09-07-2021 07:23 AM - edited 09-10-2021 12:20 PM
Hi Jamf Nation,
Jamf is prepared to deliver same-day support for Apple’s latest releases as they become available. Compatibility and new feature support are based on testing with the latest Apple beta releases.
We’re also excited to deliver several improvements including enhancements to the Jamf Parent App, iOS updates and restrictions, macOS restrictions and inventory updates, and recovery lock for macOS. In addition, Jamf Setup and Jamf Reset 3.1.0 is available today! The enhancement includes:
Read the full release notes here.
Cloud Upgrade Schedule
Your Jamf Pro server, including any free sandbox environments, will be updated to Jamf Pro 10.32 based on your hosted data region below.
Need assistance identifying the Hosted Data Region of your Jamf Cloud instance? Check out this guide to find out how.
| ap-southeast-2 | Sept 17 at 1400 UTC | Sept 17 at 2300 UTC |
| ap-northeast-1 | Sept 17 at 1500 UTC | Sept 17 at 2300 UTC |
| eu-central-1 | Sept 17 at 2200 UTC | Sept 18 at 0800 UTC |
| eu-west-2 | Sept 17 at 2300 UTC | Sept 18 at 0500 UTC |
| us-east-1 | Sept 18 at 0400 UTC | Sept 18 at 1900 UTC |
| us-east-1 sandbox | Sept 18 at 0000 UTC | Sept 18 at 0900 UTC |
| us-west-2 | Sept 18 at 0700 UTC | Sept 18 at 1900 UTC |
For real-time messages about your upgrade, subscribe to alerts.
For information on what's new in Jamf Pro 10.32, please review the release notes.
Posted on 09-07-2021 10:35 AM
I am very surprised to see that
- somewhere hidden in the release notes I see "It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server." This is really a very bad way of communicating a critical vulnerability.
- the installer suddenly requires 150 GB of disk space? Are you kidding? And the installer silently quits, and I need to search for the reason.
I have my database on an external server, so I certainly don't need 150GB of free disk space to update the jss. Can someone tell me where I can fix the installer so I can update my JSS and secure my server and all the devices it configures?
Posted on 09-08-2021 08:44 AM
It looks to me like it's only a recommendation to have 150GB free space. I successfully upgraded a test environment with only 40GB free.
Posted on 09-07-2021 11:35 AM
Regarding the security vulnerabilities, given that we run a service with an SLA, we require information about whether an emergency change is required. Otherwise we have a 2 week wait for any break in service. So I need concrete information about whether the vulnerability affects us before submitting an ECR. For example, can the vulnerability penetrate through a load balancer when the Jamf Pro Servers themselves are protected by firewall?
Posted on 09-07-2021 12:13 PM
It looks like this release, according to the release notes, patches 3 serious security vulnerabilities. Why is that not addressed up-front either in this post or why was no notice sent out about the vulnerabilities like the notice that was sent for the 10.30.1 release?
09-07-2021 01:04 PM - edited 09-07-2021 01:08 PM
Upgraded from 10.30.3 to 10.32, no issues.
All seems ok.
Posted on 09-08-2021 06:27 AM
I'm not sure how an organization goes about getting CVEs and registered through that system, but I feel like Jamf is large enough and in enough critical locations they really need to be issuing CVEs and real disclosure of security issues like this. Comparing 1 product or company to another isn't always the best BUT other management tools such as Workspace One, BigFix, Maas360, and MobileIron issue CVEs and this type of information correctly when they have issues.
I really love Jamf and wave the flag, but they're no longer a small company with a niche market share, they're THE tool for macOS management. It's a publicly traded company. They can't continue acting like some small startup.
Posted on 09-08-2021 08:23 AM
I get why they aren't publicly releasing information yet. We need time to upgrade, and revealing the vulnerability in detail just makes that more urgent.
However, I would like to be contacted privately with some details, like a severity score and whether it affects on-premises and/or cloud, if load balancers are any protection, and whether we should be blocking access until we can upgrade, etc.
In fact, only one of our team were notified of the release of 10.32 by email at all, and the email was, according to my colleague, "very strange, in German, no images/logos, looked very much like spam". If he'd been on holiday I would possibly have no idea of the release. That's not good enough.
Posted on 09-08-2021 08:35 AM
Dealing with the Microsoft Exchange issues the past few months has been scary for me, servers getting hacked and loaded with ransomware.
Any Internet-facing server with a vulnerability is a giant risk. I patched immediately; I don’t want to find a web shell sitting on my jamf server.
These vulnerabilities should have a CVE score so people know how to react.
Posted on 09-10-2021 12:20 PM
Thank you for your patience as we make the CVE and CVSS information available. We continue to strive to get this information to the community as quickly and safely as we are able to for medium or higher issues.
Posted on 09-13-2021 05:33 AM
As mentioned above, it would be nice to know if this is an on-premise situation only or whether it affects cloud customers as well. I can only guess it's on-premise as we are cloud and our upgrade to 10.32 is not scheduled until this coming Friday. 😮
Posted on 09-13-2021 10:39 AM
The CVEs mentioned above are applicable to on-prem and cloud environments. If a CVE is only relevant to a portion of our customers, we clearly mark it as such.
To limit the chance of someone exploiting responsibly disclosed vulnerabilities while customer-owned instances are still being patched, we restrict the full details on the CVE. In this particular case, Jamf Cloud customers aren't required to take any action in order to further safeguard their Jamf Pro instances. When you choose to host in Jamf Cloud we have additional mechanisms to ensure the security of your instances.
Posted on 09-13-2021 09:07 AM
Shouldn't this important announcement be pinned at the top? I just happened to come across it after a LOT of scrolling. Now I've got to put a Change Request in process as soon as possible to get our system patched.
Posted on 09-17-2021 05:21 AM
I just logged in to read release notes and am seeing mention about the vuln there. Was an email sent and this is another security related email I never got from jamf? Customers shouldn't be expected to come to jamf.com to get info like this.
[PI-006352] This release fixes a security vulnerability with Jamf Pro. It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server. More details will be communicated via email and on Jamf Nation.