Hi Jamf Nation,
Jamf is prepared to deliver same-day support for Apple’s latest releases as they become available. Compatibility and new feature support are based on testing with the latest Apple beta releases.
We’re also excited to deliver several improvements, including enhancements to the Jamf Parent App, iOS updates and restrictions, macOS restrictions and inventory updates, and recovery lock for macOS. In addition, Jamf Setup and Jamf Reset 3.1.0 are available today! The enhancements include:
Read the full release notes here.
Cloud Upgrade Schedule
Your Jamf Pro server, including any free sandbox environments, will be updated to Jamf Pro 10.32 based on your hosted data region below.
Need assistance identifying the Hosted Data Region of your Jamf Cloud instance? Check out this guide to find out how.
| Hosted Data Region | Upgrade window start | Upgrade window end |
|---|---|---|
| ap-southeast-2 | Sept 17 at 1400 UTC | Sept 17 at 2300 UTC |
| ap-northeast-1 | Sept 17 at 1500 UTC | Sept 17 at 2300 UTC |
| eu-central-1 | Sept 17 at 2200 UTC | Sept 18 at 0800 UTC |
| eu-west-2 | Sept 17 at 2300 UTC | Sept 18 at 0500 UTC |
| us-east-1 | Sept 18 at 0400 UTC | Sept 18 at 1900 UTC |
| us-east-1 sandbox | Sept 18 at 0000 UTC | Sept 18 at 0900 UTC |
| us-west-2 | Sept 18 at 0700 UTC | Sept 18 at 1900 UTC |
For real-time messages about your upgrade, subscribe to alerts.
For information on what's new in Jamf Pro 10.32, please review the release notes.
I am very surprised to see that
- somewhere hidden in the release notes I see "It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server." This is really a very bad way of communicating a critical vulnerability.
- the installer suddenly requires 150 GB of disk space? Are you kidding? And the installer silently quits, and I need to search for the reason.
I have my database on an external server, so I certainly don't need 150 GB of free disk space to update the JSS. Can someone tell me where I can fix the installer so I can update my JSS and secure my server and all the devices it configures?
Regarding the security vulnerabilities, given that we run a service with an SLA, we require information about whether an emergency change is required. Otherwise we have a 2 week wait for any break in service. So I need concrete information about whether the vulnerability affects us before submitting an ECR. For example, can the vulnerability penetrate through a load balancer when the Jamf Pro Servers themselves are protected by firewall?
I'm not sure how an organization goes about getting CVEs assigned and registered through that system, but I feel like Jamf is large enough and in enough critical locations that they really need to be issuing CVEs and real disclosure of security issues like this. Comparing one product or company to another isn't always the best, BUT other management tools such as Workspace One, BigFix, Maas360, and MobileIron issue CVEs and this type of information correctly when they have issues.
I really love Jamf and wave the flag, but they're no longer a small company with a niche market share, they're THE tool for macOS management. It's a publicly traded company. They can't continue acting like some small startup.
I get why they aren't publicly releasing information yet. We need time to upgrade, and revealing the vulnerability in detail just makes that more urgent.
However, I would like to be contacted privately with some details, like a severity score and whether it affects on-premises and/or cloud, if load balancers are any protection, and whether we should be blocking access until we can upgrade, etc.
In fact, only one of our team was notified of the release of 10.32 by email at all, and the email was, according to my colleague, "very strange, in German, no images/logos, looked very much like spam". If he'd been on holiday I would possibly have had no idea of the release. That's not good enough.
Dealing with the Microsoft Exchange issues the past few months has been scary for me, servers getting hacked and loaded with ransomware.
Any Internet-facing server with a vulnerability is a giant risk. I patched immediately; I don’t want to find a web shell sitting on my Jamf server.
These vulnerabilities should have a CVE score so people know how to react.
The CVEs mentioned above are applicable to on-prem and cloud environments. If a CVE is only relevant to a portion of our customers, we clearly mark it as such.
To limit the chance of someone exploiting responsibly disclosed vulnerabilities while customer owned instances are still being patched, we restrict the full details on the CVE. In this particular case, Jamf Cloud customers aren't required to take any action in order to further safeguard their Jamf Pro instances. When you choose to host in Jamf Cloud we have additional mechanisms to ensure the security of your instances.
I just logged in to read release notes and am seeing mention about the vuln there. Was an email sent and this is another security related email I never got from jamf? Customers shouldn't be expected to come to jamf.com to get info like this.
[PI-006352] This release fixes a security vulnerability with Jamf Pro. It is strongly recommended that you upgrade to Jamf Pro 10.32.0 as soon as possible. This vulnerability has the potential to impact the integrity and availability of your web server. More details will be communicated via email and on Jamf Nation.