Change to the minimum supported version of macOS when using Jamf Unlock: As of this release, 2.13.0, computers must be on macOS 11.0.1 or later to pair Jamf Unlock with Jamf Connect. On computers running earlier versions of macOS that have already paired Jamf Unlock with Jamf Connect, Jamf Unlock will remain installed and functional.
Key Feature Content
Local Login Window Upgrades:
New Login Window Preferences: The Full Name (OIDCFullName) preference is now available for configuration in Jamf Pro. It allows you to specify different attribute claims for full name, such as firstName and lastName or other custom value(s) unique to your environment. This preference overrides the default attributes used to set the full name for an account: name, family_name/given_name, and first/last.
The Hide "Create New User" option at migration (CreateNewUserHide) preference is now available for configuration in Jamf Pro and Jamf Connect Configuration. It enables hiding the Create New User option from users during account migration. With this setting enabled (set to true), users are unable to disrupt account migration by creating a new account. This setting is not enabled (set to null) by default.
Microsoft Identity Platform Endpoints Support: Jamf Connect now supports updated Microsoft identity platform endpoints. If Microsoft Azure AD is your IdP, see the note above, "Microsoft Azure AD Change Required," for information about required changes.
Debugging Change: Due to enhancements, the temporary log file for the login window (/tmp/jamf_login.log) no longer automatically includes debug-level information. You may still manually produce logs using the Terminal or Console apps to help troubleshoot issues.
Key Technical Content
For more information, including Release Notes, please see the Jamf Connect Administrator Guide.
The Jamf Connect team
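A pre-flight check for the tenant rule in the announcement above, written here as an added example (not Jamf's code): with Azure AD as the IdP, tenant information must be present in either the login window or the menu bar preference, or 2.13 alerts on a missing required field. The plist key names OIDCProvider, OIDCTenant and IdPSettings/TenantID, and the value types assumed for OIDCFullName and CreateNewUserHide, are assumptions to verify against the Administrator Guide.

```python
import plistlib
from typing import Any

def _set(value: Any) -> bool:
    """True when a preference string is present and not blank."""
    return isinstance(value, str) and value.strip() != ""

def check_azure_config(login: dict, menubar: dict) -> list[str]:
    """Return findings for an Azure AD deployment; an empty list means the config passes."""
    findings: list[str] = []
    if login.get("OIDCProvider") != "Azure":   # assumed key/value naming the Azure AD provider
        return findings                        # the 2.13 tenant rule applies to Azure AD only
    login_tenant = login.get("OIDCTenant")                           # assumed key: "OIDC Tenant"
    menubar_tenant = menubar.get("IdPSettings", {}).get("TenantID")  # assumed key: "Tenant ID"
    if not (_set(login_tenant) or _set(menubar_tenant)):
        findings.append("OIDC Tenant and Tenant ID are both blank: 2.13 alerts on a missing required field")
    full_name = login.get("OIDCFullName")
    if full_name is not None and not (
        isinstance(full_name, list) and all(isinstance(c, str) for c in full_name)
    ):
        findings.append("OIDCFullName should be an array of claim names (assumed type)")
    hide = login.get("CreateNewUserHide")
    if hide is not None and not isinstance(hide, bool):
        findings.append("CreateNewUserHide should be a boolean (true hides Create New User)")
    return findings

def check_profile_bytes(login_xml: bytes, menubar_xml: bytes) -> list[str]:
    """Parse the two exported plist payloads and run the checks."""
    return check_azure_config(plistlib.loads(login_xml), plistlib.loads(menubar_xml))

# Constructed sample payloads; the tenant value is a placeholder, not a real tenant.
GOOD_LOGIN = plistlib.dumps({
    "OIDCProvider": "Azure",
    "OIDCTenant": "TENANT-ID-PLACEHOLDER",
    "OIDCFullName": ["given_name", "family_name"],
    "CreateNewUserHide": True,
})
BLANK_LOGIN = plistlib.dumps({"OIDCProvider": "Azure", "OIDCTenant": ""})
MENUBAR_NO_TENANT = plistlib.dumps({"IdPSettings": {"Provider": "Azure"}})
MENUBAR_WITH_TENANT = plistlib.dumps({"IdPSettings": {"Provider": "Azure", "TenantID": "TENANT-ID-PLACEHOLDER"}})

if __name__ == "__main__":
    for label, login, menubar in [("good", GOOD_LOGIN, MENUBAR_NO_TENANT),
                                  ("blank", BLANK_LOGIN, MENUBAR_NO_TENANT),
                                  ("menubar-only", BLANK_LOGIN, MENUBAR_WITH_TENANT)]:
        print(label, check_profile_bytes(login, menubar) or "OK")
```

Run it against payloads exported from your own Jamf Pro profiles before pushing 2.13.0 to the fleet.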
During the release sequence, they’ll post the new link so you just need to add it in.
Sure. Use a policy to deploy and run the Jamf Connect uninstaller, then once I know the unit no longer has the app I go to Jamf applications and push the 2.12 app to the clients. It's messy and manual. Also we had some machines that were newly issued to staff, so they were in between the MDM setup and first login with Jamf Connect. Those users I needed to give the local admin password, as they were all out in the field with no chance of coming into the office. I am testing a new solution for Jamf Connect 2.13 and it has been working in my environment so far.
Thanks for the confirmation. We had to push out the uninstall and reinstall but were able to do it silently for the most part. Not ideal whatsoever. Can I see your config profiles please (redacted of course)? This would be immensely helpful as we are trying to simply get it to work at this point. Then we'll need to test swapping profiles and pushing the new version for the fleet...
I also removed these, but they most likely do not need to be removed:
You must configure these:
I also configured the following, but you might not need to:
I'm just pasting in the value names from the Jamf application template because I use Jamf Pro, but if you need the .plist keys, let me know.
I really wish Jamf had mentioned that we would need to remove Client Secret, Client Secret (Hybrid ID), Discovery URL, & Discovery URL (Hybrid ID) properties in their release notes. Took me hours to figure out what broke. I was just getting a generic "Something went wrong. Contact your IT Administrator" error, and on the Azure side it was saying the login attempt was successful.
I have discoveryURL set in our policies. We haven’t had any issues so far.
I’ll double check our profiles and confirm.
I know if I want to set Azure as the IdP I had to set the discovery URL to not be the v2.0 link, but if you set it to custom IdP the v2.0 endpoint link works fine.
We don’t use client secret at all, so I can’t speak to that one.
I have a test profile now for 2.14 and an in-place, fully deployed profile for 2.12 that are both functioning as they should.