What's new in Jamf Pro 10.32 Release

kaylee_carlson
Contributor
Contributor

Update: 

This release includes fixes for security vulnerabilities and it is recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. The following CVEs are addressed by this release: 
Please read the resolved issues section of the release notes for more information and additional details on the resolved vulnerabilities will be made available at a future date to allow for Jamf Pro instances to be patched before full disclosure.

 

Hi Jamf Nation,

Jamf is prepared to deliver same-day support for Apple’s latest releases as they become available. Compatibility and new feature support are based on testing with the latest Apple beta releases.

We’re also excited to deliver several improvements including enhancements to the Jamf Parent App, iOS updates and restrictions, macOS restrictions and inventory updates, and recovery lock for macOS. In addition, Jamf Setup and Jamf Reset 3.1.0 is available today! The enhancement includes:

  • Improved UI enhancements for iPad support
  • Bug fixes and performance improvements

Read the full release notes here.

Kaylee

 

Cloud Upgrade Schedule
Your Jamf Pro server, including any free sandbox environments, will be updated to Jamf Pro 10.32 based on your hosted data region below.

Need assistance identifying the Hosted Data Region of your Jamf Cloud instance? Check out this guide to find out how.

Hosted RegionBeginsEnds
ap-southeast-2Sept 17 at 1400 UTCSept 17 at 2300 UTC
ap-northeast-1Sept 17 at 1500 UTCSept 17 at 2300 UTC
eu-central-1Sept 17 at 2200 UTCSept 18 at 0800 UTC
eu-west-2Sept 17 at 2300 UTCSept 18 at 0500 UTC
us-east-1Sept 18 at 0400 UTCSept 18 at 1900 UTC
us-east-1 sandboxSept 18 at 0000 UTCSept 18 at 0900 UTC
us-west-2Sept 18 at 0700 UTCSept 18 at 1900 UTC

 

Next Steps

For real-time messages about your upgrade, subscribe to alerts.

For information on what's new in Jamf Pro 10.32, please review the release notes.

13 REPLIES 13

mschroder
Valued Contributor

I am very surprised to see that

- somewhere hidden in the release notes I see "It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server." This is really a very bad way of communicating a critical vulnerability.

- the installer suddenly requires 150 GB of disk space? Are you kidding? And the installer silently quits, and I need to search for the reason.

I have my database on an external server, so I certainly don't need 150GB of free disk space to update the jss. Can someone tell me were I can fix the installer so I can update my JSS and secure my server and all the devices it configures?

 

cbrewer
Valued Contributor II

It looks to me like it's only a recommendation to have 150GB free space. I successfully upgraded a test environment with only 40GB free.

grahamrpugh
Release Candidate Programs Tester

Regarding the security vulnerabilities, given that we run a service with an SLA, we require information about whether an emergency change is required. Otherwise we have a 2 week wait for any break in service. So I need concrete information about whether the vulnerability affects us before submitting an ECR. For example, can the vulnerability penetrate through a load balancer when the Jamf Pro Servers themselves are protected by firewall?

mikeindabush
New Contributor II

It looks like this release, according to the release notes, patches 3 serious security vulnerabilities. Why is that not addressed up-front either in this post or why was no notice sent out about the vulnerabilities like the notice that was sent for the 10.30.1 release?

mvanstone
New Contributor

Upgraded from 10.30.3 to 10.32, no issues.

All seems ok.

boberito
Valued Contributor

I'm not sure how an organization goes about getting CVEs and registered through that system, but I feel like Jamf is large enough and in enough critical locations they really need to be issuing CVEs and real disclosure of security issues like this. Comparing 1 product or company to another isn't always the best BUT other management tools such as Workspace One, BigFix, Maas360, and MobileIron issue CVEs and this type of information correctly when they have issues.

 

I really love Jamf and wave the flag, but they're no longer a small company with a niche market share, they're THE tool for macOS management. It's a publicly traded company. They can't continue acting like some small startup.

grahamrpugh
Release Candidate Programs Tester

I get why they aren't publicly releasing information yet. We need time to upgrade, and revealing the vulnerability in detail just makes that more urgent. 

However, I would like to be contacted privately with some details, like a severity score and whether it affects on-premises and/or cloud, if load balancers are any protection, and whether we should be blocking access until we can upgrade, etc. 

 

In fact, only one of our team were notified of the release of 10.32 by email at all, and the email was, according to my colleague, "very strange, in German, no images/logos, looked very much like spam". If he'd been on holiday I would possibly have no idea of the release. That's not good enough. 

Dealing with the Microsoft Exchange issues the past few months has been scary for me, servers getting hacked and loaded with ransomware.

Any Internet facing server with a vulnerability is a giant risk. I patched immediately I don’t want to find a web shell sitting on my jamf server.

These vulnerabilities should have a CVE score so people know how to react.

kaylee_carlson
Contributor
Contributor

Thank you for your patience as we make the CVE and CVSS information available. We continue to strive to get this information to the community as fast and safe as we are able to for medium or higher issues.

As mentioned above. It would be nice to know if this is a on-premise situation only or does it affect cloud customers as well. I can only guess it's on-premise as we are cloud and our upgrade 10.32 is not scheduled until this coming Friday. 😮

The CVEs mentioned above are applicable to on-prem and cloud environments. If a CVE is only relevant to a portion of our customers, that we clearly mark it as such.

 

To limit the chance of someone exploiting responsibly disclosed vulnerabilities while customer owned instances are still being patched, we restrict the full details on the CVE. In this particular case, Jamf Cloud customers aren't required to take any action in order to further safeguard their Jamf Pro instances. When you choose to host in Jamf Cloud we have additional mechanisms to ensure the security of your instances.

peternbevan
New Contributor III

Shouldn't this important announcement be pinned at the top? I just happened to come across it after a LOT of scrolling.  Now I've got to put a Change Request in process as soon as possible to get our system patched.

CasperSally5432
New Contributor II

I just logged in to read release notes and am seeing mention about the vuln there.  Was an email sent and this is another security related email I never got from jamf?  Customers shouldn't be expected to come to jamf.com to get info like this.

 

  • [PI-006352] This release fixes a security vulnerability with Jamf Pro. It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server. More details will be communicated via email and on Jamf Nation.