Jamf Pro 10.44 Now Available

PCalomeni
Moderator

Today we are releasing Jamf Pro 10.44. Highlights of this release include:

End User Notifications for App Installers

You can now customize push notifications to end users when an App Installer package has an available update and the app is open on the user's computer. Customizing these notifications will override any default notification settings in the App Installer package for a given software title.

OS Update Reporting

Jamf Pro now provides additional functionality, transparency, and reporting capabilities for managed software updates by MDM commands for both computers and mobile devices. The new Operating System category located within the Management tab displays the latest in-progress status report on managed updates to your devices. You can view the status of current updates, the number of user deferrals remaining, install action taken, and the next and past install notification dates. Additionally, the new Operating System History category within the History tab displays a record of completed updates.

4096-bit Key Size for Certificates Issued by External Certificate Authorities

You can now set the key size to 4096 bits for certificates issued by an external certificate authority through the Jamf Pro SCEP Proxy. While a larger key size increases security, it will consume more computer processing power and may be incompatible with some external systems.

 

For additional information on what's included in this release, review the release notes via the new Jamf Learning Hub, a one-stop shop for all our product technical content.

To access new versions of Jamf Pro, log into Jamf Account with your Jamf ID. The latest version is located in the Products section under Jamf Pro.

Note: Additional issues will be resolved in version 10.44.1, which is currently scheduled to release 2 March 2023.

 

Cloud Upgrade Schedule

Your Jamf Pro server, including any free sandbox environments, will be updated to Jamf Pro 10.44.1 based on your hosted data region below. Review this guide if you need assistance identifying the Hosted Data Region of your Jamf Cloud instance.

 

Hosted Region                          Begins                Ends
ap-southeast-2                         3 March at 1300 UTC   3 March at 2200 UTC
ap-northeast-1                         3 March at 1400 UTC   4 March at 0000 UTC
eu-central-1                           3 March at 2300 UTC   4 March at 0900 UTC
eu-west-2                              4 March at 0000 UTC   4 March at 0700 UTC
us-east-1-sandbox/us-west-2-sandbox    4 March at 0100 UTC   4 March at 1000 UTC
us-east-1                              4 March at 0500 UTC   4 March at 1800 UTC
us-west-2                              4 March at 0800 UTC   4 March at 2100 UTC
5 REPLIES

mschroder
Valued Contributor

As there are plenty of CVEs listed under 'Resolved Issues', can you please provide a summary of the security impact of these CVEs? Are there any known vulnerabilities in JSS 10.43, and if yes what is the score for these vulnerabilities?

@mschroder 

There was a broad variety of vulnerabilities resolved by the libraries updated in this release. You can feel free to look into each of the CVEs listed for more specific details, but at a high level it was 3 Critical, 7 High, 14 Medium, 1 Low, and 2 Informational severity tickets resolved in this release.

But be aware of the note that mentions "Additional issues will be resolved in version 10.44.1, which is currently scheduled to release 2 March 2023." While I will ALWAYS recommend upgrading to the newest versions of Jamf as they are released, as each release resolves issues that were not resolved in the previous version, if an organization is limited in the number of upgrades they can do to their self-hosted systems, they should be aware that I would strongly recommend that they upgrade to 10.44.1 when it becomes available. If you have the ability to do both 10.44 and 10.44.1, that's even better.

As you might remember from our previous discussion on the 10.43 release, we plan to document all security issues resolved in our library updates, and you can expect the number to generally be large. This is a never-ending process, as new vulnerabilities are identified in libraries all the time by both our internal scanning and testing along with community identifications. This means that previous releases of Jamf Pro often have the vulnerabilities resolved in the current version.

mschroder
Valued Contributor

As I learned from our last discussion, not all Critical CVEs in the libraries can be exploited via the JSS. So for us to judge whether or not we have to take immediate action, we would have to know whether or not the CVEs in the libraries are exploitable via the JSS. For me the point is not so much how many updates I have to install (although I indeed like to minimize that number) but rather whether or not I shut down the service immediately and prepare for an emergency update. Of course I can always shut down the service when I see a CVE in the release notes, that way I'm on the safe side. My users would start to worry about the quality of JSS quite soon though...

mm2270
Legendary Contributor III

At the very least, all the CVE listings in the release notes should be links to the CVE detail pages on the NIST site. It shows a description and the severity ratings. Just to make it a little easier for anyone to examine them.

Other than that, this looks like another good upgrade, following on the last one which also gave us some nice additions to the product.

jbutler47
Contributor II

Like the update, but the timetable shown is cut off at the right.