Jamf Pro Documentation 11.1.0 1-2-2024


Jamf Pro Documentation 11.1.

PDF Generated: 01/02/24


This PDF is current as of the date it was generated. For current information, visit learn.jamf.com
© Copyright 2002 - 2024 Jamf. All rights reserved.
Contents

Jamf Pro Documentation
Overview of Technologies
Applications and Utilities
Security
Jamf Pro System Requirements
Components Installed on Managed Computers
Components Installed on Mobile Devices
Before You Begin
Setting Up Jamf Pro
The Jamf Pro Dashboard
Jamf Pro Objects
Jamf Pro Keyboard Shortcuts
System Settings
Jamf Pro User Accounts and Groups
API Roles and Clients
LDAP Directory Service Integration
Cloud Identity Providers
Google Secure LDAP Integration
Microsoft Entra ID Integration
Testing Cloud Identity Provider Attribute Mappings
Single Sign-On (SSO)
SMTP Server Integration
Email Notifications
Activation Code
Change Management
SSL Certificate
Log Flushing
Maintenance Pages
Jamf Pro Summary
Jamf Pro Server Logs
Jamf Pro Health Check Page
Global Management Settings
Push Certificates
Jamf Push Proxy
GSX Connection
Inventory Preload
User-Initiated Enrollment Settings
Automated Device Enrollment Integration
Enrollment Customization Settings
Re-enrollment Settings
Jamf Pro URL
MDM Profile Settings
PKI Certificates
Volume Purchasing Integration
Categories
Event Logs
Webhooks
AirPlay Permissions
Conditional Access
Google BeyondCorp Enterprise Integration
Cloud Services Connection
Device Compliance
Jamf Application Integrations
Jamf Parent Integration with Jamf Pro
Jamf Teacher Integration with Jamf Pro
Jamf Protect Integration with Jamf Pro
Jamf Connect Integration with Jamf Pro
Jamf Self Service
Jamf Self Service for macOS
Jamf Self Service for macOS Installation Methods
macOS Onboarding
Jamf Self Service for macOS User Login Settings
Jamf Self Service for macOS Configuration Settings
Jamf Self Service for macOS Notifications
Jamf Self Service for macOS Branding Settings
Bookmarks
Items Available to Users in Jamf Self Service for macOS
Jamf Self Service for macOS URL Schemes
Jamf Self Service for Mobile Devices
Jamf Self Service for iOS
Jamf Self Service for iOS Branding Settings
App Request
Jamf Self Service for iOS URL Schemes
Server Infrastructure
About Distribution Points
File Share Distribution Points
Cloud Distribution Point
Software Update Servers
Jamf Infrastructure Manager Instances
LDAP Proxy
Healthcare Listener
Network Organization
Buildings and Departments
Network Segments
iBeacon Regions
Sites
Network Integration
Scope
Enrollment
Enrollment for Computers
Automated Device Enrollment for Computers
Device Enrollment for Computers
Enabling Device Enrollment for Computers
Providing an Enrollment URL for Device Enrollment
Sending a Computer Enrollment Invitation via Email
Device Enrollment Experience for Computers
Enrollment for Mobile Devices
Automated Device Enrollment
Device Enrollment
Enabling Device Enrollment for Mobile Devices in Jamf Pro
Setting up Account-Driven Device Enrollment
Device Enrollment with Apple Configurator
Enrollment URLs
Enrollment Profiles
User Enrollment for BYOD
Requirements
Enabling User Enrollment for Mobile Devices in Jamf Pro
Setting up Account-Driven User Enrollment
Enrollment Single Sign-on (SSO)
Providing an Enrollment URL for Profile-Driven User Enrollment
Declarative Device Management
Managing Computers
Building the Framework for Managing Computers
Recurring Check-in Frequency
Startup Script
Login Events
Security Settings
Inventory for Computers
Computer Inventory Information
Computer Inventory and Criteria Reference
Computer Inventory Collection Settings
Computer Extension Attributes
Computer Inventory Display Settings
Simple Computer Searches
Advanced Computer Searches
Computer Reports
Mass Actions for Computers
Computer Management Information
Computer History Information
Renaming a Computer
Deleting a Computer from Jamf Pro
Policies
Execution Frequency for Policies
Policy Management
Policy Payload Reference
User Interaction with Policies
Packages
Package Management
Package Deployment
Software Title Updates
Patch Management
Patch Sources
Patch Reporting
Patch Policy Workflow
Configuring a Patch Management Software Title
Associating a Package to a Patch Management Software Title
Patch Policies
App Installers
Settings and Security Management for Computers
Computer Configuration Profiles
Best Practices for Computer Configuration Profiles
Remote Commands for Computers
Scripts
Printers
Dock Items
Local Accounts
MDM-Enabled Local User Accounts
Management Accounts
Directory Bindings
FileVault Encryption
Preparation for FileVault Enablement
Recovery Key Types
Creating and Exporting an Institutional Recovery Key
FileVault Enablement
Enabling FileVault Disk Encryption Using a Configuration Profile
Enabling FileVault Disk Encryption Using a Policy
FileVault Management
Setting or Removing an EFI Password
Remote Administration
Jamf Remote Assist
TeamViewer
TeamViewer Integration
Screen Sharing Using TeamViewer
License Management
Licensed Software Records
License Compliance
Viewing License Usage Matches
Application Usage for Licensed Software
Usage Management
Application Usage
Computer Usage
Restricted Software
Unmanaging Computers
Managing Mobile Devices
Inventory for Mobile Devices
Mobile Device Inventory Information
Mobile Device Inventory and Criteria Reference
Mobile Device Inventory Collection Settings
Mobile Device Extension Attributes
Mobile Device Inventory Display Settings
Simple Mobile Device Searches
Advanced Mobile Device Searches
Mobile Device Reports
Mass Actions for Mobile Devices
Mobile Device Management Information
Mobile Device History Information
Deleting a Mobile Device from Jamf Pro
Settings and Security Management for Mobile Devices
Mobile Device Configuration Profiles
Best Practices for Mobile Device Configuration Profiles
Remote Commands for Mobile Devices
Best Practices for Mobile Device Remote Commands
Supervision
Supervision Identities
Supervising Mobile Devices with Apple Configurator
Unmanaging Mobile Devices
Managing Users
About User Management
Inventory for Users
User Inventory Information
User Inventory and Criteria Reference
User Assignments
User Extension Attributes
Simple User Searches
Advanced User Searches
User Reports
Mass Actions for Users
Manually Adding a User to Jamf Pro
Deleting a User from Jamf Pro
Group Management
Smart Groups
Static Groups
Managing Apple OS Updates
macOS Updates
(Beta) Updating macOS Using Managed Software Updates
iOS, iPadOS, and tvOS Updates
(Beta) Updating iOS, iPadOS, and tvOS Using Managed Software Updates
Updating iOS, iPadOS, and tvOS Using a Mass Action Command
Deferring Availability of iOS, iPadOS, and tvOS Updates with a Configuration Profile
Viewing OS Update Information
Content Distribution
Content Distribution Methods using Jamf Pro
Managed Content in Jamf Pro
Volume Content
Device-Assigned Managed Distribution
User-Assigned Managed Distribution
Volume Purchasing Registration for Users
Volume Assignments for Users
VPP Codes
Apps Purchased in Volume
App Store App Updates
Books Purchased in Volume
Simple Volume Content Searches
Advanced Volume Content Searches
Volume Content Reports
In-House Content
Hosting Locations

Provisioning Profiles for In-House Apps
In-House Apps
In-House App Maintenance Settings
In-House Books
Classroom Management
Apple Education Support Settings
Apple School Manager Integration
Classes
Student Setup
Copyright and Trademarks

Jamf Pro Documentation


The Jamf Pro Documentation (formerly the Jamf Pro Administrator's Guide) contains overviews about Jamf
Pro features and instructions for performing administrative tasks using Jamf Pro.

Before using the instructions in this guide:

• If hosted on-premise, the Jamf Pro server must be installed.


• If hosted in Jamf Cloud, your cloud instance must be set up and accessible.

Additional Resources
Technical Articles

Technical Articles address frequently asked questions and common issues.

Getting Started with Jamf Pro

The Jamf Pro Getting Started Guide provides instructions to help you complete Jamf Pro setup and integration
with Apple Business Manager or Apple School Manager.

Other Resources

For access to other Jamf Pro-related resources, visit the following webpages:

Jamf Developer Portal


The developer portal contains additional documentation for the Jamf Pro API and the Classic API,
including development guides and code samples.
Jamf Nation Community

Jamf Nation allows community members to engage with Jamf.

Jamf 100 Course

The Jamf 100 Course offers a self-paced introduction to Jamf Pro and an enterprise-focused foundation
of the macOS and iOS platforms.

Jamf Online Training Catalog

The Jamf Online Training catalog provides self-paced modules to help you learn Apple device
management with Jamf Pro. This resource is available for free to all Jamf customers.

Jamf Training and Support Videos

Jamf Shorts for Jamf Pro provide brief overviews of common workflows and updates on new releases.

Jamf Marketplace

The Jamf Marketplace is a central location for you to find, learn about, and utilize valuable tools to
integrate with and extend the Jamf platform.

Overview of Technologies
Applications and Utilities
This section provides an overview of the applications and utilities that make up Jamf Pro.

Jamf Pro Web Application


The Jamf Pro web application is the administrative core of Jamf Pro. The Jamf Pro web app allows you to
perform inventory, remote management, and configuration tasks on enrolled computers and mobile devices.

To access the Jamf Pro web app, navigate to your organization's instance URL and log in.

• Cloud-hosted—https://JAMF_PRO_URL.jamfcloud.com
• On-premise—https://JAMF_PRO_URL.com:8443

End User Apps


End user apps extend Jamf Pro's device management workflows and customize the end user experience.
These apps are not automatically installed and must be configured and distributed by an administrator using
Jamf Pro.

Jamf Self Service for macOS

Jamf Self Service for macOS allows users to browse and install configuration profiles, Mac App Store
apps, and books. Users can also run policies and third-party software updates via patch policies, as well
as access webpages using bookmarks.

For more information, see Jamf Self Service for macOS.

Jamf Self Service for Mobile Devices

Jamf Self Service allows users to browse and install mobile device configuration profiles, apps, and
books on managed mobile devices. Users can tap their way through Self Service using an intuitive
interface.

For more information, see Jamf Self Service for Mobile Devices.

Jamf Setup

Jamf Setup is a mobile device app that enables end users to quickly set up and configure a mobile
device. You can configure and customize Jamf Setup using Jamf Pro with Managed App Configuration.
Users can then select a configuration without having to log in or contact IT.

For more information, see the Jamf Setup and Reset Configuration Guide.

Jamf Reset

Jamf Reset is a mobile device app that enables users to quickly reset a device to the original factory
settings using Jamf Pro. This process simplifies the necessary steps to wipe a device and logs each time
a device is wiped in Jamf Pro.

For information, see the Jamf Setup and Reset Configuration Guide.

Jamf Teacher

Jamf Teacher is a free mobile device, computer, and web application that teachers can use to manage
student devices in the classroom.

For more information, see the Jamf Teacher Configuration Guide.

Jamf Parent

Jamf Parent is a free app that allows parents to manage their children's school-issued devices by
allowing and restricting apps and device functionality.

For more information, see the Jamf Parent Configuration Guide.

Jamf Pro Administrator Apps


The following macOS-only administrator apps can be downloaded from the Jamf Pro Apps DMG on the Jamf
Account portal:

Composer

The Composer application allows you to build and edit packages of software, applications, preference
files, or documents.

For more information, see the Composer User Guide.

Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal
date: 19 March 2024). Jamf is committed to finding alternative solutions for key workflows from
Jamf Admin.

The Jamf Admin application is a repository that allows you to add and manage common settings for
computers.

For more information about tasks you can perform with Jamf Admin, see the following:

• Package Management
• Scripts
• Printers
• Dock Items
• Categories
• File Share Distribution Points

Utilities
The following utilities are installed on computers enrolled with Jamf Pro and perform management tasks and
background processes:

jamf agent

The jamf agent collects application usage data and restricts software on enrolled computers.

The jamf agent is installed and updated on enrolled computers automatically. It is installed in the
following location:

/usr/local/jamf/bin/jamfAgent

Jamf Application Bundle

The Jamf application bundle (Jamf.app) contains the following management framework components:

• JamfDaemon—Background process that runs continuously and handles various administrative functions
• JamfAAD—Integrates Jamf Pro with Microsoft Entra ID (formerly Azure AD) to grant conditional access
• JamfManagementService—Executes external commands, such as policies

The Jamf application bundle is installed, updated, and run on enrolled computers automatically. It is
stored in the following location on enrolled computers:

/Library/Application Support/JAMF/Jamf.app

jamf binary

The jamf binary is a command-line application that executes most Jamf Pro tasks. The app is installed,
updated, and run on enrolled computers automatically, and you can also use it to manually execute
commands. It is stored in the following location on computers:

/usr/local/jamf/bin/jamf

To learn about commands you can execute with the jamf binary, execute the following command:

jamf -help

Jamf Helper

The Jamf Helper (jamfHelper.app) displays messages to users. It is stored in the following location
on enrolled computers:

/Library/Application Support/JAMF/bin/jamfHelper.app

Jamf Management Action

The Jamf Management Action application displays policy User Interaction messages in the Notification
Center. It is stored in the following location on enrolled computers:

/Library/Application Support/JAMF/bin/Management Action.app

Depending on what level of compatibility the macOS version of the computer falls under, the following Jamf
Pro utility versions will be installed:

| macOS Version | Jamf Pro Utilities Version Installed |
|---|---|
| macOS 10.15 or later | Latest version |
| macOS 10.14.4 | 10.42.0 |
| macOS 10.13 | 10.31.0 |
| macOS 10.12 | 10.21.0 |

Jamf Pro Server Tools


Jamf Pro Server Tools allows you to perform, schedule, and restore database backups, as well as manage
settings for the database connection, Apache Tomcat, and MySQL. You can also use Jamf Pro Server Tools to
convert the MySQL database storage engine from MyISAM to InnoDB.

Jamf Pro Server Tools is installed automatically when you run the Jamf Pro installer. In addition, you can
download the latest version using other methods, including package managers.

Jamf Pro Server Tools is available as a GUI and a command-line interface (CLI).

The following components are included:

• server-tools.jar—The GUI to jamf-pro
• jamf-pro—The CLI for executing command-based tasks

For more information, see the following articles:

• Jamf Pro Server Tools Overview


• The Jamf Pro Server Tools Command-Line Interface

Security
This section explains the primary security measures in Jamf Pro:

• Passwords
• Communication protocols
• Public key infrastructure
• Signed applications

Related Content

• Network Ports Used by Jamf Pro

Passwords
Jamf Pro allows you to store individual accounts for managed computers and reset the passwords if
necessary.

Passwords stored in the database are encrypted using a standard 256-bit AES encryption algorithm.

Communication Protocols
Jamf Pro has security built into its design. Connections between the Jamf Pro server, the other Jamf Pro apps,
and mobile devices take place over Secure Sockets Layer (SSL) using Transport Layer Security (TLS).

Secure Shell (SSH)

SSH is a network security protocol built into macOS. For more information, go to: http://openssh.com/

Transport Layer Security (TLS)

TLS is a security protocol for internet communication. For more information, go to: https://tools.ietf.org/html/rfc5246

Public Key Infrastructure


A public key infrastructure (PKI) is the design by which digital certificates are obtained, managed, stored, and
distributed to ensure a secure exchange of data over a public network.

Certificate Authority

A certificate authority (CA) is a trusted entity that signs and issues the certificates required for certificate-based
authentication. It is the central component of the PKI.

In Jamf Pro, you can choose to use a built-in CA, integrate with a trusted third-party CA (DigiCert, Venafi, or
Active Directory Certificate Services), or configure your own PKI if you have access to an external CA that
supports the Simple Certificate Enrollment Protocol (SCEP). The certificate authorities can be used to issue
certificates to both computers and mobile devices.

Note: An external CA can also be used to issue certificates to computers, but this is not enabled by
default. For more information, contact your Jamf account representative.

For more information on certificate authorities in Jamf Pro, see PKI Certificates.

Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) obtains certificates from the CA and distributes them to
managed mobile devices, providing a simplified way of handling large-scale certificate distribution. If you do
not want computers or mobile devices to communicate directly with a SCEP server, you can configure settings
that enable Jamf Pro to proxy the communication between a SCEP server and the computers and mobile
devices in your environment. This allows Jamf Pro to communicate directly with a SCEP server to obtain
certificates and install them on the device. For more information, see the Enabling Jamf Pro as SCEP Proxy
technical paper.

The CA hosted by Jamf Pro (the “built-in CA”) supports SCEP. If you plan to use an external CA hosted by
your organization or by a third-party vendor, this CA must support SCEP as well.

Certificates

Jamf Pro uses the following certificates to ensure security:

• SSL Certificate—Jamf Pro requires a valid SSL certificate to ensure that computers and mobile devices
communicate with the Jamf Pro server and not an imposter server. The SSL certificate that you can create
from the built-in CA secures communication using 2048-bit RSA encryption.
• Device Identity Certificates— Device identity certificates allow Jamf Pro to verify the identity of computers
and mobile devices each time they communicate with the Jamf Pro server.
• Device Certificates— Device certificates are stored in the JAMF.keychain that is used by the Jamf
management framework to secure communication between Jamf Pro and a managed computer.
• CA Certificate— This certificate establishes trust between the CA and computers, and between the CA and
mobile devices.
• Signing Certificate— This certificate is used to sign messages passed between the Jamf Pro server and
Mac computers, and between the Jamf Pro server and mobile devices.
• Push Certificate— Jamf Pro requires a valid push certificate to communicate with Apple Push Notification
service (APNs).
• Anchor Certificate— This certificate allows mobile devices and computers to trust the SSL certificate.

Signed Applications
The following applications are signed by Jamf:

• Composer
• Jamf Admin
• jamf binary
• Jamf Helper
• Jamf Self Service

Jamf Pro System Requirements

Updated 05 December 2023

Jamf Pro Server Environment:

• MySQL 8.0.33 on Amazon RDS has been added to Recommended as a database configuration.

• Amazon Aurora (MySQL 8.0 compatible) has been added to Recommended as a database
configuration.
• MySQL 5.7.37 or later has been moved from Recommended to Minimum Supported as a database
configuration.
• Amazon Aurora (MySQL 5.7 compatible) has been moved from Recommended to Minimum
Supported as a database configuration.

Changes in Jamf Pro 11.1.0

Computer and Mobile Device Management:

• macOS 13.x has been moved from Recommended to Minimum Supported compatibility.
• iOS 16.x, iPadOS 16.x, and tvOS 16.x have been moved from Recommended to Minimum Supported
compatibility.
• macOS 10.15.x has been moved from Minimum Supported to Untested compatibility.
• iOS 13.x and tvOS 13.x have been moved from Minimum Supported to Untested compatibility.

Jamf Pro Server Environment:

• Ubuntu Server 18.04 LTS has been removed from Minimum Supported as a server OS for hosting
Jamf Pro in on-premise environments.
• Windows Server 2012 R2 has been removed from Minimum Supported as a server OS for hosting
Jamf Pro in on-premise environments.

Levels of Compatibility
The following table provides descriptions of the levels of compatibility for Jamf Pro testing and product issue
support:

| Compatibility Level | Testing | Product Issue Support |
|---|---|---|
| Recommended | Full compatibility. Jamf targets development and testing resources to configurations at this level. | Full. Jamf is committed to fixing product issues that arise at this level. |
| Minimum Supported | High compatibility. Most configurations at this level were previously recommended and are likely to work. | Partial. Jamf will attempt to fix product issues that arise at this level. |
| Computer and Mobile Device Management Only: | | |
| Untested | Limited compatibility. Product is not actively removed, and devices should continue to be maintained after upgrading. Some features may not be available or may no longer work. | None. Jamf will not fix product issues that arise at this level. |
| Support Removed | No compatibility. Product capabilities are actively removed, and most devices can no longer be maintained after upgrading. | None. Jamf will not fix product issues that arise at this level. |

Computer and Mobile Device Management


Jamf compatibility with Apple operating system (OS) releases for devices is generally based on an N-3 support
policy. This means that Jamf will support the current major version ("N") and the three previous major versions
("-3") within either the Recommended or Minimum Supported compatibility levels. When a new Apple OS
version is made available and added to Recommended, the oldest release will be moved from the Minimum
Supported to Untested level.

The following table lists Apple OS compatibility requirements for managed computers and mobile devices:

| | macOS¹ | iOS | iPadOS | tvOS |
|---|---|---|---|---|
| Recommended | macOS 14.x | iOS 17.x | iPadOS 17.x | tvOS 17.x |
| Minimum Supported | macOS 13.x | iOS 16.x | iPadOS 16.x | tvOS 16.x |
| | macOS 12.x | iOS 15.x | iPadOS 15.x | tvOS 15.x |
| | macOS 11.x | iOS 14.x | iPadOS 14.x | tvOS 14.x |
| Untested²,³ | macOS 10.15.x | iOS 13.x | | tvOS 13.x |
| | macOS 10.14.x | iOS 12.x | | tvOS 12.x |
| | macOS 10.13.x | iOS 11.x | | tvOS 11.x |
| | macOS 10.12.x | iOS 10.x | | tvOS 10.x |
| | macOS 10.11.x | iOS 9.x | | |
| Support Removed | macOS 10.10.x and earlier | iOS 8.x and earlier | | tvOS 9.x and earlier |

¹ Also indicates macOS versions required to run Composer on Mac computers.
² It is strongly recommended that you test management workflows in a non-production environment prior to upgrading Jamf Pro.
³ Legacy versions of the Jamf management framework and Jamf Self Service may be installed on devices at this level,
depending on OS version. For more information, see the following sections in the Jamf Pro Documentation:
• Applications and Utilities
• Jamf Self Service for macOS Installation Methods
• Jamf Self Service for iOS

Web Browsers
The following table lists the browser requirements for enrollment and access to web applications:

macOS iOS Windows Linux

Recommended Safari Safari Chrome

Minimum Supported Chrome Firefox Chrome

Firefox Microsoft Edge

Jamf Pro Server Environment


The following table lists the server and related services requirements for Jamf Pro on-premise environments
and the Jamf Pro installers.

| | Server OS¹ | Database Configuration²,³ | Java |
|---|---|---|---|
| Recommended | Windows Server 2022; Windows Server 2019; Ubuntu Server 22.04 LTS; Ubuntu Server 20.04 LTS; Red Hat Enterprise Linux 7.x | MySQL 8 series: 8.0.33; 8.0.33 on Amazon RDS; Amazon Aurora (MySQL 8.0 compatible) | OpenJDK 11 |
| Minimum Supported | Windows Server 2016 | MySQL 5 series: 5.7.37⁴; 5.7.8 on Amazon RDS⁴; Amazon Aurora (MySQL 5.7 compatible)⁵ | Oracle Java 11 |

¹ All compatible operating systems are 64-bit only.
² All compatible database configurations utilize InnoDB as a storage engine.
³ The Jamf Pro database does not support MySQL clustering.
⁴ Support for MySQL 5.7 as a database configuration will end on 29 February 2024.
⁵ Support for Amazon Aurora (MySQL 5.7 compatible) as a database configuration will end in October 2024.

Tomcat Version Installed

Tomcat 8.5.95 is included in the Jamf Pro installers for this release. For a historical list of the Tomcat
versions installed with each release, see the Apache Tomcat Versions Installed by the Jamf Pro
Installer article.

Components Installed on Managed Computers
Jamf Apps and Binaries
• /usr/local/jamf/bin/jamf—The binary used to execute most tasks for Jamf Pro.
• /usr/local/bin/jamf—Symbolic link to the jamf binary so it can be found in the default search paths.
• /usr/local/bin/jamfagent—Symbolic link to the jamf agent binary. This is no longer in use.
• /Library/Application Support/JAMF/Jamf.app—App bundle that groups together components of
the management framework.
• /Library/Application Support/JAMF/JAMF.app/Contents/MacOS/Jamf Conditional
Access.app—App bundle used for integration with Microsoft Entra ID.
• /Library/Application Support/JAMF/JAMF.app/Contents/MacOS/JamfDaemon.app—App
bundle containing the jamf launch daemon. This process will be launched during the macOS startup to
perform tasks for the Jamf management framework (e.g., coordinating policy execution for Self Service,
monitoring for restricted software, and monitoring application usage).
• /Library/LaunchAgents/com.jamf.management.agent.plist—Used to monitor user login
events.
• /usr/local/jamf/bin/jamfAAD—Symbolic link to
/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/Jamf Conditional Access.

LaunchDaemons and Agents


• /Library/LaunchDaemons/com.jamfsoftware.task.1.plist—Manages the recurring check-in to
the Jamf Pro server.
• /Library/LaunchDaemons/com.jamfsoftware.startupItem.plist—Used to call the
StartupScript.sh management framework check-in script once during the macOS startup.
• /Library/LaunchAgents/com.jamfsoftware.jamf.agent.plist—No longer in use.
• /Library/LaunchDaemons/com.jamf.management.daemon.plist—Used for Application Usage,
Network State Changes, iBeacons, FileVault information sent to the Jamf Pro server, Restricted Software,
and Self Service-related tasks.
• /Library/LaunchAgents/com.jamf.management.jamfAAD.agent.plist—Launch file only
present when macOS Intune Integration is enabled on the server; used to start the Jamf Conditional
Access.app process.
• /Library/Preferences/com.jamf.management.jamfAAD.plist—Stores user's Entra ID
preferences.
• /Library/LaunchAgents/com.jamf.management.jamfAAD.clean.agent.plist—Used to
delete an Entra ID ID token from the user’s login keychain and a user's Entra ID preferences for users that
are not currently logged in to the computer.

Property List
/Library/Preferences/com.jamfsoftware.jamf.plist—Defines settings for the Jamf management
framework (e.g., the Jamf Pro server URL, Management Framework Change ID, and security settings).

Jamf Application Support Directory


• /Library/Application Support/JAMF/.jmf_settings.json—Contains settings used by the
JamfDaemon.app (e.g., the restricted software list).
• /Library/Application Support/JAMF/.userdelay.plist—Contains policies that have been
deferred.
• /Library/Application Support/JAMF/bin/jamfHelper.app—Application used to display
messages to an end user.
• /Library/Application Support/JAMF/bin/Management Action.app—Application used to
display messages to an end user in the macOS Notification Center.
• /Library/Application Support/JAMF/Composer/—Contains working directory for Composer to
save package sources.
• /Library/Application Support/JAMF/Config/—Contains Jamf Pro server-defined iBeacons.

• /Library/Application Support/JAMF/Downloads/—Temporary storage for downloaded packages.
• /Library/Application Support/JAMF/JAMF.keychain—Enables certificate-based authentication
with the Jamf Pro server.
• /Library/Application Support/JAMF/ManagementFrameworkScripts/StartupScript.sh—
Script that is called by the com.jamfsoftware.startupItem.plist to enable a check-in to the Jamf Pro server at
startup.
• /Library/Application Support/JAMF/Offline Policies/—Contains the contents of the policies
marked to be Available Offline.
• /Library/Application Support/JAMF/Receipts/—Contains receipts for all packages installed by
Jamf Pro.
• /Library/Application Support/JAMF/tmp/—Contains temporary storage for logs and other files.
• /Library/Application Support/JAMF/usage_reports/—Contains the application usage data to
be sent to the Jamf Pro server.
• /Library/Application Support/JAMF/Waiting Room/—Contains temporary storage for Cached
Packages.

Jamf Client Logging


• /var/log/jamf.log—Contains log messages written by the jamf binary.

Note: Other logging can be accessed via macOS logging commands. To view debug logging for the
JamfDaemon, execute the following command:

log stream --level debug --predicate 'subsystem BEGINSWITH "com.jamf.management.daemon"' --style compact

Removing Jamf Components from Computers Enrolled Using a PreStage Enrollment
This removes all Jamf-related components from computers that have been managed by Jamf Pro and all
package sources created with Composer.

1. In Jamf Pro, click Computers in the sidebar.


2. Perform a simple or advanced computer search.
For more information, see the Simple Computer Searches or Advanced Computer Searches sections in the
Jamf Pro Documentation.

3. Click the computer you want to remove the components from.

If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
4. Click the Management tab, and then click Remove MDM Profile.
5. Open Terminal on the computer you want to remove the components from.
6. Execute the following command:

/usr/local/bin/jamf removeFramework

All Jamf-related components are removed from the computer.

Removing Jamf Components from Computers Without an MDM Profile
This removes all Jamf-related components from computers that have been managed by Jamf Pro and all
package sources created with Composer.

1. Open Terminal on the computer you want to remove the components from.
2. Execute the following command:

/usr/local/bin/jamf removeFramework

All Jamf-related components are removed from the computer.

Components Installed on Mobile Devices


The following components are installed on mobile devices during enrollment:

• MDM Profile—This profile includes a SCEP enrollment request and an MDM enrollment request.
• Trust Profile—This profile contains the CA certificate. The CA certificate establishes trust between the
certificate authority (CA) and mobile devices. If you enrolled mobile devices using a PreStage enrollment, or
using Apple Configurator and an enrollment URL, the Trust Profile is not a separate profile and it is
contained within the MDM Profile.
• Device certificate—This certificate verifies the identity of managed mobile devices each time they
communicate with Jamf Pro.
• Jamf Self Service for iOS—Jamf Self Service for iOS allows you to distribute iOS configuration profiles,
apps, and books to mobile devices for users to install. Users tap the app to browse and then install items
using an interface similar to the App Store.

Note: Jamf Self Service for iOS is not installed on Apple TV devices or personally owned devices.

Before You Begin


Setting Up Jamf Pro
The first time you connect to the Jamf Pro server, the Jamf Pro Setup Assistant guides you through the
following setup tasks:

• Accept the license agreement.


• Enter your activation code.
• Create your first Jamf Pro user account.
• Enter your Jamf Pro URL. The Jamf Pro URL is the URL that client applications, computers, and mobile
devices will connect to when communicating with the Jamf Pro server.

After you complete the Jamf Pro Setup Assistant, you can click the setup tips that are displayed onscreen to
start configuring commonly used settings.

You may also want to make changes to the following preconfigured settings to ensure they meet the needs of
your organization. These settings are important because, over time, they can significantly affect the size of
your database and your levels of network traffic:

• “Update Inventory” policy—Determines how often computers submit inventory to Jamf Pro. For more
information, see Computer Inventory Information.
• Recurring check-in frequency—Determines the interval at which computers check in with Jamf Pro for
available policies. For more information, see Recurring Check-in Frequency.
• Mobile device inventory collection frequency—Determines how often mobile devices submit inventory
to Jamf Pro. For more information, see Mobile Device Inventory Collection Settings.

Related Content

• Network Ports Used by Jamf Pro

The Jamf Pro Dashboard


The Jamf Pro Dashboard is the first page you see after you log in to Jamf Pro. The dashboard is a helpful tool
for monitoring the status and progress of important Jamf Pro objects you have created, such as smart groups
and policies. You can customize the dashboard by adding widgets that display the information that is most
important to you.

The following image shows how a customized dashboard might appear. It displays widgets for smart groups
and policies, and one setup task remains to be completed.

To add widgets to the Jamf Pro Dashboard, select the Show in Jamf Pro Dashboard checkbox that is
displayed after you create any of the following objects:

• Configuration profiles (computers and mobile devices)


• Licensed software
• Patch management (reports and policies)
• Policies
• Smart groups (computers, mobile devices, and users)
• Third-party PKI certificate authorities

After you add a widget to the dashboard, you can interact with the displayed data. For example, you can click a
widget's heading to view the specific object in Jamf Pro.

Common setup tasks are displayed at the bottom of the dashboard until you complete each task.

You can access the Jamf Pro Dashboard at any time by clicking Dashboard in the sidebar or by clicking
the Jamf Pro logo in the top-left corner of the page.

Note: You must manually refresh the Jamf Pro Dashboard to display updated information. The
dashboard data does not automatically refresh.

Jamf Pro Objects


Jamf Pro objects are the building blocks for performing administrative tasks in Jamf Pro. Essentially, an object
is anything that you can create in Jamf Pro. For example, when you create a configuration profile to define
settings for devices, you have created an object. Common actions that can be taken on Jamf Pro objects are
cloning, editing, deleting, and viewing history.

Note: Available actions are dependent on the particular Jamf Pro object. (For example, a package
cannot be cloned, so the Clone button is not displayed for the Packages object.) In addition, an action is
not available if the required privileges have not been granted for that Jamf Pro object.

Some of the most frequently used object types are:

• Configuration profiles—XML files (.mobileconfig) that provide an easy way to define settings and
restrictions for devices, computers, and users. See Computer Configuration Profiles or Mobile Device
Configuration Profiles.
• Extension attributes—Custom attributes used to collect extra inventory information about computers,
mobile devices, or users. See Computer Extension Attributes, Mobile Device Extension Attributes, or User
Extension Attributes.

• Mac Apps—The area of Jamf Pro (Computers > Mac Apps) where you can distribute macOS apps that
you purchased in volume, macOS apps from the App Store, or third-party macOS apps from the Jamf App
Catalog. See Apps Purchased in Volume and App Installers.
• Packages—Jamf uses the term "Package" to refer to Apple Installer packages (PKGs) and disk images
(DMGs) that are used to deploy software and files to computers. See Packages.
• Patch policies—Instructions to computers for distributing and installing updates to third-party macOS
software titles. See Patch Policies.
• Policies—Task sequences of one or more actions, such as installing packages, running scripts, creating
user accounts, and updating inventory, that are implemented automatically on computers by the Jamf
management framework. See Policies.
• Smart groups—Saved groups of managed computers, mobile devices, or users that automatically collect
inventory information. See Smart Groups.

For detailed information about a specific Jamf Pro object, including instructions for navigating to the Jamf Pro
object, see the appropriate section in this guide.

Cloning a Jamf Pro Object


1. In Jamf Pro, navigate to the object you want to clone.
2. Click Clone and make changes as needed.
3. Click Save.

Editing a Jamf Pro Object


1. In Jamf Pro, navigate to the object you want to edit.
2. Click Edit.
3. Make changes as needed.
4. Click Save.

Deleting a Jamf Pro Object


1. In Jamf Pro, navigate to the object you want to delete.
2. Click Delete.
3. Click Delete again to confirm.

Viewing the History of a Jamf Pro Object


Jamf Pro allows you to view the history of each Jamf Pro object. The information you can view includes:

• The date/time the Jamf Pro object was created or edited


• The username of the administrator who made the change

• Notes associated with the changes


• Details about a change

1. In Jamf Pro, navigate to the object you want to view the history of.
2. Click History.
3. (Optional) Click Add Note to add a note to the history record.
4. (Optional) Click Details to view details about a change.

Jamf Pro Keyboard Shortcuts


Jamf Pro allows you to use keyboard shortcuts to perform common functions.

Note: All keyboard shortcuts use a modifier key. The modifier key on Mac is Control. The modifier key
on Windows and Linux is Alt.

The following keyboard shortcuts are available in Jamf Pro:

Shortcut           Action
Control-N          New (from a list view)
Control-E          Edit
Control-B          Back
Control-L          Logs
Control-C          Cancel
Control-D          Delete
Control-S          Save
Control-V          View
Control-H          History
Control-Shift-L    Jamf Pro Logs
Control-Shift-N    Clone
Control-1          Go to Jamf Pro Dashboard
Control-2          Go to Computers tab
Control-3          Go to Devices tab
Control-4          Go to Users tab
Control-5          Go to Settings
Control-9          Open Notifications

System Settings
Jamf Pro User Accounts and Groups
Jamf Pro is a multi-user application. Jamf Pro user accounts and groups allow you to grant different privileges
and levels of access to each user.

When configuring a Jamf Pro user account or group, you can grant access to the full Jamf Pro or to a specific
site. You can grant privileges by choosing one of the following privilege sets:

• Administrator—Grants all privileges.


• Auditor—Grants all read privileges.
• Enrollment Only—Grants all privileges required to enroll computers and mobile devices.

Note: This includes privileges to do the following:


◦ Log in to the Jamf Pro interface
◦ Read, create, and delete enrollment invitations
◦ Read and delete computer and mobile device records via the Jamf Pro API

• Custom—Requires you to grant privileges manually. For a Custom user account or group to have access to
a particular function, privileges may need to be granted for multiple objects. For example, to create a mobile
device configuration profile, the user needs privileges for both “Mobile Devices” and “Mobile Device
Configuration Profiles”.

If there are multiple users that should have the same access level and privileges, you can create a group with
the desired access level and privileges and add accounts to it. Members of a group inherit the access level and
privileges from the group. Adding an account to multiple groups allows you to grant a user access to multiple
sites.

There are two ways to create Jamf Pro user accounts and groups: you can create standard accounts or
groups, or you can add them from a Directory Service.

Important: Jamf recommends that you have at least one account that is not from a Directory Service in
case the connection between the Jamf Pro server and the Directory Service server is interrupted.

The Jamf Pro User Accounts and Groups settings also allow you to do the following:

• Configure account preferences for each Jamf Pro user account.


• Configure the password settings in the Password Policy for all standard Jamf Pro user accounts.
• Unlock a Jamf Pro user account that is locked.

Important: Jamf recommends that you create multiple accounts with administrator privileges. This is
because each Jamf Pro instance has its own authentication authority, and multiple administrator
accounts will allow an administrator to easily log back into an account should the password for one
account be lost.

Related Content

• Sites

Creating a Jamf Pro User Group

Requirements
To add accounts or groups from a directory service, you need an LDAP server or a cloud identity provider
set up in Jamf Pro.

For more information, see Entra ID Migration Assistant and LDAP Directory Service Integration.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click User accounts & groups.
3. Click New.
4. Do one of the following:
◦ To create a standard Jamf Pro user group, select Create Standard Group and click Next.
◦ To add a Jamf Pro user group from a Directory Service, select Add LDAP Group and click Next. Then
follow the onscreen instructions to search for and add the group.
5. Use the Group pane to configure basic settings for the group.
6. If you chose "Custom" from the Privilege Set pop-up menu, click the Privileges tab and select the
checkbox for each privilege that you want to grant the group.
7. Click Save.

Creating a Jamf Pro User Account

Requirements
To add accounts or groups from a directory service, you need an LDAP server or a cloud identity provider
set up in Jamf Pro.

For more information, see LDAP Directory Service Integration.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click User accounts & groups.
3. Click New.
4. Do one of the following:
◦ To create a standard Jamf Pro user account, select Create Standard Account and click Next.
◦ To add a Jamf Pro user account from a Directory Service, select Add LDAP Account and click Next.
Then follow the onscreen instructions to search for and add the account.
5. On the Account pane, enter information about the account as needed.
6. Choose an access level from the Access Level pop-up menu:
◦ To grant full access to Jamf Pro, choose "Full Access".
◦ To grant access to a site, choose "Site Access".

Note: The "Site Access" option is only displayed if there are sites in Jamf Pro.

◦ To add the account to a standard group, choose "Group Access".

Note: The "Group Access" option is only displayed if there are standard groups in Jamf Pro.

7. Do one of the following:
◦ If you granted the account full access or site access, choose a privilege set from the Privilege Set pop-up
menu. Then, if you chose "Custom", click the Privileges tab and select the checkbox for each
privilege that you want to grant the account.
◦ If you added the account to a group, click the Group Membership tab and select the group or groups
you want to add the account to.
8. Click Save.

Configuring Account Preferences


You can configure language & region, search, and interface preferences for each Jamf Pro user account.
Language & region preferences allow you to configure settings such as date format and time zone. Search
preferences allow you to configure settings for computer, mobile device, and user searches. Interface
preferences allow you to configure various settings for the Jamf Pro interface.

1. Log in to Jamf Pro.

2. At the top of the page, click the account settings icon and then click Account Preferences.
3. Click the Language & Region tab and use the pop-up menus to configure language and region
preferences.
4. Click the Search Preferences tab and use the pop-up menus to configure search preferences.

Note: The default search preference is "Exact Match". For most items, the option can be changed to
either "Starts with" or "Contains".

5. Click the Interface Preferences tab and configure settings as desired.
6. Click Save.

Configuring the Password Policy


The Password Policy in Jamf Pro allows you to configure the password settings. The Password Policy applies
to all standard Jamf Pro user accounts.

Note: All new Jamf Pro instances are configured with a ten-character minimum password policy for the
first administrator account. This criterion is displayed on the Create Account page in the Jamf Pro Setup
Assistant.

You can configure the following password settings:

• Number of login attempts allowed before a Jamf Pro user is locked out of the account
• Password length and age
• Password reuse limitations
• Password complexity
• Settings to allow a user to unlock their own account

Note: Password Policy applies only to local user accounts created within Jamf Pro User Accounts &
Groups. It does not affect accounts authenticated against external directory services connected through
single sign-on, Directory Service servers, or cloud identity providers.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click User accounts & groups.
3. Click Password Policy.
4. Click Edit.
5. Use the settings on the pane to specify the password settings.
6. Click Save.
7. When prompted, choose to save your changes or save and force a password reset for all user accounts in
your instance the next time the user logs in. This will also force a password reset for the admin configuring
the password policy.

The settings are applied immediately.

Unlocking a Jamf Pro User Account


A Jamf Pro user could be locked out of their account if they exceed the specified number of allowed login
attempts. If the Password Policy is configured to allow the user to unlock their account, the user can reset their
password to unlock their account. In this case, an email is immediately sent to the email address associated
with the account in Jamf Pro allowing the user to unlock their account by resetting their password. In addition,
a Jamf Pro user account that is locked can be manually unlocked from Jamf Pro by another Jamf Pro user with
the Administrator privilege set.

The access status of the account is displayed as “Disabled” in Jamf Pro until the account is unlocked.

Requirements
For a password reset email to be sent to locked accounts, an SMTP server must be set up in Jamf Pro. For
more information, see SMTP Server Integration.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click User accounts & groups.
3. Click the Jamf Pro user account that has an access status of “Disabled”, which means the account is
locked.
4. Click Edit.

5. Choose "Enabled" from the Access Status pop-up menu to unlock the account.
6. Click Save.

The Jamf Pro user account is unlocked immediately.

API Roles and Clients


The API Roles and Clients functionality in Jamf Pro provides a dedicated interface for controlling access to the
Jamf Pro API and the Classic API. You can create custom privilege sets as API roles and then assign them as
needed, ensuring API clients have only the necessary capabilities for their tasks. Roles can be shared
between clients, and more than one role can be assigned to a client, allowing you to manage and reuse
privilege sets for various purposes in a convenient and granular way.

Creating an API Role


To grant privileges to an API client in Jamf Pro, you must first create an API role that defines a privilege set.
One or more of these roles can then be assigned to a client to grant their cumulative privileges.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click API Roles and Clients.
3. Click the API Roles tab at the top of the pane.
4. Click New.
5. Enter a display name for the API role.
6. In the Jamf Pro API role privileges field, begin typing the name of a privilege you want to assign, and
then select it from the pop-up menu.

Continue adding privileges this way until you are finished.

7. Click Save.

Note: If you are using Jamf Setup, Jamf Reset, Jamf Parent, or Jamf Teacher in your environment, you
may notice there are API roles already created and in use by these applications. These roles can be
reused safely with other API clients that require similar privileges, but Jamf does not recommend editing
these roles, as it could interfere with the functionality of those apps. Jamf Pro will not allow any API
roles to be deleted while in use.

Creating an API Client


You can create an API client in Jamf Pro to generate a client secret, which can then be used by the Jamf Pro
API to generate access tokens.

Requirements
At least one API role created in Jamf Pro

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click API roles and clients.
3. Click the API Clients tab at the top of the pane.
4. Click New.
5. Enter a display name for the API client.
6. In the API Roles field, add the roles you want to assign to the client.
The client will have the cumulative privileges of all assigned roles.
7. Under Access Token Lifetime, enter the time in seconds that you want access tokens to be valid for.

Note: Changing the Access Token Lifetime value at a later time does not affect any access
tokens previously generated from the API client. Similarly, deleting or disabling a client does not
disallow access for previously generated access tokens that are still valid. Changes made to any
API roles assigned to a client, however, will affect all access tokens immediately.

8. Click Save.
9. Click Edit.
10. Click Enable API Client to allow the client to be used to generate a client secret.
11. Click Save.

Generating a Client Secret


After you have created an API client and assigned it one or more roles, you can generate a client secret which
can then be used to generate access tokens.

Requirements
An API client created in Jamf Pro with at least one role assigned to it

1. In Jamf Pro, navigate to the API client you want to generate an access token from.
2. Click Generate Client Secret.
A confirmation dialog appears.
3. Click Create Secret.

A pop-up window appears with the client secret.

Note: The client secret will only be displayed once. Make sure you save it to a secure location before
dismissing the dialog.

After you have generated a client secret, it can be used by the /api/oauth/token endpoint of the Jamf Pro
API to generate an access token.

The following is an example of what a request to the /api/oauth/token endpoint might look like in a script.

curl --location --request POST 'https://localhost:8443/api/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id=6cabf059-21c9-44d6-bbde-02898f7430dd' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_secret=dzmsPks-FwXpks80jhQGZZrAV3H2_ER0NAk91RE-xOBZvfghd98EM1hF9msfkanl'

In this example, the Jamf Pro API sends back this response to the above request:

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI2Y2FiZjA1OS0yMWM5LTQ0ZDYtYmJkZS0wMjg5OGY3NDMwZGQiLCJhdWQiOiI2Y2FiZjA1OS0yMWM5LTQ0ZDYtYmJkZS0wMjg5OGY3NDMwZGQiLCJuYmYiOjE2ODgwNjc2NDMsInRva2VuLXV1aWQiOiIyYzZlYzYzZi02YmQ4LTRiOGQtOWNjYS00OWQ0MjMzMjY4NzAiLCJzdWJqZWN0LXR5cGUiOiJSRUdJU1RFUkVEX0NMSUVOVF9JRCIsImF1dGhlbnRpY2F0aW9uLXR5cGUiOiJDTElFTlRfQ1JFREVOVElBTFMiLCJzY29wZSI6WyJhcGktcm9sZToyIl0sImlzcyI6Imh0dHBzOi8vbG9jYWxob3N0Ojg0NDMiLCJleHAiOjE2ODgwNjgyNDMsImlhdCI6MTY4ODA2NzY0M30.2QGGXfVo8KgTGoZBIuE1d4bdnN0JqiZ5KXPO0pOkd9U",
  "scope": "api-role:2",
  "token_type": "Bearer",
  "expires_in": 599
}

The access token contained in this response can then be used by a script or another application to access
Jamf Pro and perform any action within the privileges of the roles assigned to the client.

Rotating a Client Secret


You can rotate a client secret to generate a new secret for an API client. This invalidates the previous secret,
which can then no longer be used to generate access tokens.

1. In Jamf Pro, navigate to the API client you want to generate a new client secret for.
2. Click Rotate Client Secret.
A confirmation dialog appears.

3. Click Rotate Secret.

The previous client secret is invalidated and can no longer be used to generate an access token. A new client
secret is created.

Disabling an API Client


You can disable an API client that you no longer want to use to generate access tokens for Jamf Pro.

Note: Deleting or disabling a client does not disable access for previously generated access tokens that
are still valid.

1. In Jamf Pro, navigate to the API client you want to disable.


2. Click Disable API Client.

The client can no longer be used to generate access tokens for Jamf Pro.
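
Because deleting, disabling, or changing the Access Token Lifetime of a client does not affect tokens already issued, the configured lifetime is the window during which an issued token stays usable. The following Python sketch is an added example, not Jamf code: it decodes the claims of a token response shaped like the sample on this page and reports the lifetime, the assigned roles, and how long a token would remain valid after its client is disabled. The function names, the 600-second policy threshold, and the assumption that the access token is a JWT carrying exp, iat and scope claims are illustrative, and the sample token is constructed.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(access_token: str) -> dict:
    """Return the payload claims of a JWT without verifying its signature.

    Inspection only: unverified claims must never drive an authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("access token is not a three-part JWT")
    return json.loads(b64url_decode(parts[1]))


def audit_token_response(response: dict, max_lifetime: int) -> dict:
    """Summarize a token response and flag lifetimes above max_lifetime seconds."""
    claims = jwt_claims(response["access_token"])
    lifetime = claims["exp"] - claims["iat"]
    findings = []
    if lifetime > max_lifetime:
        findings.append(
            f"token lifetime {lifetime}s exceeds policy maximum {max_lifetime}s"
        )
    if response.get("expires_in", 0) > lifetime:
        findings.append("expires_in is longer than the lifetime in the claims")
    return {
        "client_id": claims.get("sub"),
        "roles": sorted(claims.get("scope", [])),
        "lifetime": lifetime,
        "expires_at": claims["exp"],
        "findings": findings,
    }


def residual_validity(claims: dict, disabled_at: int) -> int:
    """Seconds a token stays usable after its client is disabled or deleted."""
    return max(0, claims["exp"] - disabled_at)


def sample_response(iat: int, lifetime: int) -> dict:
    """Build a CONSTRUCTED response shaped like the documented one (not a real token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    claims = {
        "sub": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
        "scope": ["api-role:2"],
        "iss": "https://jamf.example.invalid:8443",      # placeholder issuer
        "iat": iat,
        "exp": iat + lifetime,
    }
    token = ".".join([enc({"alg": "HS256"}), enc(claims), "constructed-signature"])
    return {
        "access_token": token,
        "scope": "api-role:2",
        "token_type": "Bearer",
        "expires_in": lifetime - 1,
    }


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed issue time (epoch seconds)
    response = sample_response(issued, lifetime=1800)
    report = audit_token_response(response, max_lifetime=600)
    print(json.dumps(report, indent=2))
    # Client disabled five minutes after the token was issued:
    left = residual_validity(jwt_claims(response["access_token"]), issued + 300)
    print(f"token remains valid for {left}s after the client is disabled")
```

To cut off a client immediately, change the API roles assigned to it, since role changes affect all access tokens at once.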

LDAP Directory Service Integration


Integrating with an LDAP directory service allows you to do the following:

• Look up and populate user information from an LDAP directory service for inventory purposes.
• Add Jamf Pro user accounts or groups from an LDAP directory service.
• Require users to log in to Self Service or the enrollment portal using their LDAP directory accounts.
• Require users to log in during mobile device setup using their LDAP directory accounts.
• Base the scope of remote management tasks on users or groups from the directory service.

Note: Jamf Pro may experience performance issues if too many LDAP groups are included in the scope
of an object. If you need to use multiple LDAP criteria within a scope, consider creating a smart group
with those criteria, and then scope to that smart group instead.

To integrate with LDAP directory service, you need to add the LDAP server to Jamf Pro. There are two ways to
add LDAP servers to Jamf Pro: using the LDAP Server Assistant or manually.

The LDAP Server Assistant guides you through the process of entering information about the LDAP server and
ensuring that LDAP attributes are mapped properly. It allows you to integrate with the following directory
services:

• Apple’s Open Directory


• Microsoft’s Active Directory
• NetIQ eDirectory

Note: When your configuration uses SSL, the LDAP server must be configured to issue the server
certificate when Jamf Pro requests an SSL connection. If the server certificate is not natively trusted,
you need to add the trusted root certificate of the CA that issued the server certificate to Jamf Pro.

Manually adding an LDAP server involves entering detailed information about the LDAP server and manually
configuring attribute mappings. This allows you to integrate with additional Directory Services. If manually
configuring LDAP server settings for Active Directory, see the LDAP Attribute Mappings Reference article for
information on configuration settings and example attribute values.

Related Content

• LDAP Proxy

• Configuring Jamf Pro to Use LDAP Over SSL When Authenticating with Active Directory

Adding an LDAP Server Using the LDAP Server Assistant


1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click LDAP servers.
3. Click New.
4. Follow the onscreen instructions to add the LDAP server.

Manually Adding an LDAP Server


Before manually adding an LDAP server, it is important that you are familiar with search bases, object classes,
and attributes. If you are not familiar with these concepts, use the LDAP Server Assistant to ensure that
attributes are mapped correctly.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click LDAP servers.
3. Click New.
4. Select Configure Manually and click Next.
5. Use the Connection pane to configure how Jamf Pro connects to the LDAP server.
6. Use the Mappings pane to specify object class and search base data, and map attributes.
7. Click Save.

Testing LDAP Attribute Mappings


You can test the following LDAP attribute mappings:

• User mappings
• User group mappings
• User group membership mappings

If Jamf Pro returns the appropriate information, the attributes are mapped correctly.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click LDAP servers.
3. Click the LDAP server you want to test.
4. Click Test.
5. Click the appropriate tab and enter information in the fields provided.
6. Click Test again.

Cloud Identity Providers


Integrating Jamf Pro with a cloud identity provider allows you to access user data stored in the provider's
configuration in an easy and secure way. You can do the following:

• Look up and populate user information for inventory purposes.


• Add Jamf Pro user accounts or groups from the cloud identity provider.
• Require users to log in to Self Service or the enrollment portal using their directory accounts.
• Require users to log in during mobile device setup using their directory accounts.
• Base the scope of remote management tasks on users or groups from the cloud identity provider.

Google Secure LDAP Integration


When integrating Jamf Pro with Google's Secure LDAP, consider the following:

• Jamf Pro allows you to integrate with Google's secure LDAP service that is a part of G Suite Enterprise and
Cloud Identity Premium. The service can be used with Jamf Pro for user authentication and group syncing.
Cloud Identity Free or G Suite Basic/Business assigned users display in user lookup results and you can
add them as Jamf Pro LDAP accounts.

Note: Users assigned to Cloud Identity Free or G Suite Basic/Business licenses are not allowed to
authenticate in Jamf Pro. When such a user tries to authenticate, the INSUFFICIENT_ACCESS_RIGHTS (50)
error code is displayed in Jamf Pro logs. For information on Secure LDAP service error codes, see the
following documentation from Google: https://support.google.com/a/answer/9167101.

• Google's secure LDAP service requires a different configuration than standard LDAP servers. For
instructions about how to add Jamf Pro as an LDAP client to the secure LDAP service, configure access
permissions, and download the generated certificate, see the following documentation from Google:
https://support.google.com/cloudidentity/answer/9048516
• After you have added Jamf Pro as an LDAP client, you need to generate the .p12 keystore file. For more
information, see the Generating the PKCS12 Keystore File When Integrating Google Cloud Identity Provider
with Jamf Pro article.

Configuring a Google Cloud Identity Provider Connection


When a server connection is added, it is enabled by default. You can configure multiple connections and
choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this
server. This means you can add a different configuration without deleting the current connection. To disable
the connection, use the switch.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Cloud identity providers.
3. Click New.
4. Choose Google and click Next.
5. Configure the settings on the tab. Consider the following limitations:
◦ The display name for the configuration must be unique.
◦ The Domain name value automatically populates the Search Base dc values on the User Mappings and
User Groups Mapping tabs.
6. Use the Mappings tab to specify object class and search base data, and map attributes. When configuring
the search base, structure the server query in the order that reflects the hierarchical structure of your
directory tree to ensure the search returns correct results. See the "Default Attribute Mappings for Google
Secure LDAP" section below for default mappings reference and use it while troubleshooting the
connection.

Note: You can configure cloud identity provider attribute mappings using the Jamf Pro API. For
more information, see the Configuring Cloud Identity Provider Attribute Mappings Using the Jamf
Pro API article.

7. Click Save.


Saving a server connection triggers automatic verification of the hostname, port, and domain. The verification
process must succeed before the connection is ready to use.

Important: In large environments, the verification process for valid configurations may fail. Ensure the
values in the form are correct and try saving the configuration again.

After your configuration is saved, you can test the mappings. For more information, see Testing Cloud Identity
Provider Attribute Mappings.

To troubleshoot a failed connection, navigate to Reports in your Google Admin console, and check the LDAP
audit log.

Default Attribute Mappings for Google Secure LDAP


The following table lists the default Jamf Pro mappings and the corresponding cloud identity provider
attributes:

| Jamf Pro Attribute Mapping Name | Cloud Identity Provider Attribute Mapping Value |
|---|---|
| objectClassLimitation | ANY_OBJECT_CLASSES |
| objectClasses | inetOrgPerson |
| searchBase | ou=Users |
| searchScope | ALL_SUBTREES |
| additionalSearchBase | |
| userID | mail |
| username | uid |
| realName | displayName |
| emailAddress | mail |
| department | departmentNumber |
| building | |
| room | |
| phone | |
| position | title |
| userUuid | uid |
| objectClassLimitation | ANY_OBJECT_CLASSES |
| objectClasses | groupOfNames |
| searchBase | ou=Groups |
| searchScope | ALL_SUBTREES |
| groupID | cn |
| groupName | cn |
| groupUuid | gidNumber |
| groupMembershipMapping | memberOf |
| groupMappings | |
| objectClassLimitation | ANY_OBJECT_CLASSES |

For more information on the Secure LDAP schema, see the following documentation from Google: Secure
LDAP schema.
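
When troubleshooting, it can help to reproduce by hand the lookup that the default user mappings describe. The following added example (not Jamf Pro code) builds the search base, scope and filter for one user from the domain name and applies the default user mappings to a returned entry. The filter shape, the function names and the sample entry are assumptions made for illustration.

```python
import re

# Default user mappings from the table above:
# Jamf Pro mapping name -> Secure LDAP attribute.
# building, room and phone have no default value and are omitted.
USER_DEFAULTS = {
    "userID": "mail",
    "username": "uid",
    "realName": "displayName",
    "emailAddress": "mail",
    "department": "departmentNumber",
    "position": "title",
    "userUuid": "uid",
}

_LABEL = re.compile(r"^[A-Za-z0-9-]+$")


def domain_to_dc(domain):
    """Turn 'example.com' into 'dc=example,dc=com'."""
    labels = domain.strip(".").split(".")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"unexpected domain label: {label!r}")
    return ",".join(f"dc={label}" for label in labels)


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, characters such as * ( ) in a username would change
    the meaning of the filter instead of being matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_search(domain, username, search_base="ou=Users",
                object_class="inetOrgPerson"):
    """Search parameters for one user, most specific DN component first."""
    name_attr = USER_DEFAULTS["username"]
    return {
        "base": f"{search_base},{domain_to_dc(domain)}",
        "scope": "subtree",  # ALL_SUBTREES in the table
        "filter": f"(&(objectClass={object_class})"
                  f"({name_attr}={escape_filter_value(username)}))",
        "attributes": sorted(set(USER_DEFAULTS.values())),
    }


def apply_mappings(entry, mappings=USER_DEFAULTS):
    """Map an LDAP entry to Jamf Pro field names and list unfilled fields."""
    record, missing = {}, []
    for jamf_name, ldap_attr in mappings.items():
        values = entry.get(ldap_attr) or []
        if values:
            record[jamf_name] = values[0]
        else:
            missing.append(jamf_name)
    return record, missing


# Constructed sample entry (attribute -> list of values), not real data.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "mail": ["jdoe@example.com"],
    "displayName": ["Jane Doe"],
    "title": ["Engineer"],
}

if __name__ == "__main__":
    print(user_search("example.com", "jdoe"))
    print(apply_mappings(SAMPLE_ENTRY))
```

A field reported as missing by apply_mappings points at an attribute that the directory did not return for that user, which is the first thing to compare against the Mappings tab.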

Microsoft Entra ID Integration


Integrating Jamf Pro with Microsoft Entra ID as a cloud identity provider allows for the following directory-based
workflows:

• Looking up all users and groups for inventory purposes
• Performing user membership lookups and using them to map privileges to relevant accounts in Jamf Pro
• Configuring user authentication and scoping

When integrating Jamf Pro with Entra ID, consider the following:

• Your Jamf Pro instance needs to be hosted in Jamf Cloud.

Note: This integration uses the Cloud Connector to establish the integration with Entra ID. The Cloud
Connector is currently not available for Jamf Premium Cloud Plus customers.


• You need Global Administrator Entra ID privileges to manage consent requested by the Jamf Pro Entra ID
Connector enterprise app.
• User groups added in Jamf Pro have the same name as groups configured in Entra ID. Accounts and
groups added in Jamf Pro must be the standard type.
• When working with directory-related workflows (e.g., adding scope limitations and exclusions), Entra ID
cloud identity items are listed under the Directory Service headings.

Entra ID as a cloud IdP integration uses Microsoft Graph API and connections to the
https://graph.microsoft.com domain. Together with the consent granted by the administrator via the Cloud
Connector, this ensures the directory data are automatically passed and used in the directory workflows in
Jamf Pro. No actions other than reading data are performed in Entra ID.

When setting up the Graph API connection between Jamf Pro and Entra ID, Global Administrator user
privileges are required to authenticate. After successful authentication, an application for Jamf Pro is
automatically added in Entra ID to use the Graph API. This means that the application in Entra ID does not
need to be manually created. After the application is added, the session is terminated. When Jamf Pro is
performing lookups in Entra ID, it is in a read-only state. Jamf Pro cannot write data back to Entra ID.

The following diagram shows the typical Jamf Pro and Entra ID IdP integration workflow:


After receiving the consent, the Cloud Connector Web application performs authorization of a given client
identifier and the received tenant identifier against the Entra ID authorization endpoint. As a result, Entra ID
responds with an authorization code. This code is passed with the tenant identifier back to Jamf Pro. After
Jamf Pro receives the set of data from the Cloud Connector Web application, it verifies the received
authorization code. If there are no issues in the data set, the configuration is saved. This approach ensures
Jamf Pro limits the usage of your Entra ID tenant data only to the allowed client/application.

The TLS version used for securing data in transit is 1.2 or higher with Perfect Forward Secrecy (PFS). Jamf
Pro will always attempt to negotiate the highest protocol first.

To create the connection, the following set of permissions is required for the Jamf Pro application:

• Sign in and read user profile
• Read directory data

The following set of permissions is required for the application:


User.Read
Allows users to be able to sign in to the app. This is necessary for registration workflows.
Directory.Read.All
Allows the app to read data in your organization's directory, such as users, groups and apps. Users may
consent to applications that require this permission if the application is registered in their own
organization's tenant.

When the connection to Entra ID is enabled, Jamf Pro can query the directory information from Entra ID. The
following diagram shows the typical flow for directory data lookups:

When the administrator initializes the directory lookup, Jamf Pro requests an access token from Entra ID using
the Client Credentials Flow. After the token is granted, Jamf Pro queries the directory data via the Microsoft
Graph API. After successful client verification, a data set is returned. Jamf Pro maps this data to an object that
can then be used in directory workflows in Jamf Pro. For information about Microsoft Graph REST API, see
Microsoft Graph REST API v1.0 reference.

Related Content

• Five steps for integrating all your apps with Azure AD


• Azure Active Directory (Azure AD) identity provider for External Identities

Configuring an Entra ID Cloud Identity Provider Connection

Important: If Jamf Pro already integrates with a Microsoft Entra ID Domain Services or Microsoft’s
Active Directory LDAP configuration that you plan to migrate to an Entra ID instance, do not add this
Entra ID instance as a cloud identity provider in Jamf Pro until you are ready to migrate your
configuration. To ensure your existing LDAP workflows (e.g., scoping or user accounts and groups)
continue to work correctly, you will need to migrate your configuration. For more information, see
Migrating an LDAP Server to an Entra ID Cloud Identity Provider Instance. Adding and using data from
the Entra ID integration prior to migration may break your environment.

When a server connection is added, it is enabled by default. You can configure multiple connections and
choose which configuration to use. Disabling the connection prevents Jamf Pro from querying data from this
server. This means you can add a different configuration without deleting the current connection. To disable
the connection, use the switch.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Cloud identity providers.
3. Click New.
4. Choose Azure and click Next. You are redirected to the administrator consent page in Microsoft.
5. Enter your Microsoft Entra ID credentials and follow the onscreen instructions to grant the permissions
requested by the Jamf Pro Entra ID Connector application.
6. After the request completes, in Jamf Pro configure the settings on the Server Configuration tab. Consider
the following:
◦ The display name for the configuration must be unique.
◦ The Tenant ID value is pre-populated with information from Microsoft.
◦ When single sign-on (SSO) with Entra ID is configured in Jamf Pro, select Transitive groups for SSO
to enforce transitive membership lookups in the user and group directory. This ensures that all Entra ID
groups that a group is a member of are included in a directory lookup. There is no need to run recursive
queries to list the groups that a user is a member of. You can configure a specific user mapping in the
User Mapping from the SAML Assertion field. This allows you to adjust username mapping during
transitive membership requests and match the user identifier from the SAML single sign-on settings in
the Entra ID configuration.
◦ Select Transitive membership lookups to enforce membership lookups for directory workflows that
include all groups that a user or group is a member of. This is recursive and checks more than only the
direct membership.
◦ It is recommended to set the Connection Timeout value to 5.
7. Use the Mappings tab to specify user attribute mappings and group attribute mappings. See the "Default
Attribute Mappings for Entra ID as a Cloud Identity Provider" section below for default mappings reference
and use it while troubleshooting the connection.

Important: To ensure the configuration works as expected, consider the following:

◦ The values for the User Id mapping must support the $filter parameter in Entra ID.
◦ The value for the Group Id mapping defaults to "id" and cannot be changed.

Note: You can configure cloud identity provider attribute mappings using the Jamf Pro API. For
more information, see the Configuring Cloud Identity Provider Attribute Mappings Using the Jamf
Pro API article.

8. Click Save.

Saving a server connection triggers an automatic verification process. After your configuration is saved, you
can test the mappings. For more information, see Testing Cloud Identity Provider Attribute Mappings.
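
The following added example (not Jamf Pro's implementation) shows how the User Id mapping and the Transitive membership lookups setting described above translate into Microsoft Graph v1.0 requests. It then uses a constructed nested-group directory to list the Jamf Pro groups a user matches only when transitive lookups are on. The function names, the sample directory and the group names are assumptions.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def user_lookup_url(user_id_attr, value):
    """Graph request that finds one user by the attribute mapped to User Id.

    The lookup is a $filter query, which is why the mapped attribute
    must support $filter.
    """
    literal = value.replace("'", "''")  # OData escapes ' by doubling it
    expression = f"{user_id_attr} eq '{literal}'"
    return f"{GRAPH}/users?$filter=" + quote(expression, safe="")


def membership_url(object_id, transitive):
    """Direct (memberOf) or nested (transitiveMemberOf) membership request."""
    segment = "transitiveMemberOf" if transitive else "memberOf"
    return f"{GRAPH}/users/" + quote(object_id, safe="") + f"/{segment}"


# Constructed sample directory: member -> groups it is a DIRECT member of.
# Groups appear as members too, which is what makes membership nested.
DIRECT_MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Mac Engineers"},
    "Helpdesk": {"IT Staff"},
    "Mac Engineers": {"IT Staff", "Jamf Admins"},
    "IT Staff": {"All Employees"},
}


def direct_groups(member):
    """What a direct membership lookup returns for this sample data."""
    return set(DIRECT_MEMBER_OF.get(member, ()))


def transitive_groups(member):
    """What a transitive lookup returns: direct groups plus every parent."""
    seen = set()
    stack = list(direct_groups(member))
    while stack:
        group = stack.pop()
        if group in seen:  # already expanded; also stops on circular nesting
            continue
        seen.add(group)
        stack.extend(direct_groups(group))
    return seen


def privilege_delta(member, jamf_privilege_groups):
    """Jamf Pro groups the member matches only through nested membership."""
    gained = transitive_groups(member) - direct_groups(member)
    return gained & set(jamf_privilege_groups)


def audit(members, jamf_privilege_groups):
    """Members whose effective Jamf Pro groups change with the setting."""
    report = {}
    for member in members:
        delta = privilege_delta(member, jamf_privilege_groups)
        if delta:
            report[member] = sorted(delta)
    return report


if __name__ == "__main__":
    print(user_lookup_url("userPrincipalName", "alice@example.com"))
    print(membership_url("00000000-0000-0000-0000-000000000000", True))
    print(audit(["alice", "bob"], ["Jamf Admins", "IT Staff"]))
```

Running the audit over the groups that carry Jamf Pro privileges or scope shows which accounts gain or lose access when the setting is toggled.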

Multi-factor Authentication
When Entra ID with multi-factor authentication (MFA) enabled is added as the cloud identity provider, some
authentication workflows in Jamf Pro (e.g., Self Service login and enrollment login) do not work for Entra ID
user groups and accounts. To allow users to use the workflows, you must configure single sign-on (SSO) with
Entra ID. For information on how to configure SSO in Jamf Pro, see Single Sign-On (SSO).

Important: Self Service for mobile devices does not support single sign-on workflows.

The following table summarizes how multi-factor authentication (MFA) status in Entra ID affects Jamf Pro
authentication workflows for Entra ID cloud IdP:

| Type of Workflow | With MFA Disabled in Entra ID | With MFA Enabled in Entra ID | With MFA Enabled in Entra ID and SSO with Entra ID Configured in Jamf Pro |
|---|---|---|---|
| Jamf Pro login | Supported (standard login page) | Not supported | Supported (Microsoft login screen) |
| Enrollment login (User-initiated enrollment and Enrollment Customization) | Supported (enrollment login page and the Directory Service Authentication pane in Enrollment Customization) | Not supported | Supported (Microsoft login page/the SSO Authentication pane in Enrollment Customization) |
| Jamf Pro Applications (e.g., Jamf Admin) | Supported (standard login window) | Not supported | Not supported |
| Self Service for macOS login | Supported (standard login window) | Not supported | Supported (Microsoft login screen) |
| Self Service for Mobile Devices login | Supported (standard login window) | Not supported | Not supported |

Default Attribute Mappings for Entra ID as a Cloud Identity Provider


The following table lists the default Jamf Pro mappings and the corresponding cloud identity provider
attributes:

Note: The following attribute mappings are pre-configured defaults. You can change them at any time to
suit your organization's needs.

| Jamf Pro Attribute Mapping Name | Cloud Identity Provider Attribute Mapping Value |
|---|---|
| userId | id |
| userName | userPrincipalName |
| realName | displayName |
| email | mail |
| department | department |
| building | |
| room | |
| phone | mobilePhone |
| position | jobTitle |
| groupId | id |
| groupName | displayName |

For more information on mapping sets, see the following documentation from Microsoft:

• User resource type properties
• Group resource type properties

Microsoft Entra ID Migration Assistant


The Entra ID migration assistant helps you move away from on-premise active directories to the cloud using
Entra ID. Entra ID can replace Active Directory LDAP services in Microsoft environments or synchronize Active
Directory data with Entra ID. Entra ID allows on-premise components to continue to use LDAP services, while
cloud applications can use the same data from Entra ID. Integrating Jamf Pro with Microsoft Active Directory's
LDAP services enables the following:

• Authentication of administrators logging in to Jamf Pro and users logging in to enroll devices, or to Self
Service.
• Lookups for the user and group data to allow for the following:
◦ Listing inventory information
◦ Scoping of apps, content, policies, and profiles
◦ Configuring Jamf Pro Administrator groups

Migrating an LDAP Server to an Entra ID Cloud Identity Provider Instance

You can migrate your LDAP server in Jamf Pro to use Entra ID data. The testing features of the Entra ID
migration allow you to verify values for user and group mappings and ensure your directory workflows continue
to work correctly after the migration completes.

Note: Once the migration is complete, the mappings selected in the Entra ID migration assistant will
overwrite the mappings currently configured for Entra ID cloud IdP.

Important:

• The current version of the migration assistant does not verify the computer Login Window payload.
If a configuration profile with the Login Window payload exists in your environment, you will need to
configure it again after migration.
• The LDAP server to Entra ID migration is a one-direction process and cannot be undone.
• Migrating an LDAP server integration's workflows to an Entra ID cloud identity provider means that
your source LDAP server configuration will be disabled and will be marked as Migrated. It will not be
queried for data.
• Communication to the LDAP Proxy is disabled once the Entra ID migration is complete.


Requirements
• Before beginning the migration, create and enable Entra ID integration in Jamf Pro.
• Your environment must be cloud-hosted.
• You must have familiarity with your Entra ID infrastructure.
• Before beginning the migration, your Entra ID directory needs to be synchronized with your LDAP
directory using Entra ID Connect.
• Ensure your Entra ID cloud IdP connection is enabled so Jamf Pro can query the server for directory
data.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Cloud identity providers.
3. Click the Entra ID instance you want to migrate your directory configuration to.
4. Click Migrate.
5. Select the existing source LDAP configuration.
The migration assistant shows the currently selected Transitive membership lookups setting for your
Entra ID configuration. A warning displays if the transitive membership lookup setting does not match the
recursive groups search setting from LDAP as this will affect membership results for nested groups.
6. Click Next.
7. Enter a username of a user in your source directory in the "Username from source LDAP" field.
8. Enter a username of a user in Entra ID in the "Username from Azure AD" field.
9. Click Test.
10. Verify the information in the Status column for data match. The following table describes the statuses you
may see during testing:

| Status | Description |
|---|---|
| Match | Values returned for mappings are the same. Workflows that use them will not be affected. |
| New | Entra ID mapping returned a value that has not been used in the source configuration. Review the settings for your environment to ensure the directory-related workflows will not be affected. |
| Conflict | Values returned for mappings are different. Workflows that use them will be affected and may fail to complete. |
| Case Conflict | Values returned for group attributes are case-sensitive and do not match. Workflows that use them will be affected and may fail to complete. |
| Mismatch | Values returned for mappings are different. Internal Jamf Pro workflows that use them will not be affected. Likely causes include case differences or mismatches around duplicates within the multi-value extension attributes. Note: Jamf Pro will not be affected after a migration, but a mismatch may impact systems that depend on Jamf Pro's data for their workflows. This differs from a Case Conflict, where a change of case can impact internal Jamf Pro workflows. |
| Empty | Entra ID mappings do not return values. Review the settings for your environment to ensure the directory-related workflows will not be affected. |

If the key data does not match as expected, edit Entra ID attributes until the values work in your
environment.

Note: The values must be the same for source and target configurations, except for the ID, which is
unlikely to match. Jamf recommends testing different Entra ID mappings to reduce the number of
conflicts and mismatches. Jamf recommends testing at least three users and three groups. You can
generate an optional report with the migration summary, including the location data. This allows you
to review the settings and verify how values for users and groups in the new configuration are
mapped. Access the report in the History details of your Entra ID instance or in Jamf Pro
Notifications.

11. Click Next.
12. Enter the name of a group in your source directory in the "Group Name from Source LDAP" field.
13. Enter the name of a group from Entra ID in the "Group Name from Azure AD" field.
14. Click Test.
15. Verify the information in the Status column for data match.
If the key data does not match as expected, edit the Entra ID attributes until the values are sufficient for
your environment.

Note: Having transitive groups for SSO enabled under the Entra ID integration can impact access
for users. If you used Entra ID SSO before migrating and have Transitive Groups for SSO enabled,
verify that group-based privileges granted before the migration are still correct.

16. Click Next to test extension attribute mappings.


Note: If you do not want to test extension attributes, click Skip and proceed to step 21.

17. Enter a username of a user in your source directory in the "Username from source LDAP" field.
18. Enter a username of a user in Entra ID in the "Username from Azure AD" field.
19. Click Test.

Note: The user data is based on the most recent check-in of the user's single device. Jamf Pro
stores user extension attributes within a device entry and the migration assistant displays the data
for the user's device that has checked-in most recently, ensuring that the latest user data is
compared.

20. Click Next.

Note: The mappings used for users and groups will be saved to the Entra ID integration history. If
you navigate away from the migration assistant, these mappings will need to be retrieved from the
Entra ID integration history and manually applied for future use.

21. (Optional) Click Generate to create a report that summarizes data mapped after the migration assistant is
complete.
A dialog window appears while the report is generating.

Best Practice:
While reviewing the report, consider the following:
◦ The front sheet of the report (CSV file) provides information to help you interpret the data.
◦ The report only lists problematic entries. Empty tabs and fewer rows in the available sheets
mean a higher probability that the migration will be successful.
◦ Columns come in pairs and represent LDAP-based data in Jamf Pro and data found in Entra ID.
◦ Objects are color-coded according to severity, with red items indicating a mismatch that affects
Jamf Pro and yellow items indicating a mismatch that does not affect Jamf Pro. Objects in white
indicate a match, but there are data mismatches elsewhere in the row.

22. Click Save and migrate.
23. Click Migrate.
After the migration process completes, your source LDAP server configuration is marked as Migrated.


Note: Having transitive groups for SSO enabled under the Entra ID integration can impact access for
users. If you used Entra ID SSO before migrating and have Transitive Groups for SSO enabled, verify
that group-based privileges granted before the migration are still correct.

Testing Cloud Identity Provider Attribute Mappings


You can test the following attribute mappings:

• User mappings
• User group mappings
• User group membership mappings

If Jamf Pro returns the appropriate information, the attributes are mapped correctly.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Cloud identity providers.
3. Click the instance name you want to test.
4. Click Test.
5. For Google Secure LDAP:
a. In the Search Criteria area, enter full or partial names in the Username Search String and Group
Name Search String fields.
b. Click Search or press the Return key.
The results will be displayed in the Search Results area.
c. In the Search Results area, click the Username and Group Name pop-up menus to select results and
validate user, group, and membership information.
6. For Entra ID:
a. Click the appropriate tab and enter information in the fields provided.
b. Click Test.

Single Sign-On (SSO)


You can integrate with a third-party identity provider (IdP) to enable single sign-on (SSO) for portions of Jamf
Pro. When SSO is configured and enabled, users are automatically redirected to your organization's IdP login
page. After authentication, users obtain access to the resource they were attempting to access.

SSO with Jamf Pro can be enabled for the following:


• Jamf Pro server—Every time an unauthenticated user attempts to access the Jamf Pro server, they will be
redirected to the IdP login page unless the Allow users to bypass the Single Sign-On authentication
checkbox is selected in Jamf Pro's Single Sign-On settings.
• User-Initiated Enrollment (iOS and macOS)—Users must authenticate with an IdP to complete User-
initiated Enrollment. The username entered during SSO authentication will be used by Jamf Pro to populate
the Username field in the User and Location category during an inventory update.
• Jamf Self Service for macOS—Users must authenticate with an IdP to access Self Service. The username
entered during SSO authentication will be used by Jamf Pro for scope calculations. Self Service is able to
access any existing usernames from the IdP.

Note:

• Using SSL (HTTPS) endpoints and the POST binding for transmission of the SAML protocol is
recommended.
• When configuring your IdP settings, using a SHA-256 or higher signature for SAML assertions is
recommended.

Related Content

• LDAP Directory Service Integration


• Jamf Pro User Accounts and Groups
• Jamf Self Service
• Device Enrollment for Computers
• Device Enrollment for Mobile Devices

Single Sign-On and Directory Service


If Directory Services is also integrated with Jamf Pro, keep the following in mind when configuring SSO:

• If using Directory Service users or groups for SSO, they should first be added as standard Jamf Pro users or
groups in the Jamf Pro User Accounts and Groups settings.
• If Directory Service is integrated with Jamf Pro, Directory Service limitations and exclusions can be used.
They will be calculated by matching the username entered into the IdP during Self Service user login with
the username from the integrated Directory Service.
• If Directory Service is not integrated with Jamf Pro, targets and exclusions for a username will be calculated
by matching the username entered into the IdP during Self Service user login with Jamf Pro user accounts
and groups.


Single Logout
Jamf Pro uses IdP-initiated SAML Single Logout (SLO) during enrollment to ensure users can end all sessions
started with Jamf Pro and the IdP. After users complete the enrollment process, a Logout button is available.
Use the Messaging pane in User-Initiated Enrollment settings to customize the text displayed during the
enrollment experience.

SLO is not available in the following scenarios:

• Your IdP does not provide any SLO endpoints in the metadata.
• A Jamf Pro Signing Certificate is not set up.

When SLO is not available, a message stating that the IdP session may still be active is displayed to users.
This is important for Jamf Pro administrators who cannot completely log out after performing the enrollment
process for other users.

Note: To support uncommon IdP configurations, the GET binding (less secure than POST) can be used
for SAML Single Logout.
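
The SSO recommendations and the SLO conditions above can be checked against an IdP's SAML metadata and a sample signed assertion. The following added example (not part of Jamf Pro) flags non-HTTPS endpoints, a missing POST binding for SSO, missing or GET-only SLO endpoints, and signature methods weaker than SHA-256. The metadata and assertion samples are constructed, and the function names are assumptions.

```python
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"  # uses GET
STRONG_DIGEST = re.compile(r"sha(256|384|512)")

# Constructed samples. For files from an untrusted source, parse with a
# hardened XML parser instead of the standard library one used here.
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/metadata">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/slo"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

SAMPLE_ASSERTION = """
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod
          Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
  </ds:Signature>
</Assertion>
"""


def _endpoints(root, name):
    """(binding, location) pairs for every endpoint element of this name."""
    return [(e.get("Binding"), e.get("Location", ""))
            for e in root.iter(MD + name)]


def lint_idp_metadata(xml_text):
    """Return findings for the SSO and SLO endpoints in IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = _endpoints(root, "SingleSignOnService")
    slo = _endpoints(root, "SingleLogoutService")
    findings = []
    for kind, endpoints in (("SSO", sso), ("SLO", slo)):
        for _binding, location in endpoints:
            if not location.lower().startswith("https://"):
                findings.append(f"{kind} endpoint is not HTTPS: {location}")
    if not any(binding == POST for binding, _ in sso):
        findings.append("no HTTP-POST binding offered for SSO")
    if not slo:
        findings.append(
            "no SLO endpoint in metadata: Single Logout is unavailable")
    elif all(binding == REDIRECT for binding, _ in slo):
        findings.append("SLO offered only over the HTTP-Redirect (GET) binding")
    return findings


def weak_signature_methods(xml_text):
    """Signature algorithm URIs that do not name SHA-256, -384 or -512."""
    root = ET.fromstring(xml_text)
    algorithms = [e.get("Algorithm", "")
                  for e in root.iter(DS + "SignatureMethod")]
    return [a for a in algorithms if not STRONG_DIGEST.search(a.lower())]


if __name__ == "__main__":
    for finding in lint_idp_metadata(SAMPLE_METADATA):
        print("metadata:", finding)
    for algorithm in weak_signature_methods(SAMPLE_ASSERTION):
        print("weak signature method:", algorithm)
```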

Enabling Single Sign-On in Jamf Pro


To enable single sign-on (SSO), you must configure settings in both your IdP's console and Jamf Pro.

Configuring settings for your IdP must be completed before you enable SSO in Jamf Pro. In some
environments, simultaneous configuration between your IdP and Jamf Pro is required.

Note: Enabling SSO for Jamf Pro services and applications prevents users from authenticating with all
other user credentials. Jamf recommends that you notify users about changes to the authentication
experience in your organization, when enabled.

Requirements
• Integration with an identity provider (IdP) that supports SAML 2.0 protocols. For more information, see
the following:
◦ Single Sign-On articles for Active Directory Federation Services, Centrify, Google Workspace, Okta,
OneLogin, PingOne, and Shibboleth
◦ Tutorial: Azure Active Directory SSO integration with Jamf Pro documentation from Microsoft
◦ Integrate Jamf Pro documentation from Entrust


• Two-way communication on TCP ports between the IdP and the Jamf Pro server
• Jamf Pro user accounts or groups with matching IdP usernames or groups
• Administrator privileges to Jamf Pro and your IdP
• If leveraging the failover URL for local account access, and SSO is enabled, the configured Jamf Pro
account will need both read and update privileges for SSO

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Single sign-on.
3. Click Edit.
4. Click the Enable Single Sign-On Authentication switch to enable the configuration.

Note: In the Failover Login URL box, click Copy to clipboard, and then save the failover login
URL to a secure location. This URL will allow you to log in using your Jamf Pro credentials after
SSO is configured and enabled. If you have created an SSO integration prior to 10.45.0, the failover
login URL will remain unchanged until you click the Regenerate button.

5. Choose your IdP from the Identity Provider pop-up menu.
If your IdP is not listed, choose "Other" and enter your IdP's name in the Other Provider field. The Entity
ID field is pre-populated by default (e.g., "https://JAMF_PRO_URL.jamfcloud.com/saml/metadata").

Note: For most IdPs, the Entity ID value should match the Audience URI value in the IdP's
configuration settings.

6. Click an option to configure the Identity Provider Metadata Source setting:


◦ Metadata File—Allows you to upload a metadata file in .xml format.
◦ Metadata URL—You must obtain this URL from your IdP's configuration settings (e.g., the "Audience
URI" or "Audience Restriction").
7. (Optional) Enable the Token Expiration Time Override if you need to override the default token
expiration period specified by your IdP.
When enabled, the value in minutes determines the amount of time before the SAML token expires. The
field is pre-populated with the default value determined by your selected IdP. If you override the default
value, you must ensure the new value matches the token expiration settings configured in your IdP.
The Token Expiration Time Override setting is set to Disabled by default. This means the default
expiration time provided by your IdP is used.


Important: If your IdP is Azure, Google Workspace, or Okta, Jamf Pro users or end users using
enrolled devices may encounter login errors if the Token Expiration Time Override setting is
enabled. To prevent these errors, you may want to disable the Token Expiration Time Override
setting. This will stop Jamf Pro from verifying the token's lifetime, which is controlled and verified by
your IdP. Alternatively, you can ensure that the token expiration time set in Jamf Pro exceeds the
expiration time configured by your IdP. However, issues may still occur if the token expiration time
dynamically changes.

8. Click an option to configure the Identity Provider User Mapping setting to define which attribute from the
SAML token should be mapped to Jamf Pro users:
◦ NameID—This is the default attribute name.
◦ Custom Attribute—Allows you to enter a custom attribute name that is included in the SAML token sent
from the IdP.
9. Click Username or Email for Jamf Pro User Mapping.
These options determine how users in your IdP will be mapped to Jamf Pro users. By default, Jamf Pro
gets information about the user from the IdP and matches it with existing Jamf Pro user accounts. If the
incoming user account does not exist in Jamf Pro, then group name matching occurs.
10. Enter the SAML assertion attribute that defines users in the IdP in the Identity Provider Group Attribute
Name field.
Jamf Pro matches each group from the Jamf Pro database and compares group names. Each user will be
granted access privileges from all of the groups in the same manner as a local Jamf Pro user would.
AttributeValue strings may be formatted as multiple strings, a single string, or semicolon-separated
values.

Example: http://schemas.xmlsoap.org/claims/Group

11. (Optional) Use the RDN Key for LDAP Group field to extract the name of the group from strings sent in
LDAP format, Distinguished Names (DN).
Jamf Pro searches the incoming string for a Relative Distinguished Name (RDN) with the specified key and
uses the value of the RDN Key as the actual name of the group.

Note: If the directory service string contains several RDN parts with the same key (e.g.,
CN=Administrators, CN=Users, O=YourOrganization ), Jamf Pro will extract group names
from the left-most RDN Key (e.g., CN=Administrators ). If you leave the RDN Key for LDAP
Group field blank, Jamf Pro will use the entire LDAP format string.


12. (Optional) Click the Security checkbox and click a Jamf Pro Signing Certificate option to establish
secure SAML communication with a certificate:
◦ Generate Certificate—Allows you to generate a signing certificate if you are not providing your own.
Click Generate and a signing certificate will be automatically generated.
◦ Upload Certificate—Allows you to upload your own signing certificate. If you are uploading the Jamf
Pro Signing Certificate, upload a signing certificate keystore (.jks or .p12) with a private key to sign
and encrypt SAML tokens, enter the password to the keystore file, select a private key alias, and then
enter the key password.

Note: For some IdPs, you may need to download the certificate and include it in your IdP
configuration settings.

13. (Optional) Click Single Sign-On Options for Jamf Pro to configure the following additional options:
◦ Allow users to bypass the Single Sign-On authentication—Allows users to sign in to Jamf Pro
without SSO, if they directly navigate to the Jamf Pro URL. When a user tries to access Jamf Pro via
your IdP, SSO authentication and authorization still occurs.
◦ Enable Single Sign-On for Self Service for macOS—Allows users to sign in to Self Service via the
IdP login page. Self Service is able to access any existing usernames from the IdP.

Note:
▪ Enabling this option automatically changes the Authentication Type in Settings > Self
Service > macOS > Login to Single Sign-On.
▪ Disabling this option automatically changes the Authentication Type in Settings > Self
Service > macOS > Login to Directory Service account or Jamf Pro user account.

◦ Enable Single Sign-On for User Authentication during Enrollment—Allows users to enroll via the
login page of their identity provider during user-initiated enrollment, Account-Driven User Enrollment,
and Account-Driven Device Enrollment. When enabled, the username at the IdP login page will be the
username Jamf Pro uses for the Username field in the User and Location category during an inventory
update for a computer or mobile device. You can click Any identity provider user to allow access to
all users in your IdP, or click Only this group to restrict access to a select group of users.

Note:
▪ If Directory Service is integrated with Jamf Pro, the User and Location information will be fully
populated using a lookup from Jamf Pro to Directory Service.
▪ If Directory Service is not integrated with Jamf Pro, the Username field will be the only item
populated in the User and Location category. User lookup will not work during enrollment.


14. Click Save.
15. (Optional) Click Download to download the Jamf Pro metadata XML file.
Some IdPs require the metadata file to properly configure SAML. The file contains several important URLs
that let the IdP know where to send a user, as well as how to verify to Jamf Pro.
◦ EntityDescriptor : jamfproURI/saml/metadata
◦ SingleLogoutService : jamfproURI/saml/SingleLogout
For other IdPs, minimal metadata is required without the need for the metadata file. This allows for quicker
setup since all required information will be provided in the system automatically.

Users are now automatically redirected to your organization's IdP login page to access configured portions of
Jamf Pro.
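Steps 10 and 11 describe how group names arrive in the SAML assertion and how the RDN Key for LDAP Group setting reduces a Distinguished Name to a group name. The sketch below is an added illustration of that documented behaviour, not Jamf Pro's implementation. The function names, the sample values, the case-insensitive key comparison, the fallback to the whole string when no RDN matches, and splitting semicolon-separated values before DN parsing are assumptions.

```python
import re


def split_unescaped(text, sep):
    """Split text on sep, ignoring separators that follow a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current).strip())
    return [p for p in parts if p]


def unescape(value):
    """Undo RFC 4514 backslash escapes (escaped characters and hex bytes)."""
    out = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))
                i += 3
            else:
                out.extend(value[i + 1].encode())
                i += 2
        else:
            out.extend(value[i].encode())
            i += 1
    return out.decode("utf-8", errors="replace")


def group_from_dn(value, rdn_key):
    """Return the value of the left-most RDN whose key equals rdn_key."""
    if not rdn_key:
        return value  # blank RDN key: the entire LDAP format string is used
    for rdn in split_unescaped(value, ","):
        key, sep, val = rdn.partition("=")
        # Assumption: attribute keys are compared case-insensitively.
        if sep and key.strip().lower() == rdn_key.lower():
            return unescape(val.strip())
    return value  # assumption: no matching RDN leaves the string unchanged


def groups_from_attribute(attribute_values, rdn_key=""):
    """Collect group names from the AttributeValue strings of the group attribute.

    Handles multiple strings, a single string, or semicolon-separated values.
    """
    groups = []
    for raw in attribute_values:
        for item in split_unescaped(raw, ";"):
            name = group_from_dn(item, rdn_key)
            if name not in groups:
                groups.append(name)
    return groups


if __name__ == "__main__":
    # Constructed values. Two different DNs share the left-most CN, so both
    # collapse to the same group name once the RDN key is applied; group
    # names therefore need to be unique across the directory.
    values = [
        "CN=Administrators,CN=Users,O=YourOrganization",
        "CN=Administrators,OU=Contractors,O=YourOrganization",
        "CN=Ops\\, Tier 2,OU=Groups,O=YourOrganization",
    ]
    print(groups_from_attribute(values, "CN"))
    print(groups_from_attribute(["Helpdesk;Auditors"]))
```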

Testing the Single Sign-On Configuration


1. Log out of Jamf Pro and your IdP.
2. Navigate to your Jamf Pro URL in a web browser.
You will be redirected to the SSO login page.
3. Log in to Jamf Pro using your SSO credentials.

Your IdP login page should successfully redirect you to the Jamf Pro Dashboard after authentication.

SMTP Server Integration


Integrating with an SMTP server allows you to do the following:

• Send email notifications to Jamf Pro users when certain events occur.
• Send user-initiated enrollment invitations via email.
• Send mass emails to end users.

To integrate with an SMTP server, you need to configure the SMTP Server settings in Jamf Pro.

Related Content

• Email Notifications
• Mass Actions for Computers
• Mass Actions for Mobile Devices
• Device Enrollment for Computers
• Device Enrollment for Mobile Devices


Configuring the SMTP Server Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click SMTP server.
3. Click Edit.
4. Enable the Enable SMTP server toggle.
5. Enter a server and port number in the Server And Port field.

Example: smtp.serveraddress.com : 465

6. Select an encryption protocol from the Encryption pop-up menu.


7. Enter a value in the Connection Timeout field.
8. Enter a name in the Sender Display Name field.
9. Enter an email address in the Sender Email Address field.

Note: This email account must be associated with the SMTP server used in step 5.

10. (Optional) If your SMTP server requires authentication, select the Requires authentication checkbox,
and configure the necessary fields.
11. Click Save.

Testing the SMTP Server Settings


Once the SMTP Server settings are configured, you can send a test email from Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click SMTP server.
3. Click Test.
4. Enter a test email address and click Test again.

A message displays, reporting whether or not the email was sent successfully. If the email is not sent
successfully, troubleshooting should be completed with your SMTP server provider and IT staff.

Email Notifications
Jamf Pro can send email notifications when the following events occur:


• A computer fails to enroll.


• An error occurs while a policy is running.
• A restricted software violation occurs.

Note: For this to work, email notifications must also be enabled for the individual restricted software
records.

• The license limit for a licensed software record is exceeded.

Note: For this to work, email notifications must also be enabled for the individual licensed software
records.

• One or more Memcached Endpoint(s) are not reachable.


• Smart computer group membership changes.
• Smart device group membership changes.
• Smart user group membership changes.
• SSL certificate verification is disabled.
• Tomcat is started or stopped.
• The database is backed up successfully.
• A database backup fails.
• An instance of the Jamf Pro web app in a clustered environment fails.
• Jamf Pro account is locked out because of excessive failed login attempts.
• Jamf Pro fails to add a file to the cloud distribution point.
• Jamf Pro is unable to communicate with your Jamf Protect instance.
• An updated patch reporting software title is available.

Note: You can choose to be notified of available software title updates via email or a Jamf Pro
notification, or both. The Jamf Pro notification option displays a pop-up dialog to the user in Jamf Pro
when a new software title update is available. You can also receive notifications for a specific
software title. If you disable this notification, you do not receive notifications for any specific software
titles that have Patch Notifications enabled.

• The volume purchasing (formerly VPP) service token for a location is approaching its expiration date.


Note: The first email notification is sent 31 days before the token expires. Email notifications are sent
once a week until the token is 7 days from its expiration date. When the expiration date is less than 7
days, they are sent every day until the token expires. After the token has expired, no email
notifications are sent.

• A Jamf Infrastructure Manager instance has not checked in with Jamf Pro.

Note: An email notification is sent if the Infrastructure Manager fails to check in with Jamf Pro after
three attempts. Only one notification is sent for this event.

• The Jamf Pro JSS Built-in Certificate Authority (CA) is approaching its expiration date or has already
expired.
• The Jamf Pro JSS Built-in Certificate Authority (CA) renewal process succeeded or failed.

Enabling Email Notifications


Jamf Pro allows you to enable email notifications for specific events.

Note: Some essential notifications, such as certificate authority (CA) expiration emails, are enabled by
default and cannot be disabled.

Requirements
• An SMTP server set up in Jamf Pro (For more information, see SMTP Server Integration.)
• An email address specified for the Jamf Pro user account you want to enable email notifications for (For
more information, see Jamf Pro User Accounts and Groups.)

1. In Jamf Pro, click the account settings icon, and then click Notifications.

Note: The Notifications option is not displayed if your Jamf Pro user account is associated with a
Directory Service group.

2. Select the checkbox for each event that you want to receive email notifications for.
3. Click Save.


Activation Code
The Activation Code settings in Jamf Pro allow you to update the activation code for your license. You can also
change the organization name associated with the license and view licensing information.

Updating the Activation Code


Every time you receive a new activation code, it must be updated in Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.
2. Click Activation Code.
3. Click Edit.
4. Enter the new activation code.
5. Click Save.

Change Management
Change Management allows you to track the changes that happen in Jamf Pro, such as the creation of a Jamf
Pro user account. The Change Management settings in Jamf Pro allow you to log those changes to a log file
(JAMFChangeManagement.log) on the Jamf Pro host server and log the changes to a syslog server.

The Change Management logs can also be viewed in Jamf Pro. The information displayed includes:

• Date/time the change took place


• Username of the administrator who made the change
• Object type (such as a Jamf Pro user account)
• Object name (such as the username of a Jamf Pro user account)
• Action (such as “Created”)
• Details about the change

In addition, you can view the changes to a specific object in that object’s history.

Note: The option to log changes to a log file or a syslog server is only available for on-premise
environments. If your environment is hosted in Jamf Cloud, changes are automatically displayed in the
Change Management settings and cannot be exported.


General Requirements
To log changes to a log file, the account used to run Tomcat must have write permissions for the directory
where the JAMFChangeManagement.log file is located.

Configuring the Change Management Settings for On-Premise Environments

The option to configure the Change Management settings is only available for on-premise environments. If
your environment is hosted in Jamf Cloud, changes are automatically displayed in the Change Management
settings.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Change management.
3. Click Edit.
4. Configure the settings on the pane.
5. Click Save.

Viewing Change Management Logs in Jamf Pro


1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Change management.
3. View log details by doing the following:
◦ To view the object associated with a change, click the object in the Object Name column.
◦ To view details about the change, click Details in the Details column.

SSL Certificate
Jamf Pro requires a valid SSL certificate to ensure that computers and mobile devices communicate with the
Jamf Pro server and not an imposter server. For cloud-hosted Jamf Pro instances, the SSL certificate is
completely managed by Jamf. If you have an on-premise environment, you must create or upload an SSL
certificate for your on-premise instance of Jamf Pro.

The Apache Tomcat settings in Jamf Pro allow you to create an SSL certificate from the certificate authority
(CA) that is built into Jamf Pro. You can also upload the certificate keystore for an SSL certificate that was
obtained from an internal CA or a trusted third-party vendor.

Note:


• If your environment is hosted in Jamf Cloud, the Apache Tomcat settings are managed by Jamf
Cloud and are not accessible.
• If your environment is clustered, you must log in to the Jamf Pro web app for each Apache Tomcat
node and create or upload any SSL certificates for each node.

Related Content

• Enabling SSL on Tomcat with a Public Certificate

Creating or Uploading an SSL Certificate

Requirements
To create or upload an SSL certificate, Jamf Pro must be installed as the “ROOT” web app, and the user
running the Tomcat process must have read/write access to Tomcat’s server.xml file.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Apache Tomcat settings.
3. Click Edit.
4. Select Change the SSL certificate used for HTTPS and click Next.
5. Follow the onscreen instructions to upload or create an SSL certificate.
6. Restart Tomcat for the changes to take effect. For instructions, see the Starting and Stopping Tomcat
article.

Log Flushing
Flushing logs reduces the size of the database and can speed up searches. You can flush the following types
of logs:

• Application Usage logs


• Computer Usage logs
• Policy logs
• Screen sharing logs
• Computer and mobile device management history
• Computer inventory reports (computer inventory information from past inventory submissions)
• Mobile device inventory reports (mobile device inventory information from past inventory submissions)


• Jamf Pro access logs


• Change Management logs
• Event logs
• User and Location History
• User Reports
• Jamf Application Deployments

You can schedule log flushing to take place daily, or you can manually flush logs as needed. You can also
choose to flush logs that are older than a certain number of weeks or months, or one year.

For information on the types of data flushed with each log and the database tables affected, see the Data and
Tables Affected by Log Flushing article.

Related Content

• Viewing and Flushing Logs for a Policy


• Computer History Information
• Mobile Device History Information

Scheduling Log Flushing


1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Log flushing.
3. Click Edit.
4. Use the pop-up menus to choose the amount of time after which each type of log should be flushed.
5. Choose a time of day from the Time to Flush Logs Each Day pop-up menu.
6. Click Save.

Manually Flushing Logs


1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Log flushing.
3. Click Flush.
4. Select the checkbox for each type of log you want to flush.
5. From the Flush Logs Older Than pop-up menu, choose the amount of time after which logs should be
flushed.
6. Click Flush.

A message displays, reporting the success or failure of the flush.


Maintenance Pages
The Maintenance Pages setting allows you to create a custom maintenance page for each language used in
your environment.

The maintenance page is displayed to users when Jamf Pro is starting up or being upgraded during
enrollment.

A maintenance page configuration is preconfigured in Jamf Pro for each of the following languages: English,
French, German, Japanese, Spanish, and Traditional Chinese. When a computer or mobile device has a
preferred language set on it, it displays the maintenance page configuration that corresponds with that
language. The English version of the maintenance page is displayed if the computer or mobile device does not
have a preferred language set on it.

In addition to the language, the message and the graphic displayed on the maintenance page can be
customized. The preconfigured maintenance page message is “We’ll be back.” You can use Markdown to
format the maintenance page message and image.

Creating a Maintenance Page Configuration


The Maintenance Pages setting allows you to create a custom maintenance page for each language used in
your environment.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Maintenance pages.
3. Click New.
4. Use the Language pop-up menu to specify the language that will be contained within the message.
Computers and mobile devices with a preferred language that matches the specified language will display
this version of the maintenance page.
5. Use the Maintenance Page Message field to customize the message displayed during the Jamf Pro
maintenance process.
For information about how to use Markdown to customize the message, see the Using Markdown to
Format Text article.

6. Click Save.
7. Repeat this process as needed for other languages.


Jamf Pro Summary


The Jamf Pro Summary is a custom report that can be useful for troubleshooting Jamf Pro issues, and for
providing information to Jamf for purposes of support or license renewal.

By default, the Jamf Pro Summary includes the following information:

• Number of managed and unmanaged computers


• Number of managed mobile devices
• Operating system on the Jamf Pro host server
• Path to the Jamf Pro web app
• Apache Tomcat version
• Information about the version of Java installed on the Jamf Pro host server
• Information about the MySQL connection and configuration

You can also add information to the Jamf Pro Summary from the following categories as needed:

• Computers
• Mobile Devices
• Users
• System Settings
• Server Infrastructure
• Global Management
• Computer Management
• Computer Management–Management Framework
• Mobile Device Management
• User Management
• Network Organization
• Database

Related Content

• Customer Experience Metrics

Viewing the Jamf Pro Summary


You can view the Jamf Pro Summary in a browser window to analyze the custom report.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Information section, click Jamf Pro Summary.


3. Select the checkboxes next to the items you want to include.
4. Click Create.
The Jamf Pro Summary displays in a browser window.
5. Click the Back button in the web browser to return to the Jamf Pro Summary pane.

Sending the Jamf Pro Summary to Jamf


You can send a copy of the Jamf Pro Summary to Jamf for troubleshooting help or for license renewal
purposes.

Requirements
To send the Jamf Pro Summary to Jamf, you need a valid Jamf ID.

To create a Jamf ID, go to: https://id.jamf.com/CommunitiesSelfReg

1. In Jamf Pro, click Settings in the sidebar.

2. In the Information section, click Jamf Pro Summary.


3. Select the checkboxes next to the items you want to include.
4. Click Send Summary to Jamf.
5. Enter your Jamf ID credentials, and then click Send.

The Jamf Pro Summary is sent to Jamf.

Jamf Pro Server Logs


The Jamf Pro Server Logs settings allow you to view and download the Jamf Pro server log and volume
purchasing logs from the Jamf Pro web app. You can also use the Jamf Pro Server Logs settings to do the
following:

• Jamf Pro— You can enable debug mode and statement logging for the Jamf Pro
• Volume purchasing— You can enable debug mode and traffic logging for volume purchasing. Traffic
logging allows you to view the communication between the Jamf Pro server and Apple.

Related Content

• Enabling Debug Mode


Viewing and Downloading the Jamf Pro Server Log


1. In Jamf Pro, click Settings in the sidebar.
2. In the Information section, click Jamf Pro server logs.
3. Click Edit.
4. Configure the options on the screen.
5. Click Save.
The Jamf Pro server log displays on the page.

6. (Optional) Click Download to download the log.


The JAMFSoftwareServer.log is downloaded immediately.

Viewing and Downloading the Volume Purchasing Log


1. In Jamf Pro, click Settings in the sidebar.
2. In the Information section, click Jamf Pro server logs.
3. Select the Volume Purchasing tab and click Edit.
4. Configure the options on the screen.
5. Click Save.
The volume purchasing server log displays on the page.

6. (Optional) Click Download to download the log.


The JAMFProVPP.log is downloaded immediately.

Jamf Pro Health Check Page


The Jamf Pro health check page allows you to view the status of your environment. This can be useful for
identifying performance and configuration issues. For example, you can use the Jamf Pro health check page to
ensure all instances of the Jamf Pro web app in a clustered environment are running without error.

Note: The Jamf Pro health check page is not the same as the Jamf Pro Health Check service offered by
Jamf Professional Services.

The following table lists the possible statuses the Jamf Pro health check page may return:

74
PDF Generated: 01/02/24
This PDF is current as of the date it was generated. For current information, visit learn.jamf.com
© Copyright 2002 - 2024 Jamf. All rights reserved.
System Settings

| Status | Description |
| --- | --- |
| [{"healthCode":1,"httpCode":503,"description":"DBConnectionError"}] | An error occurred while testing the database connection. |
| [{"healthCode":2,"httpCode":200,"description":"SetupAssistant"}] | The Jamf Pro Setup Assistant was detected. |
| [{"healthCode":3,"httpCode":503,"description":"DBConnectionConfigError"}] | A configuration error occurred while attempting to connect to the database. |
| [{"healthCode":4,"httpCode":503,"description":"Initializing"}] | The Jamf Pro web app is initializing. |
| [{"healthCode":5,"httpCode":503,"description":"ChildNodeStartUpError"}] | An instance of the Jamf Pro web app in a clustered environment failed to start. |
| [{"healthCode":6,"httpCode":503,"description":"InitializationError"}] | A fatal error occurred and prevented the Jamf Pro web app from starting. |
| [] | The Jamf Pro web app is running without error. |

Using the Jamf Pro Health Check Page


To navigate to the Jamf Pro health check page, append "healthCheck.html" to your Jamf Pro URL. For
example:

• https://JAMF_PRO_URL.jamfcloud.com/healthCheck.html (hosted in Jamf Cloud)
• https://JAMF_PRO_URL.com:8443/healthCheck.html (hosted on-premise)

The status of your environment displays on the screen.

Once you have identified the status of your environment, you can take steps to resolve any issues that were
found.
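For monitoring, the response can be interpreted by a script instead of read in a browser. The following is an added example, not Jamf's code: it parses a healthCheck.html response body against the status table above and treats only the empty array as healthy, which matters because the SetupAssistant status carries httpCode 200. The function names and sample bodies are constructed, and `fetch_health` assumes that an error response still carries the status array in its body.

```python
import json
import urllib.error
import urllib.request

# healthCode -> meaning, copied from the status table above.
MEANINGS = {
    1: "An error occurred while testing the database connection.",
    2: "The Jamf Pro Setup Assistant was detected.",
    3: "A configuration error occurred while attempting to connect to the database.",
    4: "The Jamf Pro web app is initializing.",
    5: "An instance of the Jamf Pro web app in a clustered environment failed to start.",
    6: "A fatal error occurred and prevented the Jamf Pro web app from starting.",
}


def interpret_health(body):
    """Parse a health check body into {'healthy': bool, 'findings': [...]}.

    Each finding is a (healthCode, description, meaning) tuple. Only an
    empty JSON array counts as healthy; anything unparseable is a finding.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return {"healthy": False,
                "findings": [(None, "Unparseable", "Response body is not JSON.")]}
    if not isinstance(data, list):
        return {"healthy": False,
                "findings": [(None, "Unparseable", "Response body is not a JSON array.")]}
    findings = []
    for entry in data:
        if not isinstance(entry, dict):
            findings.append((None, "Malformed", "Array entry is not an object."))
            continue
        code = entry.get("healthCode")
        meaning = MEANINGS.get(code) if isinstance(code, int) else None
        findings.append((code, entry.get("description", ""),
                         meaning or "Status not listed in the table."))
    return {"healthy": not findings, "findings": findings}


def fetch_health(base_url, timeout=10):
    """Fetch <base_url>/healthCheck.html with default TLS verification."""
    url = base_url.rstrip("/") + "/healthCheck.html"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Assumption: an error status (e.g. 503) still returns the status array.
        body = err.read().decode("utf-8", "replace")
    return interpret_health(body)


if __name__ == "__main__":
    # Constructed sample bodies matching rows of the status table.
    samples = [
        "[]",
        '[{"healthCode":2,"httpCode":200,"description":"SetupAssistant"}]',
        '[{"healthCode":1,"httpCode":503,"description":"DBConnectionError"}]',
        "<html>maintenance</html>",
    ]
    for body in samples:
        print(interpret_health(body))
```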


Global Management Settings


Push Certificates
A push certificate is an encrypted file generated by Apple that establishes trust between a third-party service
like Jamf Pro and Apple Push Notification service (APNs). APNs is the medium through which Jamf Pro
commands and information are sent to and from devices. Devices continuously listen to APNs for commands
and send messages back to Jamf Pro through APNs after commands have been received.

Each push certificate is valid for one year and must be renewed using the same Apple ID that was used to
generate it.

If you have a push certificate in .p12 format, you do not need to create a new one. You can simply upload
the .p12 file to Jamf Pro following the instructions in this section.

You can also use Jamf Pro to renew your push certificate when needed.

Note: Uploading a push certificate to Jamf Pro automatically enables the Enable Push Notifications
setting in Jamf Pro's Security settings.

Related Content

• Network Ports Used by Jamf Pro

• Video: Generating an Apple Push Notification (APNs) Certificate with Jamf Pro
• Video: Renewing an Apple Push Notification (APNs) Certificate with Jamf Pro
• Supporting Apple Push Notification Service (APNs) Over HTTP/2

Creating a Push Certificate


A push certificate is an encrypted file generated by Apple that establishes trust between Jamf Pro and the
Apple Push Notification service (APNs) to allow secure communication to devices enrolled with Jamf Pro.

An assistant in Jamf Pro guides you through the following steps to create a new push certificate (.pem) and
upload it to Jamf Pro.


Requirements
• A valid Jamf ID. To create a Jamf ID, go to: https://id.jamf.com/CommunitiesSelfReg
• A valid Apple ID. (An institutional Apple ID is recommended.)

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Push certificates.
3. Click New.
4. Select Download signed CSR from Jamf. A CSR, or certificate signing request, is a file that Jamf Pro
generates to identify itself to APNs, which will use that request to generate the push certificate.
5. Click Next.
6. Enter your Jamf ID credentials. If you don't have a Jamf ID, go to account.jamf.com and click Create one
now to get started.
7. Click Next. The CSR file JamfSignedCSR.plist will automatically be downloaded.
8. Complete the following steps in the Apple Push Certificates Portal to create the push certificate:
a. Either click the link provided in Jamf Pro, or open a new tab and navigate to identity.apple.com/pushcert.
b. Sign in using your Apple ID. The Apple ID used to create the push certificate will need to be reused
every year to renew the certificate.

Best Practice: Jamf recommends that you use a generic, institutionally owned Apple ID rather
than a personal Apple ID. If a personal Apple ID is used and that person leaves the organization,
you will need to create a new certificate and re-enroll every managed device in Jamf Pro. If you
need to create a new Apple ID, click the "Create yours now" link to do so.

c. Click Create a Certificate.


d. Read through the terms of use, select the checkbox to certify you have done so, and then click Accept.
e. Click Choose File, select the JamfSignedCSR.plist file that you downloaded from Jamf Pro
earlier, and click Upload.

Best Practice: Jamf recommends that you add information in the Notes box to specify what
service is using the push certificate along with any other information that might be needed by the
individual renewing the certificate in a year. For example, you can enter the Jamf Pro instance
name this certificate will be used on, as well as the date and your name in case there are any
questions in the future.

f. Click Upload to generate the push certificate.

g. On the following screen, click Download to download the push certificate.


The certificate will have a filename specific to your organization but will always end in .pem. If a .cer
file downloads, use Safari for your browser and reattempt the download.
9. Return to Jamf Pro, and click Next.
10. Click Upload.
11. Click Choose File and navigate to the .pem file you downloaded from Apple, and click Upload.
12. Return to the Push Certificates settings page, and click the newly created push certificate.
13. Click Edit.
14. In the Apple ID field, enter the Apple ID you used to create the push certificate.
This will ensure that in a year when the push certificate needs to be renewed, there will be no confusion
about what Apple ID was used in the Apple Push Certificates Portal to generate the push certificate.

15. Click Save.


16. Take note of the date displayed in the Expiration Date field. On that date, in a year, the trust established
today between APNs and Jamf Pro will break and all device communication will immediately cease.

Best Practice: Jamf recommends setting a calendar reminder for yourself to renew the push
certificate before the expiration date. It takes just a moment and can possibly save extra work in the
future if the push certificate were to expire.

Devices should now successfully enroll with Jamf Pro. However, if the push certificate is invalid, devices will
not be able to completely enroll with Jamf Pro, and APNs communication errors will be displayed in the
JAMFSoftwareServer.log file.

Uploading a Push Certificate (.p12)


If you have a push certificate that’s in .p12 format, you can upload it to Jamf Pro.

Note: You will only have a push certificate in .p12 format if the CSR used to create the certificate was
not issued by Jamf Pro. Uploading a push certificate to Jamf Pro automatically enables the Enable
Push Notifications setting in Jamf Pro's Security settings.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Push certificates.
3. Click New.
4. Select Upload push certificate (.p12).
5. Follow the onscreen instructions to upload the push certificate.

Renewing the Push Certificate

Important: Jamf recommends that you do not delete the existing push certificate from Jamf Pro when
renewing a push certificate.

Requirements
• A valid Jamf ID. To create a Jamf ID, go to: https://id.jamf.com/CommunitiesSelfReg
• A valid Apple ID. (An institutional Apple ID is recommended.)

Note: If you are renewing a push certificate that was originally obtained from Apple's iOS Developer
Program (iDEP), you must use the Apple ID for the iDEP Agent account used to obtain the
certificate.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Push certificates.
3. Click the push certificate, and then click Renew.
4. Choose a method for renewing the push certificate:
◦ If you have the Cloud Services Connection configured, select Download signed CSR from Jamf. Jamf
Pro connects to Jamf Nation securely and obtains the signed CSR.
◦ If the server hosting Jamf Pro does not have an outbound connection, select Download CSR and sign
later using Jamf Account.
◦ If you have a new push certificate in .p12 format, select Upload push certificate (.p12).
5. Follow the onscreen instructions to renew the push certificate.

Deleting the Push Certificate


Deleting the push certificate from Jamf Pro disables communication between Jamf Pro and APNs. This
prevents Jamf Pro from sending macOS configuration profiles and macOS remote commands to computers,
and managing iOS devices. In addition, without a push certificate, Mac App Store apps cannot be distributed to
computers. To restore these capabilities, you must create a new push certificate, and then re-enroll your
computers and mobile devices with Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Push certificates.

3. Click the push certificate and click Delete. Then click Delete again to confirm.

Jamf Push Proxy


The Jamf Push Proxy enables communication between the Jamf Pro server and devices with Jamf Self
Service installed. This communication allows you to send Notification Center notifications to computers and
mobile devices with Self Service installed.

Jamf Pro requires a valid proxy server token to authenticate to the Jamf Push Proxy. An assistant in Jamf Pro
guides you through the process to request a new proxy server token from the Jamf Authorization Server and
upload it to Jamf Pro. The following diagram illustrates the communication between the Jamf Push Proxy and
the Apple Push Notification service (APNs), Jamf Pro, and devices in your environment:

Requesting or Renewing a Proxy Server Token

Requirements
To request or renew a proxy server token, you need a valid Jamf ID.

To create a Jamf ID, go to: https://id.jamf.com/CommunitiesSelfReg

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Push certificates.
3. To request and upload a new token, do the following:
a. Click New and select Get proxy server token from Jamf Authorization Server.
b. Follow the onscreen instructions to get the proxy server token and upload it to Jamf Pro.
4. To renew a token, select the existing push proxy, and then click Renew.

Note: The proxy server token will be renewed automatically; however, you can manually renew it for
troubleshooting purposes.

GSX Connection
The GSX Connection settings allow you to integrate Jamf Pro with Apple's Global Service Exchange (GSX) to
look up and populate the following purchasing information for computers and mobile devices:

• Purchase date
• Warranty expiration date

Note: GSX may not always return complete purchasing information. Only the information found in GSX
is returned. Additional fields may be populated if supplemental coverage is purchased.

To integrate Jamf Pro with GSX, you must first create a GSX account and obtain a certificate from Apple. Then
you can configure the GSX Connection settings in Jamf Pro, which involves entering GSX account information,
retrieving an API token from Apple, and uploading the Apple certificate.

You can also use Jamf Pro to test the GSX connection and upload a renewed Apple certificate when needed.

Configuring the GSX Connection Settings

Requirements
To configure the GSX Connection settings, you need:

• A GSX account with the “Manager” role, access to Web Services, and access to coverage/warranty
information
• An Apple certificate (.p12)

For instructions on creating a GSX account and obtaining an Apple certificate, see the Integrating with
Apple’s Global Service Exchange (GSX) article.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click GSX connection.
3. Click Edit.
4. Select Enable Connection to GSX.

Note: This setting and others on this pane may already be configured if Jamf Pro was used to
generate a certificate signing request (CSR).

5. Enter the username and account number, including the leading zeros, for the GSX account.
6. Provide your API token in the API Token field by doing the following:
a. Click the “Log in to your Apple GSX account” link below the API Token field.
b. Log in to your Apple GSX account.
c. Click Copy to clipboard to copy your API Token.
d. In Jamf Pro, paste your API Token into the API Token field.

Note: The API token is not displayed after you finish configuring the GSX connection or when
you edit an existing GSX connection. This is because the API token changes with every request
and will always be different.

7. In the Certificate-based Authentication section, click Upload.
8. The URI field will be populated automatically.
9. Follow the onscreen instructions to upload the Apple certificate (.p12).

Note: The keystore password will be the same as the export password that was set when the
certificate was created.

10. Click Save.

After the GSX connection is in place, you can look up and populate purchasing information for a single
computer or device by editing its inventory information, or for multiple computers or devices by using a mass
action.

Testing the GSX Connection


1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click GSX connection.
3. Click Test.
4. Click Test again.

A message displays, reporting the success or failure of the connection.

A successful connection will display information similar to the following:

[Accept: application/json, Content-Type: application/json, X-Apple-SoldTo: 0000000000,
X-Apple-ShipTo: 0000000000] GET https://partner-connect.apple.com/gsx/api/authenticate/check HTTP/1.1
Response: OK

Populating GSX Purchasing Information for Individual Devices


1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Perform a simple or advanced search.
3. Click the computer or device you want to update the information for.
4. Click the Purchasing tab in the sidebar and click Edit.
5. In the PO Number field, enter a PO number and click Search.

The purchasing data for the computer or mobile device from GSX is populated in Jamf Pro.

Populating GSX Purchasing Information via Mass Action


You can populate GSX purchasing information for multiple computers or devices by sending a mass action
command.

1. Do one of the following:


a. View a smart or static computer group membership list. For more information, see Viewing Smart
Group Memberships or Viewing Static Group Memberships.
b. Perform a simple or advanced search.

Note: You can only perform mass actions from a simple mobile device search if you searched
by devices.

2. At the bottom of the list, click Action.


3. Click the Send Remote Commands radio button, and then click Next.
4. Click the Look up Purchasing Information from GSX radio button, and click Next.

The purchasing data for multiple computers or devices from GSX is populated in Jamf Pro.

Renewing the Apple Certificate


You can use Jamf Pro to upload a renewed Apple certificate without removing the existing certificate so the
connection with GSX is not lost. A notification is displayed 31 days prior to the expiration date of the Apple
certificate.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click GSX connection.
3. Click Edit.
4. Click Renew.
5. Follow the onscreen instructions to upload a renewed Apple certificate.

Inventory Preload
The Inventory Preload setting allows you to upload computer and mobile device inventory data before devices
are enrolled. The preloaded data will be applied to computers and mobile devices when inventory is collected
based on a matching serial number. User data will be applied immediately when a comma-separated value
(CSV) file is uploaded.

Important: The values in the CSV file must be separated by commas. Separating values in the CSV file
using other characters such as semicolons will result in errors.

Data from the uploaded CSV file takes precedence over existing Jamf Pro data according to the following
priorities:

• The data will overwrite any existing active data records when duplicate serial numbers are found.
• The data takes precedence over Directory Service device data if Directory Service is configured.

The preloaded data is used on an ongoing basis to update device inventory records in Jamf Pro when
inventory is collected. For example, device inventory records are updated during the following events:

• When uploading a CSV file with a unique device and set of device data. The next time inventory is collected
and the specified device is updated in Jamf Pro, the inventory is updated with the Inventory Preload data.
• When uploading a subsequent CSV for the same unique device with a different set of device data. The next
time inventory is collected and the specified device is updated in Jamf Pro, the inventory is updated with the
Inventory Preload data.

The inventory collection process runs following enrollment or according to the frequency in the Inventory
Collection settings. For more information, see the following sections in this guide:

• Computer Inventory Collection Settings


• Mobile Device Inventory Collection Settings

Important: When using Inventory Preload, any manual edits or mass action updates to computer and
mobile device inventory details within Jamf Pro will be overwritten by the Inventory Preload data when
inventory collection runs.

The following table lists the valid fields for Inventory Preload CSV uploads:

Field                      Computers   Mobile Devices
Serial Number (required)   ✓           ✓
Device Type (required)     ✓           ✓
  Note: Only two values are valid: "Computer" or "Mobile Device"
Username                   ✓           ✓
Full Name                  ✓           ✓
Email Address              ✓           ✓
Phone Number               ✓           ✓
Position                   ✓           ✓
Department                 ✓           ✓
Building                   ✓           ✓
Room                       ✓           ✓
PO Number                  ✓           ✓
PO Date                    ✓           ✓
Warranty Expiration        ✓           ✓
AppleCare ID               ✓           ✓
Purchase Price             ✓           ✓
Life Expectancy            ✓           ✓
Purchasing Account         ✓           ✓
Purchasing Contact         ✓           ✓
Lease Expiration           ✓           ✓
Bar Code 1                 ✓
Bar Code 2                 ✓
Asset Tag                  ✓           ✓
Vendor                     ✓           ✓
Extension attributes       ✓           ✓
  (For more information, see the "Extension Attributes" section below.)

The CSV template that can be downloaded from the Inventory Preload page contains all supported fields.

Example Workflow
The following example describes how data for a mobile device can be uploaded using Inventory Preload, how
it updates Jamf Pro inventory records, and how inventory details can be updated by uploading subsequent
CSV files.

1. A CSV file with the following contents is uploaded using Inventory Preload:

Serial Number   Device Type     Username    Building       Department
C8PLK8CLFM      Mobile Device   wcrandall   Hopkins Hall   Psychology

2. When mobile device serial number "C8PLK8CLFM" is enrolled, the following happens:
◦ The mobile device is assigned to user "wcrandall".
◦ The Building field for the mobile device is updated to be "Hopkins Hall".
◦ The Department field for the mobile device is updated to be "Psychology".
3. The CSV file is revised to specify mobile device serial number "C8PLK8CLFM" is in building "Smith Hall".
4. The revised CSV file is uploaded to Jamf Pro using Inventory Preload.
5. The next time mobile device "C8PLK8CLFM" updates its inventory, the Building field will be updated to
"Smith Hall".

Validation
Uploading a CSV file that contains building and department data requires the building and department to exist
in Jamf Pro. If the building and department do not exist in Jamf Pro, the upload will fail.

Users
When a CSV file is uploaded, the CSV data is compared to the Jamf Pro inventory database to determine if
new users need to be created or if the information for existing users will be updated.

The following fields are required in the CSV file for users to be created or updated in Jamf Pro:

Field           New   Update
Username        ✔     ✔
Email address   ✔

If the CSV file contains a new username and an email address is provided, the new user is created in Jamf
Pro.

If the CSV file contains an existing username, the following user-related fields are updated in Jamf Pro:

• Full Name
• Email Address
• Phone Number
• Position

When Data is Applied


Data from the uploaded CSV file is applied in Jamf Pro at different times depending on the data type.

User-related data, including the following fields, is applied immediately when the CSV file is uploaded:

• Username
• Full Name
• Email Address
• Phone Number
• Position

Computer and mobile device data, including the device location, is applied on an ongoing basis each time
inventory is collected.

Extension Attributes
Extension attributes are not provided in the CSV template since they vary by each configuration, but you can
add them if needed. Extension attributes are dynamically mapped using the "EA " prefix in the column header
(note the space after "EA"). For example, if the CSV data contains a column named "EA Memo1", the inventory
preload update process will map the value in that column to an existing extension attribute in Jamf Pro named
"Memo1".

Note: The extension attribute field functions differently than the other fields when a CSV file is uploaded
to Inventory Preload. For example:

• If the extension attribute field is empty in the uploaded CSV file, the existing extension attribute value
is removed from the inventory record.
• If any other field is empty in the uploaded CSV file, the current value for the field is retained in the
inventory record.

Uploading a CSV File Using Inventory Preload

Requirements
To upload a CSV file, you need:

• A Jamf Pro user account with all privileges for Inventory Preload Records
• A Jamf Pro user account with Create and Update privileges for Users

For more information, see Jamf Pro User Accounts and Groups.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Inventory preload.
3. To download a CSV file template and prepare the data, click Template.
4. If your browser prompts you to allow downloads, click Allow.
5. Prepare the downloaded CSV file using an editor of your choice.

Important: If you edit the CSV file using Microsoft Excel on Windows, you must save the file using
the file type, "CSV UTF-8 (Comma delimited)(*.csv)". If you saved the CSV file as an XLSX file, you
can convert the file to "CSV UTF-8 (Comma delimited)(*.csv)" by using the Save As command and
changing the file type. However, data may be lost depending on how your data was formatted.

6. After you have prepared your CSV file, click File Upload in Jamf Pro.
7. Drag or browse for your CSV file in the Upload Resource File dialog. Your file will be displayed in the
dialog.

Important: New data will overwrite existing data for CSV rows that have matching Serial Numbers.

8. Click Confirm to upload the CSV file.


a. If the file is valid, the CSV data will appear in table format in the Jamf Pro window.
b. If the file is invalid, a list of errors will be displayed. Make note of the errors, and then click
Decline. Fix the errors and try uploading the file again.
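
The checks below apply the CSV rules described in this section (comma delimiter, required and valid fields, the "EA " prefix, existing buildings and departments, and the email requirement for new users) before a file is uploaded. This is an added example, not Jamf code: the function names, the error/warning split, and the caller-supplied sets of buildings, departments and usernames are assumptions, and Bar Code 1 and Bar Code 2 are treated as computer-only per the field table.

```python
import csv
import io

# Column names from the Inventory Preload field table on this page.
COMMON_FIELDS = {
    "Serial Number", "Device Type", "Username", "Full Name", "Email Address",
    "Phone Number", "Position", "Department", "Building", "Room", "PO Number",
    "PO Date", "Warranty Expiration", "AppleCare ID", "Purchase Price",
    "Life Expectancy", "Purchasing Account", "Purchasing Contact",
    "Lease Expiration", "Asset Tag", "Vendor",
}
COMPUTER_ONLY_FIELDS = {"Bar Code 1", "Bar Code 2"}  # one check mark in the table
DEVICE_TYPES = {"Computer", "Mobile Device"}
EA_PREFIX = "EA "  # extension attribute columns; the trailing space is required


def is_known_column(name):
    """True for a listed field or an "EA <name>" extension attribute column."""
    if name.startswith(EA_PREFIX):
        return bool(name[len(EA_PREFIX):].strip())
    return name in COMMON_FIELDS or name in COMPUTER_ONLY_FIELDS


def validate_preload_csv(text, buildings, departments, existing_users):
    """Return (errors, warnings) for Inventory Preload CSV text.

    buildings, departments and existing_users are sets of names the caller
    has exported from Jamf Pro (assumption: nothing here contacts Jamf Pro).
    """
    errors, warnings = [], []
    reader = csv.reader(io.StringIO(text.lstrip("\ufeff")))  # tolerate a UTF-8 BOM
    header = [h.strip() for h in next(reader, [])]
    if not header:
        return ["file has no header row"], warnings
    # A single column that still contains ';' or a tab means the wrong delimiter.
    if len(header) == 1 and (";" in header[0] or "\t" in header[0]):
        return ["values must be separated by commas"], warnings
    errors += [f"header: unknown column {c!r}" for c in header if not is_known_column(c)]
    errors += [f"header: missing required column {c!r}"
               for c in ("Serial Number", "Device Type") if c not in header]
    if len(set(header)) != len(header):
        errors.append("header: a column name appears more than once")
    if errors:
        return errors, warnings

    first_seen = {}  # serial number -> line where it first appeared
    for values in reader:
        line = reader.line_num
        if not any(v.strip() for v in values):
            continue  # blank line
        if len(values) != len(header):
            errors.append(f"line {line}: {len(values)} values for {len(header)} columns")
            continue
        row = {k: v.strip() for k, v in zip(header, values)}
        serial, dtype = row["Serial Number"], row["Device Type"]
        if not serial:
            errors.append(f"line {line}: Serial Number is empty")
        elif serial in first_seen:
            warnings.append(f"line {line}: serial {serial} repeats line {first_seen[serial]}")
        else:
            first_seen[serial] = line
        if dtype not in DEVICE_TYPES:
            errors.append(f"line {line}: Device Type {dtype!r} is not Computer or Mobile Device")
        # Buildings and departments must already exist in Jamf Pro or the upload fails.
        for field, known in (("Building", buildings), ("Department", departments)):
            value = row.get(field, "")
            if value and value not in known:
                errors.append(f"line {line}: {field} {value!r} does not exist in Jamf Pro")
        # A new user is only created when an email address is supplied.
        user = row.get("Username", "")
        if user and user not in existing_users and not row.get("Email Address"):
            warnings.append(f"line {line}: new user {user!r} needs an Email Address to be created")
        for col, value in row.items():
            # Unlike other fields, an empty EA cell clears the stored value.
            if col.startswith(EA_PREFIX) and not value:
                warnings.append(f"line {line}: empty {col!r} removes the existing value")
            if col in COMPUTER_ONLY_FIELDS and value and dtype == "Mobile Device":
                warnings.append(f"line {line}: {col} is listed for computers only")
    return errors, warnings


# Constructed sample: the first data row is the page's example workflow; the
# other rows, the serials and the "EA Memo1" values are made up for the checks.
SAMPLE_CSV = """\
Serial Number,Device Type,Username,Email Address,Building,Department,EA Memo1
C8PLK8CLFM,Mobile Device,wcrandall,,Hopkins Hall,Psychology,loaner
EXAMPLE0002,Laptop,newhire,,Smith Hall,Psychology,
EXAMPLE0003,Computer,newhire2,newhire2@example.com,Annex,Psychology,spare
"""

if __name__ == "__main__":
    errs, warns = validate_preload_csv(
        SAMPLE_CSV,
        buildings={"Hopkins Hall", "Smith Hall"},
        departments={"Psychology"},
        existing_users={"wcrandall"},
    )
    for message in errs:
        print("ERROR  ", message)
    for message in warns:
        print("WARNING", message)
```

Because uploaded rows overwrite active data for matching serial numbers, running a check like this against an exported copy of the current buildings, departments and users catches rows that would fail or silently clear extension attribute values.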

Viewing and Exporting Active Data


View the active data in Jamf Pro or export it as a CSV file.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Inventory preload.
3. To export the active data, do the following:
a. Select the checkboxes for each row of data you want to export, or click the top checkbox to select all
rows.
b. Click Export selected items in the top-right corner of the pane.
The exported file will be named inventory-preload.csv.

Deleting Active Data


You can delete all active data that was previously uploaded to Inventory Preload. Deleting the active data
effectively disables the Inventory Preload update process since no preloaded data will exist when inventory is
collected.

All inventory details in Jamf Pro that were updated using Inventory Preload will remain intact.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Inventory preload.
3. Click Delete Data, and then click Delete.

Warning: The delete action deletes all active data, regardless of which table data rows may be
selected.

Viewing Inventory Preload Activity History


View the history of all uploaded resource files, including the filename, the name of the user who uploaded the
file, and the date the file was uploaded.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Inventory preload.
3. Click History.
A list of all inventory preload activity is displayed.
4. To add comments for records in the history list, click Add Note, enter a note, and then click Add Note
again to save the note.

User-Initiated Enrollment Settings


Enrollment is the process of adding computers and mobile devices to Jamf Pro. This establishes a connection
between the computers and mobile devices and the Jamf Pro server. User-initiated enrollment allows users to
initiate the enrollment process on their own by navigating to an enrollment URL. For example:

• https://JAMF_PRO_URL.jamfcloud.com/enroll (hosted in Jamf Cloud)
• https://JAMF_PRO_URL.com:8443/enroll (hosted on-premise)

Note: Users must use Safari to access the enrollment URL on mobile devices.

Users can enroll the following:

• Mac computers
• Institutionally owned mobile devices
• Personally owned mobile devices

Related Content

• Device Enrollment for Computers


• Device Enrollment for Mobile Devices
• User Enrollment for BYOD

• Intro to Apple device enrollment types (Apple)

Configuring User-Initiated Enrollment Settings


Jamf Pro's User-Initiated Enrollment settings configure enrollment restrictions, workflows, and user experience
for devices.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click User-initiated enrollment.
3. Click Edit.
4. Use the General pane to configure settings for restricting re-enrollment, skipping certificate installation, or
uploading a third-party signing certificate to be used during enrollment.

Note: The certificate installation step is skipped by default.

5. Use the Messaging pane to customize the text displayed on devices during enrollment.
You can configure text for multiple languages. Use Markdown to format your text. For information about
using Markdown to customize the messages, see the Using Markdown to Format Text article.
a. To add a language, click +Add Language and then choose the language from the Language pop-up
menu. To customize an existing language, click Edit.

Note: English is the default language if the device does not have a preferred language set on it.

b. In the Page Title for Enrollment field, enter a page title to display at the top of all enrollment pages.
c. Use the Language dialog to further customize settings such as Login and Device ownership
messaging.
For more information, see User-Initiated Enrollment Messaging Settings.
d. Click Save.
6. Use the macOS pane to enable user-initiated enrollment and configure the management account for Mac
computers.

Warning: Do not use the same username for the management account created in User-Initiated
Enrollment settings and a managed local administrator account created in a PreStage enrollment. If
the same username is used for both, those accounts may not be created correctly during Automated
Device Enrollment, and unexpected errors may occur. In addition, the password for the local
administrator password solution (LAPS) will not be retrievable in the Jamf Pro API.

7. Use the iOS pane to enable Profile-Driven User Enrollment (user-initiated enrollment via URL) and
Account-Driven User Enrollment (user-initiated enrollment using a Managed Apple ID) for mobile devices.

Note: If you have personally owned devices currently enrolled in Jamf Pro using a Personal Device
Profile, enabling Account-Driven User Enrollment or Profile-Driven User Enrollment does not
remove them from management.

8. Use the Access pane to specify whether a Directory Service group has access to enroll mobile devices
using an enrollment URL without an invitation.
When sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during
enrollment.

Note: If a Directory Service user belongs to more than one Directory Service user group in Jamf
Pro, the user will have the option to select the sites you assign to each group that user belongs to.

9. Click Save.

User-Initiated Enrollment Messaging Settings

Most messaging settings apply to both computers and mobile devices, except for the following settings that
only apply to mobile devices:

• Device ownership
• Certificate

• Institutional MDM
• Personal MDM

The QuickAdd setting only applies to Mac computers.

You can use the Messaging pane's Language dialog to customize the following settings:

Login
Customize the way you want the Login page to display to users.

Note: This is the only setting you can customize for Account-Driven User Enrollment.

Device ownership

Customize the text that displays to users based on their mobile device ownership type.

The text displayed on the enrollment page depends on which enrollment options you enable:

• Institutionally and personally owned mobile devices—Customize the text that prompts users to
choose the appropriate device ownership type, and customize the device management description
that explains the IT management capabilities for each device ownership type. When users select the
personal or institutional device ownership type, the respective device management description is
displayed.
• Personally owned devices only—Customize the device management description that explains the IT
management capabilities for personal device ownership. This description is accessible to users by
tapping the Information icon displayed on the Personal MDM page during enrollment.

End User License Agreement

Enter an End User License Agreement (EULA) for personally owned devices.

If the EULA fields are left blank, a EULA page is not displayed to users during enrollment.

Sites

Customize the message that prompts users to choose a site.

If a user logs in with a Jamf Pro user account, they can assign an LDAP user to the computer or mobile
device. If you have more than one site in Jamf Pro and have entered information on the Personal MDM
pane, this information is displayed to users when they are prompted to choose a site.

Note: This setting does not apply to User Enrollment.

Certificate
Customize the message that prompts users to install the CA certificate for mobile devices to trust at
enrollment.
Institutional MDM
Customize the message that prompts users to install the MDM profile for institutionally owned devices.
Personal MDM
Customize the message that prompts users to install the MDM profile for personally owned devices.
User Enrollment MDM
Customize the message that prompts users to install the MDM profile, including guidance for users on
what to enter for their Managed Apple ID.
QuickAdd
Customize the message that prompts users to download and install the QuickAdd Package on enrolled
Mac computers.
Complete
Customize the messages that are displayed to users if enrollment is successful or fails.

Management Account Creation During Computer Enrollment


When you enroll a computer with Jamf Pro, you must specify a local administrator account called the
"management account". However, choosing to create the management account on computers is optional and
is only required for some workflows. The management account only needs to be created if you want to log in to
a specific computer to perform management tasks.

To create the management account, you must enable user-initiated enrollment, and then configure the
management account username.

Warning: Do not use the same username for the management account created in User-Initiated
Enrollment settings and a managed local administrator account created in a PreStage enrollment. If the
same username is used for both, those accounts may not be created correctly during Automated Device
Enrollment, and unexpected errors may occur. In addition, the password for the local administrator
password solution (LAPS) will not be retrievable in the Jamf Pro API.

Important: The management account must be created to allow use of local administrator password
solution (LAPS) functionality, which you can use to manage the management account password. For
more information, see the Local Administrator Password Solution for Jamf Pro technical paper.


You can identify if a computer is managed by viewing the Managed attribute field in computer inventory
information. For more information, see Computer Inventory and Criteria Reference.

Related Content

• Local Accounts
• Automated Device Enrollment for Computers

Enrollment of Personally Owned Mobile Devices


Personally owned mobile devices can be enrolled with Jamf Pro using Account-Driven User Enrollment
(applies to iOS 15 or later, or iPadOS 15 or later) or User Enrollment (applies to iOS 13.1 or later, or iPadOS
13.1 or later). Both methods are designed to keep corporate data safe on devices while protecting users'
privacy. Enrolling personally owned devices keeps personal and institutional data separate by associating a
personal Apple ID with personal data and a Managed Apple ID with corporate data. This allows for a limited
management of devices using a set of configurations that associate management with the user, not the entire
device. The user can access their corporate data without the administrator erasing, modifying, or viewing
personal data. This separation allows users to keep their personal data protected and intact once the device is
removed from Jamf Pro, while the corporate data is deleted. For more information on User Enrollment
management capabilities, see Managing Mobile Devices.

To create Managed Apple IDs, you must either use federated authentication to link Apple School Manager or
Apple Business Manager to your instance of Microsoft Entra ID or create them manually in Apple School
Manager or Apple Business Manager. For more information, see the following Apple documentation:

Apple School Manager User Guide:

• Intro to federated authentication with Apple School Manager


• Use Managed Apple IDs in Apple School Manager

Apple Business Manager User Guide:

• Intro to federated authentication with Apple Business Manager


• Use Managed Apple IDs in Apple Business Manager

Disclaimer:

Personal device profiles have been deprecated and are no longer recommended as a method of
enrolling personally owned devices. User Enrollment is the Apple-preferred method for enrolling
personally owned devices in a Bring Your Own Device (BYOD) program. For information on enrolling
personally owned iOS or iPadOS devices with Jamf Pro, see the Building a BYOD Program with User
Enrollment and Jamf Pro technical paper.


Automated Device Enrollment Integration


Apple's Automated Device Enrollment, also known as zero-touch deployment, immediately enrolls and
configures a device when a user turns it on, with no interaction required from IT. This enrollment method is most
commonly used for devices owned by your organization and establishes the following device statuses:

• Supervised—Supervision prevents users from removing the MDM profile installed by Jamf Pro.
• User Approved MDM—User Approved MDM grants Jamf Pro administrators additional device
management privileges, such as managing third-party kernel extensions.

Integrating Jamf Pro with Automated Device Enrollment involves the following steps:

1. Download a public key (.pem) file from Jamf Pro.


2. Obtain a server token file (.p7m) from Apple.
3. Upload the server token file to Jamf Pro.
You can repeat this step to create multiple Automated Device Enrollment instances in Jamf Pro.

Jamf Pro automatically syncs and displays Automated Device Enrollment updates from Apple every two
minutes.

Note:

• A syncing delay of up to two minutes may occur, which can cause outdated Automated Device
Enrollment information to display in Jamf Pro. Additional environment-specific factors can affect the syncing
between Jamf Pro and Apple.
• Deleting an Automated Device Enrollment instance removes the integration from Jamf Pro but does
not delete the settings in Apple School Manager or Apple Business Manager.

Related Content

• Video: Integrating Jamf Pro with Apple's Device Enrollment


• Video: Renewing a Device Enrollment Server Token File

• Intro to Apple device enrollment types (Apple)

Downloading a Public Key


Before you can obtain the server token file from Apple, you need to download a public key from Jamf Pro.


1. In Jamf Pro, click Settings in the sidebar.


2. In the Global section, click Automated Device Enrollment.
3. Click Public Key to download the public key.

The public key (.pem) is downloaded.

Obtaining the Server Token File


You must upload a public key (.pem) from Jamf Pro to Apple School Manager or Apple Business Manager to
obtain a server token file (.p7m).

Requirements
You need an Apple School Manager or Apple Business Manager account with the Administrator or Device
Manager role assigned.

For more information about Apple School Manager, accounts, and roles, see the following Apple
documentation:

• Apple School Manager User Guide


• Apple Business Manager User Guide

Note: Jamf recommends you only use one Apple School Manager or Apple Business Manager
account to integrate with Automated Device Enrollment. Using more than one account makes any
issues more difficult to troubleshoot.

1. Log in to Apple School Manager or Apple Business Manager.


2. If prompted, follow the onscreen instructions to verify your identity.
3. Click on your account name in the lower-left corner, and then choose "Preferences" from the pop-up menu.
4. Click the (+) Add button to the right of the Your MDM Servers heading.
5. Enter a unique name for your MDM server in the MDM Server Name text field.
6. Select or deselect the Allow this MDM Server to release devices checkbox.

Note: Jamf recommends deselecting the checkbox. For more information, see Release Devices in
Apple Business Manager.

7. Under MDM Server Settings, click Choose File, and then upload the public key you downloaded from
Jamf Pro.


8. Click Save.
9. Select your server name listed under Your MDM Servers.
10. Click Download Token.
11. Choose "Download Server Token" from the pop-up window and save to your computer.

Uploading the Server Token File to Configure Automated Device Enrollment
Upload a server token file to create an Automated Device Enrollment instance in Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Global section, click Automated Device Enrollment.
3. Click New.
4. Enter a display name for the Automated Device Enrollment instance.
5. Click Upload Server Token File to upload the server token file (.p7m) you downloaded from Apple.
This creates one Automated Device Enrollment instance in Jamf Pro. The information contained in the
server token file is displayed.

Note: A server token is valid for one year after the token is uploaded and saved in Jamf Pro.

6. (Optional) Choose a supervision identity to associate with the Automated Device Enrollment instance.
For information on how to create, upload, and download a supervision identity for use with Apple
Configurator, see Supervision Identities.

7. Click Save.

To configure another instance, repeat this process.

You can now configure Computer PreStage Enrollments or Mobile Device PreStage Enrollments to enroll
devices into Jamf Pro via Automated Device Enrollment.

Replacing a Server Token File to Renew an Automated Device Enrollment Instance
If your Automated Device Enrollment server token expires or needs replacing, you must download a new token
from Apple School Manager or Apple Business Manager and upload it to Jamf Pro.

Jamf Pro displays an expiration warning in Notifications when the Automated Device Enrollment service
token is about to expire.


Note: If you are uploading a new server token file (.p7m) to renew an expired Automated Device
Enrollment instance, Jamf recommends that you do not delete the expired instance from Jamf Pro
before uploading the new server token file.

1. Log in to Apple School Manager or Apple Business Manager.


2. If prompted, follow the onscreen instructions to verify your identity.
3. Click on your account name in the lower-left corner, and then choose "Preferences" from the pop-up menu.
4. Select your server name listed under Your MDM Servers.
5. Click Download Token.
6. Choose "Download Server Token" from the pop-up window and save to your computer.

7. In Jamf Pro, click Settings in the sidebar.


8. In the Global section, click Automated Device Enrollment.
9. Select the Automated Device Enrollment instance you want to renew and click Edit.
10. Click Upload Server Token File to upload the server token file (.p7m) you downloaded from Apple. The
information contained in the server token file is displayed.
11. Click Save.

Computer or Mobile Device Removal from Apple Business Manager or Apple School Manager
Institutionally owned devices in Apple Business Manager or Apple School Manager can either be unassigned
so they do not prompt for Automated Device Enrollment during setup, or released if the organization no longer
owns them.

Unassigning Devices in Apple Business Manager or Apple School Manager

You can unassign devices in Apple Business Manager or Apple School Manager that should not be
automatically enrolled during setup but still belong to your organization. Unassigning a device does not
unenroll it from Jamf Pro. Unassigned devices remain available to reassign.

Note: For a device to be prompted for Automated Device Enrollment during setup, unassigned
devices must first be re-added to Apple Business Manager or Apple School Manager prior to re-
enrolling in Jamf Pro.

For information on unassigning devices, see the following Apple documentation:

• Assign, reassign, or unassign devices in Apple Business Manager


• Assign, reassign, or unassign devices in Apple School Manager


Releasing Devices in Apple Business Manager or Apple School Manager

You can release devices in Apple Business Manager or Apple School Manager that should not be
automatically enrolled during setup or no longer belong to your organization. Releasing a device from
Apple Business Manager or Apple School Manager does not unenroll it from Jamf Pro. Released iOS,
iPadOS, and tvOS devices from Apple Business Manager or Apple School Manager can be added back
using Apple Configurator for Mac. Released computers with Apple silicon or the Apple T2 Security Chip
can be added back using Apple Configurator for iPhone.

For more information on releasing and re-adding devices, see the following Apple documentation:

• Release devices in Apple Business Manager


• Release devices in Apple School Manager
• Add Apple devices to Apple School Manager or Apple Business Manager

Enrollment Customization Settings


The Enrollment Customization configurations in Jamf Pro customize the Automated Device Enrollment user
experience.

Example: You can display an End User License Agreement (EULA) during enrollment or other custom
messaging as the user advances through the Setup Assistant. The Enrollment Customization settings
also allow you to apply branding to display a familiar look and feel—such as your company's colors or
logos—to users.

Configuring the Enrollment Customization settings creates an Enrollment Customization configuration that you
can add to a PreStage enrollment.

An Enrollment Customization configuration includes the following types of settings:

• PreStage Panes—PreStage Panes are groups of settings that customize the screens that display during
Automated Device Enrollment with Jamf Pro. The PreStage Panes display during the Setup Assistant after
the user chooses a Wi-Fi Network or another internet connection.
• Settings for Branding—You can customize how the Enrollment Customization configuration displays by
adding an icon and configuring colors to present users with a familiar look and feel.

Related Content

• Customizing the Jamf Pro Enrollment Experience Using Enrollment Customization and Jamf Connect (Jamf
Pro)


Creating an Enrollment Customization Configuration

Requirements
• Mobile devices with iOS 13 or later, or iPadOS 13 or later
• Computers with macOS 10.15 or later
• To add a Single Sign-On Authentication PreStage Pane, you must have Single Sign-on enabled in Jamf
Pro. For more information, see Single Sign-On (SSO).
• Enabling Jamf Pro to pass user information to Jamf Connect requires Jamf Connect 1.12.0 or later. In
addition, you must ensure Jamf Connect is configured and integrated with your identity provider (IdP).
• To add a Directory Service Authentication PreStage Pane, you need a Directory Service server set up in
Jamf Pro. For more information, see Microsoft Entra ID Migration Assistant and LDAP Directory Service
Integration.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Global section, click Enrollment customization.
3. Click New.
4. Enter a display name and description for the Enrollment Customization configuration.
5. Choose a site to add the Enrollment Customization configuration to from the Site pop-up menu.
This allows you to add the configuration to a PreStage enrollment in that same site.

Note: If you have site access only, the profile is assigned to the applicable site automatically and
the Site pop-up menu is not displayed.

6. Add PreStage Panes to display screens to the end user:


a. Click Add Pane.
b. In the Add Pane dialog, enter a display name for the pane that will identify it in the list of PreStage
Panes.
c. Choose the type of PreStage Pane you want to add from the Pane Type pop-up menu.
d. Configure the settings for the PreStage Pane.

Note:
▪ If you are configuring a Text PreStage Pane as the first screen presented to the user in the
configuration, the button for navigating back in the enrollment process is not displayed. If the
pane is the last screen in the configuration, the button to navigate forward initiates the
enrollment process.


▪ If you enable Jamf Pro to pass user information to Jamf Connect, you can map the attributes
from your Identity Provider to an Account Name and Account Full Name. For example, if your
IdP uses "Short Name" for the Account Name, you can type "Short Name" in the Account
Name field so when the user enters their username (Account Name) during enrollment, Jamf
Connect maps the Account Name to the "Short Name" in the IdP. When configured, these
values are automatically sent to computers via a configuration profile during Automated
Device Enrollment. Values entered in the Account Name and Full Account Name fields must
be entered exactly as they appear in your IdP.

e. Click Apply.
7. (Optional) Add additional PreStage Panes to the Enrollment Customization configuration as needed.
You can drag and drop PreStage Panes to change the PreStage pane order. If you added a Single Sign-
On Authentication PreStage Pane and a Text PreStage Pane, the transition between each type of pane
occurs when the user authenticates in the IdP login screen or uses the navigational buttons.
8. Click the Branding and Preview tab to customize the enrollment experience and configure the settings on
the page.
Once a change is made, it automatically displays in the preview field.

9. Click Save.

You can add the configuration to a PreStage enrollment. For more information, see Automated Device
Enrollment for Computers.

Note: You cannot delete an Enrollment Customization configuration if the configuration is included in a
PreStage enrollment. To delete the configuration, you must first remove it from the PreStage.

PreStage Panes
PreStage Panes are groups of settings that customize the screens that display during Automated Device
Enrollment with Jamf Pro. The PreStage Panes display during the Setup Assistant after the user chooses a Wi-
Fi Network or another internet connection.

Single Sign-On Authentication

If you have Single Sign-On enabled in Jamf Pro, this pane automatically prompts users to sign in using
organization SSO credentials to enroll the computer. Your existing Jamf Pro SSO settings are used, and
can allow any Identity Provider (IdP) user to sign in and enroll or only a select group of users in your IdP.


Note: You can only allow access to one group.

Users are assigned to the device in Jamf Pro after sign-in. If Directory Service is integrated with Jamf
Pro, the User and Location information is populated using a lookup from Jamf Pro to Directory Service. If
Directory Service is not integrated with Jamf Pro, the Username field is the only information populated in
the User and Location category, and user lookup will not work during enrollment.

If your organization uses Jamf Connect for local account creation, you can enable the Enable Jamf Pro
to pass user information to Jamf Connect setting. This allows Jamf Pro to pass the SAML token
attributes to Jamf Connect to use to create the user's local account name and full name on the computer.
This workflow requires additional attribute mapping to confirm that the attribute values sent in a SAML
token from your IdP contain the correct values for local account creation. For more information, see the
Managing Jamf Connect and Enrollment Customization with Jamf Pro technical paper.

Jamf Pro creates a profile with this information and distributes the profile to the computer during
enrollment. This information remains on the computer for up to one hour.

Text

You can enter custom text to display to the user during enrollment, such as an acceptable use policy.
You can enter a page title and label names for the navigational buttons on-screen.

You can enter text in plain text format or use Markdown in the text body to customize the text format.
See the Using Markdown to Format Text article for information on limitations to the Markdown syntax that
can be used in this pane.

Note: HTML is not supported.

You can configure multiple Text PreStage Panes to suit your environment.

After you add a Text pane, you can preview the user experience in Jamf Pro.

Directory Service Authentication

If you have a Directory Service server set up in Jamf Pro, this pane enables the user to authenticate
using their Directory Service credentials during enrollment. You must enter text for a title of the page, text
for the username and password fields, and text to label the navigational buttons to guide the user through
the login screen.


In addition, you can restrict enrollment access to only a select Directory Service group or groups. Only
the selected Directory Service group is allowed to enroll devices using the PreStage enrollment. You can
add multiple Directory Service groups to the pane to suit your environment.

This automatically assigns the user to their device in Jamf Pro. The User and Location information is
populated using a lookup from Jamf Pro to Directory Service.

Note: You can only add one Directory Service Authentication pane per Enrollment Customization
configuration, and you cannot add a Directory Service Authentication pane if a Single Sign-On
Authentication pane already exists in the Enrollment Customization.

Settings for Branding


Jamf Pro allows you to configure settings that customize elements within the Enrollment Customization
configuration to present end users with a familiar look and feel. You can customize the elements in the Text
and Directory Service Authentication PreStage Panes.

You can upload an icon that displays at the top of all Text and Directory Service Authentication PreStage
Panes throughout the enrollment process. The icon must be a GIF or PNG file, and the recommended size is
180x180 pixels.

The following elements can be customized by entering a six-digit hexadecimal color code or by using the color
picker:

• Body Text Color—This color is applied to the text in the pane.


• Button Color—This color is only applied to the navigational button that allows users to move forward in the
enrollment process.
• Button Text Color—This color is only applied to the text on the navigational button that allows users to
move forward in the enrollment process.
• Background Color—This color is displayed in the background, behind the panes during the enrollment
process.

The preview field to the right of the Branding settings automatically displays your changes so you can finalize
your configuration before saving.

Note: The preview functionality for a Single Sign-On Authentication PreStage Pane is a generic
authentication preview. This user experience is dependent on your Identity Provider.


Re-enrollment Settings
The Re-enrollment settings in Jamf Pro allow you to clear certain information from inventory for a computer or
mobile device when it is re-enrolled with Jamf Pro.

The Re-enrollment settings are applied to computers and mobile devices when they are re-enrolled with Jamf
Pro via the following enrollment methods:

• Automated Device Enrollment


• Device Enrollment
• User Enrollment (personally owned mobile devices only)

The following table lists the settings that you can apply to inventory information during re-enrollment:

Setting: Clear user and location information on mobile devices and computers
Description: This setting clears all information from the User and Location category on the Inventory
tab in computer and mobile device inventory information during re-enrollment with Jamf Pro. When
devices are re-enrolled, the user and location fields display a blank value.
Information is not cleared, however, when the following happens:
• If a user logs in to the enrollment portal using a Directory Service account, or a Jamf
Pro user logs in and assigns a Directory Service user to the device, then the user and
location information associated with the Directory Service account is assigned to the
device during re-enrollment. If the user chooses a site at enrollment, the device is
associated with the selected site.
• If there is an extension attribute displayed on the User and Location category on the
Inventory tab, the value for the extension attribute is not cleared during re-enrollment.
• If a PreStage enrollment is used to enroll devices and the Use existing location
information, if applicable option is selected, the user and location information of the
user logging in is populated in the device's inventory information.
For more information about user and location information, see Computer Inventory and
Criteria Reference and Mobile Device Inventory and Criteria Reference.

Setting: Clear user and location history information on mobile devices and computers
Description: This setting clears all information from the User and Location History category on the
History tab in computer and mobile device inventory information during re-enrollment
with Jamf Pro.
For more information about user and location history information, see Computer History
Information and Mobile Device History Information.

Setting: Clear policy logs on computers
Description: This setting clears all information from the Policy Logs category on the History tab in
computer inventory information during re-enrollment with Jamf Pro.
In addition, this setting clears the logs for a policy for re-enrolled computers that have run
the policy.
When the computer is re-enrolled with Jamf Pro, any policies that the computer is in the
scope of are re-run on the computer at the policy's next trigger.

Setting: Clear extension attribute values on computers and mobile devices
Description: This option clears all values for extension attributes that are populated by the following
input types:
• Text field
• Pop-up menu
• Script (computers only)
• Directory Service Attribute Mapping

Note: Values for extension attributes that are populated by scripts and Directory
Service Attribute Mappings are cleared during re-enrollment, but are then re-
populated the next time computers and mobile devices check in with Jamf Pro.

This option does not remove the extension attribute from Jamf Pro.
For more information about extension attributes, see Computer Extension Attributes and
Mobile Device Extension Attributes.

Setting: Clear management history on mobile devices and computers
Description: This setting clears all information from the Management History category on the History
tab in computer and mobile device inventory information during re-enrollment with Jamf
Pro.
You can clear the following information:
• Completed, pending, and failed commands
• Pending and failed commands
• Failed commands
• Nothing
The default setting is to clear pending and failed commands.

Note: If there are pending commands at the time of re-enrollment, these
commands are cleared.


Configuring the Re-enrollment Settings

Requirements
To re-enroll a device, you must send the Remove MDM Profile remote command to the device before re-
enrolling it. For more information about how to send a remote command, see Remote Commands for
Computers and Remote Commands for Mobile Devices.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Global section, click Re-enrollment.
3. Choose the settings that you want to apply to device inventory information during re-enrollment.
4. Click Save.

When computers and mobile devices are re-enrolled with Jamf Pro, the settings are applied to inventory
information.

Jamf Pro URL


The Jamf Pro URL is the URL that client applications, computers, and mobile devices connect to when
communicating with the Jamf Pro server. You can view and configure the Jamf Pro URL in Jamf Pro if you are
hosting your own Jamf Pro server. It is recommended that you configure the Jamf Pro URL to include the
correct protocol, fully qualified domain name (FQDN), and port of the server.

Important: In general, you should not change the Jamf Pro URL in a production environment with
managed computers and mobile devices. If the Jamf Pro URL is incorrect or not specified, client
applications, computers, and mobile devices are unable to connect to the server. If you are considering
making a change to your Jamf Pro URL, contact Jamf Customer Success.

You can also view or configure the Jamf Pro URL that’s used for enrolling mobile devices with an enrollment
profile and Apple’s iPhone Configuration Utility (iPCU).

Note: If your environment is hosted in Jamf Cloud, the Jamf Pro URL setting is managed by Jamf Cloud
and is not accessible.


Viewing or Configuring the Jamf Pro URLs


1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Jamf Pro URL.
3. To configure the Jamf Pro URLs:
a. Click Edit.
b. Enter the new URLs in the fields on the pane.
c. Click Save.

MDM Profile Settings


The MDM Profile Settings allow you to configure when the MDM profile will be automatically renewed for
computers and mobile devices. The MDM profile contains the device identity certificate, which is also renewed
for a duration of two years when the MDM profile is renewed.

Configuring MDM Profile Renewal for Computers or Mobile Devices
1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click MDM profile settings.
3. Click Edit.
4. Configure when MDM profiles are automatically renewed for computers and mobile devices using the
following settings:
◦ When the built-in certificate authority is renewed—By default, the MDM profile and device identity
certificate on all computers or mobile devices will be renewed when Jamf Pro's built-in certificate
authority is renewed.
◦ days before the MDM profile expires—This option allows you to specify the number of days before
the MDM profile expires to renew it. Choose 90, 120, or 180 from the pop-up menu to change the
number of days. The default is 180 days.

5. Click Save.

Note:

• The MDM profile will automatically renew after the next MDM command is issued or after the next
time the computer or mobile device checks in to Jamf Pro via MDM. Devices may not check in
immediately. Therefore, MDM profiles may not instantaneously renew after a renewal is triggered.


• The MDM Profile Expiration Date value in the inventory will show the new expiration date after the
MDM profile is renewed. The device identity certificates will expire in two years.
• To monitor for any MDM profiles that were not renewed, Jamf recommends that you create a smart
computer or mobile device group and set the MDM Profile Renewal Needed – CA Renewed
search criteria value to "Yes".
• The CA certificate's validity period displayed on mobile devices does not update after the MDM
profile is renewed following a CA certificate renewal. Jamf recommends viewing the CA certificate's
validity period and all CA certificate information in Jamf Pro.

PKI Certificates
The PKI Certificates settings allow you to manage the public key infrastructure needed to establish
communication between computers and mobile devices and certificate authorities (CA). Jamf Pro requires a
PKI that supports certificate-based authentication.

The PKI must include the following components:

• A certificate authority (CA). You can use the built-in CA, a trusted third-party CA, or an external CA that
supports SCEP.
• A certificate authority (CA) certificate
• A signing certificate

Related Content

• Security
• JSON Web Token for Securing In-House Content

• Certificate-Based Authentication for Mac Computers


• Using OpenSSL to Create a Certificate Keystore for Tomcat

Viewing and Exporting Certificates


You can view the following information for a certificate:

• Subject name
• Serial number
• Device name associated with the certificate
• Username associated with the certificate
• CA configuration name


• Date/time issued
• Expiration date/time
• Status (Active or Inactive)
• State (Issued, Expiring, Expired, or Revoked)
• Configuration profiles associated with a third-party certificate

When you are viewing a list of certificates, you can export the list to a .csv, .txt, or XML file.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click a number in the Expiring, Active, Inactive, or All column for a CA to view a list of corresponding
certificates.
4. Click a certificate subject to view more details about a specific certificate.
If applicable, the certificate details will include the revoked date. For third-party CA certificates, any
configuration profiles associated with the certificate are also displayed.
5. (Optional) If you want to export the list of certificates displayed in step 3:
a. Click Export.
b. Select a file format for the exported file.
c. Click Next.
The export begins immediately.
d. Click Done.

The Built-in CA
No configuration is necessary to use Jamf Pro's built-in CA. The built-in CA is used by default to issue
certificates to computers and mobile devices. The CA certificate and signing certificate are created and stored
for you automatically. When a device checks in with Jamf Pro, it communicates with the SCEP server to obtain
the CA certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and
you are using the built-in CA, you can enable Jamf Pro as SCEP Proxy to issue device certificates via
configuration profiles. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

Downloading the Built-in CA Certificate

The downloaded built-in CA certificate (.pem) can be used to establish trust with other servers or services. For
example, you can establish trust for IIS on Windows servers for HTTPS distribution points. For more
information, see the Using IIS to Enable HTTPS Downloads on a Windows Server 2016 or 2019 File Share
Distribution Point article.


1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click the Management Certificate Template tab, and then click Built-in CA.
4. Click Download CA Certificate.
The certificate file (.pem) downloads.

The certificate issued by the built-in CA is also stored in the System keychain in Keychain Access on Mac
computers as "JAMF Software JSS Built-in Certificate Authority".

Revoking a Certificate from the Built-in CA

Warning: Revoking a certificate stops communication between Jamf Pro and the computer or mobile
device that the certificate was issued to. To restore the communication, re-enroll the computer or mobile
device.

1. In Jamf Pro, click Settings in the sidebar.
2. Click Global.
3. Click PKI Certificates.
A list of CAs will be displayed with the number of expiring, active, inactive, or all certificates for each CA.
4. Click a number in the Expiring, Active, Inactive, or All column.
A list of corresponding certificates will be displayed.
5. Click a certificate subject to view more details about a specific certificate.
6. To revoke the certificate, click Revoke.
7. Click Revoke again to confirm.
The status of the certificate is changed to "Inactive", and the state is changed to "Revoked".

Note: You can also view a record of revoked certificates in the jamfsoftwareserver.log file. For
more information, see Jamf Pro Server Logs in this guide.

Creating a Built-in CA Certificate from a CSR

Depending on your environment, you may need to create a certificate from a certificate signing request (CSR).
For example, you may need to do this if you have a clustered environment with Tomcat configured to work
behind a load balancer.


Note: The certificate created from the CSR is intended solely for purposes of communication between
Jamf Pro and a managed computer or mobile device.

To create a certificate from a CSR, you need a request in Base64-encoded PEM format.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click the Management Certificate Template tab, and then click Built-in CA.
4. Click Create Certificate from CSR.
5. In the CSR field, paste the CSR.
The request must begin with -----BEGIN CERTIFICATE REQUEST----- and end with -----END CERTIFICATE REQUEST-----

6. Select a certificate type.


7. Click Create.
The certificate file (.pem) will download immediately.
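
A pre-flight check for step 5, as an added example that is not part of the Jamf documentation: it confirms that the text to be pasted has the standard five-hyphen PEM boundaries (RFC 7468), valid Base64, and the outer PKCS #10 structure. The function names and the sample request are constructed for illustration; the check is structural only and does not verify the request's signature.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short form: the byte is the length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data (truncated paste?)")
    return tag, buf[pos:pos + length], pos + length


def check_csr_pem(text):
    """Return a list of problems; an empty list means the paste is well formed."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return ["empty input"]
    problems = []
    if lines[0] != BEGIN:
        problems.append("first line is not " + BEGIN)
    if lines[-1] != END:
        problems.append("last line is not " + END)
    if problems:
        return problems
    body = "".join(lines[1:-1])
    if len(body) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return ["body is not valid Base64"]
    der = base64.b64decode(body)
    try:
        tag, content, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return ["outer element is not a single DER SEQUENCE"]
        children, pos = [], 0
        while pos < len(content):
            child_tag, child, pos = read_tlv(content, pos)
            children.append((child_tag, child))
        # PKCS #10: CertificationRequestInfo, AlgorithmIdentifier, signature BIT STRING
        if [t for t, _ in children] != [0x30, 0x30, 0x03]:
            return ["not a PKCS #10 CertificationRequest structure"]
        version_tag, version, _ = read_tlv(children[0][1], 0)
        if version_tag != 0x02 or version != b"\x00":
            return ["CertificationRequestInfo does not start with version 0"]
    except ValueError as exc:
        return [str(exc)]
    return []


def _der(tag, content=b""):
    """Encode one short-form DER element (used only to build the sample)."""
    return bytes([tag, len(content)]) + content


def constructed_sample():
    """Constructed skeleton with the PKCS #10 shape; not a real, signed request."""
    info = _der(0x30, _der(0x02, b"\x00") + _der(0x30) + _der(0x30) + _der(0xA0))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05))
    sig = _der(0x03, b"\x00" + b"\x01" * 8)
    return "\n".join([BEGIN, base64.b64encode(_der(0x30, info + alg + sig)).decode(), END])


if __name__ == "__main__":
    print(check_csr_pem(constructed_sample()) or "well formed")
```

A request exported with a `NEW CERTIFICATE REQUEST` header, or one that lost its last line during copy and paste, is reported before it reaches the CSR field.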

Creating a Backup of the Built-in CA Certificate

It is recommended that you create a password-protected backup of the CA certificate issued by the built-in CA
and store it in a secure location.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click the Management Certificate Template tab, and then click Built-in CA.
4. Click Create CA Backup.
5. Create and verify a password to secure the backup of the built-in CA certificate.
You will need to enter this password to restore the certificate backup.
6. Click Create Backup.
The backup file (.p12) will download immediately.

Renewing the Built-in CA

Jamf recommends renewing the built-in CA before its expiration date. If the built-in CA is allowed to expire,
some critical workflows will no longer function. For example, enrolling computers or mobile devices after the
CA has expired prevents them from being managed.

A notification will display in Jamf Pro 360 days before the built-in CA is scheduled to expire. If the 360-day
default setting for the expiration notification does not meet your needs, contact Jamf Support.


Important: (On-premise environments only) Jamf recommends using a publicly trusted SSL/TLS
certificate for Tomcat. If you are using a Tomcat SSL/TLS certificate issued from Jamf Pro's built-in
certificate authority (CA), you must transition to a trusted certificate before renewing Jamf Pro's built-in
CA, or you will lose MDM communication with enrolled iOS devices. If you want to move from an
SSL/TLS certificate issued from Jamf Pro's built-in CA to an SSL/TLS certificate issued from a
third-party CA, see the Enabling SSL on Tomcat with a Public Certificate article. If it is not possible for you to
leverage a third-party external Tomcat SSL/TLS certificate in your environment, contact Jamf Support
for assistance.

Requirements
Jamf Pro 10.23.0 or later

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click a number in the All column.
A list of corresponding certificates will be displayed.
4. Click the certificate with "Certificate Authority" in the subject to view the certificate details.
5. Click Renew and then confirm the renewal.
6. (Optional) Verify the new expiration date.
7. Refresh the page.
The renewal status is displayed in Jamf Pro notifications. Additionally, an email with the renewal process
status is sent if email notifications are configured for your account.

After the built-in CA is renewed, its expiration date is extended by 10 years. All signing certificates issued by
the built-in CA are automatically renewed.

Important: If the built-in CA fails to renew, do not trigger the process again. If the expiration date is not
extended or you notice issues with the renewed CA (e.g., Jamf Pro cannot communicate with managed
computers or mobile devices), contact Jamf Support.

Further Considerations

• Renewing the built-in CA may affect integrations that use the built-in CA itself or certificates created from a
CSR that was signed by the CA. These certificates may need to be re-issued. The affected integrations may
include:


◦ HTTPS file share distribution point configuration


◦ Signing custom configuration profiles
◦ SCCM (System Center Configuration Manager) plug-in
• When Apple Education Support is enabled in your environment, renewing the built-in CA causes existing
EDU profiles to be redistributed. This may increase network traffic.
• After the built-in CA is renewed, all active certificates issued by the built-in CA will automatically renew. To
view the expiration date of a specific certificate, navigate to Global > PKI Certificates, and then click the
number displayed in the All column.
• Automatic renewal of MDM profiles is controlled by the MDM Profile Settings in Jamf Pro. By default, after
the built-in CA is renewed, the MDM profile and the device identity certificate will renew the next time an
MDM command is issued or the next time the computer or mobile device checks in to Jamf Pro. For more
information, see MDM Profile Settings in the Jamf Pro Documentation.

Third-Party CAs
You can integrate Jamf Pro with trusted third-party CAs, including DigiCert, Venafi, or Active Directory
Certificate Services (AD CS). These integrations allow an organization to have a CA that controls all of the
identity certificates across all devices. Using a third-party CA will allow for unified reporting on all certificates
for IT teams.

• DigiCert—DigiCert certificates are managed in Jamf Pro using the DigiCert PKI Platform service. After
communication between Jamf Pro and the DigiCert PKI Platform is established, you can deploy certificates
to computers or mobile devices. For more information, see the Integrating with DigiCert Using Jamf Pro
technical paper.
• Venafi—Venafi certificates are managed in Jamf Pro using Venafi Trust Protection Platform. After
communication between Jamf Pro and Venafi Trust Protection Platform is established, you can deploy
certificates to computers or mobile devices. For more information, see the Integrating with Venafi Using
Jamf Pro technical paper.
• AD CS—After communication with the PKI provider is successfully established, you can deploy certificates
via configuration profiles using AD CS as the CA. You can also distribute in-house apps developed with the
Jamf Certificate SDK to establish identities to support certificate-based authentication to perform Single
Sign-On (SSO) or other actions specific to your environment. For more information, see the Integrating with
Active Directory Certificate Services (AD CS) Using Jamf Pro technical paper.

Adding a Third-Party PKI Certificate Authority to the Jamf Pro Dashboard

Adding a third-party CA to the Jamf Pro Dashboard helps you monitor its status and progress. For example,
you can determine the number of active, expiring, and inactive certificates that have been deployed. You can
also view the percentage of active certificates in the pie chart in the Jamf Pro Dashboard widget.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.


3. Click the third-party CA you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.

5. Click Dashboard in the sidebar.


6. Navigate to the PKI Certificate Authorities area of the Jamf Pro Dashboard and find the widget for the
third-party CA you added.
7. Click any item in the widget to view the details.

External CAs
If you are using an organizational or third-party CA that supports SCEP, you can use it to issue management
certificates to computers and mobile devices. When a device checks in with Jamf Pro, the device
communicates with the SCEP server to obtain the certificate.

Note: If you do not want computers or mobile devices to communicate directly with a SCEP server and
you are using an external CA, you can use Jamf Pro to obtain management certificates from the SCEP
server and install them on devices during enrollment. You can also enable Jamf Pro as SCEP Proxy to
issue device certificates via configuration profiles. For more information, see the Enabling Jamf Pro as
SCEP Proxy technical paper.

Integrating an external CA with Jamf Pro involves the following steps:

• Specifying SCEP parameters for the external CA


• Uploading a signing certificate and CA certificate for the external CA

Note: If you need to make changes to your organizational or third-party CA in Jamf Pro, it is
recommended that you contact Jamf Customer Success. Changes to the PKI settings may require re-
enrollment of mobile devices in your environment to restore trusted communication between the Jamf
Pro server and mobile devices required for Mobile Device Management (MDM). Preparing for a change
to PKI settings for computer management or restoring trusted communication between the Jamf Pro
server and managed computers after a change is made to PKI settings in Jamf Pro may be possible
using policy features available in Jamf Pro. Policies can be used to update trusted certificate settings on
managed computers required for MDM.

Specifying SCEP Parameters for an External CA

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click the Management Certificate Template tab, and then click External CA.


4. Click Edit.
5. Use the External CA pane to specify SCEP parameters.
6. Choose the type of challenge password to use from the Challenge Type pop-up menu:
◦ Static—If you want all computers and mobile devices to use the same challenge password, choose
"Static" and specify a challenge password. The challenge password will be used as the pre-shared
secret for automatic enrollment.
◦ Dynamic—If you are using a non-Microsoft CA and you want each computer and mobile device to use a unique
challenge password, choose "Dynamic". The "Dynamic" challenge type requires the use of either a
webhook or a Java Service Provider Interface (SPI) plug-in:
▪ Webhook Method (recommended)—For details on the webhook method, see SCEPChallenge in
the "Webhooks" section of the Jamf Pro Developer Portal.
▪ Java SPI Plug-in Method—The Java SPI plug-in method only works for on-premise Jamf Pro
installations. This method has the same functionality as the webhook method; however, it requires
membership in the Jamf Developer Program. Before choosing the "Dynamic" challenge type, contact
your Jamf Customer Success Manager to learn more about the Jamf Developer Program and the
additional steps needed to use this method.

Note: The "Dynamic" challenge type requires you to use user-initiated enrollment or automated
device enrollment to enroll computers and mobile devices so that a unique challenge password is
used for each device. For more information on user-initiated enrollment, see:
▪ Device Enrollment for Computers
▪ Device Enrollment for Mobile Devices
For information on automated device enrollment, see:
▪ Automated Device Enrollment for Computers
▪ Automated Device Enrollment for Mobile Devices

◦ Dynamic-Microsoft CA—If you are using a Microsoft CA and you want each computer and mobile device to use a unique
challenge password, choose "Dynamic-Microsoft CA".

Note:
▪ When using the "Dynamic-Microsoft CA" challenge type, the Username field requires the
down-level logon name format. For more information, see the Using Name Formats
documentation from Microsoft.
▪ The "Dynamic-Microsoft CA" challenge type requires you to use user-initiated enrollment to
enroll computers and mobile devices so that a unique challenge password is used for each
device. For more information, see:
▪ Device Enrollment for Computers


▪ Device Enrollment for Mobile Devices

◦ Dynamic-Entrust—If you are using an Entrust CA, choose "Dynamic-Entrust".

Note: If you enable Jamf Pro as SCEP Proxy and you are integrating with an Entrust CA,
additional steps are needed to distribute certificates via configuration profiles. For more
information, see the Enabling Jamf Pro as SCEP Proxy technical paper.

7. Click Save.

Uploading Signing and CA Certificates for an External CA

To integrate an external CA with Jamf Pro, you must provide the signing and CA certificates for the external
CA. This is done by uploading a signing certificate keystore (.jks or .p12) that contains both certificates to
Jamf Pro. For information about how to obtain and download a SCEP Proxy signing certificate from a Microsoft
CA, see the following articles:

• Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using Terminal and Uploading the
Certificate to Jamf Pro
• Obtaining a SCEP Proxy Signing Certificate from a Microsoft CA Using Command Prompt and Uploading
the Certificate to Jamf Pro

Note: By default, Jamf Pro uses the signing and CA certificates for the Jamf Pro built-in CA. You must
replace these certificates with the ones for the external CA when you initially set up the integration.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click the Management Certificate Template tab, and then click External CA.
4. At the bottom of the External CA pane, click Change Signing and CA Certificates.
5. Follow the onscreen instructions to upload the signing and CA certificates for the external CA.

Volume Purchasing Integration


Jamf Pro's volume purchasing integration syncs with Apple School Manager or Apple Business Manager to
automatically populate your apps and books in Jamf Pro for managed distribution to devices or users.


In Apple School Manager or Apple Business Manager, the Apps and Books section provides a central place
to purchase content in volume. All purchased content is associated with a location-based service token. A
default location is included, but you can create multiple locations to help you manage your content by office
location, departments, or budget holder.

In Jamf Pro, each location token is uploaded to establish volume content syncing and make your apps and
books available for managed distribution. You can also view and search app information, such as the
amount of used and available licenses for paid apps.

Related Content

• Volume Content

• Recently Purchased Volume Content is not Displayed in Jamf Pro

Volume Purchase Location Considerations


Consider the following when adding locations to volume purchasing in Jamf Pro:

• To avoid issues with content scoping and renewal dates, it is recommended that you do not configure
multiple locations for the same distribution content.
• Each service token for the specific distributed content should only be allocated once. For example, if the
service token you want to upload already exists in Apple's Profile Manager, delete the service token from
Apple's Profile Manager before uploading it to Jamf Pro. This limitation includes a single server instance.
• If you upload a new token file to renew distributed content licenses, it is recommended that you do not
delete the expired location from Jamf Pro before uploading the new server token file.
• If you configured a location for your distributed content licenses and later integrated your environment with
Apple School Manager or Apple Business Manager, it is recommended that you do not add a separate
location for these licenses.
Use the "Renew Service Token" button on the location Details tab to upload the new token (.vpptoken)
that you acquired from Apple School Manager or Apple Business Manager. This will allow Location to
display for your Apple School Manager token in Jamf Pro. When prompted, reclaim the service token to use
it with your Jamf Pro instance. For information on how to obtain the token file, see the following Apple
documentation:
◦ Apple School Manager User Guide
◦ Apple Business Manager User Guide

Note: It is recommended that you only use one Apple School Manager or Apple Business Manager
account to integrate with volume purchasing. Using more than one account makes it difficult to isolate
the account causing the issues when troubleshooting.


• Deleting a location removes the instance from Jamf Pro but does not delete the settings in Apple School
Manager or Apple Business Manager.

Adding a Volume Purchasing Location to Jamf Pro


To distribute paid apps and books purchased in volume, you must upload one or more location-based tokens
to Jamf Pro.

You also choose the country associated with the location and can specify that all purchased content is
populated in the app and eBook catalogs.

1. In Apple School Manager or Apple Business Manager, follow these steps:


a. Click on your account name in the lower-left corner, and then choose "Preferences" from the pop-up
menu.
b. Click Payments and Billing.
c. Under the Apps and Books tab, click Download next to the correct server location content token.
The token downloads to the Downloads folder on your computer.

Note: If the content token is not displayed, click Locations and check if you have Apple
Business Essentials enabled. If you do, add a new location and return to Payments and Billing
> Apps and Books. The content token should now be displayed.

2. In Jamf Pro, click Settings in the sidebar.
3. In the Global section, click Volume purchasing.
4. Click New.
5. Enter a display name for the location.

Note: If you configure email notifications for the location, this name displays in the email body.

6. Click Upload Service Token and upload the service token (.vpptoken) for the location.

Important: Each service token should only exist in one location at a time. If the service token you
want to upload already exists in Apple's Profile Manager, delete the service token from Apple's
Profile Manager before uploading it to Jamf Pro.

7. Choose the country that is associated with the account.


8. (Optional) Select Automatically Populate Purchased Content if you want content purchased in volume
to be populated in the app and eBook catalogs.


9. (Optional) Select Notify users when an app is no longer assigned to them if you want to send a
notification to users when an app is revoked.
10. (Optional) If your environment integrates with Apple School Manager and you do not want users with
Managed Apple IDs to receive an invitation or get prompted to register with volume purchasing, select
Automatically register with volume purchasing if users have Managed Apple IDs.

Note: To automatically register users that have Managed Apple IDs, you must create a Volume
Purchasing invitation that includes the users in the scope, and additionally configure the invitation to
automatically register included users. For more information, see User-Assigned Volume Purchasing
Registration.

11. Click Save.

The volume purchasing integration syncs with Apple School Manager or Apple Business Manager every time
the VPP License Monitor runs.

Adding Volume Purchasing Notifications


To make the managed distribution content management more efficient, you can enable a volume purchasing
notification. This allows Jamf Pro to send you a daily email after the predefined condition is triggered. You can
also specify the recipients to send the notification to. To properly configure a notification, at least one location
must exist in Jamf Pro, and you must be logged in with a Jamf Pro user account that has full access or site
access and an email address configured.

Requirements
To add volume purchasing notifications, you need:

• An SMTP server set up in Jamf Pro (For more information, see SMTP Server Integration.)
• At least one location configured in Jamf Pro
• Email notifications enabled for Jamf Pro user accounts (For more information, see Email Notifications.)

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Volume purchasing.
3. Click Notifications.
4. Click New.
5. Use the New Volume Purchasing Subscription pane to configure the settings for the notification,
including the display name, the trigger, and tokens that you want to monitor.


Note: Jamf Pro users with the "Volume Purchasing Locations" privilege that have site access are
allowed to manage notifications in the context of the site.

6. Click the Scope tab and configure the scope of the notification by adding recipients:
a. Click Add to add recipients of the notification. You can select the existing Jamf Pro user accounts, or
manually add external recipients that are not registered in Jamf Pro.
b. Click Done in the top-right corner of the pane.
7. Click Save.

After adding a volume purchasing notification, you must enable it.

Renewing or Replacing a Service Token from Apple Business Manager

1. Log in to Apple Business Manager at https://business.apple.com.
2. Click on your account name in the lower-left corner, and then choose "Preferences" from the pop-up menu.
3. Click Payments and Billing.
4. Under the Apps and Books tab, click Download next to the correct server location token. The token
downloads to the Downloads folder on your computer.

5. In Jamf Pro, click Settings in the sidebar.
6. In the Global section, click Volume purchasing.
7. Select a Location.
8. Click Edit.
9. Click Renew Server Token.
10. Upload the server token downloaded in step 4.
11. Click Save.

Categories
Categories are organizational components that allow you to group policies, packages, scripts, and printers in
Jamf Admin and Jamf Pro. You can also use categories to group policies, configuration profiles, apps, and
books in Jamf Self Service. This makes these items easier to locate.

You can add categories to Jamf Admin or Jamf Pro. When you add, edit, or delete a category in Jamf Admin,
the changes are reflected in Jamf Pro and vice versa.

After you add a category to Jamf Admin or Jamf Pro, you can add items to the category when configuring them
in Jamf Admin or Jamf Pro.


Adding a Category to Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.
2. Click New Category.
3. Enter a Category Name and choose a priority for the category.

Note:
◦ Priority is used for displaying the category in Self Service (e.g., a category with a priority of “1” is
displayed before other categories).
◦ The Category Name can be no longer than 32 characters.

4. Click OK.

Adding a Category to Jamf Pro


1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Categories.
3. Click New.
4. Enter a display name and choose a priority for the category.

Note: Priority is used for displaying the category in Self Service.

5. Click Save.


Editing or Deleting a Category in Jamf Admin


1. Open Jamf Admin and authenticate to the Jamf Pro server.
2. In the "Categories" list above the main repository, select the category you want to edit or delete.
3. Do one of the following:
◦ To edit the category, double-click it and change the display name and priority as needed. Then click OK.

◦ To delete the category, click Delete, and then click Delete again to confirm.

Event Logs
Jamf Pro records events in the form of logs. You can view the status of these events using the Event Logs.

The Event Logs pane displays the following information:

• Date/time the status was last updated for an event


• Name of the device that is in the scope of an event
• Object type (such as “macOS Configuration Profile”)
• Object name associated with an event (such as the name of a configuration profile)
• Action of the event (such as “Install”)
• Status of the event (such as “Started” or “Completed”)

Event logs can be viewed for macOS configuration profiles and iOS configuration profiles.

Viewing Event Logs

Requirements
To access Event Logs, a Jamf Pro user account or group must have the Administrator or Auditor privilege
set. For more information, see Jamf Pro User Accounts and Groups.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Event logs.
3. View log details by doing the following:
◦ To view details about a particular device, click a device in the Device Name column.
◦ (Configuration profiles only) To view the object associated with an event, click an object in the Object
Name column.
◦ To view log details, click a status in the Status column.


Webhooks
The Webhooks setting in Jamf Pro allows you to create outbound webhooks for any event in the Events API. In
conjunction with the Events API, webhooks allow you to use real-time events from Jamf Pro to build custom
workflows on-demand using the programming language of your choice. For example, you could configure a
webhook to send an event to an instant message plug-in you have written that will notify a chatroom when a
third-party macOS software title in Jamf Pro has been updated.

Configuring a Webhook
1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Webhooks.
3. Click New.
4. Enter a display name for the webhook.
5. Enter a URL for the webhook to post to.
6. Choose the type of authentication required to connect to the webhook:
◦ None—Requires no additional information.
◦ Basic Authentication—Requires username and password information.
◦ Header Authentication—Requires key value pairs in JSON format similar to the following:

{"Authorization":"Value", "Token":"TokenValue"}

Note: The following keys are not allowed in the Header Authentication field:
▪ Content-Type
▪ User-Agent
▪ Accept-Encoding
▪ Content-Length
▪ Host

7. Enter the connection timeout for the webhook.
8. Enter the read timeout for the webhook.
9. Choose either "XML" or "JSON" as the format for sending the webhook information.
10. Choose the event that will trigger the webhook.
11. Click Save.

For information on supported webhooks, see the Jamf developer resources: https://developer.jamf.com/developer-guide/docs/webhooks
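The Header Authentication rules above, as an added example that is not Jamf code: a pre-flight check for the JSON pasted into the Header Authentication field, and a receiver-side check that an incoming webhook POST carries the configured headers. The function names, the constructed sample request, and the case-insensitive matching of the disallowed keys are assumptions of this example.

```python
import hmac
import json

# Keys the page lists as not allowed in the Header Authentication field.
# Lower-cased because HTTP header names are case-insensitive; whether Jamf Pro
# itself matches them case-insensitively is an assumption of this example.
DISALLOWED_KEYS = frozenset(
    {"content-type", "user-agent", "accept-encoding", "content-length", "host"}
)


def _reject_duplicates(pairs):
    """json object_pairs_hook: refuse objects that repeat a key."""
    seen = set()
    for key, _ in pairs:
        if key.lower() in seen:
            raise ValueError(f"duplicate header key: {key!r}")
        seen.add(key.lower())
    return dict(pairs)


def validate_header_auth(raw):
    """Parse Header Authentication JSON; return {header: value} or raise ValueError."""
    try:
        parsed = json.loads(raw, object_pairs_hook=_reject_duplicates)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc.msg}") from None
    if not isinstance(parsed, dict) or not parsed:
        raise ValueError("expected a non-empty JSON object of key value pairs")
    for key, value in parsed.items():
        if not isinstance(value, str) or not key or not value:
            raise ValueError(f"{key!r}: keys and values must be non-empty strings")
        if key.lower() in DISALLOWED_KEYS:
            raise ValueError(f"{key!r} is not allowed in Header Authentication")
        # CR/LF inside a name or value would let one entry smuggle extra headers.
        if any(ch in "\r\n" for ch in key + value):
            raise ValueError(f"{key!r}: control characters are not permitted")
    return parsed


def request_is_authentic(expected, received):
    """True only if every configured header arrived with exactly its value."""
    if not expected:
        # Nothing configured means nothing to verify: fail closed.
        return False
    lowered = {name.lower(): value for name, value in received.items()}
    ok = True
    for name, value in expected.items():
        candidate = lowered.get(name.lower(), "")
        # compare_digest runs in constant time for equal-length inputs; keep
        # looping after a mismatch so timing does not reveal which header failed.
        if not hmac.compare_digest(candidate.encode(), value.encode()):
            ok = False
    return ok


# Constructed sample: the field value shown on the page and a made-up request.
SAMPLE_FIELD = '{"Authorization":"Value", "Token":"TokenValue"}'
SAMPLE_REQUEST_HEADERS = {
    "authorization": "Value",
    "token": "TokenValue",
    "Content-Type": "application/json",
}

if __name__ == "__main__":
    configured = validate_header_auth(SAMPLE_FIELD)
    print("configured headers:", sorted(configured))
    print("request accepted:", request_is_authentic(configured, SAMPLE_REQUEST_HEADERS))
```

On the receiving service, call `request_is_authentic` before parsing the XML or JSON body, and reject the request when it returns False.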


AirPlay Permissions
AirPlay Permissions allow you to map one or more mobile devices to an AirPlay destination, such as an Apple
TV, so that those mapped mobile devices can be automatically paired with the AirPlay destination. When a
mobile device is mapped to an AirPlay destination via AirPlay Permissions, you can also choose to
automatically give the mobile device the password for the AirPlay destination, or to make only the permitted
AirPlay destinations available to that device.

When configuring AirPlay Permissions, you must choose a mobile device inventory field to use to map devices
to permitted AirPlay destinations. The inventory field you choose is automatically mapped to an AirPlay
destination when the value in that field is the same for both the mobile device and the AirPlay destination
device.

Creating an AirPlay Permission

Requirements
To use AirPlay Permissions, you need:

• Mobile devices with iOS 8 or later
• Apple TV devices enrolled with Jamf Pro

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click AirPlay permissions.
3. Click New.
4. Enter a display name for the AirPlay Permission.
5. Select the inventory field from the Mapping Field pop-up menu.
6. (Optional) Enable settings for restricting AirPlay destinations and automating passwords, as needed.
7. Click Save.
8. Repeat this process for each new AirPlay Permission you want to create.

The mobile devices and AirPlay destinations that share the selected inventory field are mapped immediately.

Conditional Access

Disclaimer:


Jamf will discontinue Conditional Access support in a future release of Jamf Pro (removal date: 1
September 2024) due to the migration away from Microsoft's Partner Device Management legacy API.
Jamf now offers an alternative solution called macOS Device Compliance using Microsoft's new Partner
Compliance Management API. Jamf customers must move their workflows to macOS Device
Compliance in Jamf Cloud before the deprecation of the Microsoft Partner Device Management API. For
more information, see Migrating from macOS Conditional Access to macOS Device Compliance. For
more information on Jamf Cloud support, contact Jamf Customer Success.

For step-by-step instructions on how to edit existing Conditional Access integrations, see the "macOS
Conditional Access (Legacy)" section in the Device Compliance with Microsoft Intune and Jamf Pro technical
paper.

Migrating from macOS Conditional Access to macOS Device Compliance
If you have computers enrolled under the legacy Conditional Access integration, you must migrate the
computers to the new Device Compliance integration before the deprecation of the Microsoft Partner Device
Management API (removal date: 1 September 2024).

Important: To ensure device compliance remains accurately reported, you must enable the Device
Compliance integration immediately after disabling the Conditional Access integration.

Requirements
• Jamf Cloud-hosted environment (The macOS Device Compliance migration is not available for Jamf Pro
servers in AWS GovCloud. This migration should not be used by customers utilizing Conditional Access
with the US Government Sovereign Cloud.)
• Jamf Pro 10.48.0 or later
• Computers registered under the Conditional Access integration

1. Remove target users from the Partner Device Management scope in Microsoft Intune.

Note: Users cannot be scoped for both Partner Device Management and Partner Compliance
Management when registering or re-registering new computers with Device Compliance.

a. Log in to Microsoft Intune.
b. Navigate to Tenant administration > Connectors and tokens > Partner device management.


c. Under Included groups, remove all groups that include users you want to migrate to Device
Compliance.
d. Click Save.
2. Disable the Conditional Access integration in Jamf Pro by doing the following:
a. Navigate to Settings > Global > Conditional access.
b. Click Edit.
c. Deselect the Enable Intune Integration for macOS checkbox.
d. Click Save.
3. Enable the Device Compliance integration. For more information, see Configuring the Microsoft Intune
Integration.
4. (Optional) Create a smart computer group to view computers that have not been migrated to Device
Compliance.

Best Practice:
Use the following criteria to create the smart computer group:

Criteria | Operator | Value
Conditional Access Inventory State | is | Activated or Unresponsive
Device Compliance Integration - Registration Status | is | Not Registered

5. (Optional) Create a smart computer group to view computers that have been migrated to Device
Compliance.

Best Practice:
Use the following criteria to create the smart computer group:

Criteria | Operator | Value
Device Compliance Integration - Registration Status | is | Registered

Your devices will be migrated to the Device Compliance integration after JamfAAD information has been
collected and sent to Jamf Pro. This data collection process occurs every two hours on an active device. After
the Device Compliance integration is complete, some users may see a one-time prompt to enter their Microsoft
credentials.


Google BeyondCorp Enterprise Integration


Google BeyondCorp Enterprise allows organizations to ensure that only trusted users from compliant
computers and mobile devices access organizational resources. The BeyondCorp Enterprise integration
between Jamf Pro and BeyondCorp enables administrators to build a compliance and security framework
around end user devices rather than using a network perimeter.

Integrating with BeyondCorp Enterprise allows you to do the following:

• Share the Jamf determined compliance state with BeyondCorp.


• Restrict access to applications protected by BeyondCorp Enterprise Context-Aware policies.

Integrating Jamf Pro with BeyondCorp Enterprise


Integrating Jamf Pro with BeyondCorp Enterprise for macOS and iOS/iPadOS involves the following steps:

1. Creating BeyondCorp Enterprise smart groups
2. Enabling the BeyondCorp Enterprise integration
3. Registering a computer or device with Google
4. Creating and assigning a Context-Aware access policy

Note: The Google Chrome web browser must be used to leverage the macOS BeyondCorp Enterprise
integration. Enabling the iOS platform under Device Compliance while already using the Google
BeyondCorp integration for iOS devices (or vice versa) will cause compliance data flow issues. This
behavior doesn't affect the macOS platform for Device Compliance and Google BeyondCorp. For more
information about enabling both integrations, contact Jamf Customer Success.

Related Content

• Enroll browsers with Jamf Pro (Google)
• Set up third-party partner integrations (Google)

General Requirements
You must have the following to complete the BeyondCorp Enterprise integration:

• A Google Workspace Customer account
• A Google Workspace Enterprise SKU or Cloud Identity Premium SKU
• A Google Admin account
• A Jamf Pro User account with Conditional Access and Smart Group privileges for users
• Google Chrome with the Endpoint Verification extension installed on a macOS device
• Self Service installed on an iOS or iPadOS device
• Jamf Cloud-hosted environment

Important: A BeyondCorp Enterprise license is needed if access level policies on cloud-based and
on-premises applications and virtual machines running on Google Cloud Platform leveraging Google Cloud
Identity Aware Proxy will be applied.


Creating BeyondCorp Enterprise Smart Groups


Create smart computer groups for managed computers and smart device groups for mobile devices. The
BeyondCorp Enterprise integration requires you to create both an Applicable Group and a Compliance Group
to successfully complete the integration.

• Applicable Group—Smart group containing all devices that Jamf Pro uses to send a compliance status to
Google BeyondCorp, regardless of whether they are compliant or not.
• Compliance Group—Smart group containing all devices whose status is compliant that Jamf Pro will send
to Google BeyondCorp.

Create a smart group for your BeyondCorp Applicable Group and your BeyondCorp Compliance Group. For
more information, see Smart Groups.

Enabling the BeyondCorp Enterprise Integration


1. Navigate to the Devices payload on the Google Admin webpage.
2. Click Mobile & endpoints.
3. Click Settings.
4. Click Third-party integrations.
5. Click the Edit icon in the Security and MDM partners pane.
6. Click Manage.
7. Click Open connection for Jamf.

Note: You will be redirected to the Jamf webpage. The Customer ID will be displayed in the URL.
Save your Customer ID.

8. In Jamf Pro, click Settings in the sidebar.
9. In the Global section, click BeyondCorp Enterprise integration.
10. Use the switch to enable integration.
11. Copy and paste your Google Customer ID from the Jamf URL above into the Customer ID field.
12. Select the platform type.
13. Select the Compliance Group.
14. Select the Applicable Group.
15. Click Save.
16. Navigate back to Google Admin > Devices > Mobile & endpoints on the Google Admin webpage and
select your device.


Registering a Computer with Google

Note: Google Chrome and the Endpoint Verification extension are used to register a device. There are
several methods to manage Google Chrome extensions as an administrator. Jamf recommends
leveraging Google’s Chrome Browser Cloud Management. For more information, see Definitive Guide
to Google Chrome for the Apple Enterprise Fleet from Jamf.

1. Sign on to the Endpoint Verification extension with your Google Identity.
2. Click Turn on sync in the Endpoint Verification tab.
3. Sign in to your device account.
4. Navigate back to the Devices payload on the Google Admin web page.
5. Click Mobile & endpoints.
6. Click Devices.

Note: Your device should be displayed on the Devices page.

Registering a Device with Google


When a user registers a device with Google in the Self Service app from a mobile device, they are guided
through the steps:

1. The user signs in to Self Service.
2. The user taps Compliance under the Browse section on the home screen.
3. The user taps Register.
4. The Google sign in screen appears. The user is prompted to sign in with their Google credentials.
5. The user taps Continue.
6. The user taps Allow to allow Jamf to see device details on Google.
7. The user taps Ok.

Creating and Assigning a Context-Aware Policy


1. Navigate to your Google Admin account.
2. Click the Security payload.
3. Click Access and data control.
4. Click Context-Aware Access.
5. Click Access Levels.
6. Click Create access level.


7. Enter a unique name and description for your new access level.
8. In the Conditions pane, click the Advanced tab, and enter your condition.
Jamf recommends the following condition as a starting point:

!has(device.vendors.Jamf) || device.vendors["Jamf"].is_compliant_device == true

Note: For more information on conditions, see Google's Custom access level specification.

Important: Jamf only shares device compliance and device management state with Google. No
inventory data is made available to Google.

9. Navigate back to the Context-Aware Access pane.
10. Click Assign access levels.
11. Assign access levels to one or more applications.
12. Click Assign.
13. Select the checkbox with the policies you want to apply the access levels to.
14. Click Save.
15. Click Third-party services and confirm your device is now managed by Jamf and marked compliant.

Cloud Services Connection


You can automatically connect your Jamf Pro instance with available Jamf-hosted services by enabling the
Cloud Services connection. The following services are available:

• App Installers
• Icon Service
• Jamf Platform Integration Service
• Title Editor

Related Content

• Jamf Protect Integration with Jamf Pro
• Jamf Connect Integration with Jamf Pro
• Title Editor Documentation


App Installers
With a Jamf Pro instance hosted in Jamf Cloud and an enabled Cloud Services connection, you can use App
Installers to distribute available third-party macOS software titles from the App Installers Software Title List in
the Jamf App Catalog to target computers in a smart computer group and automatically keep the apps
up-to-date.

Icon Service
When you enable the Cloud Services connection, your Jamf Pro instance is automatically connected to the
Icon Service. After enabling the connection, new icons uploaded to Jamf Pro are stored in the Icon Service
rather than in the Jamf Pro database. This removes the work of storing, moving, and displaying icons for items
made available in Self Service and helps you save on database storage and memory usage.

Note: The Icon Service is hosted in the us-east-1 data region.

Jamf Platform Integration Service


When you enable the Cloud Services connection, your Jamf Pro instance is automatically connected to the
Jamf Platform Integration Service. After enabling the connection, Jamf Pro will allow you to complete a one-
time registration process to integrate Jamf Protect with Jamf Pro. This allows you to download the latest
version of the Jamf Protect package and configure scope for Jamf Protect plan configuration profiles directly
from Jamf Pro. Jamf Pro will also allow you to automatically deploy the Jamf Protect/Jamf Connect installer to
devices once a profile with the specified domain name is installed.

Note: You must have a valid Jamf Protect subscription to use this integration.

The following applications do not need to be cloud hosted:

• Jamf Pro
• Jamf Protect
• Jamf Connect

If you have licenses for Jamf Connect, Jamf Pro will allow you to view and edit your configuration profiles with
Jamf Connect settings from Settings > Jamf Applications > Jamf Connect. You can also configure Jamf
Connect deployment and update settings for computers in the scope of those profiles.


Title Editor
When you enable the Cloud Services connection, you can set up a Title Editor instance in Jamf Pro to create
custom software titles, override existing patch definitions, and create custom patch definitions.

Note: Title Editor uses the us-east-1 hosted data region.

Enabling the Cloud Services Connection

Requirements
To enable the Cloud Services connection, you need a Jamf ID with a valid Jamf Pro subscription.

To create a Jamf ID, go to: https://id.jamf.com/CommunitiesSelfReg

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Cloud services connection.
3. Enter your Jamf ID credentials.
4. Click Save.

A message displays, reporting the success or failure of the connection. After you have successfully enabled
the Cloud Services connection, your environment is automatically connected to the Icon Service.

Device Compliance
You can integrate with Microsoft Intune using Microsoft's Partner Compliance Management API to enforce
compliance on institutionally owned computers and mobile devices managed by Jamf Pro. This allows
organizations to ensure that only trusted users on compliant devices can access company resources.

For step-by-step instructions on Device Compliance workflows for computers and mobile devices, see the
following technical paper: Device Compliance with Microsoft Intune and Jamf Pro.

Jamf Pro Device Compliance Requirements


Administrator Requirements

To configure the Microsoft Intune integration with Jamf Pro, you need the following:


• Jamf Cloud-hosted environment

Note: The Device Compliance integration is not yet supported in Jamf Premium Cloud Plus.

• Jamf Pro 10.29.0 or later (iOS and iPadOS) or Jamf Pro 10.43.0 or later (macOS)
• A Jamf Pro user account with Device Compliance privileges
• Experience with creating smart groups in Jamf Pro. For more information, see Smart Groups in the Jamf
Pro Documentation.
• Microsoft Enterprise Mobility + Security (specifically Microsoft AAD Premium and Microsoft Intune)

Computer Requirements

Computers you want to monitor for compliance must have the following:

• macOS 10.11 or later
• Local or mobile user accounts

Note: Network accounts are not supported in the Microsoft Intune integration for macOS.

• Latest version of Jamf Self Service for macOS

Mobile Device Requirements

Mobile devices you want to monitor for compliance must have the following:

• iOS 11 or later, or iPadOS 13 or later
• Latest version of Microsoft Authenticator app (available from the App Store)
• Jamf Self Service for iOS 10.10.3 or later

Configuring the Microsoft Intune Integration


You must configure a connection between Jamf Pro and Microsoft Intune to allow Jamf Pro to send the
compliance status to Microsoft Entra ID (formerly Azure AD) for each computer and mobile device registered
with Entra ID. If you have multiple Jamf Pro instances, you can connect them to a single Entra ID tenant.

Note: This integration is not available for personally owned computers or mobile devices.


Important: For iOS or iPadOS compliance workflows, do not enable the iOS platform under the
Microsoft Intune Device Compliance while already using the Google BeyondCorp integration for iOS
devices (or vice versa), as this will cause compliance data flow issues. For more information about
enabling these integrations, contact Jamf Customer Success.

Requirements
If you already have one platform enabled (e.g., macOS) and would like to add another one (e.g., iOS),
ensure the platform type is enabled in Entra ID before you enable it in Jamf Pro.

1. In Jamf Pro, create the following smart groups for each platform (macOS and iOS/iPadOS) that you want to
manage with Device Compliance:
For more information on creating smart groups, see Smart Groups in the Jamf Pro Documentation.

macOS
◦ (Applicable Group) This group should contain all of the computers that need access to company
resources, regardless of whether they are compliant or not.
◦ (Compliance Group) This group should contain the computers that must meet specific criteria to be
considered compliant. For example, the criteria could be meeting macOS version requirements, or
the presence of a certain application.

Best Practice:
When creating the Compliance Group, add the criteria you want compliant computers to
have. For example, you may want to include the following criteria:
▪ Operating System Version
▪ Last Inventory Update
▪ FileVault Status
Jamf recommends selecting Send email notification on membership change when
creating the Compliance Group to be notified when a computer falls out of compliance.


iOS/iPadOS
◦ (Applicable Group) This group should contain all of the mobile devices that need access to
company resources, regardless of whether they are compliant or not. Once configured in Device
Compliance, the Register with Microsoft button is made available in Jamf Self Service for iOS.
◦ (Compliance Group) This group should contain the mobile devices that must meet specific criteria
to be considered compliant. For example, the criteria could be meeting iOS version requirements,
or the presence of a certain application.

Best Practice:
When creating the smart device group, add the criteria that devices must have to be
considered compliant. For example, you may want to include the following criteria:
▪ iOS/iPadOS Version
▪ Jailbreak Detected
▪ Last Backup
▪ Passcode Status
Jamf recommends selecting Send email notification on membership change when
creating the smart device group to be notified when a device falls out of compliance.

2. In Jamf Pro, click Settings in the sidebar.
3. In the Global section, click Device compliance.
4. Click Edit.
5. Use the switch to enable the integration.
6. Choose your platform type.
7. Choose the Compliance Group you want Jamf Pro to use to calculate device compliance.
8. Choose the Applicable Group you want Jamf to use to send compliance status to Microsoft Intune.
Microsoft Intune will send the compliance status to Entra ID.
9. Select one of the following landing page options for devices that are not recognized by Microsoft Entra ID:
◦ The default Jamf Pro Device Registration page
◦ The Access Denied page
◦ A custom webpage


10. Click Save.

The Microsoft Intune integration is configured in Jamf Pro and you are redirected to the Microsoft Intune
webpage to create a compliance partner.

Creating a Compliance Partner in Microsoft Intune


After the Microsoft Intune integration is configured in Jamf Pro, you must then finish the Microsoft Intune
configuration in Microsoft Intune.

Requirements
To accept permissions requested by Microsoft, you must have a Microsoft Entra ID account with global or
domain administrator rights.

1. On the Microsoft application registration page, enter your Entra ID credentials and follow the onscreen
instructions to grant the permissions requested by Microsoft.
After permissions have been granted for the Cloud Connector for Device Compliance app and the User
registration app for Device Compliance, you are redirected to the Configure Compliance Partner page.
2. Click Open Microsoft Endpoint Manager.
A new tab opens to the Partner compliance management blade in Microsoft Intune.
3. Click Add compliance partner.
4. Choose "Jamf Device Compliance" from the Compliance partner pop-up menu.
5. Choose the desired platform type from the Platform pop-up menu and click Next.
6. Click Add Groups and choose the Entra ID user groups you want to use from the Select groups to
include pop-up menu.

Important: Do not select "Add all users" from the Assignments pane. Selecting this option will
prevent the integration from working.

Note: You can change the Entra ID user groups at any time by completing steps 2-6 of this
procedure and step 10.

7. Click Select and then click Next.
8. Review your configuration and then click Create.
9. Navigate back to the Jamf Cloud Connector tab and click Confirm.


You are redirected back to Jamf Pro. Jamf Pro completes and tests the configuration. The success or
failure of the connection displays on the Device Compliance settings page.
10. To connect additional Jamf Pro instances to the same Entra ID tenant, configure the Device Compliance
settings for each instance and grant the requested permissions for the Cloud Connector for Device
Compliance and the User registration app for Device Compliance. You do not need to add Jamf as a
compliance partner again.

Once the connection is successfully enabled, Jamf Pro sends the compliance status to Entra ID through the
Microsoft Intune Compliance Management connection for each computer or mobile device that is registered
with Entra ID (registering with Entra ID is an end user workflow). You can view the compliance status of the
device in Entra ID. Devices will not appear in Microsoft Intune under the Devices list.


Jamf Application Integrations


Jamf Parent Integration with Jamf Pro
Jamf Parent is a free app that allows parents to manage their children's school-issued devices by allowing and
restricting apps and device functionality.

Integrating Jamf Parent with Jamf Pro allows administrators to limit the management capabilities of Jamf
Parent by doing the following:

• Specify the time periods when parents can manage their children's devices with Jamf Parent in Jamf Pro.
These restrictions can be specified when integrating Jamf Parent with Jamf Pro.
• Set restrictions using mobile device configuration profiles created in Jamf Pro.
• Remove restrictions set by Jamf Parent and Jamf Parent management capabilities from student devices by
sending a remote command to a single device or sending to multiple devices using a mass action.
• Prevent students from managing other students' school-issued devices with Jamf Parent by distributing a
configuration profile that restricts the Jamf Parent app on student devices. For information about enforcing
restrictions on devices, see the Restricting iOS Apps in the Best Practice Workflow for Jamf Pro.

To integrate the Jamf Parent app with Jamf Pro, you must enable the app and configure its settings in Jamf
Pro. Then parents can install the Jamf Parent app from the App Store or Google Play on their iOS and Android
devices. If parents have an Apple Watch paired with their iPhone, the Jamf Parent app installs on their Apple
Watch as well.

Parents can add their children's devices to Jamf Parent by scanning the QR code in Jamf Self Service for iOS
on their child's device.

Related Content

• Remote Commands for Mobile Devices
• Mass Actions for Mobile Devices
• Mobile Device Configuration Profiles

Integrating Jamf Parent with Jamf Pro


Requirements
• A Jamf Pro user account with read and update privileges for Jamf Parent and read privileges for smart
device groups and static device groups
• (On-premise only) A valid SSL certificate obtained from a third-party vendor (For more information, see
SSL Certificate in the Jamf Pro Documentation.)
• (On-premise only) Allow secure inbound connections from "student-api.services.jamfcloud.com"
• Supervised student devices with Jamf Self Service for iOS 10.9.0 or later

To use Jamf Parent, parents need their own mobile device with iOS 10.2 or later with the Jamf Parent app
installed on it.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Parent.
3. Click Edit.
4. Select Allow limited management of students' devices by Jamf Parent.
5. From the Student Device Group pop-up menu, choose the smart or static device group of student
devices you want Jamf Parent to manage.
The devices in the selected device group will display a QR code in Self Service that will be used to add the
student device to Jamf Parent.
6. Choose days and times to restrict Jamf Parent app usage from the Jamf Parent Restrictions pop-up
menus.
7. Choose the time zone to use for the Jamf Parent time restrictions from the Time Zone pop-up menu.
8. Click Save.

The QR code is made available in Self Service to devices in the selected student device group.

To view the number of devices with Jamf Parent that are managing a student device, you can use the Jamf
Parent Pairings smart device group criteria.

Parent Experience for Jamf Pro Integrations


Parents use instructions provided by the school to open Self Service on the student's school-issued device.
Then, they add the devices to Jamf Parent by scanning the QR code in Self Service using a device with iOS
10.2 or later with the Jamf Parent app installed on it.

To help parents get started with Jamf Parent, you can provide them with the Jamf Parent Guide for Jamf Pro
Parents.


1. The parent opens Self Service on the student's device, and then taps the Jamf Parent icon in the top-right
corner of the page.

2. The parent downloads Jamf Parent from the App Store or Google Play on their own iOS or Android device.


3. The parent opens Jamf Parent, and then taps Get Started.


4. The parent taps Scan QR Code to scan the QR code in Self Service, and then taps Confirm.


The student device is paired with Jamf Parent. Parents can repeat this process for any other student devices
they want to manage with Jamf Parent.

If two or more parents want to manage the same child's device with Jamf Parent, they must close and reopen
the QR code in Self Service before scanning the QR code on the second device with Jamf Parent.

Safelisting Apps from Jamf Parent Restrictions


You can safelist apps from being restricted by the Jamf Parent app. This allows you to ensure that apps
required by your organization (e.g., a content filtering app) are not inadvertently restricted on student devices
by the Parent app. To safelist an app, do the following:

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Parent.


3. Click Edit.
4. Click the Safelisted Apps tab and then click Edit.
5. Click Add and enter the name of the app you want to safelist. Then select it from the pop-up search
results.
The Bundle ID is entered automatically.
6. Click Save.

Devices with the Parent app in your environment are unable to restrict these apps on student devices.

Note: Jamf Parent can always restrict native iOS/iPadOS apps (e.g., Safari or Mail) and apps that fall
under a disallowed app category (e.g., Entertainment).

Jamf Teacher Integration with Jamf Pro


Jamf Teacher is a free mobile device, computer, and web application that teachers can use to manage student
devices in the classroom.

When integrated with Jamf Pro, Jamf Teacher allows teachers to manage student devices in the classroom
using the classes and lessons features:

• Classes—Classes are groups of students assigned to a teacher that the teacher can manage. Assigned
classes are classes created in Jamf Pro that are assigned to the teacher. These classes appear in the Jamf
Teacher sidebar.
• Lessons—Lessons allow teachers to configure which apps, websites, resources, and built-in apps students
can use during lessons such as Math or English, ensuring students only access apps and websites that are
related to the subject they are currently learning. When creating lessons, teachers can also add lesson
resources such as websites, Google Drive, or Dropbox. Lesson resources are available to students while
the lesson is active.

Integrating Jamf Teacher with Jamf Pro allows administrators to limit the management capabilities of Jamf
Teacher by doing the following:

• Configure how long Jamf Teacher restrictions can be set on student devices
• Configure the time at which restrictions applied by Jamf Teacher end
• Remove restrictions set by Jamf Teacher using the "Remove restrictions set by Jamf Teacher" mass action
or remote command


Note: If a Jamf Pro administrator and Jamf Pro both set restrictions on the same student's device, the
student's device will accept the most restrictive settings. Restrictions are set via mobile device
configuration profiles created in Jamf Pro.

Related Content

• Apps Purchased in Volume
• Remote Commands for Mobile Devices
• Mass Actions for Mobile Devices
• Mobile Device Configuration Profiles
• Jamf Teacher Guide for Teachers

Configuring Jamf Teacher Settings in Jamf Pro


To integrate the app with Jamf Pro, you must enable the app and configure its settings in Jamf Pro. Then you
can distribute the app to teachers.

Requirements
• A Jamf Pro user account with read and update privileges for Jamf Teacher.
• (On-premise only) A valid SSL certificate obtained from a third-party vendor (For more information, see
SSL Certificate in the Jamf Pro Documentation.)
• (On-premise only) Allow secure inbound connections from "student-api.services.jamfcloud.com".
• Students and teachers assigned to supervised devices including Shared iPads.

Note: If a student is not assigned to a Shared iPad they cannot join a lesson.

• Classes created in Jamf Pro (For more information, see Classes in the Jamf Pro Documentation.)

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Teacher.
3. Click Edit.
4. Select Allow limited management of students' devices by Jamf Teacher.
5. (Optional) Choose how long teachers can restrict student devices from the Maximum Restriction Time
pop-up menus.


6. (Optional) Choose the time at which all restrictions set by Jamf Teacher are cleared from student devices
from the Restrictions End Time pop-up menus, and then do the following:
a. Choose the region in which Jamf Teacher time restrictions are cleared from the Region pop-up menu.
b. Choose the time zone in which Jamf Teacher time restrictions are cleared from the Time Zone pop-up
menu.
7. Click Save.

Configuring and Distributing the Jamf Teacher App


To distribute the Jamf Teacher app to teachers, you must create a managed app configuration. The managed
app configuration allows teachers to use the app without logging in.

Managed app configuration is a set of key-value pairs used to configure iOS applications. You can use
managed app configuration to configure and customize Jamf-managed apps for your organization.

Note: If optional key-value pairs are not used, the app's default settings are used.

For more information or to generate a managed app configuration, see the AppConfig Generator utility from
Jamf.

Requirements
To use Jamf Teacher with Jamf Pro, teachers need a mobile device with iOS 11 or later.

1. In Jamf Pro, click Devices in the sidebar.
2. Click Mobile Device Apps in the sidebar.
3. Click New.
4. Select App Store app or apps purchased in volume and click Next.
5. Enter the name of the app, choose an App Store country and click Next. Then click Add for the app you
want to add.
6. On the General tab, ensure that the Make App Managed when possible checkbox is selected.
7. Use the Scope, Self Service, and Managed Distribution tabs to configure app distribution settings as
needed.
8. Click the App Configuration tab and enter the following in the Preferences field:

<dict>
    <key>action</key>
    <string>updateToken</string>
    <key>device</key>
    <dict>
        <key>UDID</key>
        <string>$UDID</string>
    </dict>
    <key>apiUrl</key>
    <string>$DAS_URL</string>
    <key>jamfProAuth</key>
    <dict>
        <key>jamfProUrl</key>
        <string>$JPS_URL</string>
        <key>authCode</key>
        <string>$OAUTH_AUTH_CODE</string>
        <key>appConfigReinstallCode</key>
        <string>$APP_CONFIG_REINSTALL_CODE</string>
    </dict>
</dict>

9. Click Save.

The app is distributed the next time mobile devices in the scope contact Jamf Pro. If users were added as
targets to the scope, the app is distributed to the devices those users are assigned to the next time the devices
contact Jamf Pro.

Note: If the user assignment is changed on a device with Jamf Teacher installed on it, you must
redistribute the app to that device with Jamf Pro.

For more information about the Jamf Teacher user experience, see the Getting Started with Jamf Teacher.
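
A pre-flight check for the Preferences value entered on the App Configuration tab, added here as an example (it is not Jamf's code): it parses the fragment, compares its keys with the layout shown above, and flags any value that was replaced by a literal where this page uses a $-variable. The function names, the rule that only "action" carries a literal, and the BAD sample are assumptions of this example.

```python
import plistlib
import re
from xml.parsers.expat import ExpatError

# Key layout copied from the Preferences fragment on this page.
# None marks a string value; a nested dict marks a nested <dict>.
EXPECTED = {
    "action": None,
    "device": {"UDID": None},
    "apiUrl": None,
    "jamfProAuth": {
        "jamfProUrl": None,
        "authCode": None,
        "appConfigReinstallCode": None,
    },
}

# Assumption of this example: only "action" carries a literal on the page
# (updateToken); every other value is a $VARIABLE placeholder.
LITERAL_OK = {"action"}
VARIABLE = re.compile(r"^\$[A-Z_]+$")


def load_preferences(fragment):
    """Parse a bare <dict> fragment by wrapping it in a <plist> element."""
    wrapped = '<plist version="1.0">' + fragment + "</plist>"
    return plistlib.loads(wrapped.encode("utf-8"), fmt=plistlib.FMT_XML)


def compare(prefs, expected=EXPECTED, path=""):
    """Return findings for keys and values that differ from the page's layout."""
    findings = []
    for key, sub in expected.items():
        where = f"{path}{key}"
        if key not in prefs:
            findings.append(f"missing key: {where}")
        elif sub is not None:
            if isinstance(prefs[key], dict):
                findings += compare(prefs[key], sub, where + ".")
            else:
                findings.append(f"expected dict: {where}")
        elif not isinstance(prefs[key], str) or not prefs[key]:
            findings.append(f"expected non-empty string: {where}")
        elif key not in LITERAL_OK and not VARIABLE.match(prefs[key]):
            findings.append(
                f"literal value where the page uses a variable: {where}")
    for key in sorted(prefs.keys() - expected.keys()):
        findings.append(f"unexpected key: {path}{key}")
    return findings


def lint(fragment):
    """Parse the fragment and return a list of findings (empty means clean)."""
    try:
        prefs = load_preferences(fragment)
    except (ExpatError, ValueError) as exc:
        return [f"cannot parse: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level element is not a <dict>"]
    return compare(prefs)


# The fragment as given on this page.
GOOD = """<dict>
<key>action</key><string>updateToken</string>
<key>device</key>
<dict><key>UDID</key><string>$UDID</string></dict>
<key>apiUrl</key><string>$DAS_URL</string>
<key>jamfProAuth</key>
<dict>
<key>jamfProUrl</key><string>$JPS_URL</string>
<key>authCode</key><string>$OAUTH_AUTH_CODE</string>
<key>appConfigReinstallCode</key><string>$APP_CONFIG_REINSTALL_CODE</string>
</dict>
</dict>"""

# Constructed sample: the auth code was pasted as a literal and the
# reinstall code was dropped.
BAD = """<dict>
<key>action</key><string>updateToken</string>
<key>device</key>
<dict><key>UDID</key><string>$UDID</string></dict>
<key>apiUrl</key><string>$DAS_URL</string>
<key>jamfProAuth</key>
<dict>
<key>jamfProUrl</key><string>$JPS_URL</string>
<key>authCode</key><string>constructed-literal-value</string>
</dict>
</dict>"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(sample) or "ok")
```

A fragment that fails this check should be corrected in the Preferences field before the app is scoped, since a device only receives the configuration when the app is distributed.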

Safelisting Apps from Jamf Teacher Restrictions


You can safelist apps from being restricted by the Jamf Teacher app. This allows you to ensure that apps
required by your organization (e.g., a content filtering app) are not inadvertently restricted on student devices
by the Teacher app. To safelist an app, do the following:

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Teacher.
3. Click Edit.
4. Click the Safelisted Apps tab and then click Edit.
5. Click Add and enter the name of the app you want to safelist. Then select it from the pop-up search
results.


The Bundle ID is entered automatically.
6. Click Save.

Devices with the Teacher app in your environment are unable to restrict these apps on student devices.

Note: The Teacher app can always restrict native apps (e.g., Safari or Mail) and apps that fall under a
disallowed genre (e.g., Entertainment).

Jamf Protect Integration with Jamf Pro


Jamf Protect is a cross-platform enterprise endpoint security solution that provides administrators and security
professionals the ability to protect devices using a holistic offering of security capabilities. With Jamf Protect's
macOS endpoint security capability, you can create custom detections that protect computers with real-time
monitoring for suspicious and unwanted activities, while measuring computers against the Center for Internet
Security (CIS) benchmarks with compliance baselines. Jamf Protect runs without using kernel extensions to
support continuous macOS updates and preserve the Apple user experience.

Integrating Jamf Protect allows you to do the following from Jamf Pro:

• Enable automatic package deployment.
• Download the Jamf Protect package.
• Sync Jamf Protect plan configuration profiles.

To integrate Jamf Pro with your Jamf Protect tenant, you must do the following:

1. Create an API Client in Jamf Protect to generate the configuration and endpoint information required by
Jamf Pro.
2. Register your Jamf Protect tenant to establish a secure connection between Jamf Pro and Jamf Protect.

Related Content

• Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers
• Plans (Jamf Protect)
• Setting Up Analytic Remediation With Jamf Pro (Jamf Protect)


Registering Your Jamf Protect Tenant in Jamf Pro


Registering your Jamf Protect tenant establishes a secure connection between Jamf Pro and Jamf Protect.

Requirements
• Cloud Services Connection enabled
For instructions, see Cloud Services Connection in the Jamf Pro Documentation.
• An API Client created from Jamf Protect.
To create an API Client, go to Administrative > API Clients in your Jamf Protect tenant.
• The following Jamf Pro user account privileges:

Category                    Privilege
Jamf Pro Server Settings    Jamf Protect (Read and Update)
                            Cloud Services Connection (Read)
Jamf Pro Server Actions     Read and Download Jamf Application Assets

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Protect.
3. Click Begin Registration.
4. Enter your Jamf Protect API endpoint in the Jamf Protect API URL field.
5. Enter your API Client configuration information in the Client ID and Password fields.
6. Click Register.

Your Jamf Protect tenant is integrated with your Jamf Pro instance and a package download and list of plans
should display.


Jamf Protect Plans in Jamf Pro


If you have a Jamf Pro subscription and registered your Jamf Protect tenant with Jamf Pro, plans from your
Jamf Protect tenant are available as computer configuration profiles in Jamf Pro. You can configure the scope
of plan configuration profiles to deploy them to target computers.


Keep the following in mind when configuring scope for plan configuration profiles:

• If you delete plan configuration profiles from Jamf Protect, the plans will re-appear without a scope the next
time Jamf Pro syncs with Jamf Protect (every six hours).
• You cannot edit the settings in a Jamf Protect plan from Jamf Pro. To edit a plan, navigate to the plan in
your Jamf Protect tenant. Changes to a plan on computers are applied the next time the computer checks in
with Jamf Protect.
• If the Jamf Protect PKG is deployed without a plan configuration profile, computers will not check in with the
Jamf Protect Cloud and the agent will not successfully monitor for threats. Configuring scope for your plans
before deploying the Jamf Protect PKG is recommended.
• To help you find plan configuration profiles synced from Jamf Protect on the computer configuration profiles
pane, "(Jamf Protect)" is appended to each profile name that is synced.

Configuring Scope for Jamf Protect Plans


You can configure the scope of available plan configuration profiles to deploy them to target computers.

Requirements
• A Jamf Protect subscription
• One or more plans in Jamf Protect

• Registration of your Jamf Protect tenant in Jamf Pro

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Protect.
3. In the Jamf Protect Plans table, click the plan configuration profile you want to configure in
the Profile column.

Note: You can click Sync to manually check Jamf Protect for plan updates. Jamf Pro automatically
syncs with Jamf Protect every six hours.

4. Click Edit.
5. Click the Scope tab.
6. Configure the scope of your plan configuration profile.
7. Click Save.

The plan configuration profile is distributed to target computers the next time they check in with Jamf Pro, and
the scope also displays in the Scope column on the Jamf Protect page in Jamf Pro.

If you selected the Automatically deploy the Jamf Protect PKG with plans checkbox in the Jamf Protect
Deployment section, the Jamf Protect PKG is automatically deployed to computers in the scope that have not
yet installed the Jamf Protect PKG.

Viewing and Retrying Jamf Protect Deployments


You can view the status of Jamf Protect deployments to see if the Jamf Protect package was successfully
installed. If you need to retry a deployment, you can resend the install commands for one or more computers.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Jamf Apps section, click Jamf Protect.
3. Next to the Jamf Protect plan for which you want to view or retry deployment, click View.
Computers in the scope of the plan are displayed, along with their deployed version and deployment
command statuses.
4. (Optional) To retry deployment for a computer, click Retry next to the deployment command status for that
computer. To retry deployment for multiple computers, select the computers you want and then click Retry
Selected in the top-right corner of the pane.

Jamf Connect Integration with Jamf Pro


Jamf Connect is an app that allows administrators to manage authentication by connecting a user's local
macOS account to their organization's cloud identity (network account).

Jamf Connect includes two core components:

• Login window—An authorization plug-in that modifies the default macOS login process and login window
UI.
• Menu bar app—An application that helps users manage their network and local passwords.

The Jamf Connect integration in Jamf Pro allows you to automatically deploy the Jamf Connect package to
computers in the scope of computer configuration profiles with Jamf Connect settings.

You can configure the following:

• View all computer configuration profiles—View all computer configuration profiles with Jamf Connect
settings in a single location (Settings > Jamf Applications > Jamf Connect). Jamf Pro automatically
detects and displays any configuration profile with settings written to a preference domain starting with
com.jamf.connect.
• Deploy Jamf Connect—Deploy a specific version of Jamf Connect to computers in the scope of a
configuration profile. This allows you to complete an initial deployment of Jamf Connect to target computers
or to manage subsequent updates without enabling automatic updates.
• Configure automatic updates—Configure automatic updates for computers in the scope of a Jamf
Connect configuration profile. You can configure Jamf Pro to automatically deploy minor updates (e.g., 1.0.0
to 1.1.0), maintenance updates (e.g., 1.0.0 to 1.0.1), or both.
• Receive Notifications—Receive notifications in Jamf Pro when a new Jamf Connect version is available.

Keep the following in mind when using this integration:

• If a computer is in the scope of multiple configuration profiles, such as separate configuration profiles for the
login window and menu bar app, Jamf Pro uses the most proactive update type for computers in scope of
both profiles.


• You cannot configure automatic updates to complete major updates (e.g., 1.19.3 to 2.0.0 or later). To
complete a major upgrade for Jamf Connect, use a policy.
• This feature cannot be used to downgrade the Jamf Connect version on computers.

Training Video

Watch the Use Jamf Pro for Jamf Connect Deployment and Updates video to learn more about
managing updates using Jamf Pro.

Related Content

• Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers
• Jamf Connect Documentation

Creating Jamf Connect Configuration Profiles Using Jamf Pro


You can use Jamf Pro to create a computer configuration profile that configures Jamf Connect settings with the
Application & Custom Settings payload. This payload allows you to select Jamf Connect preferences,
automatically generate a PLIST file, and configure the scope. Jamf Pro can use configuration profiles created
in this way to automatically deploy and update Jamf Connect.

Depending on which components of Jamf Connect you plan to use, you must configure settings for the
following Jamf application domains:

• com.jamf.connect—Includes all settings for the Jamf Connect menu bar app
• com.jamf.connect.login—Includes all settings for the Jamf Connect login window

Keep the following in mind when you configure Jamf Connect:

• You can configure multiple Application & Custom Settings payloads in a single configuration profile. This
allows you to configure multiple preference domains in a single configuration profile.
• You can split your Jamf Connect settings into multiple configuration profiles written to the same preference
domains. This allows you to easily add or remove a subset of Jamf Connect settings (e.g., enrollment-only
settings or updating your product license).

Requirements
• Integration with a cloud identity provider (IdP)
• Familiarity with your IdP's minimum authentication settings


1. In Jamf Pro, click Computers in the sidebar.
2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings, including the level at which to apply the profile and the
distribution method.
Only payloads and settings that apply to the selected level are displayed for the profile. To distribute the
profile during enrollment using a computer PreStage enrollment, ensure you create a computer-level
configuration profile.
5. Use the Application & Custom Settings payload to configure Jamf Applications.
6. Click Add.
7. Choose "com.jamf.connect.login" from the Jamf Application Domain pop-up menu.
8. Choose a version of the preference domain you want to configure.
The latest version is recommended.
9. Select "Jamf Connect Login.json" from the Variant pop-up menu.

The Jamf Connect preference domain settings display.


10. Configure Jamf Connect settings.


To determine which settings are required, see Authentication Settings.

Best Practice: Jamf recommends deselecting any unused settings from the payload. This prevents
Jamf Pro from including blank key-value pairs in the configuration profile.

11. If you plan to use the Jamf Connect menu bar app in your organization, click Add to configure settings for
the Jamf Connect menu bar app preference domain (com.jamf.connect).

12. Click the Scope tab and configure the scope of the profile.

Note: Ensure the scope of the profile contains the computers that are in the scope of the PreStage
enrollment.


13. Click Save.

Your configuration profiles are distributed to target computers when they check in with Jamf Pro.

If you configure deployment and update settings for the newly created profile, Jamf Pro installs or updates
Jamf Connect on target computers.

Configuring Jamf Connect Deployment and Update Settings


You can configure Jamf Pro to deploy Jamf Connect to existing computers and automatically update the
version as new releases become available. To do so, you must assign deployment and update settings to an
existing configuration profile in Jamf Pro that has Jamf Connect settings. Jamf Pro will install and update
computers in the scope of the configuration profile accordingly.

This deployment method is recommended for the following scenarios:

• Deploying Jamf Connect for the first time to computers that are already enrolled in Jamf Pro.
• Managing automatic update settings for existing computers that already have Jamf Connect installed.

Requirements
• Cloud Services Connection enabled
For instructions, see Cloud Services Connection in the Jamf Pro Documentation.
• The following Jamf Pro user account privileges:

Category                    Privilege
Jamf Pro Server Settings    Jamf Connect (Read)
Jamf Pro Server Objects     Jamf Connect Deployments

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Connect.
3. Next to the configuration profile with the Jamf Connect settings you want to deploy, click Edit.
4. Next to Automatically Deploy And Update Jamf Connect, click Yes.
5. Choose a version of Jamf Connect to deploy from the Version pop-up menu.

Note: If a computer in the scope of the configuration profile already has a previous version of Jamf
Connect installed, Jamf Pro will update that computer to the chosen version.


6. Choose one of the following options from the Update Type pop-up menu to manage future updates:
◦ Manual—Only deploy the chosen version to computers in scope and do not automatically deploy future
updates.
◦ Maintenance—Automatically deploy maintenance (e.g., 1.0.1) updates to computers in scope.
◦ Minor & Maintenance—Automatically deploy minor and maintenance (e.g., 1.1.0 and 1.0.1) updates to
computers in scope.
7. Click Next.
Jamf Pro displays a confirmation pop-up dialog summarizing the actions it will take based on the settings
you have configured.
8. Click Confirm.

Jamf Pro deploys the chosen version of Jamf Connect when computers in the scope of the configuration profile
check in and updates them accordingly as new releases become available.
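
The update rules this page states for Jamf Connect (the three update types, no automatic major updates, no downgrades, and the most proactive type applying when several profiles scope one computer), modeled as an added example that is not Jamf Pro's code. The function names, the ordering used for "most proactive", the choice of the highest eligible release, and the sample release list are assumptions of this example.

```python
from enum import IntEnum


class UpdateType(IntEnum):
    # Ordered from least to most proactive (this ordering is an assumption).
    MANUAL = 0
    MAINTENANCE = 1
    MINOR_AND_MAINTENANCE = 2


def parse_version(text):
    """Turn 'MAJOR.MINOR.MAINTENANCE' into a tuple of three integers."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.MAINTENANCE, got {text!r}")
    return tuple(int(p) for p in parts)


def classify_change(installed, candidate):
    """Return 'same', 'downgrade', 'major', 'minor' or 'maintenance'."""
    cur, new = parse_version(installed), parse_version(candidate)
    if new == cur:
        return "same"
    if new < cur:
        return "downgrade"
    if new[0] != cur[0]:
        return "major"        # e.g., 1.19.3 to 2.0.0
    if new[1] != cur[1]:
        return "minor"        # e.g., 1.0.0 to 1.1.0
    return "maintenance"      # e.g., 1.0.0 to 1.0.1


def effective_update_type(profile_types):
    """Most proactive update type among the profiles scoping a computer."""
    return max(profile_types, default=UpdateType.MANUAL)


def auto_update_allowed(installed, candidate, profile_types):
    """True if the candidate release may be deployed automatically."""
    change = classify_change(installed, candidate)
    effective = effective_update_type(profile_types)
    if change == "maintenance":
        return effective >= UpdateType.MAINTENANCE
    if change == "minor":
        return effective == UpdateType.MINOR_AND_MAINTENANCE
    # Same version, downgrades and major updates are never automatic.
    return False


def pick_update(installed, releases, profile_types):
    """Highest release that may be auto-deployed, or None if there is none."""
    eligible = [r for r in releases
                if auto_update_allowed(installed, r, profile_types)]
    return max(eligible, key=parse_version, default=None)


# Constructed release list for illustration; not real Jamf Connect versions.
SAMPLE_RELEASES = ["1.0.1", "1.1.0", "1.1.1", "2.0.0"]

if __name__ == "__main__":
    for types in ([UpdateType.MANUAL],
                  [UpdateType.MAINTENANCE],
                  [UpdateType.MAINTENANCE, UpdateType.MINOR_AND_MAINTENANCE]):
        names = ", ".join(t.name for t in types)
        print(f"{names}: {pick_update('1.0.0', SAMPLE_RELEASES, types)}")
```

In this model a computer on 1.0.0 never reaches 2.0.0 automatically, which matches the page's instruction to use a policy for major upgrades.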

Viewing and Retrying Jamf Connect Deployments


You can view the status of Jamf Connect deployments to see if the Jamf Connect package was successfully
installed. If you need to retry a deployment, you can resend the install commands for one or more computers.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Jamf Apps section, click Jamf Connect.
3. Next to the configuration profile for which you want to view or retry deployment, click View.
Computers in the scope of the profile are displayed, along with their deployed version and deployment
command statuses.
4. (Optional) To retry deployment for a computer, click Retry next to the deployment command status for that
computer. To retry deployment for multiple computers, select the computers you want and then click Retry
Selected in the top-right corner of the pane.


Jamf Self Service


Jamf Self Service for macOS
Jamf Self Service for macOS allows users to browse and install configuration profiles, Mac App Store apps,
and books. Users can also run policies and third-party software updates via patch policies, as well as access
webpages using bookmarks.

Jamf Pro allows you to manage every aspect of Self Service, including its installation, user authentication, and
the items available to users. In addition, you can configure how Self Service is displayed to users by replacing
the default Self Service application name, icon, and header image with custom branded elements to present
users with a familiar look and feel.

You can make any configuration profile, policy, software update (via patch policy), Mac App Store app, or book
available in Self Service and customize how it is displayed to users. This includes displaying an icon and
description for the item, adding the item to relevant categories, and displaying item-specific notifications.
You can also specify which computers display the item in Self Service and which users can access it.

Jamf Self Service for macOS Installation Methods


Jamf Self Service can be installed on managed computers using two different methods:

• Automatically using Self Service settings in Jamf Pro.
• Using a policy. This gives you more control over the installation.

General Requirements
Jamf Self Service 10.10.0 or later can run on macOS 10.11.x or later.

If Self Service is configured to install automatically, computers in your environment install the version of Self
Service that is compatible with the computer's macOS version:

macOS Version           Self Service Version Installed
macOS 10.15 or later    Latest version
macOS 10.14.4           Self Service 10.42.0
macOS 10.13             Self Service 10.32.0
macOS 10.12             Self Service 10.21.0

Installing Self Service for macOS Automatically


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click macOS.
3. Click Edit.
4. Select the Install Automatically checkbox.
5. (Optional) Configure the installation location for Self Service.
6. Click Save.

Self Service is installed on all managed computers the next time they check in with Jamf Pro. It is also installed
on computers as they are newly enrolled.

Installing Self Service for macOS Using a Policy


You can download the latest version of Self Service for manual installation using a policy on computers with
macOS 10.13 or later.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click macOS.
3. Click Download.
The Self Service.tar.gz file is downloaded immediately.

Note: To download earlier versions of Self Service for manual installation, append one of the
following to your Jamf Pro URL:
◦ macOS 10.12: /bin/level2/SelfService.tar.gz
◦ macOS 10.11: /bin/level3/SelfService.tar.gz
◦ macOS 10.10: /bin/level4/SelfService.tar.gz
For example: https://JAMF_PRO_URL.jamfcloud.com/bin/level2/SelfService.tar.gz

4. Double-click the file to decompress it.


5. Use Composer or another package-building tool to package the Self Service application included in the file.
For information on building packages using Composer, see the Composer User Guide.


6. Add the package to Jamf Admin or Jamf Pro. For more information, see Package Management.
7. Create a policy to install Self Service. For detailed instructions, see Package Deployment.

macOS Onboarding

Updated 05 December 2023

This page has been updated to include information on excluding computers from macOS Onboarding
workflows.

macOS Onboarding allows you to easily configure and deploy content on computers for your end users. You
can choose which policies, configuration profiles, and applications are automatically installed on end user
computers when Self Service for macOS opens for the first time on a new computer. After enrolling computers
through Automated Device Enrollment or user-initiated enrollment, Self Service for macOS launches on the
end user's computer to begin the onboarding process.

End users can minimize the onboarding screen while the macOS Onboarding process takes place, allowing
them to use applications as soon as they are installed without waiting for the entire onboarding process to
finish.

Excluding Computers from macOS Onboarding


When you enable macOS Onboarding and add the items to be deployed, the onboarding workflow initiates
for all computers in your environment. This includes newly enrolled computers and those that were previously
enrolled. You can exclude computers from the workflow before enabling macOS Onboarding in Jamf Pro.

Excluding computers from macOS Onboarding involves the following steps:

1. Creating a Smart Group to Identify Computers for Exclusion
2. Creating a Script for macOS Onboarding Exclusion
3. Creating a Policy for macOS Onboarding Exclusion

Creating a Smart Group to Identify Computers for Exclusion

Create a smart computer group for the computers you do not want macOS Onboarding to deploy to.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Smart Computer Groups in the sidebar.
3. Click New.
4. Enter a display name for the group (e.g., Exclude Computers from macOS Onboarding).


5. To enable email notifications, select the Send email notification on membership change checkbox.
6. Click the Criteria tab and add criteria to the group:

Note: The following are minimum recommendations; consider adding other criteria to your smart
computer group.

a. Click Add.
b. Click Show Advanced Criteria.
c. Click Choose for Last Enrollment.
d. Choose "before (yyyy-mm-dd)" from the Operator pop-up menu.
e. Enter a value in the Value field or browse for a value by clicking Browse.
f. (Optional) Repeat steps a through e to create a range of excluded computers.
7. Choose "and" from the And/Or pop-up menus to specify the relationships between criteria.
8. Click Save.
Operations in the group take place in the order they are listed (top to bottom). Group memberships update
each time computers check in with Jamf Pro and meet or fail to meet the specified criteria.
9. Click View to view excluded computers.

Creating a Script for macOS Onboarding Exclusion

You can create a script that marks macOS Onboarding as complete on target computers. This allows you to
use a policy to exclude a smart group of computers from running macOS Onboarding.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Scripts.
3. Click New.
4. Use the General pane to configure basic settings for the script, including the display name and category.
5. Click the Script tab and enter the following script contents in the script editor:

#!/bin/zsh

# Jamf Pro passes the username of the logged-in user to scripts as parameter 3 ($3).
sudo -u "$3" defaults write /Users/"$3"/Library/Preferences/com.jamfsoftware.selfservice.mac.plist com.jamfsoftware.selfservice.onboardingcomplete -bool YES

You can use the settings on the tab to configure syntax highlighting and theme colors in the script editor.
6. Click the Options tab and configure additional settings for the script, including the priority and parameter
labels.
7. Click Save.


Creating a Policy for macOS Onboarding Exclusion

Create a policy for the computers you do not want macOS Onboarding to deploy to.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. In the General payload, enter a display name for the policy (e.g., Exclude Computers from macOS
Onboarding).
5. Use the General payload to configure the following settings:
◦ For Trigger, select "Recurring Check-in".
◦ For Execution Frequency, select "Once per user per computer".
6. Select the Scripts payload and click Configure.
7. Click Add for the script you previously created in Creating a Script for macOS Onboarding Exclusion.
8. Click the Scope tab and add the smart computer group you previously created in Creating a Smart Group
to Identify Computers for Exclusion.
9. Click Save.

The policy deploys to computers in your smart group. The script marks macOS Onboarding as complete on
target computers. As a result, macOS Onboarding does not deploy to computers that have executed the policy.

Enabling macOS Onboarding


You must enable macOS Onboarding in Jamf Pro before it can be configured for end user computers.

Important: When you enable macOS Onboarding and add the items to be deployed, the onboarding
workflow initiates for all computers in your environment. This includes newly enrolled computers and
those that were previously enrolled. Only items set to be available in Self Service can be selected and
items should not run again if the trigger is set to run once per computer. If you would like to exclude
computers from macOS Onboarding, see Excluding Computers from macOS Onboarding. Excluding
computers from macOS Onboarding must happen before enabling macOS Onboarding in Jamf Pro.

Requirements
• Jamf Pro 11.0.0 or later
• Jamf Self Service for macOS 11.0.0 or later
• Ensure the Launch Self Service when done checkbox is selected in Settings > Global > User-
Initiated Enrollment > macOS. This allows macOS Onboarding to launch automatically.


1. In Jamf Pro, click Settings in the sidebar.
2. Navigate to Self Service > macOS Onboarding.
3. Click Edit.
4. Select the Enabled checkbox.
5. Click Save.

Adding Items to macOS Onboarding


To set up macOS Onboarding, select the policies, configuration profiles, or Mac apps that you want to deploy
to end user computers.

Requirements
• A Jamf Pro user account with macOS Onboarding privileges
• One or more of the following items to add to onboarding:

Note: All items must have Make Available in Self Service selected as the distribution method.

◦ Policies

Note: Do not use the Enrollment Complete trigger with a policy being used for Onboarding. If
used, Onboarding will not work. Do not select Automatically re-run policy on failure for a
policy with Onboarding. If selected, the Onboarding completion screen will be skipped.

For instructions on creating a policy, see Policy Management.


◦ Configuration Profiles
For instructions on creating a configuration profile, see Computer Configuration Profiles.
◦ Volume purchased Mac apps from the App Store
For more information on creating Mac apps in Jamf Pro and distributing apps purchased in volume,
see Apps Purchased in Volume.

1. In Jamf Pro, click Settings in the sidebar.
2. Navigate to Self Service > macOS Onboarding.
3. Click Edit.
4. Click the Policies, Configuration Profiles, or Applications tab and then select the items you want to be
included in the macOS Onboarding.


5. Click the Overview tab to view Items Enabled.
6. Drag the items into the preferred order of installation on end user computers.
7. Click Save.

macOS Onboarding automatically deploys to all computers in your environment.

Jamf Self Service for macOS User Login Settings


The Self Service User Login settings allow you to configure the method for logging in to Jamf Self Service for
macOS. Self Service User Login is disabled by default. After enabling Self Service User Login, you must select
a login method and authentication type.

There are two login methods you can choose from:

• Allow users to log in to view items available to them
• Require login

After selecting a login method, you must select one of the following authentication methods:

• LDAP account or Jamf Pro user account—To require or allow users to log in using a Directory Service
account or Jamf Pro user account, you need a Directory Service server set up in Jamf Pro or you must
create a Jamf Pro user account for that user. For more information, see LDAP Directory Service Integration
or Jamf Pro User Accounts and Groups.
• Single Sign-On—To require or allow a user to log in using single sign-on, you must enable single sign-on
for Self Service for macOS. For more information, see Single Sign-On (SSO).

Configuring Jamf Self Service for macOS User Login


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click macOS.
3. Click Edit.
4. From the Configuration tab, select the Enable Self Service User Login checkbox.
5. Select a login method from the Login Method pop-up menu.
6. (Optional) If you want the Remember Me checkbox to display on the Self Service Login page, select the
Allow users to store their login credentials in Keychain Access checkbox.
7. Select an authentication type.
8. Click Save.

The settings are applied the next time computers check in with Jamf Pro.


Jamf Self Service for macOS Configuration Settings


You can use the Self Service Configuration settings in Jamf Pro to do the following:

• Automatically install Self Service on managed computers and customize the installation location.
• Configure the user login method.
• Enable Self Service notifications.
• Enable the User Approved MDM Profile notification.
• Select the category that displays on the Home page when users launch Self Service.
• Customize the bookmarks display name in Self Service. The bookmarks label is populated with
"Bookmarks" by default, but you can change it to meet the needs of your organization (e.g., "Websites" or
"Resources").

Related Content

• Jamf Self Service for macOS Installation Methods
• Jamf Self Service for macOS User Login Settings
• Jamf Self Service for macOS Notifications
• Bookmarks

Configuring Jamf Self Service for macOS


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click macOS.
3. Click Edit.
4. Click the Configuration tab.
5. Configure the settings on the pane.
6. Click Save.

The settings are applied the next time computers check in with Jamf Pro.

Jamf Self Service for macOS Notifications


You can enable Self Service notifications using the Self Service Configuration settings. After enabling Self
Service notifications, item-specific notification options are made available in Jamf Pro when adding or editing
items. These settings allow you to add a notification for the item or software title update to Self Service only, or
to both Self Service and Notification Center.

Notifications in Self Service display in the Notifications list in the Self Service toolbar. A badge appears on the
Notifications icon when new items or software updates are added to Self Service.


You can also display notifications in Notification Center as banners or alerts in macOS. Users can then click
the notification to open the item in Self Service.

Enabling Self Service Notifications


You can display Self Service notifications in Notification Center.

Requirements
• A push certificate in Jamf Pro (For more information, see Push Certificates.)
• The Enable Push Notifications checkbox selected in Jamf Pro (For more information, see Security
Settings.)
• A valid proxy server token uploaded to Jamf Pro (For more information, see Jamf Push Proxy.)

1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click macOS.
3. Click Edit.
4. Click the Configuration tab.
5. Select the Enable Self Service Notifications checkbox.
6. Click Save.

Once saved, the option to display notifications for items made available in Self Service is made available when
configuring those items.

For more information on which items can be made available in Self Service, see Items Available to Users in
Jamf Self Service for macOS.

Jamf Self Service for macOS Branding Settings


You can customize how Self Service displays to your end users by configuring the following settings:

• Icon—The branding icon displays on the Self Service Login page, in the branding header in Self Service, and as
the Self Service icon in the Finder and the Dock. You can customize the branding icon by replacing the
default Self Service logo with your organization's logo or another icon of your choice. It is recommended that
you use a GIF or PNG file that is 180x180 pixels.


Note: Jamf Pro now supports authentication for locally hosted icons in Jamf Self Service for macOS
10.14.4 and later. For information about enabling this authentication, contact Jamf Support.

• Branding Header—The branding header displays across the Home page of Self Service. You can
customize the branding header image by replacing the default image with an image of your choosing. It is
recommended that you use a GIF or PNG file that is 1500x320 pixels. You can use the following template to
ensure the most important part of your branding header page remains visible on the screen when the
application window is resized:

• Branding Name—The branding name displays on the Self Service Login page and in the branding header in
Self Service. By default, "Self Service" is displayed as the branding name. You can customize the branding
name by modifying the Main Header and Secondary Header text fields.
• Application Name—The application name displays in the Finder, the Dock, and in the app title bar and
menu. By default, "Self Service" is displayed as the application name. You can customize the application
name by modifying the Application Name text field.

Configuring the Branding Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click Branding.
3. Click the default branding configuration.
4. Click Edit.
5. Configure your branding settings on the pane.
A preview of your changes automatically displays in the right-side pane.
6. Click Save.

The branding configuration is displayed in Self Service the next time computers check in with Jamf Pro.

Bookmarks
You can use bookmarks to give your users easy access to specified webpages directly from Jamf Self Service
for macOS.


When you make a bookmark available in Self Service, you can customize how the bookmark is displayed to
users. This includes uploading an icon for the bookmark, and specifying whether the bookmarked webpage
opens in Self Service or in a web browser. You can also specify which computers display the bookmark in Self
Service and which users can access it (called "scope").

Configuring a Bookmark
1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click Bookmarks.
3. Click New.
4. Enter a display name and description, and then choose a priority for the bookmark.
5. Configure the bookmark using the options on the pane.
6. Click the Scope tab and configure the scope of the bookmark. For more information, see Scope.
7. Click Save.

The bookmark is available in Self Service on computers in the scope the next time they check in with Jamf Pro.

Items Available to Users in Jamf Self Service for macOS


You can make the following items available in Jamf Self Service for macOS for users to install on their
computers:

• Configuration profiles
• Policies
• Mac App Store apps
• Books
• Third-party software title updates (via patch policies)
• Third-party software titles (via App Installers)

It is up to you to determine which items are appropriate for Self Service. For example, it may be helpful to
make a policy available in Self Service that users can run to map printers to their computers.

To make a policy available in Self Service, select the Make the policy available in Self Service checkbox
when configuring the policy.

To make a configuration profile, app, book, or patch policy available in Self Service, choose "Make Available in
Self Service" from the Distribution Method pop-up menu when configuring it in Jamf Pro.

To make a third-party software title available in Self Service via App Installers, select Make available in Self
Service as the distribution method.


You can customize how items available in Self Service are displayed to users. The following table shows the
customization options for each item:

Option / Description / Policies / Configuration Profiles / Mac App Store Apps / Books / Patch Policies / App Installers

Customize the Self Service Display Name
    You can customize the name for the item that displays in Self Service. For example, if you create a policy
    with the name “Install Office 2011 with Service Pack 3”, you may want an abbreviated name to display in
    Self Service (such as “Office 2011”).
    Note: If this field is left blank, the item name you entered on the General payload displays in Self Service.
    ✔ ✔ ✔ In-house books only

Customize the action button
    You can customize the name for the button that users click to initiate the item (e.g., "Install").
    ✔ ✔ ✔ ✔ ✔

Customize the secondary action button
    You can customize the name for the button that users click to initiate the item again (e.g., "Reinstall").
    ✔

Customize the item description
    You can enter a description that users can view to get more information. In addition, you can customize
    the text displayed in the description by using Markdown in the Description field. For more information,
    see the Using Markdown to Format Text article.
    ✔ ✔ ✔ ✔ ✔ ✔

Display notifications for the item
    You can add a notification to Self Service and Notification Center when a new item is added to Self
    Service for macOS. When configuring a notification, you can specify subject and message text. All
    notifications are required to have a subject. If subject text is not specified, the item name is displayed
    in the subject line by default.
    In addition, you can customize the text displayed in the message by using Markdown in the Message field.
    ✔ ✔ ✔ ✔ ✔

Upload an icon
    You can upload an icon to display for the item. It is recommended that you use a file with the GIF or PNG
    format that is 512 x 512 pixels.
    ✔ ✔ ✔ ✔ ✔

Display in the "Featured" category
    You can configure an item to display in the "Featured" category in Self Service.
    ✔ ✔ ✔ ✔ ✔

Display or feature in one or more categories
    You can configure an item to display or be featured in one or more categories in Self Service.
    ✔ ✔ ✔ ✔ ✔


Jamf Self Service for macOS URL Schemes


URL schemes provide a way to directly reference resources within Jamf Self Service for macOS. You can
configure URL schemes to do the following actions in Self Service:

• Install an item made available in Self Service
• Direct users to the description of an item made available in Self Service
• Direct users to specific Self Service categories
• Direct users to the History or Notifications tabs
• Direct users to the Compliance Remediation page

Once configured, you can provide the URL schemes to your users (e.g., via email or a webpage). Clicking the
URL scheme on a computer prompts Self Service to open.

You can create as many URL schemes as needed using the templates in the table below:

URL Scheme Type / Description / URL Template

Install item
    Description: Install an item by replacing "<content_type>" with the type of item (policy, app,
    configprofile, or ebook) and replace "<content_id>" with the item ID found in the item URL in Jamf Pro.
    Users may need to log in to Self Service in order to complete the installation. This is not available for
    patch policies.
    Note: The URL for an item is also available on the Self Service tab of that item. You can copy the item
    URL from Jamf Pro by clicking the Clipboard button.
    URL Template: jamfselfservice://content?entity=<content_type>&id=<content_id>&action=execute
    Example: jamfselfservice://content?entity=configprofile&id=40&action=execute

Open item description
    Description: Direct users to the description of an item by replacing "<content_type>" with the type of
    item (policy, app, configprofile, or ebook) and replace "<content_id>" with the item ID found in the item
    URL in Jamf Pro. This is not available for patch policies.
    Note: The URL for an item description is also available on the Self Service tab of that item. You can copy
    the item URL from Jamf Pro by clicking the Clipboard button.
    URL Template: jamfselfservice://content?entity=<content_type>&id=<content_id>&action=view
    Example: jamfselfservice://content?entity=configprofile&id=40&action=view

Open category
    Description: Direct users to a specific category in Self Service by replacing "<category_ID>" with the
    category ID found in the category URL in Jamf Pro or use one of the following IDs for the default
    categories:
    • -1 for the All category
    • -2 for the Featured category
    • -3 for the Bookmarks category
    • -4 for the Compliance category
    Note: The macOS Intune Integration must be enabled for the Compliance category to be made available in
    Self Service.
    URL Template: jamfselfservice://content?action=category&id=<category_id>
    Example: jamfselfservice://content?action=category&id=-1

Open History tab
    Description: Direct users to the History tab
    URL Template: jamfselfservice://content?action=history

Open Notifications tab
    Description: Direct users to the Notifications tab
    URL Template: jamfselfservice://content?action=notifications

Open Compliance Remediation page
    Description: Direct users to the Compliance Remediation page
    Note: The macOS Intune Integration must be enabled for the Compliance Remediation page to be made
    available in Self Service.
    URL Template: jamfselfservice://remediate

Open to search term
    Description: Direct users to specific search results by replacing "searchterm" with the search term
    URL Template: jamfselfservice://content?action=search&term=searchterm
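
Because the "Install item" template starts an installation when clicked, it helps to check links against the templates above before publishing them by email or on a webpage. The following Python sketch is an added example, not part of the Jamf documentation: the function names (build_item_url, classify, review) are hypothetical, and the sample links other than the two configprofile examples from the table are constructed.

```python
from urllib.parse import parse_qs, urlsplit

SCHEME = "jamfselfservice"
ITEM_TYPES = {"policy", "app", "configprofile", "ebook"}  # item types named in the table
ITEM_ACTIONS = {"execute": "Install item", "view": "Open item description"}
TAB_ACTIONS = {"history": "Open History tab", "notifications": "Open Notifications tab"}
DEFAULT_CATEGORIES = {-1: "All", -2: "Featured", -3: "Bookmarks", -4: "Compliance"}


def build_item_url(entity, item_id, action):
    """Fill in the item template: entity=<content_type>&id=<content_id>&action=..."""
    if entity not in ITEM_TYPES:
        raise ValueError(f"unsupported item type: {entity!r}")
    if action not in ITEM_ACTIONS:
        raise ValueError(f"unsupported item action: {action!r}")
    if isinstance(item_id, bool) or not isinstance(item_id, int) or item_id < 0:
        raise ValueError("item ID must be a non-negative integer")
    return f"{SCHEME}://content?entity={entity}&id={item_id}&action={action}"


def _single_params(query):
    """Parse the query string, rejecting parameters that appear more than once."""
    params = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} appears more than once")
        params[name] = values[0]
    return params


def _require(params, *names):
    """A template is matched only when exactly its parameters are present."""
    if set(params) != set(names):
        raise ValueError(f"expected exactly the parameters {sorted(names)}")


def classify(url):
    """Return (url_scheme_type, installs, detail) for a URL that matches a template."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or parts.path or parts.fragment:
        raise ValueError("not a Self Service URL scheme from the table")
    if parts.netloc == "remediate" and not parts.query:
        return ("Open Compliance Remediation page", False, None)
    if parts.netloc != "content":
        raise ValueError(f"unknown target: {parts.netloc!r}")

    params = _single_params(parts.query)
    action = params.get("action")
    if action in ITEM_ACTIONS:
        _require(params, "entity", "id", "action")
        if params["entity"] not in ITEM_TYPES:
            raise ValueError(f"unsupported item type: {params['entity']!r}")
        if not (params["id"].isascii() and params["id"].isdigit()):
            raise ValueError("item ID must be numeric")
        detail = f"{params['entity']} {params['id']}"
        return (ITEM_ACTIONS[action], action == "execute", detail)
    if action == "category":
        _require(params, "action", "id")
        try:
            category_id = int(params["id"])
        except ValueError:
            raise ValueError("category ID must be an integer") from None
        name = DEFAULT_CATEGORIES.get(category_id, f"category {category_id}")
        return ("Open category", False, name)
    if action in TAB_ACTIONS:
        _require(params, "action")
        return (TAB_ACTIONS[action], False, None)
    if action == "search":
        _require(params, "action", "term")
        return ("Open to search term", False, params["term"])
    raise ValueError(f"unknown action: {action!r}")


def review(urls):
    """Sort candidate links into install-triggering, navigation-only, and rejected."""
    report = {"installs": [], "navigates": [], "rejected": []}
    for url in urls:
        try:
            _, installs, _ = classify(url)
        except ValueError:
            report["rejected"].append(url)
        else:
            report["installs" if installs else "navigates"].append(url)
    return report


SAMPLE_LINKS = [
    "jamfselfservice://content?entity=configprofile&id=40&action=execute",  # example from the table
    "jamfselfservice://content?entity=configprofile&id=40&action=view",     # example from the table
    "jamfselfservice://content?action=category&id=-2",                      # default Featured category
    "jamfselfservice://content?entity=script&id=7&action=execute",          # constructed: unlisted item type
    "jamfselfservice://content?entity=policy&id=12&id=13&action=execute",   # constructed: repeated id
    "https://example.com/?action=execute",                                  # constructed: wrong scheme
]

if __name__ == "__main__":
    for bucket, links in review(SAMPLE_LINKS).items():
        print(bucket, *links, sep="\n  ")
```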


Jamf Self Service for Mobile Devices


Jamf Self Service allows users to browse and install mobile device configuration profiles, apps, and books on
managed mobile devices. Users can tap their way through Self Service using an intuitive interface.

Jamf Pro allows you to manage every aspect of Self Service, including its installation, authentication, and the
items available to users.

You can use Jamf Pro to group configuration profiles, apps, and books in categories, which makes those items
easier to locate in Self Service. If iBeacon monitoring is enabled in your environment, Self Service is the
component that detects when a mobile device enters or exits an iBeacon region. In addition, you can send
notifications to mobile devices with Self Service installed. Notifications are displayed to users in the following
ways:

• The Self Service app icon displays a badge with the number of notifications that have not been viewed by
the user.
• In Self Service, the Notifications button displays a badge with the number of notifications that have not
been viewed by the user. Items are listed in the Notifications area of the app as they are added.
• (Optional) Each notification can be configured to also display an alert and appear in Notification Center.
This requires a proxy server token in Jamf Pro.

Self Service for iOS displays an unlimited number of notifications which are persistent until they are manually
deleted by the user.

Self Service for iOS does not support single sign-on workflows.

The latest version of the Self Service app available in the App Store requires devices with iOS 11 or later, or
iPadOS 13 or later. For more information on the Self Service levels of compatibility, see Jamf Self Service for
iOS. Jamf Self Service for iOS is available for free from the App Store.

Jamf Self Service for iOS


The Jamf Self Service for iOS settings allow you to do the following:

• Install or uninstall Self Service on managed mobile devices.
• Require or allow users to log in to Self Service with an LDAP directory account or Jamf Pro user account. To
require or allow users to log in using an LDAP account or Jamf Pro user account, you must have an LDAP
server set up in Jamf Pro or you must create a Jamf Pro user account for that user. For more information,
see LDAP Directory Service Integration or Jamf Pro User Accounts and Groups.
• Display in-house app updates in Self Service.


The Self Service app can be automatically installed on all managed mobile devices with iOS 7 or later except
Apple TV devices and personally owned devices.

Starting with Self Service 10.10.1, you can manually install the Self Service app on personally owned devices
with iOS 13 or later, or iPadOS 13 or later, that were enrolled using User Enrollment, and on devices with
iOS 15 or later, or iPadOS 15 or later, that were enrolled using Account-Driven User Enrollment.

Note: If you do not want users to be prompted to enter an Apple ID when Self Service is being installed
on their device, you must distribute Self Service using device-based volume assignment. For more
information, see Content Distribution Methods using Jamf Pro.

General Requirements
Self Service can run on mobile devices with iOS 7 or later that are managed by Jamf Pro 9.4 or later. The
latest version of the Self Service app available in the App Store requires devices with iOS 11 or later, or
iPadOS 13 or later.

If Self Service is configured to install automatically, devices in your environment will install the version of the
Self Service app that is compatible with the device's iOS version:

iOS Version        iPadOS Version        Self Service Version Installed
iOS 11 or later    iPadOS 13 or later    Latest version
iOS 10                                   Self Service 10.9.1
iOS 8 or 9                               Self Service 10.4.0
iOS 7                                    Self Service 9.98.1

Note: For manual installations, devices with iOS 11 or later must use Self Service 9.101.0 or later.
Earlier versions of Self Service will not work on devices with iOS 11 or later.

Note: For manual installations using Volume Purchasing, you must have access to your volume
purchasing token.


Manually Installing Self Service with Volume Purchasing


1. Log in to Apple School Manager or Apple Business Manager.
2. Click Apps and Books under the Content menu on the left side of the page.
3. Search for "Jamf Self Service" in the search bar.
4. Click Jamf Self Service.
5. Assign yourself a volume purchasing token in the Choose a Location drop down menu.
6. Enter the quantity of licenses needed and click Get.

7. In Jamf Pro, click Settings in the sidebar.
8. In the Global section, click Volume purchasing.
9. Click New.
10. Fill out fields as needed.
11. Click Upload Service Token and upload the volume purchasing token to your Jamf Pro Instance.

12. In Jamf Pro, click Settings in the sidebar.
13. In the Self Service section, click iOS.
14. On the General pane, select "Manually install Self Service App" from the Installation Method menu, and
configure any additional settings.
15. Click Devices on the left side menu options.
16. Click Mobile Device Apps under the Devices menu option.
17. Click Jamf Self Service.
18. Click Edit.
19. On the General pane, select "Install Automatically/Prompt Users to Install" from the Distribution Method
pop-up menu, and configure any additional settings.

Note: Do not scope to mobile devices yet.

20. Click Managed Distribution.
21. Click Assign Content Purchased in Volume.
22. Select your Volume Purchasing token.
23. On the App Configuration tab, add the following lines to the Preferences field:

<dict>
    <key>INVITATION_STRING</key>
    <string>$MOBILEDEVICEAPPINVITE</string>
    <key>JSS_ID</key>
    <string>$JSSID</string>
    <key>SERIAL_NUMBER</key>
    <string>$SERIALNUMBER</string>
    <key>DEVICE_NAME</key>
    <string>$DEVICENAME</string>
    <key>MAC_ADDRESS</key>
    <string>$MACADDRESS</string>
    <key>MANAGEMENT_ID</key>
    <string>$MANAGEMENTID</string>
    <key>JSS_URL</key>
    <string>$JPS_URL</string>
</dict>

24. Click Save.
25. Click View Mobile Device Apps.
26. Click Jamf Pro.
27. Click the Scope tab and configure the scope of the app.
28. Click Save.

Self Service is distributed to mobile devices in the scope the next time they check in with Jamf Pro.

Automatically Installing Self Service for iOS


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click iOS.
3. Click Edit.
4. Select "Automatically install Self Service app" from the Installation Method pop-up menu.
5. (Optional) Click the App Options tab and configure the User Login setting.
6. Click Save.

Users are prompted to install the app from the App Store the next time the device checks in with Jamf Pro.
Users are also prompted to install the app from the App Store on mobile devices as they are newly enrolled.

Manually Installing Self Service for iOS


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click iOS.
3. Click Edit.
4. On the General pane, choose "Manually install Self Service app" from the Installation Method pop-up
menu.
5. (Optional) Click the App Options tab and configure the preferences as needed.
6. Click Save.
7. Click Devices at the top of the page.


8. Click Mobile Device Apps.
9. Click New.
10. Select App Store app and click Next.
11. Add Jamf Self Service from the App Store catalog.
12. On the General pane, select "Install Automatically/Prompt Users to Install" from the Distribution Method
pop-up menu, and configure any additional settings.
13. Click the Scope tab and configure the scope of the app.
14. On the App Configuration tab, add the following lines to the Preferences field:

<dict>
    <key>INVITATION_STRING</key>
    <string>$MOBILEDEVICEAPPINVITE</string>
    <key>JSS_ID</key>
    <string>$JSSID</string>
    <key>SERIAL_NUMBER</key>
    <string>$SERIALNUMBER</string>
    <key>DEVICE_NAME</key>
    <string>$DEVICENAME</string>
    <key>MAC_ADDRESS</key>
    <string>$MACADDRESS</string>
    <key>MANAGEMENT_ID</key>
    <string>$MANAGEMENTID</string>
    <key>JSS_URL</key>
    <string>$JPS_URL</string>
</dict>

15. Click Save.

Self Service is distributed to mobile devices in the scope the next time they check in with Jamf Pro.
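
The App Configuration preferences in both manual installation procedures above are easy to paste incompletely, for example when a copy stops at a page break partway through the dictionary. The following Python check is an added example, not part of the Jamf documentation: check_preferences and the fragment constants are hypothetical names, and the truncated and edited fragments are constructed to show the failures it reports.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Key -> Jamf Pro variable, as listed in the App Configuration step on this page.
EXPECTED_PREFERENCES = {
    "INVITATION_STRING": "$MOBILEDEVICEAPPINVITE",
    "JSS_ID": "$JSSID",
    "SERIAL_NUMBER": "$SERIALNUMBER",
    "DEVICE_NAME": "$DEVICENAME",
    "MAC_ADDRESS": "$MACADDRESS",
    "MANAGEMENT_ID": "$MANAGEMENTID",
    "JSS_URL": "$JPS_URL",
}

# The fragment exactly as documented on this page.
PAGE_FRAGMENT = """<dict>
    <key>INVITATION_STRING</key>
    <string>$MOBILEDEVICEAPPINVITE</string>
    <key>JSS_ID</key>
    <string>$JSSID</string>
    <key>SERIAL_NUMBER</key>
    <string>$SERIALNUMBER</string>
    <key>DEVICE_NAME</key>
    <string>$DEVICENAME</string>
    <key>MAC_ADDRESS</key>
    <string>$MACADDRESS</string>
    <key>MANAGEMENT_ID</key>
    <string>$MANAGEMENTID</string>
    <key>JSS_URL</key>
    <string>$JPS_URL</string>
</dict>"""

# Constructed: a copy that stops after the DEVICE_NAME key, as at a page break.
TRUNCATED_FRAGMENT = "\n".join(PAGE_FRAGMENT.splitlines()[:8])

# Constructed: the MANAGEMENT_ID pair deleted and the JSS_URL variable mistyped.
EDITED_FRAGMENT = PAGE_FRAGMENT.replace(
    "    <key>MANAGEMENT_ID</key>\n    <string>$MANAGEMENTID</string>\n", ""
).replace("$JPS_URL", "$JSS_URL")


def check_preferences(fragment):
    """Return a list of problems in a Preferences fragment (empty list = matches the page)."""
    # The Preferences field holds a bare <dict>; wrap it so plistlib accepts it.
    wrapped = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<plist version="1.0">\n{fragment.strip()}\n</plist>'
    )
    try:
        prefs = plistlib.loads(wrapped.encode("utf-8"))
    except (ExpatError, ValueError) as exc:
        return [f"not a well-formed property list fragment: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level element is not <dict>"]

    problems = []
    for key, variable in EXPECTED_PREFERENCES.items():
        if key not in prefs:
            problems.append(f"missing key {key}")
        elif prefs[key] != variable:
            problems.append(f"{key} is {prefs[key]!r}, expected {variable!r}")
    return problems


if __name__ == "__main__":
    for name in ("PAGE_FRAGMENT", "TRUNCATED_FRAGMENT", "EDITED_FRAGMENT"):
        print(name, check_preferences(globals()[name]) or "OK")
```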

Installation Experience
If you did not distribute the Self Service app using device-based volume assignment, users may be prompted
to enter an Apple ID before Self Service installs on their device.

On devices with iOS 10.x or earlier, users are prompted to download an older version of the Self Service app.
The user must tap Download to install the last compatible version of the Self Service app.


Jamf Self Service for iOS Branding Settings


The Branding settings allow you to customize elements within the Jamf Self Service for iOS app to present
your end users with a familiar look and feel. You can customize Self Service by configuring the following
settings:

Note: The following settings can only be configured if your device has been updated to iOS 15 or later.
If you would like to make changes to your Self Service for iOS instance using iOS 14 or earlier, you can
still do so via the Jamf Pro API. For more information, see Self Service Branding iOS in the Jamf
Developer Portal.

Icon
The icon displays in the header in the Self Service app. When uploading a custom icon, Jamf
recommends that you use a GIF or PNG file format that is 180x180 pixels.

Note: Jamf Pro now supports authentication for locally hosted icons in Jamf Self Service for iOS
15.2 and later. For information about enabling this authentication, contact Jamf Support.

Branding Name
The branding name displays in the header in the Self Service app. By default, "Self Service" is displayed
as the branding name.
Landing Page
Content that displays when the Self Service app launches (e.g., Browse, Home, or Notifications).

The following elements will change natively with light or dark mode:

• Branding Name Color
• Header Background Color
• Menu Icon Color
• Status Bar Color

Note: Customizing the icon or branding name does not change the app icon or app name as it displays
on the Home Screen of a device. The Self Service icon and name cannot be changed outside of the
app.

The preview field to the right of the Branding settings automatically displays your changes so you can finalize
your branding configuration before deploying it to end users.

Configuring the Branding Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click Branding .
3. Click the default branding configuration.
4. Click Edit .
5. Configure your branding settings on the pane.
A preview of your changes automatically displays in the right-side pane.

6. Click Save .

The branding configuration is displayed in Self Service the next time computers check in with Jamf Pro.

App Request
App Request allows you to enable a select group of users to request iPad apps directly from Jamf Self Service
for iOS. This is useful for environments such as schools, where you may want to empower teachers to request
educational apps on behalf of the students in their classrooms.

Before you enable App Request, make sure you do the following:

• Determine who can submit app requests—After your organization has identified the users who should
have access to the App Request feature in Self Service, you must create a static user group that includes
those users. The users you want to enable as requesters must be able to log in to Self Service.
• Determine who should review and approve app requests—Your organization should determine who should
approve app requests and how that approval should be submitted. After a request is submitted, an email
containing the request details and a link to the app information in the App Store is automatically sent to
the email addresses specified when configuring App Request. The email addresses you add as reviewers do
not need to match a user in Jamf Pro.

After you determine who should be added as requesters and approvers, you are ready to enable App Request.
You can specify how the App Request form displays in Self Service by configuring up to five text fields. The
customizable labels allow you to specify what information is needed from requesters when they submit a
request. For example, you may want to include fields similar to the following:

• Reason for Request
• Quantity Needed
• Intended Users
• Training Details

Configuring App Request

Requirements
To enable App Request, you need:

• An SMTP server set up in Jamf Pro (For more information, see SMTP Server Integration.)
• A static user group that contains the users you want to enable as requesters (For more information, see
Static Groups.)

To access App Request, requesters must be using an iPad with Self Service 10.9.0 or later installed. In
addition, requesters must be logged in to Self Service to submit requests.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Self Service section, click App Request .
3. Click Edit .
4. From the App Request Form tab, select the Enable App Request in Self Service for iOS checkbox.
5. Select the App Store you want Self Service to use.

Note: "User's Location" is selected by default.

6. Configure up to five text fields to display in the App Request form in Self Service.

Note: Each field you configure requires user input before the App Request form can be submitted.
You must configure at least one field in order to save the App Request configuration.

7. Click the Requesters and Approvers tab.
8. From the Requesters pop-up menu, select the static group you want to enable as requesters.
9. In the Approver Email Addresses field, enter the emails of those you want to enable as approvers.
10. Click Save .

The "Request App" option is made available in Self Service the next time the Self Service app is refreshed on
the device.

App Request User Experience


When a requester performs a search, Self Service searches the App Store in addition to the content available
in Self Service. When the requester taps on an App Store result, they are presented with the app details.

When the requester taps Request App, a form similar to the following displays:

Note: All fields require user input before the Submit button is activated.

When a request is submitted, an email containing the request details is automatically sent to approvers. After
all approvals are given, you can use Jamf Pro to either automatically install the app on the devices included in
the request or make the app available in Self Service for users to install themselves. For more information, see
Content Distribution Methods using Jamf Pro.

Jamf Self Service for iOS URL Schemes


You can use URL Schemes to automatically install apps on a mobile device through Jamf Self Service for iOS.
This allows you to quickly set up a new mobile device without users having to search for multiple apps in Self
Service.

After you have configured a URL scheme, you can provide it to your users (e.g., via email or a webpage).
Tapping the URL on a mobile device prompts Self Service to open. Users may need to log in to Self Service in
order to complete the installation.

Note: This does not work for app installations that redirect users to the App Store (e.g., apps without
volume purchasing licenses available).

Configuring a URL Scheme


To configure a URL scheme, copy the following URL and replace listOfApps with the bundle identifiers of the
mobile device apps you wish to install:

selfserviceios://appInstall?apps=listOfApps

To locate the app's bundle identifier, navigate to the app in Jamf Pro. The Bundle Identifier field is located on
the General pane of the app. For example, the following URL scheme will automatically install the "Dropbox",
"Adobe Photoshop Express", and "Numbers" apps on a mobile device:

selfserviceios://appInstall?apps=com.getdropbox.Dropbox,com.adobe.PSMobile,com.apple.Numbers

Providing a URL Scheme Using a Third-party App


You can provide a URL scheme to your users using a third-party app. To configure this, add the following code
snippet to the app and replace the example URL with your URL scheme:

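import UIKit

let URLString = "selfserviceios://appInstall?apps=listOfApps"

// canOpenURL(_:) returns false unless the selfserviceios scheme is declared
// under LSApplicationQueriesSchemes in the app's Info.plist.
if let url = URL(string: URLString) {
    if UIApplication.shared.canOpenURL(url) {
        UIApplication.shared.open(url, options: [:], completionHandler: nil)
    }
}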

If you have the Microsoft Endpoint Manager integration enabled, you can direct your users to the Register
with Microsoft object in Self Service 10.10.5 or later using the following URL scheme:

selfserviceios://registerdc
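
The following Python sketch is an added example, not Jamf code: it builds an appInstall URL from bundle identifiers and reviews links against a list of approved apps before they are sent to users by email or published on a webpage. The function names, the approved set and the sample links are assumptions constructed for illustration; the scheme strings and the three bundle identifiers are the ones shown above.

```python
import re

# Scheme strings taken from the page.
INSTALL_PREFIX = "selfserviceios://appInstall?apps="
REGISTER_URL = "selfserviceios://registerdc"

# Bundle identifiers may contain only alphanumerics, hyphens and periods.
BUNDLE_ID = r"[A-Za-z0-9.-]+"
INSTALL_RE = re.compile(
    re.escape(INSTALL_PREFIX) + rf"({BUNDLE_ID}(?:,{BUNDLE_ID})*)"
)


def build_install_url(bundle_ids):
    """Return an appInstall URL, dropping duplicates and keeping order."""
    ordered = []
    for bundle_id in bundle_ids:
        if not re.fullmatch(BUNDLE_ID, bundle_id):
            raise ValueError(f"not a valid bundle identifier: {bundle_id!r}")
        if bundle_id not in ordered:
            ordered.append(bundle_id)
    if not ordered:
        raise ValueError("at least one bundle identifier is required")
    return INSTALL_PREFIX + ",".join(ordered)


def review_link(url, approved):
    """Classify one link before it is distributed.

    Returns (verdict, detail):
      ("install", [bundle ids])   every requested app is approved
      ("register", [])            the Register with Microsoft URL
      ("rejected", [reasons])     malformed URL or unapproved bundle ids
    """
    if url == REGISTER_URL:
        return ("register", [])
    # fullmatch rejects extra parameters, percent-encoding, whitespace and
    # anything else outside the exact form documented on the page.
    match = INSTALL_RE.fullmatch(url)
    if match is None:
        return ("rejected", ["malformed or unexpected URL"])
    requested = match.group(1).split(",")
    unapproved = [b for b in requested if b not in approved]
    if unapproved:
        return ("rejected", unapproved)
    return ("install", requested)


# Approved apps (assumption: the three apps from the page's example).
APPROVED = {"com.getdropbox.Dropbox", "com.adobe.PSMobile", "com.apple.Numbers"}

# Constructed sample links for the review.
SAMPLE_LINKS = [
    build_install_url(
        ["com.getdropbox.Dropbox", "com.adobe.PSMobile", "com.apple.Numbers"]
    ),
    "selfserviceios://registerdc",
    "selfserviceios://appInstall?apps=com.apple.Numbers,com.example.unreviewed",
    "selfserviceios://appInstall?apps=com.apple.Numbers&next=https://example.com",
    "selfserviceios://appInstall?apps=com.apple.Numbers%2Ccom.example.hidden",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, detail = review_link(link, APPROVED)
        print(f"{verdict:9} {link} {detail}")
```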

Server Infrastructure
About Distribution Points
Distribution points are servers used to host files for distribution to computers and mobile devices. The following
types of files can be distributed from a distribution point using Jamf Pro:

• Packages
• In-house apps
• In-house books

Jamf Pro supports two types of distribution points:

• File share distribution points
• A cloud distribution point

You can use any combination of these types of distribution points.

By default, the first distribution point you add to Jamf Pro is the principal distribution point. The principal
distribution point is used by all other distribution points as the authoritative source for all files during replication.
You can change the principal distribution point at any time.

Note: On computers with macOS 10.15 or later that do not have an MDM profile, you must use an
HTTP, HTTPS, or cloud distribution point to install packages.

Distribution Point Types Comparison


When planning your distribution point infrastructure, it is important to understand the differences between each
type of distribution point. The following table explains the key differences:

Description
  File Share Distribution Point: Standard server that is configured to be a distribution point
  Cloud Distribution Point: Distribution point that uses one of the following content delivery networks
  (CDNs) to host files:
    • Rackspace Cloud Files
    • Amazon Web Services
    • Akamai
    • Jamf Cloud Distribution Service (JCDS)

Maximum Number per Jamf Pro Instance
  File Share Distribution Point: Unlimited
  Cloud Distribution Point: One

Server/Platform Requirements
  File Share Distribution Point: Any server with an Apple Filing Protocol (AFP) or Server Message Block
  (SMB) share
    Note: File share distribution points cannot be mounted and hosted on the same server.
  Cloud Distribution Point: None

Protocol
  File Share Distribution Point: AFP, SMB, HTTP, or HTTPS
  Cloud Distribution Point: HTTPS

Ports
  File Share Distribution Point:
    • AFP: 548
    • SMB: 139
    • HTTP: 80
    • HTTPS: 443
  Cloud Distribution Point: 443

Authentication Options
  File Share Distribution Point:
    • AFP or SMB:
      ◦ No authentication
      ◦ Username and password
    • HTTP or HTTPS:
      ◦ No authentication
      ◦ Username and password
  Cloud Distribution Point: None

Files that Can Be Hosted
  File Share Distribution Point: Packages
  Cloud Distribution Point:
    • Packages
    • In-house apps
    • In-house books

Parent-Child Capabilities
  File Share Distribution Point: No
  Cloud Distribution Point: No

File Replication Method
  File Share Distribution Point: Replication to file share distribution points must be initiated from Jamf
  Admin.
  Cloud Distribution Point: Replication to a cloud distribution point must be initiated from Jamf Admin.

Selective Replication
  File Share Distribution Point: Not available when replicating to file share distribution points.
  Cloud Distribution Point: Available when replicating to a cloud distribution point if the principal
  distribution point is a file share distribution point. The files for replication must be specified in
  Jamf Pro and the replication initiated from Jamf Admin.

File Share Distribution Points


A server with an AFP or SMB share can be used as a file share distribution point. Before you can use a file
share distribution point with Jamf Pro, you must set up the distribution point and add it to Jamf Pro.

Note: A server with an AFP share cannot share files on the Apple File System (APFS), which is the
default file system for computers with macOS 10.13 or later. Computers with macOS 10.13 or later that
are HFS+ formatted can still support AFP. If you need a file share distribution point for APFS formatted
computers, SMB is an option.

When you add a file share distribution point to Jamf Pro, you can do the following:

• Make it the principal distribution point.
• Choose a failover distribution point.

Note: Failover distribution points can be configured for policies, but not for patch policies.

• Configure HTTP downloads.

Related Content

• Network Segments

• Configuring Red Hat Enterprise Linux 7.6 for SMB/HTTPS File Share Distribution with Jamf Pro
• Using Apache HTTP Server to Enable HTTP Downloads on a Linux File Share Distribution Point
• Using IIS to Enable HTTPS Downloads on a Windows Server 2016 or 2019 File Share Distribution Point

Adding a File Share Distribution Point

Requirements
To add a file share distribution point to Jamf Pro, you must set up a file share distribution point. For more
information, see the Setting Up a File Share Distribution Point article.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Server section, click File share distribution points .
3. Click New .
4. Use the General pane to configure basic settings for the distribution point.
5. Click the File Sharing tab and enter information about the AFP or SMB share.
6. (Optional) Click the HTTP tab and configure HTTP downloads.
7. Click Save .

Replicating Files to a File Share Distribution Point

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

During replication, all files on the principal distribution point are replicated to the file share distribution point that
you choose.

1. Open Jamf Admin and authenticate to the Jamf Pro server.
2. In the sidebar, select the file share distribution point you want to replicate files to.
3. Click Replicate.

Cloud Distribution Point


The cloud distribution point uses a content delivery network (CDN) to host packages, in-house apps, and in-
house books. Jamf Pro supports the following content delivery services:

• Rackspace Cloud Files
• Amazon S3 and Amazon CloudFront
• Akamai NetStorage

• Jamf Cloud Distribution Service (JCDS)

When you configure the cloud distribution point in Jamf Pro, you can choose to make it the principal distribution
point. You can also choose whether to replicate specific files or the entire contents of the principal distribution
point if the principal distribution point is a file share distribution point.

Service/Vendor: Rackspace Cloud Files

Service/Vendor: Amazon S3 and Amazon CloudFront
Notes: Jamf Pro supports the use of signed URLs created with Amazon CloudFront.
Due to the file size download limit set by Amazon CloudFront, files larger than 30 GB may not download
successfully. For more information, see Quotas in the Amazon CloudFront Developer Guide.

Service/Vendor: Akamai NetStorage
Notes: Jamf Pro supports Akamai Remote Authentication. For more information about Akamai Remote
Authentication, contact your Akamai Account Manager.

Service/Vendor: Jamf Cloud Distribution Service (JCDS)
Notes: If your Jamf Pro server is hosted in Jamf Cloud and you have the subscription-based option, you can
use JCDS as your cloud distribution point.
It is recommended that you do not attempt to upload files larger than 20 GB.

Related Content

• Network Segments
• Information Required to Configure a Cloud Distribution Point in Jamf Pro
• Jamf Cloud Distribution Service
• Using signed URLs (AWS)
• Amazon S3
• Amazon CloudFront

Configuring the Cloud Distribution Point

Requirements
If you plan to use Akamai for your cloud distribution point, Akamai must be configured to use File Transfer
Protocol Secure (FTPS), and the FTP domain name must be the FTPS domain name.

Files that are uploaded to a cloud distribution point cannot have filenames that include the following
characters:

/:?<>\*|”[]{}@!%^#

1. In Jamf Pro, click Settings in the sidebar.
2. In the Server section, click Cloud distribution point .
3. Click Edit .
4. Choose a content delivery network from the Content Delivery Network pop-up menu.
5. Configure the settings on the pane.
6. Click Save .
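
The filename restriction in the requirements above and the file size notes for Amazon CloudFront and JCDS can be checked before anything is uploaded. The following Python sketch is an added example, not Jamf code; the function names, the `jcds`/`cloudfront` labels, the underscore replacement and the sample file list are assumptions, as is treating GB as 10^9 bytes and rejecting the straight double quote alongside the typographic one the page prints.

```python
# Characters the page lists as not allowed in filenames uploaded to a cloud
# distribution point. The page prints a typographic quote (U+201D); the
# straight quote is also rejected here as an assumption.
FORBIDDEN = set('/:?<>\\*|"[]{}@!%^#') | {"\u201d"}

GB = 10**9  # assumption: decimal gigabytes

# Size guidance quoted on the page, keyed by hypothetical CDN labels.
SIZE_LIMITS = {
    "jcds": 20 * GB,        # uploads larger than 20 GB are not recommended
    "cloudfront": 30 * GB,  # files larger than 30 GB may not download
}


def check_upload(filename, size_bytes, cdn):
    """Return the forbidden characters found and whether the file is too large."""
    bad_chars = sorted({c for c in filename if c in FORBIDDEN})
    limit = SIZE_LIMITS.get(cdn)
    too_large = limit is not None and size_bytes > limit
    return {"bad_chars": bad_chars, "too_large": too_large}


def suggest_name(filename):
    """Replace each forbidden character with an underscore."""
    return "".join("_" if c in FORBIDDEN else c for c in filename)


def plan_uploads(files, cdn):
    """Review (filename, size_bytes) pairs and return one report per file.

    Besides the per-file checks, this flags renamed files that would end up
    with the same name on the distribution point and overwrite each other.
    """
    reports = []
    targets = {}
    for name, size in files:
        result = check_upload(name, size, cdn)
        target = suggest_name(name) if result["bad_chars"] else name
        targets.setdefault(target, []).append(name)
        reports.append({"name": name, "upload_as": target, **result})
    for report in reports:
        report["collision"] = len(targets[report["upload_as"]]) > 1
    return reports


# Constructed sample input: filenames and sizes are made up for this example.
SAMPLE_FILES = [
    ("Firefox 121.0.pkg", 150 * 10**6),
    ("Office#2021[VL].pkg", 25 * GB),
    ("tool@v1.pkg", 5 * 10**6),
    ("tool#v1.pkg", 5 * 10**6),
]

if __name__ == "__main__":
    for report in plan_uploads(SAMPLE_FILES, "jcds"):
        print(report)
```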

Testing the Cloud Distribution Point


After the cloud distribution point is configured, you can test the connection to the content delivery network.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Server section, click Cloud distribution point .
3. Click Test .
4. Click Test again.

A message displays, reporting the success or failure of the connection.

Replicating Files to the Cloud Distribution Point

Requirements
During replication, files on the principal distribution point are replicated to the cloud distribution point via
Jamf Admin. The files that are replicated depend on whether the cloud distribution point is configured to
replicate specific files or the entire contents of the principal distribution point.

1. Open Jamf Admin and authenticate to the Jamf Pro server.
2. In the sidebar, select the cloud distribution point you want to replicate files to.
3. Click Replicate.

Software Update Servers


Adding an internal software update server to Jamf Pro is the first step to running Software Update from an
internal software update server using a policy.

Using an internal software update server allows you to reduce the amount of bandwidth used when distributing
software updates from Apple. Instead of each computer downloading updates from Apple’s Software Update
server, updates are only downloaded from Apple once per server.

Using an internal software update server also allows you to control and approve updates before you make
them available.

Note: Specific software update servers cannot be specified for computers with macOS 11 or later. They
will instead query Apple’s update servers directly when checking for and downloading available software
updates.

Adding a Software Update Server


1. In Jamf Pro, click Settings in the sidebar.
2. In the Server section, click Software update servers .
3. Click New.
4. Configure the settings on the pane.
5. Click Save.

Related Content

• Running Software Update Using a Policy

Jamf Infrastructure Manager Instances


A Jamf Infrastructure Manager instance is a service that is managed by Jamf Pro. It can be used to host the
following:

• LDAP Proxy—This allows traffic to pass securely between Jamf Pro and an LDAP directory service. The
Infrastructure Manager and the LDAP Proxy typically reside within the DMZ. The LDAP Proxy requires
integration with an LDAP directory service.
• Healthcare Listener—This allows traffic to pass securely from a healthcare management system to Jamf
Pro.

When you install an instance of the Infrastructure Manager, Jamf Pro allows you to enable the LDAP Proxy or
the Healthcare Listener. Infrastructure Manager instances can be installed on Linux and Windows.

Managing a Jamf Infrastructure Manager Instance


You can use Jamf Pro to edit or delete an Infrastructure Manager instance. When editing an Infrastructure
Manager instance, only the display name and recurring check-in frequency can be changed.

Note: The default check-in frequency at which the Infrastructure Manager instance checks in with Jamf
Pro is 30 seconds.

Jamf Pro also displays the following inventory information for each Infrastructure Manager instance:

• Last Check-in
• IP Address at Last Check-in
• Operating System
• Operating System Version

Requirements
To manage a Jamf Infrastructure Manager instance, you must have a Jamf Infrastructure Manager instance
installed. For more information on installing a Jamf Infrastructure Manager instance, see the Jamf
Infrastructure Manager for LDAP Proxy Installation Guide.

For more information on installing a Jamf Infrastructure Manager instance that hosts Healthcare Listener,
see the Healthcare Listener Installation and Configuration Guide.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Server section, click Infrastructure Managers .
3. In the list of Infrastructure Manager instances and their installed services, click the instance you want to
manage.

Note:
◦ An Infrastructure Manager instance cannot be deleted if there are dependencies for the
Infrastructure Manager. For example, an Infrastructure Manager cannot be deleted if there is an
LDAP Proxy hosted on it. To delete the Infrastructure Manager, you must first disable the LDAP
Proxy.

◦ If a Healthcare Listener is hosted on the Infrastructure Manager, the Healthcare Listener is
deleted when the Infrastructure Manager is deleted.

LDAP Proxy
Jamf Pro allows you to enable an LDAP Proxy. Enabling an LDAP Proxy creates a secure tunnel to allow traffic
to pass between Jamf Pro and an LDAP directory service. For example, if your environment uses a firewall, an
LDAP Proxy can be used to allow a directory service on an internal network to pass information securely
between the directory service and Jamf Pro.

The LDAP Proxy is hosted by the Infrastructure Manager, a service that is managed by Jamf Pro. After you
install an instance of the Infrastructure Manager, Jamf Pro allows you to enable an LDAP Proxy if you have an
LDAP server set up in Jamf Pro.

Configuring the LDAP Proxy

Requirements
To configure an LDAP Proxy, you need the following:

• An Infrastructure Manager instance installed and configured (For more information, see the Jamf
Infrastructure Manager Installation Guide.)
• An LDAP server configured in Jamf Pro (For more information, see LDAP Directory Service Integration.)

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click LDAP servers .
3. Click the LDAP Server to which you want to assign an LDAP Proxy.
4. Click Edit .
5. Select the Enable LDAP Proxy checkbox.
6. Select the proxy server to use.
The proxy binding address is automatically populated based on the server you select.
7. Enter a port number.
8. Click Save .

Healthcare Listener
Healthcare Listener is an electronic health record (EHR) integration with Jamf Pro. It can receive messages
from an EHR system (e.g., discharge, transfer), and automatically trigger management commands in Jamf Pro
(e.g., remote wipe, remote lock) for iOS, iPadOS, and tvOS devices.

For more information on Healthcare Listener, see the Healthcare Listener Installation and Configuration Guide.

Network Organization
Buildings and Departments
Buildings and departments are organizational components that allow you to group computers and mobile
devices by physical location and organizational infrastructure. You can use them to perform inventory
searches, create smart groups, and configure the scope of remote management tasks.

Adding a Building or Department


1. In Jamf Pro, click Settings in the sidebar.
2. In the Network Organization section, click Buildings or Departments .
3. Click New.
4. Enter a display name for the building or department.
5. Click Save .

Network Segments
A network segment is a range of IP addresses that can be used to group computers and mobile devices based
on their network location. Network segments can be class B or class C subnets, or any IP range therein.

Adding network segments to Jamf Pro allows you to do the following:

• Ensure that computers and mobile devices use the closest distribution point by default.
• Ensure that computers use the closest NetBoot server by default.
• Specify a software update server for computers to use by default.
• Automatically update the building and department to which computers and mobile devices belong.
• Base the scope of remote management tasks on network segments.

If a computer belongs to multiple network segments, Jamf Pro uses and updates both IP addresses to
distribute content.

Related Content

• Collecting the IP Address and Reported IP Address in Jamf Pro

Adding a Network Segment


1. In Jamf Pro, click Settings in the sidebar.
2. In the Network section, click Network segments .
3. Click New.
4. Configure the network segment using the settings on the pane.
5. Click Save .

iBeacon Regions
Jamf Pro allows you to utilize Apple’s iBeacon technology to monitor when computers and mobile devices
enter or exit an iBeacon region. This allows you to ensure that configuration profiles and policies are only
installed on a device when the device is in the specified region.

You can use iBeacon regions as the basis for the following:

• The scope of a configuration profile
• The scope of a policy (This initiates the policy the first time that a computer checks in to Jamf Pro while in
the specified region.)
• A custom trigger for a policy (The event name for initiating a policy when an iBeacon region change occurs
is “beaconStateChange”. This initiates the policy immediately when a computer enters the specified region.)

If you have an iBeacon device in your environment, you can add that device to Jamf Pro as an iBeacon region.
Jamf Pro can then detect when computers and mobile devices enter or exit the region.

Related Content

• Getting Started with iBeacon (Apple)

General Requirements
To monitor an iBeacon region for computers, you need:

• One or more iBeacon devices in your environment
• Computers that are Bluetooth Low Energy capable and have Bluetooth turned on
• The Computer Inventory Collection settings configured to monitor iBeacon regions (For more information,
see Computer Inventory Collection Settings.)

To monitor an iBeacon region for mobile devices, you need:

• One or more iBeacon devices in your environment

• Mobile devices with:
◦ iOS 7 or later
◦ Bluetooth Low Energy capability
◦ Bluetooth turned on
◦ Jamf Self Service for iOS installed (For more information, see Jamf Self Service for iOS.)
◦ Location Services enabled for Jamf Self Service for iOS
• The Mobile Device Inventory Collection settings configured to monitor iBeacon regions (For more
information, see Mobile Device Inventory Collection Settings.)

Note: iBeacon region monitoring is not available for personally owned devices.

Adding an iBeacon Region


1. In Jamf Pro, click Settings in the sidebar.
2. In the Network section, click iBeacons .
3. Click New.
4. Enter a display name for the iBeacon region.
5. Define the iBeacon region using the settings on the pane.
6. Click Save .

Sites
Sites are components that Jamf Pro administrators can create to determine which objects (for example,
computers, mobile devices, or apps) Jamf Pro users can view and manage. Sites and the objects within sites
do not have to be organized based on physical location. For example, a Jamf Pro administrator in a school
system could create sites for K-2, 3-5, 6-8, and 9-12 and then delegate control of each site to a specific Jamf
Pro user.

Sites are only necessary when full Jamf Pro administrators need to allow specific users to manage a subset of
objects. If all Jamf Pro users should have access to all objects, do not configure sites.

Jamf Pro users with full Jamf Pro administrator privileges can add and modify sites, or any instance-wide
setting in Jamf Pro. Jamf Pro users with site-only administrator privileges can only access some of the settings
in Jamf Pro.

Site-only Jamf Pro users can configure the following settings:

• Volume Purchasing

• Automated Device Enrollment
• Event Logs
• Enrollment Customization
• Remote Administration
• Jamf Connect
• Jamf Protect
• Self Service Bookmarks
• Network Integration
• Computer Management Inventory Display
• Device Management Inventory Display
• Jamf Pro Summary
• Acknowledgments

If you want full Jamf Pro administrator privileges, you must request access from a Jamf Pro user with
full Jamf Pro administrator privileges within your organization.

When a user logs in to a Jamf Pro user account with site access, the user can view and edit only the objects
within that site. If the user has access to multiple sites, a menu is displayed at the top of the page, allowing the
user to switch between sites.

Creating a Site

Requirements
You can only create sites from buildings or departments if you are adding sites for the first time and have
buildings or departments set up in Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Network section, click Sites .
3. Click New.
4. If prompted, choose a method for adding sites:
◦ To add sites manually, select Add sites manually and click Next.
◦ To create a site for each existing building, select Create sites from Buildings and click Next.
◦ To create a site for each existing department, select Create sites from departments and click Next.

5. If prompted, enter a display name for the site and click Save .

Site Objects
The following objects can be added to a site:

• Computers
• Mobile devices
• Users
• Enrollment invitations
• Enrollment profiles
• Advanced searches
• Smart groups
• Static groups
• Self Service bookmarks
• Policies
• Configuration profiles
• Restricted software records
• Licensed software records
• Classes
• Apps
• Books
• Automated device enrollment (formerly DEP) instances
• PreStage enrollments
• Volume purchasing (formerly VPP) locations
• Network integration instances
• Patch management software titles

There are several ways to add computers to a site:

• Create sites from existing buildings and departments. This automatically adds computers to the site that
corresponds with the building or department they belong to.
• Enroll computers using one of the following methods:
◦ Provide an enrollment URL to users for user-initiated enrollment. If using an enrollment invitation,
computers will be added to the site specified in the invitation. If an enrollment URL is provided to users
via a different method, users are prompted to select a site during enrollment.
◦ Use the network scanner.
• Mass edit the Site field for computers that are already enrolled with Jamf Pro. For more information, see
Mass Actions for Computers.
• Manually edit the Site field for individual computers that are already enrolled with Jamf Pro.

There are several ways to add mobile devices to a site:


• Create sites from existing buildings and departments. This automatically adds mobile devices to the site that
corresponds with the building or department they belong to.
• Enroll mobile devices using one of the following methods:
◦ Provide an enrollment URL to users for user-initiated enrollment. If using an enrollment invitation, mobile
devices will be added to the site specified in the invitation. If an enrollment URL is provided to users via a
different method, users are prompted to select a site during enrollment.
◦ Apply an enrollment profile to a mobile device using Apple Configurator.
• Mass edit the Site field for mobile devices that are already enrolled with Jamf Pro. For more information,
see Mass Actions for Mobile Devices.
• Manually edit the Site field for individual mobile devices that are already enrolled with Jamf Pro.

There are several ways to add users to a site:

• Add the user to a computer or mobile device that belongs to a site.


• Add a computer or mobile device with a user assigned to it to a site.
• Mass add users to a site for users in Jamf Pro. For more information, see Mass Actions for Users.
• Manually add users to a site for individual users in Jamf Pro.

To add other objects to a site, choose a site from the Site pop-up menu when configuring the objects in Jamf
Pro.

Network Integration
Jamf Pro can be integrated with a network access management service, such as Cisco Identity Services
Engine (ISE). Network integration allows the service to communicate with Jamf Pro to verify that the computers
and mobile devices on your network are compliant with your organization’s standards. With information from
Jamf Pro, the service can determine the level of network access to grant to a computer or mobile device,
provide messaging to end users, and refer end users to enroll their computers and mobile devices to Jamf Pro
to become compliant.

Note: When the network access management service refers end users to enroll their computer or
mobile device with Jamf Pro, an enrollment URL is provided to the user in a webpage when they access
the Internet. The end user can then access the enrollment URL to enroll with Jamf Pro via user-initiated
enrollment.

Network integration can also allow the network access management service to send remote commands to
computers and mobile devices via Jamf Pro, including passcode lock and wipe commands.


Creating a network integration instance in Jamf Pro prepares Jamf Pro to integrate with a network access
management service. This allows you to do the following:

• When sites are defined in Jamf Pro, select the site to add the network integration instance to.
• Select the saved advanced computer search and advanced mobile device search to be used by the network
access management service to verify computers and mobile devices that are compliant with your
organization’s standards. Computers and mobile devices that appear in the search results are reported as
compliant to the network access management service.
• Specify compliance verification failure and compliance remediation messaging that can be displayed to end
users via the network access management service.
• Configure the passcode to be used when remotely locking or wiping computers via the network access
management service.
• After saving the network integration instance, view the network integration URL to be used by the network
access management service to communicate with the specific Jamf Pro network integration instance.

Important: When using network integration on a per-site basis in Jamf Pro, ensure that any site-
specific configuration profiles and policies in Jamf Pro do not conflict with computer and mobile device
compliance verification performed through network integration.

Related Content

• Sites
• Advanced Computer Searches
• Advanced Mobile Device Searches

Adding a Network Integration Instance

Requirements
For more information and requirements for configuring your network access management service to
communicate with an MDM server, see your vendor’s documentation. For information specific to Cisco ISE
integrations, see the Integrating Jamf Pro with Cisco ISE 3.1 article.

To allow the network access management service to send remote commands via Jamf Pro, your
environment must meet the requirements for sending remote commands to computers and mobile devices.
For more information, see Remote Commands for Computers and Remote Commands for Mobile Devices.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Network section, click Network integration.


3. Click New.

Note: Only one network integration instance can be added per site in Jamf Pro. If all sites already
have a network integration instance, you will not be able to add a new one.

4. Configure the network integration instance using the settings on the pane, including the site, the advanced
computer search and advanced mobile device search to be used for compliance verification, compliance
messaging to be displayed to users, and the remote lock and wipe passcode setting for computers.

Note: If you select the "Create Random Passcode" option for the passcode assignment method for
computers, to identify the passcode used for a remote lock or wipe on a specific computer, you will
need to view the management history for the computer in Jamf Pro. For more information, see
Computer History Information.

5. Click Save.

After saving the network integration instance, a unique network integration URL appears at the bottom of the
pane. This URL will be used by the network access management service to communicate with the specific
Jamf Pro network integration instance.

Scope
Scope gives you granular control over which computers, mobile devices, and users receive remote
management tasks. For example, you can use scope to ensure that a policy to install desktop publishing
software only runs on computers in the Design department, or that a book is only distributed to students in a
particular class. Scope can be based on the following items:

• Individual computers, mobile devices, or users


• Computer, mobile device, or user groups
• Departments
• Buildings
• Directory Service or local users
• Directory Service user groups

Note: Jamf Pro may experience performance issues if too many Directory Service groups are
included in the scope of an object. If you need to use multiple Directory Service criteria within a
scope, consider creating a smart group with those criteria, and then scope to that smart group
instead.

• Network segments
• Classes
• iBeacon regions

The items available vary depending on the remote management task you are configuring the scope for. For
example, only book scope can be based on classes.

Note: Scope cannot be based on personally owned mobile devices.

Configuring Scope
For most remote management tasks, configuring the scope involves adding targets, limitations, and
exclusions. (The process varies depending on the remote management task you are configuring the scope for.)

Adding Targets

Targets make up the initial pool of computers, mobile devices, or users that receive the remote management
task. You can add all computers, mobile devices, or users, or you can add a combination of specific items
(e.g., computers, groups, buildings).

1. On the Targets pane, use the pop-up menus to choose items to add to the scope.

Note: All computers, mobile devices, and users selected from the pop-up menus will be added to
the scope. One pop-up menu selection does not override another. For example, selecting "All
Computers" and "Specific Users" as targets to the scope of a book will cause the book to be
distributed to all mobile devices, as well as any computers or mobile devices that the chosen user or
users are assigned to.


2. If you chose to add specific items:


a. Click Add.
b. On each tab, click Add for the items you want to add.

c. Click Done in the top-right corner of the pane.


The items you added are displayed in a list on the Targets pane.

Adding Limitations

Adding limitations to the scope of a remote management task allows you to do the following:

• Limit the task to specific users in the target—For example, if you want a certain application to open at
login for specific users regardless of the computer they use, you can use all computers as the target and
add specific users as limitations.
• Limit the task to specific network segments in the target—For example, if you want each computer in
a department to install a package but only while on the company’s production network, you can use the
department as the target and add a specific network segment as a limitation.
• Limit policies and configuration profiles to devices in the target when the devices are in a specific
iBeacon region—For example, if you want to install a configuration profile on mobile devices when they are
in a specific iBeacon region, you can add the iBeacon region as a limitation.

1. On the Limitations pane, click Add.


2. On each tab, add items as needed.
To add a network segment, click the Network Segments tab, and then click Add for the network
segment.

To add a Directory Service or local user, click the Directory Service/Local Users tab. Then enter the
username in the search field and click Add.


To add a Directory Service user group, click the Directory Service User Groups tab, enter the name of
the group in the search field and click Search. Then click Add for the group you want to add.

Important: For computers, if you add a Directory Service user or group as a limitation, Jamf Pro will
only apply the limitation if the user currently logged into the computer matches the user assigned to
the computer in Jamf Pro.

3. Click Done in the top-right corner of the pane. The items you added are displayed in a list on the
Limitations pane.

Adding Exclusions

Adding exclusions to the scope of a remote management task allows you to exclude specific computers or
mobile devices, groups, buildings, departments, users, user groups, or network segments. For example, if you
want to restrict an application for everyone except the head of the department, you can add them as an
exclusion.

You can also add iBeacon regions as exclusions to the scope of policies and configuration profiles. For
example, if you want to prevent a mobile device from having a configuration profile installed when it is in a
specific iBeacon region, you can add the iBeacon region as an exclusion.

1. On the Exclusions pane, click Add.


2. On each tab, add items as needed. To add a Directory Service or local user, click the Directory Service/
Local Users tab. Then enter the username in the search field and click Add.

To add a Directory Service user group, click the Directory Service User Groups tab, enter the name of
the group in the search field and click Search. Then click Add for the group you want to add.

To add another type of item, click the appropriate tab and then click Add for the item you want to add.

Important: For computers, if you add a Directory Service user or group as an exclusion, Jamf Pro
will only apply the exclusion if the user currently logged into the computer matches the user
assigned to the computer in Jamf Pro.

3. Click Done in the top-right corner of the pane.


The items you added are displayed in a list on the Exclusions pane.

Removing Targets

For most remote management tasks, removing a target from the scope also removes the remote management
task from the device the next time the device checks in with Jamf Pro. However, some remote management
tasks—such as policies or PreStage enrollment—are not removed from the device after the target is removed
from the scope.

For information on how a feature behaves when a target is removed from the scope, see the documentation for
that feature.

Enrollment

Enrollment with Jamf Pro


Enrollment adds devices to Jamf Pro and establishes remote management capabilities for your organization.
When devices are enrolled, inventory information is submitted to Jamf Pro. This allows you to perform
inventory tasks, remote management, and configuration tasks on devices.

Jamf Pro supports the following Apple enrollment methods:

Automated Device Enrollment


Apple's Automated Device Enrollment, also known as zero-touch deployment, immediately enrolls and
configures a device when a user turns it on, with no user interaction from IT. This enrollment method is most
commonly used for devices owned by your organization and establishes the following device statuses:

• Supervised—Supervision prevents users from removing the MDM profile installed by Jamf Pro.
• User Approved MDM—User Approved MDM grants Jamf Pro administrators additional device
management privileges, such as managing third-party kernel extensions.

Device Enrollment

Apple's Device Enrollment allows users to manually enroll a device with Jamf Pro. This method is
designed for institutional devices that are not eligible for Automated Device Enrollment. For computers,
Device Enrollment is profile-driven. Users and administrators are provided a direct Jamf Pro enrollment
URL that opens the enrollment portal in a web browser. For mobile devices, Device Enrollment can be
profile-driven or account-driven. Users and administrators can be provided a direct Jamf Pro enrollment
URL that opens the enrollment portal in a web browser, or can sign in with a Managed Apple ID directly
on the device to initiate enrollment.

User Enrollment
(iOS and iPadOS only) Apple's User Enrollment methods are designed for enrolling personally owned
devices with Jamf Pro. User Enrollment results in unsupervised devices and allows personal and
institutional data on the device to be managed separately. Administrators can configure two User
Enrollment methods:

• Account-Driven User Enrollment—(iOS 15 and iPadOS 15 or later) Users open the Settings app,
navigate to General > VPN & Device Management, and then sign in with a Managed Apple ID. After
sign-in, users are redirected to your organization's Jamf Pro enrollment portal.
• Profile-Driven User Enrollment—(iOS 13 and iPadOS 13 or later) Also known as "User-Initiated
Enrollment via URL". Users are provided a direct Jamf Pro enrollment URL that opens your
organization's enrollment portal in Safari.


Disclaimer:

Personal device profiles are deprecated and no longer a recommended enrollment method for
personally owned devices. User Enrollment is the Apple-preferred method for enrolling personally
owned devices in a Bring Your Own Device (BYOD) program.

Related Content

• Intro to Apple device enrollment types (Apple)

Automated Device Enrollment for Computers


Apple's Automated Device Enrollment, also known as zero-touch deployment, immediately enrolls and
configures a device when a user turns it on, with no user interaction from IT. This enrollment method is most
commonly used for devices owned by your organization and establishes the following device statuses:

• Supervised—Supervision prevents users from removing the MDM profile installed by Jamf Pro.
• User Approved MDM—User Approved MDM grants Jamf Pro administrators additional device
management privileges, such as managing third-party kernel extensions.

Jamf Pro's Global Management settings allow you to integrate with Automated Device Enrollment, which
establishes communication between Jamf Pro and Apple Business Manager or Apple School Manager. For
more information, see Automated Device Enrollment Integration.

When the integration is complete, you can then use a Jamf Pro PreStage enrollment to configure and deploy
the Automated Device Enrollment experience to computers. Available settings include the following:

• Supervising and requiring MDM profile installation on devices


• Adding Enrollment Customization configurations
• Requiring single sign-on (SSO) to begin enrollment and integrating with Jamf Connect to create a user's
local account based on user information from your identity provider (IdP)
For more information about this workflow, see the Customizing the Jamf Pro Enrollment Experience Using
Enrollment Customization and Jamf Connect technical paper.
• Skipping Setup Assistant screens

Creating or Editing a Computer PreStage Enrollment


PreStage enrollments allow you to configure and deploy the Automated Device Enrollment experience to
devices.


Requirements
Before you can use a PreStage enrollment, you must do the following:

• Integrate Jamf Pro with Automated Device Enrollment


For more information, see Automated Device Enrollment Integration.
• Enable user-initiated enrollment for macOS in Jamf Pro
For more information, see User-Initiated Enrollment Settings.

1. In Jamf Pro, click Computers in the sidebar.


2. Click PreStage Enrollments in the sidebar.
3. On the PreStage Enrollments page, do one of the following:
◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.

The PreStage enrollment payload settings display for you to configure.

When you save your PreStage enrollment, the settings sync with Apple. Jamf Pro automatically syncs with
Apple every two minutes and displays device information updates in the PreStage enrollment. If you
continuously edit and save a PreStage enrollment, syncing delays may occur.

Adding Devices to a PreStage Enrollment Scope


The scope of a PreStage enrollment specifies which devices enroll with Jamf Pro using the PreStage
enrollment's settings. Only devices associated with the chosen Automated Device Enrollment Instance for
the PreStage enrollment are eligible for the scope.

If you clone a PreStage enrollment, the scope of the original PreStage enrollment is not included in the cloned
PreStage enrollment.

Best Practice: Automatically configuring scope


Best practice workflows cover common scenarios; however, the following recommendations may not
apply in your environment.
If you have only one Automated Device Enrollment instance integration with Jamf Pro, Jamf
recommends selecting the Automatically assign new devices checkbox in the PreStage enrollment's
General payload. This automatically adds new devices to the PreStage scope and eliminates the need
to continuously update the scope.


1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. Click the Scope tab.
3. Do one of the following:
◦ Select each device that you want to enroll via Automated Device Enrollment using settings in the
PreStage enrollment.
◦ Click Select All to add all devices associated with the Automated Device Enrollment instance to the
PreStage enrollment, regardless of any results that have been filtered using Filter Results.

4. Click Save.

Configuring Remote Management Settings during Automated Device Enrollment
PreStage enrollments allow you to configure common remote management and security settings for computers
during Automated Device Enrollment.

Note: Computers with macOS 11 or later are automatically supervised and require users to install the
MDM profile when enrolled via Automated Device Enrollment. For more information about supervision,
see About Apple device supervision in Apple Platform Deployment.

Requirements
To require user authentication during enrollment, you must integrate Jamf Pro with LDAP or a cloud IdP.
For more information, see LDAP Directory Service Integration or Cloud Identity Providers.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. Select the Require Authentication checkbox to require users to enter a username or password to enroll
and set up the computer.
LDAP authentication during enrollment also automatically populates user and location information in the
device's inventory information.


Note: If you add an Enrollment Customization configuration and have computers assigned to the
PreStage enrollment that are capable of running a macOS version earlier than 10.15, Jamf
recommends selecting the Require Authentication setting as a fail-safe to ensure those
computers are not inadvertently enrolled without authentication. For computers with macOS 10.15
or later, the Enrollment Customization settings will transparently overwrite this setting.

3. Select the Make MDM Profile Mandatory checkbox.


This setting requires users to install the MDM profile during enrollment. Users are automatically required to
apply the MDM profile on computers with macOS 10.15 or later.
4. Select the Allow MDM Profile Removal checkbox.
This setting allows users to remove the MDM profile after enrollment. Removing the MDM profile prevents
Jamf Pro from sending remote commands or distributing configuration profiles to the computer.
5. (macOS 10.15 or later only) Select the Prevent user from enabling Activation Lock checkbox.
This ensures users cannot enable Activation Lock. For more information, see the Leveraging Apple's
Activation Lock Feature with Jamf Pro article.
6. (Apple silicon with macOS 11.5 or later only) Select the Set Recovery Lock Password checkbox, and
then choose an option from the Set Password Method pop-up menu.
This ensures users cannot access recoveryOS on computers without a password. recoveryOS password
methods include the following:
◦ "Manually enter password (applies to all computers)"—Enter a recoveryOS password that applies
to all computers in the scope of the PreStage enrollment.
◦ "Automatically generate random password for each computer"—Generate a unique password for
each computer in the scope of the PreStage enrollment. This password is stored in each computer's
inventory information in Jamf Pro. If you also select Rotate Recovery Lock password, the password is
changed each time it's viewed in Jamf Pro.
7. Click Save.

Skipping Computer Setup Assistant Steps


You can skip Setup Assistant screens during Automated Device Enrollment. This reduces the total device setup
time for users.

When advancing through the Setup Assistant, the device defaults to Pacific Time Zone (PT) after it enrolls with
Jamf Pro. If you automatically advance through the Setup Assistant, you can configure the language and
location so the locale on the computer is automatically configured.

For more information about skipping Setup Assistant screens, see Manage Setup Assistant for Apple devices
in Apple Platform Deployment.


1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. In the General pane, do one of the following to skip Setup Assistant steps:
◦ Go to the Setup Assistant Options settings and select the screens that you want to skip during
enrollment.
◦ Select the Automatically advance through Setup Assistant (macOS 11 or later only) checkbox to
skip all Setup Assistant screens. This option allows you to choose the initial language and location of the
computer for users.

3. Click Save.

Installing Configuration Profiles during Automated Device Enrollment
You can distribute configuration profiles during Automated Device Enrollment. This allows you to install
configuration profiles before end users complete the Setup Assistant. For example, you can distribute a
configuration profile that enforces a passcode policy that end users must comply with during account creation.

Note: Jamf recommends only adding configuration profiles that are essential to the enrollment
experience to a PreStage enrollment. Installing too many configuration profiles early in the Setup
Assistant process may cause unexpected enrollment issues.

Important: Configuration profiles that contain payload variables are not replaced with their respective
values when distributed via a PreStage enrollment. Jamf recommends distributing profiles with variables
after the computer is enrolled with Jamf Pro.

Requirements
You must create configuration profiles for enrollment prior to configuring a PreStage enrollment. The scope
of the configuration profile must also include computers in the scope of the PreStage enrollment. For more
information, see Computer Configuration Profiles.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. In the Configuration Profiles pane, select one or more configuration profiles.


3. Click Save.

The configuration profiles are installed on computers during Automated Device Enrollment.

Installing Packages during Automated Device Enrollment


You can distribute and install packages that support the enrollment process during Automated Device
Enrollment.

Example: If you use Jamf Connect to create local accounts based on users in your cloud identity
provider (IdP), you can add the Jamf Connect PKG to the Enrollment Packages payload in a PreStage
enrollment.

On computers with macOS 10.14.4 or later, you can add and install multiple packages.

Requirements
You must upload packages to Jamf Pro prior to adding them to a PreStage enrollment. Packages must
meet the following criteria when deployed via Automated Device Enrollment:

• Signed distribution packages—PKGs must be signed using a certificate that is trusted by the device
at the time of enrollment. Jamf recommends using a certificate generated from either the Jamf Pro
built-in certificate authority (CA) or from an Apple Developer Program account. For more information, see the
Creating a Signing Certificate Using Jamf Pro's Built-in CA to Use for Signing Configuration Profiles and
Packages article. You can use Composer or a third-party packaging tool to build a signed PKG. For
more information about building packages using Composer, see Package Building in the Composer User
Guide.
• Package hosting—Cloud distribution points in Jamf Pro automatically meet package hosting
requirements. If using an HTTPS distribution point, the following is required:
◦ The distribution point web server cannot require authentication. You can also secure the download of
the enrollment package from an external distribution server using a JSON Web Token (JWT) in Jamf
Pro. This ensures that enrollment packages are downloaded securely to computers from external
distribution servers. For more information, see JSON Web Token for Securing In-House Content.
◦ The distribution point must be reachable by enrolling computers and not hosted on a private network.
◦ The SSL certificate must be trusted by enrolling computers. Using a publicly trusted SSL certificate is
recommended. Alternatively, you can include a configuration profile with a certificate authority (CA)
configured in the PreStage enrollment. Using Internet Information Services (IIS) to enable HTTPS
downloads on a Windows Server 2016 or 2019 file share distribution point is not supported.


• Custom manifest file—Packages must have a corresponding manifest file in PLIST format that contains
the URL to download the package from an HTTPS server and other required information for the
package. By default, Jamf Pro creates this file when you upload the package directly to Jamf Pro or add it
to Jamf Admin. If your environment uses an HTTPS server that is not a Jamf Pro HTTPS-capable distribution
point to host your packages, you must create a custom manifest file and upload it along with the package
to Jamf Pro. To use a custom manifest file, ensure that you upload the file when you upload the
package. For more information about uploading packages to Jamf Pro, see Package Management. For
more information about creating and hosting a manifest file, see Preparing to distribute in-house
macOS apps in Apple's Deployment Reference for Mac.
• Multiple packages—Adding multiple PKGs is only supported for computers with macOS 10.14.4 or
later.
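A custom manifest of the kind described in the Custom manifest file requirement can be generated from the package and checked against it before upload. This is an added example, not Jamf or Apple code; it assumes the items/assets layout with the kind, md5-size, md5s and url keys from Apple's in-house app manifest format, and the host dist.example.com, the chunk sizes and the function names are placeholders.

```python
import hashlib
import ipaddress
import plistlib
from urllib.parse import urlsplit

CHUNK_SIZE = 10 * 1024 * 1024  # value written to md5-size (assumed default for this example)


def chunk_md5s(data, chunk_size):
    """MD5 hex digest of each consecutive chunk_size slice of the package.

    MD5 is the checksum this manifest layout carries; it catches a mismatched
    or truncated download. The PKG signature is what establishes origin.
    """
    return [hashlib.md5(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def url_problems(url):
    """Check the download URL against the hosting requirements listed above."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        problems.append("url is not HTTPS")
    if not parts.hostname:
        return problems + ["url has no host"]
    if parts.username or parts.password:
        problems.append("url embeds credentials; the server cannot require authentication")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # a DNS name: reachability must be tested from an outside network
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        problems.append("url points at a private or local address")
    return problems


def build_manifest(pkg_bytes, url, chunk_size=CHUNK_SIZE):
    """Return manifest PLIST bytes for one package; refuse URLs that fail the checks."""
    problems = url_problems(url)
    if problems:
        raise ValueError("; ".join(problems))
    asset = {
        "kind": "software-package",
        "md5-size": chunk_size,
        "md5s": chunk_md5s(pkg_bytes, chunk_size),
        "url": url,
    }
    return plistlib.dumps({"items": [{"assets": [asset]}]})


def check_manifest(manifest_bytes, pkg_bytes):
    """Return a list of problems; an empty list means manifest and package agree."""
    try:
        assets = plistlib.loads(manifest_bytes)["items"][0]["assets"]
        pkgs = [a for a in assets if a.get("kind") == "software-package"]
    except Exception as exc:  # malformed PLIST or missing/mistyped keys
        return [f"unusable manifest: {exc!r}"]
    if len(pkgs) != 1:
        return [f"expected one software-package asset, found {len(pkgs)}"]
    asset = pkgs[0]
    url = asset.get("url")
    problems = url_problems(url) if isinstance(url, str) else ["url missing"]
    size, listed = asset.get("md5-size"), asset.get("md5s")
    if not isinstance(size, int) or size <= 0 or not isinstance(listed, list):
        return problems + ["md5-size or md5s missing or malformed"]
    actual = chunk_md5s(pkg_bytes, size)
    if len(actual) != len(listed):
        problems.append(f"manifest lists {len(listed)} chunks, package has {len(actual)}")
    for index, (want, got) in enumerate(zip(listed, actual)):
        if want != got:
            problems.append(f"chunk {index} MD5 mismatch")
    return problems


if __name__ == "__main__":
    pkg = b"constructed-pkg-bytes-" * 1000  # constructed stand-in for a signed PKG
    manifest = build_manifest(pkg, "https://dist.example.com/pkgs/enroll.pkg", 8192)
    print(manifest.decode())
    print(check_manifest(manifest, pkg[:-1] + b"!"))  # package changed after manifest was built
```

Running check_manifest against the file actually hosted on the distribution point, rather than the local build output, catches a package that was replaced or re-signed after the manifest was created.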

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. In the Enrollment Packages pane, click Add next to one or more PKGs.

Best Practice: Jamf recommends only adding packages that are essential to the enrollment
experience to a PreStage enrollment. Too many packages may cause unexpected enrollment issues
or take additional time to download if there is a poor network connection. For packages that are not
required during enrollment, create a policy that runs after enrollment is complete.

3. Click Save.

Added packages are installed on computers going through Automated Device Enrollment while in the Setup
Assistant.

Adding an Enrollment Customization Configuration


The Enrollment Customization configurations in Jamf Pro customize the Automated Device Enrollment user
experience.

This includes configuring custom panes and branding that display to users during enrollment. Enrollment
customizations also allow you to set up local account provisioning using Jamf Connect and your cloud identity
provider (IdP). For step-by-step instructions on setting up this enrollment experience, see the Customizing the
Jamf Pro Enrollment Experience Using Enrollment Customization and Jamf Connect technical paper.


Requirements
• An existing Enrollment Customization configuration in Settings > Global > Enrollment
Customization.
For more information, see Enrollment Customization Settings.
• Computers in the PreStage enrollment with macOS 10.15 or later

In the General pane of a PreStage enrollment, choose an Enrollment Customization configuration from the
Enrollment Customization Configuration pop-up menu.

Provisioning Local Accounts during Automated Device Enrollment


You can create a managed local administrator account, also known as the "managed administrator", and
configure the local account information for the primary user during Automated Device Enrollment.

On computers with macOS 10.15 or later, you can also configure the following:

• Pre-fill the primary user's local account full name and account name. If your environment includes an LDAP
or cloud IdP server, you can enter user variables. You can also prevent the enrolling user from editing this
information during enrollment.
• Managed administrators can receive a secure token during login if a Bootstrap Token is escrowed to Jamf
Pro.
◦ For more information, see Use secure token, bootstrap token, and volume ownership in deployments in
Apple Platform Deployment.
◦ For more information about how to manually create and escrow the Bootstrap Token on the computer
and to allow Jamf Pro to store the token, see the Manually Leveraging Apple's Bootstrap Token
Functionality article.

Requirements
To enable the user variables to populate with the value for the LDAP or cloud identity provider (IdP)
attribute, you need an LDAP or cloud IdP server configured in Jamf Pro. For more information, see LDAP
Directory Service Integration and Cloud Identity Providers.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. (Optional) In the Account Settings pane, do the following to create a local administrator account
(managed administrator):
a. Select the Create a local administrator account before the Setup Assistant checkbox.
b. Complete the Username and Password fields, and then verify the password.

Warning: Do not use the same username for the management account created in User-Initiated
Enrollment settings and a managed local administrator account created in a PreStage
enrollment. If the same username is used for both, those accounts may not be created correctly
during Automated Device Enrollment, and unexpected errors may occur. In addition, the
password for the local administrator password solution (LAPS) will not be retrievable in the Jamf
Pro API.

c. Select the Hide managed administrator from Users & Groups checkbox.
This prevents users from seeing or interacting with the managed administrator account in System
Settings (macOS 13 or later) or System Preferences (macOS 12 or earlier).
d. Select the Make the local administrator account MDM-enabled checkbox.
This makes the managed administrator account MDM-enabled.

Warning: Making the managed administrator MDM-enabled prevents the subsequent local user
account from being MDM-enabled. If the primary local account is not MDM-enabled, user-level
configuration profiles cannot be installed for the user. For more information, see MDM-Enabled
Local User Accounts.

3. Select one of the following to configure the primary user's local account type:
◦ Administrator Account—Creates the primary user as a local administrator
◦ Standard Account—Creates a standard user account
◦ Skip Account Creation—Skips account creation during enrollment. Select this option when:
▪ Another solution, such as Jamf Connect, is configured to create primary user local accounts during
Automated Device Enrollment.
▪ You only want to create the managed administrator during enrollment.
4. Select the Pre-fill primary account information checkbox, and then choose one of the following options:
◦ Custom Details—This option allows you to enter the account full name and the account name for the
computer. This information is applied to all computers enrolled via the PreStage enrollment. If LDAP or a
cloud IdP is integrated with your Jamf Pro environment, you can use variables to dynamically populate user
information from LDAP or an IdP. The following variables are supported:
▪ $USERNAME
▪ $FULLNAME


▪ $REALNAME
▪ $EMAIL
▪ $PHONE
▪ $POSITION
▪ $ROOM
▪ $EXTENSIONATTRIBUTE_#

Note:
▪ If a blank value is returned for a variable, the Lock primary account information setting is
ignored to allow users to enter the missing user account information.
▪ Only user extension attributes are available as variables. Computer and mobile device
extension attributes are not supported.

◦ Device Owner's Details—This option sets the account full name and account name based on the
Username and Full Name values in the computer's inventory information at the time of enrollment. If
authentication is required during enrollment, the user's information is associated with the device using a
lookup from Jamf Pro to LDAP or your cloud IdP.

Note: If the PreStage enrollment includes an Enrollment Customization configuration with the
Single Sign-On Authentication PreStage Pane, and an LDAP directory or cloud IdP lookup is
not available, Jamf Pro only receives the account name and cannot obtain the full name during
account creation. The username information from your IdP is populated by the NameID attribute
defined within your IdP's SAML application. Check your IdP for options to customize this value.

5. Select the Lock primary account information checkbox to prevent users from changing the pre-filled
account name and account full name during Setup Assistant.
6. Click Save.

Configuring User and Location Information


You can use the User and Location payload to specify user and location information for devices. This
information is stored in Jamf Pro for each device enrolled using a PreStage enrollment.

Note: Using Inventory Preload or requiring authentication during enrollment also automatically
populates this user and location information for devices.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. Click the User and Location tab.
3. Enter the user and location information for devices that are enrolled using the PreStage enrollment.
4. Click Save.

Configuring Purchasing, Attachments, and Certificate Information in a PreStage Enrollment

Configuring purchasing, attachments, and certificate information in a PreStage enrollment automatically adds
the configured information to the inventory information of each device in scope during Automated Device
Enrollment.

Configure and save any of the following PreStage enrollment payloads to include information or attachments in
inventory of devices:

Purchasing

You can use the Purchasing payload to specify purchasing information for the devices.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Attachments

You can use the Attachments payload to upload attachments to store for mobile devices.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Certificates

You can use the Certificates payload to establish trust during enrollment if your Jamf Pro instance is
hosted on-premise and uses an SSL certificate that is not natively trusted by Apple products. The device
attempts a secure connection with Jamf Pro using only this certificate to enroll.

For more information about the certificates that are trusted by Apple, see Available trusted root
certificates for Apple operating systems from Apple's support website.

Note: If your Jamf Pro instance uses an SSL certificate that was created by the Jamf Pro built-in
CA, an anchor certificate for enrollment is automatically added to this payload.


If your Jamf Pro server is cloud hosted (i.e., the URL ends with jamfcloud.com), you should not configure
this payload.

Device Enrollment for Computers


Apple's Device Enrollment allows users to manually enroll a device with Jamf Pro. This method is designed for
institutional devices that are not eligible for Automated Device Enrollment. Device Enrollment is profile-driven.
Users are provided a direct Jamf Pro enrollment URL that opens the enrollment portal in a web browser.

Jamf Pro's User-Initiated Enrollment settings allow you to enable and configure the Device Enrollment
experience for users. Settings include the following:

• Custom enrollment messaging for multiple languages


• Create a management account and enable SSH (remote login)
• Require LDAP sign-in to enroll and use LDAP groups to restrict which users can enroll with Jamf Pro

During enrollment, users are prompted to download an MDM profile, and the computer achieves User
Approved MDM status. Computers with macOS 11 or later are automatically supervised after Device
Enrollment.

Enabling Device Enrollment for Computers


Device Enrollment for computers is enabled via Jamf Pro's User-Initiated Enrollment settings.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Global section, click User-initiated enrollment.
3. Click Edit.
4. Click the macOS tab.
5. Select the Enable user-initiated enrollment for computers checkbox.
6. (Optional) Click the Access tab and configure whether an LDAP group has access to enroll mobile devices
using an enrollment URL without an invitation.
If sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during enrollment.

7. Click Save.

Device Enrollment is enabled for enrollment with Jamf Pro, and you can now share an enrollment URL or send
enrollment invitations to users.
Related Content

• User-Initiated Enrollment Settings


Providing an Enrollment URL for Device Enrollment

Requirements
• Device Enrollment enabled for computers via Jamf Pro's User-Initiated Enrollment settings
For more information, see Enabling Device Enrollment for Computers.
• (LDAP sign-in only) An LDAP server set up in Jamf Pro
For more information, see LDAP Directory Service Integration.
• Safari on user devices to access the enrollment URL

The enrollment URL is the full URL for the Jamf Pro server followed by /enroll. To direct users to the
enrollment portal, you provide an enrollment URL.

Example:

• Cloud-Hosted—https://JAMF_PRO_URL.jamfcloud.com/enroll
• On-Premise—https://JAMF_PRO_URL.com:8443/enroll

Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account.

When a user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro
during enrollment.

When a user logs in with a Jamf Pro user account, an LDAP user can be assigned to the device.

Sending a Computer Enrollment Invitation via Email


Enrollment invitations via email give you more control over user access to the enrollment portal by allowing you
to do the following:

• Set an expiration date for the invitation


• Require users to log in to the portal
• Allow multiple uses of the invitation
• Add the device to a site during enrollment
• View the status of the invitation


Requirements
• Device Enrollment enabled for computers via Jamf Pro's User-Initiated Enrollment Settings
For more information, see Enabling Device Enrollment for Computers.
• (LDAP sign-in only) An LDAP server set up in Jamf Pro
For more information, see LDAP Directory Service Integration.
• An SMTP server set up in Jamf Pro.
For more information, see SMTP Server Integration.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Enrollment Invitations in the sidebar.
3. Click New.
4. Follow the onscreen instructions to send the enrollment invitation.

An enrollment invitation is immediately sent to the email addresses you specified.

To view devices in your organization that enroll with Jamf Pro via a specific enrollment invitation, navigate to
the enrollment invitation.

Device Enrollment Experience for Computers


When a user accesses an enrollment URL, they are guided through a series of steps to enroll the computer.
The enrollment steps vary depending on the version of macOS installed on the computer. The text in the
images below may vary depending on whether the text or languages are customized with Jamf Pro's
User-Initiated Enrollment settings.

1. The user is prompted to log in with either their directory credentials or a Jamf Pro user account with
user-initiated enrollment privileges. Directory credentials may include one of the following authentication types:
◦ LDAP
◦ Single sign-on (SSO)
◦ Cloud identity provider (IdP)
After entering their credentials, the user must click Log In. If the credentials are entered via the Jamf Pro
login page, the user must click Log In. If the user is authenticating via a single sign-on provider, the user
will be redirected to their organization's login page.


The login prompt is not displayed if the enrollment portal was accessed via an enrollment invitation in which
the Require Login option is disabled.
2. Users who authenticated using a Jamf Pro user account and users who accessed the enrollment portal via
an invitation for which the "Require Login" option is disabled see an "Assign to user" dialog.

3. An LDAP or Cloud Identity Provider user may optionally be linked to the enrolling computer by performing a
search in the field in this dialog. The user must enter their username and click the magnifying glass icon to
search for a match in the LDAP or Cloud Identity Provider directory.
a. If a matching user is found, a checkmark will be displayed at the end of the text field. The user can click
Enroll to continue with enrollment, and the computer will be associated with their username.


b. If the user is not found, an X is displayed at the end of the text field. The user can leave the Assign to
user field blank and then click the Enroll button to continue enrollment without associating the
computer to a user.

Note: To assign a user to a device, the Jamf Pro user account must have the "Assign Users to
Computers" privilege.

c. If prompted to select a site, the user may choose a site to associate their computer with. This will apply
the appropriate site settings as defined by your organization to the computer.


4. (Optional) If the user signed in with a directory user and the text for an End User License Agreement
(EULA) was entered in Jamf Pro, the user must accept the EULA to continue.

5. (Optional) If the user-initiated enrollment settings are set with the Skip certificate installation during
enrollment checkbox deselected, the user is prompted to install a profile containing the CA certificate
before they install the MDM profile.

The user must follow the onscreen instructions to install the CA certificate. After the CA certificate is
installed, the user must return to their web browser to install the MDM profile and complete enrollment.

Note: If your Jamf Pro instance is hosted on-premise, computers with macOS 13 or later do not
automatically trust certificates from manually installed configuration profiles. Users must open
Keychain Access, double-click your organization's JSS Built-in CA Certificate, and trust the
certificate. For instructions, see Change the trust settings of a certificate in Keychain Access on Mac
from the Keychain Access User Guide.

6. When prompted, the user must click Continue to download and install the MDM profile.

7. For computers with macOS 11 or later, when the downloaded profile is opened, the user is notified in the
Notification Center that a profile was downloaded and can be reviewed in System Preferences. The user
must then navigate to System Preferences > Profiles, select the MDM profile, and click Install to finish
the profile installation. Users are then prompted to trust the MDM enrollment profile and enter their local
administrator account password to complete the MDM enrollment profile installation process.

Important: The user has eight minutes to install the MDM enrollment profile before the profile is no
longer displayed in System Preferences. If this occurs, the user must double-click the downloaded
enrollment profile to install the MDM enrollment profile in System Preferences.

8. When the user returns to the web browser, the following message will be displayed indicating that the
computer is enrolled with Jamf Pro.

Related Content

• User-Initiated Enrollment Settings


Automated Device Enrollment for Mobile Devices


Apple's Automated Device Enrollment, also known as zero-touch deployment, immediately enrolls and
configures a device when a user turns it on, with no interaction required from IT. This enrollment method is
most commonly used for devices owned by your organization and establishes the following device statuses:

• Supervised—Supervision prevents users from removing the MDM profile installed by Jamf Pro.
• User Approved MDM—User Approved MDM grants Jamf Pro administrators additional device
management privileges, such as managing third-party kernel extensions.

Jamf Pro's Global Management settings allow you to integrate with Automated Device Enrollment, which
establishes communication between Jamf Pro and Apple Business Manager or Apple School Manager. For
more information, see Automated Device Enrollment Integration.

When the integration is complete, you can then use a Jamf Pro PreStage enrollment to configure and deploy
the Automated Device Enrollment experience to devices. Settings include the following:

• Supervising and requiring MDM profile installation on devices


• Adding Enrollment Customization configurations
• Skipping Setup Assistant screens. Which screens you can skip varies between tvOS and iOS.

Creating or Editing a Mobile Device PreStage Enrollment


PreStage enrollments allow you to configure and deploy the Automated Device Enrollment experience to
devices.

Requirements
Integration with Automated Device Enrollment

For more information, see Automated Device Enrollment Integration.

1. In Jamf Pro, click Devices in the sidebar.


2. Click PreStage Enrollments in the sidebar.
3. On the PreStage Enrollments page, do one of the following:
◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.

The PreStage enrollment payload settings display for you to configure.


When you save your PreStage enrollment, the settings sync with Apple. Jamf Pro automatically syncs with
Apple every two minutes and displays device information updates in the PreStage enrollment. If you
continuously edit and save a PreStage enrollment, syncing delays may occur.

Adding Devices to a PreStage Enrollment Scope


The scope of a PreStage enrollment specifies which devices enroll with Jamf Pro using the PreStage
enrollment's settings. Only devices associated with the chosen Automated Device Enrollment Instance for
the PreStage enrollment are eligible for the scope.

If you clone a PreStage enrollment, the scope of the original PreStage enrollment is not included in the cloned
PreStage enrollment.

Best Practice: Automatically configuring scope


Best practice workflows cover common scenarios; however, the following recommendations may not
apply in your environment.
If you have only one Automated Device Enrollment instance integration with Jamf Pro, Jamf
recommends selecting the Automatically assign new devices checkbox in the PreStage enrollment's
General payload. This automatically adds new devices to the PreStage scope and eliminates the need
to continuously update the scope.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. Click the Scope tab.
3. Do one of the following:
◦ Select each device that you want to enroll via Automated Device Enrollment using settings in the
PreStage enrollment.
◦ Click Select All to add all devices associated with the Automated Device Enrollment instance,
regardless of any results that have been filtered using the Filter Results, to the PreStage enrollment.

4. Click Save.

Configuring Remote Management and Supervision Settings during Automated Device Enrollment

PreStage enrollments allow you to configure common remote management and security settings for devices
during Automated Device Enrollment.


Note: Devices with iOS 13 or later are automatically supervised and require users to install the MDM
profile when enrolled via Automated Device Enrollment. For more information about supervision, see
About Apple device supervision in Apple Platform Deployment.

Requirements
To require LDAP authentication to complete enrollment, integration with LDAP is required. For more
information, see LDAP Directory Service Integration.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. Select the Require Credentials for Enrollment checkbox to require users to enter an LDAP username or
password.
LDAP authentication during enrollment also automatically populates user and location information in the
device's inventory information.

Note: If you add an Enrollment Customization configuration to the PreStage enrollment, this setting
is ignored for devices with iOS 13 or later, and iPadOS 13 or later.

3. (iOS 12 or earlier only) Make sure the Supervise Devices with iOS 12.x or earlier checkbox is selected
if your environment includes devices with this OS version.
4. (iOS 12 or earlier only) Make sure the Make MDM Profile Mandatory for devices with iOS 12.x or
earlier checkbox is selected if your environment includes devices with this OS version.
5. Select any of the following settings for supervised devices:
◦ Pairing—Allow a mobile device to connect to Mac computers via USB
◦ Prevent unenrollment—Disallow users from removing the MDM profile
◦ Install configuration profiles before Setup Assistant—Begin installing configuration profiles that
include the device in its scope after the user completes enrollment and connects to WiFi but before the
Setup Assistant displays.
6. Make sure the Prevent user from enabling Activation Lock checkbox is selected.
This ensures users cannot enable Activation Lock. For more information, see the Leveraging Apple's
Activation Lock Feature with Jamf Pro article.

7. Click Save.


Skipping Mobile Device Setup Assistant Steps


You can skip Setup Assistant steps during Automated Device Enrollment. This reduces the total device setup
time for users.

When advancing through the Setup Assistant, the device defaults to Pacific Time Zone (PT) after it enrolls with
Jamf Pro. If you automatically advance through the Setup Assistant, you can configure the language and
location so the locale on the computer is automatically configured.

For more information about skipping Setup Assistant screens, see Manage Setup Assistant for Apple devices
in Apple Platform Deployment.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. (tvOS only) In the General pane, locate the Setup Assistant settings and select the Automatically
advance through Setup Assistant (tvOS only) checkbox.
3. In the General pane, go to the Setup Assistant Options settings and select the screens that you want to
skip during enrollment.

Best Practice: Click All to skip all the Setup Assistant screens and decrease the total enrollment
time for users.

4. Click Save.

Adding an Enrollment Customization Configuration


The Enrollment Customization configurations in Jamf Pro customize the Automated Device Enrollment user
experience.

This includes configuring custom panes and branding that display to users during enrollment.

Requirements
• An Enrollment Customization configuration
For more information, see Enrollment Customization Settings.
• Devices in the PreStage enrollment with iOS 13 or iPadOS 13 or later


In the General pane of a PreStage enrollment, choose an Enrollment Customization configuration from the
Enrollment Customization Configuration pop-up menu.

Assigning Device Names


The Mobile Device Names payload in a PreStage enrollment configures how enrolled devices are named. This
information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

This payload is optional, but choosing to configure the payload enables Jamf Pro to take action on device
names during enrollment.

If this payload is not configured, Jamf Pro does not take action on mobile device names during enrollment. The
name of the device at the time of enrollment persists after enrollment.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. Click the Mobile device names payload and then click Configure.
3. Choose and configure one of the following from the Naming Method pop-up menu:
◦ Default Names—Depending on the enrollment status of the device, the following can happen when this
option is chosen:
▪ If the device is re-enrolled with Jamf Pro, the value of the Mobile Device Name attribute field in the
device's inventory information in Jamf Pro is assigned to the device at enrollment.
▪ If the device is enrolled for the first time with Jamf Pro, the current name of the device persists after
enrollment.
◦ Serial Numbers—The serial number of the device becomes the device's name during enrollment. You
can add a suffix or a prefix to the serial number.

Best Practice: Jamf recommends this naming method, which ensures enrolled devices are easy
to identify and do not create a large number of devices with the default display name such as
"iPhone" and "iPad".

◦ List of Names—Enter names separated by a comma to assign to the devices during enrollment.
◦ Single Names—Enter a single name that is assigned to all devices during enrollment.
4. Click Save.

Devices are named and display in Jamf Pro using the chosen method.

Enabling Shared iPad during Automated Device Enrollment


You can use the General payload to enable Shared iPad on enrolled iPads. For more information about
Shared iPad, see Shared iPad overview in Apple Platform Deployment.

If you add an Enrollment Customization configuration, the configuration is only applied once during the initial
enrollment with Jamf Pro.

1. On the PreStage Enrollments page, do one of the following:


◦ Click New to create a new PreStage enrollment.

◦ Select an existing PreStage enrollment and click Edit.


2. In the General pane, select the Enable Shared iPad checkbox.
3. Configure the following settings:
◦ Temporary Session Only—Enforce temporary sessions so users can log in only as guests (iPadOS
14.5 or later). To allow typical user sessions, users must log in with their Managed Apple IDs.
◦ Temporary Session Timeout—Specify the period of inactivity on a device before a temporary session
or a user session is automatically closed.
◦ Number of Users—Enter the maximum number of users that can be stored with the iPad. You can
specify up to 99 users. This limits the number of user accounts that can be stored locally on the iPad.
◦ Storage Quota Size—Specify the maximum amount of storage (MB) allocated for each user on devices
with iPadOS 13.4 or later. This overrides the maximum number of users. If the scope of the PreStage
contains devices with iPadOS 13.3 or earlier, the device defaults to the maximum number of users.
4. Click Save.

To enhance Shared iPad workflows in your environment, configure and distribute configuration profiles directly
to a user that logs in to the iPad. For more information, see Mobile Device Configuration Profiles.

Configuring User and Location Information


You can use the User and Location payload to specify user and location information for devices. This
information is stored in Jamf Pro for each device enrolled using a PreStage enrollment.

Note: Using Inventory Preload or requiring authentication during enrollment also automatically
populates this user and location information for devices.

1. On the PreStage Enrollments page, do one of the following:
◦ Click New to create a new PreStage enrollment.
◦ Select an existing PreStage enrollment and click Edit.
2. Click the User and Location tab.
3. Enter the user and location information for devices that are enrolled using the PreStage enrollment.

4. Click Save.

Configuring Purchasing, Attachments, and Certificate Information in a PreStage Enrollment

Configuring purchasing, attachments, and certificate information in a PreStage enrollment automatically adds
the configured information to the inventory information of each device in scope during Automated Device
Enrollment.

Configure and save any of the following PreStage enrollment payloads to include information or attachments in
inventory of devices:

Purchasing

You can use the Purchasing payload to specify purchasing information for the devices.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Attachments

You can use the Attachments payload to upload attachments to store for mobile devices.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Certificates

You can use the Certificates payload to establish trust during enrollment if your Jamf Pro instance is
hosted on-premise and uses an SSL certificate that is not natively trusted by Apple products. The device
attempts a secure connection with Jamf Pro using only this certificate to enroll.

For more information about the certificates that are trusted by Apple, see Available trusted root
certificates for Apple operating systems from Apple's support website.

Note: If your Jamf Pro instance uses an SSL certificate that was created by the Jamf Pro built-in
CA, an anchor certificate for enrollment is automatically added to this payload.

If your Jamf Pro server is cloud hosted (i.e., the URL ends with jamfcloud.com), you should not configure
this payload.

Device Enrollment for Mobile Devices


Apple's Device Enrollment allows users to manually enroll a device with Jamf Pro. This method is designed for
institutional devices that are not eligible for Automated Device Enrollment. Device Enrollment can be profile-
driven or account-driven. Users and administrators can be provided a direct Jamf Pro enrollment URL that
opens the enrollment portal in a web browser, or can sign in with a Managed Apple ID directly on the device to
initiate enrollment.

You can set up Device Enrollment using the following methods:

Profile-Driven Device Enrollment

Also known as "User-Initiated Enrollment via URL". These settings allow you to enable Device
Enrollment and customize the enrollment experience for users, including the messaging that displays for
each step of the enrollment process. Users can then enroll their own devices by logging in to a web-
based enrollment portal and following the onscreen instructions. You can provide this URL by sending it
in an email, an SMS invitation from Jamf Pro, or any other means that fits your environment.

Account-Driven Device Enrollment


(iOS 17 and iPadOS 17 or later) Administrators open the Settings app, navigate to General > VPN &
Device Management and then sign in with a Managed Apple ID. After sign-in, users are directed to your
organization's Jamf Pro enrollment portal.

Apple Configurator

If you use Apple Configurator, you can enroll devices with the following:

• Enrollment URLs with Apple Configurator—Enroll devices with Jamf Pro by connecting them to a
computer via USB and using an enrollment URL with Apple Configurator.
• Enrollment Profiles with Apple Configurator—Create an enrollment profile using Jamf Pro, and then
connect devices to a computer via USB to install the profile with Apple Configurator.

Enabling Device Enrollment for Mobile Devices in Jamf Pro


Device Enrollment for institutionally-owned devices is enabled via Jamf Pro's User-Initiated Enrollment
settings. You can enable Profile-Driven Enrollment, Account-Driven Device Enrollment, or both.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click User-initiated enrollment.
3. Click Edit.
4. Click the iOS tab.
5. Select Enable for institutionally owned devices in one or both sections to enable Profile-Driven
Enrollment, Account-Driven Device Enrollment, or both.

6. (Optional) Click the Access tab and configure whether an LDAP group has access to enroll mobile devices
using an enrollment URL without an invitation.
When sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during
enrollment.

7. Click Save.

Device Enrollment is enabled for enrollment with Jamf Pro for the selected methods.
Related Content

• User-Initiated Enrollment Settings

Sending a Mobile Device Enrollment Invitation via Email or SMS


You can send an email or SMS invitation that contains the enrollment URL from Jamf Pro to one or more users
enrolling institutionally owned mobile devices via Device Enrollment. Enrollment invitations give you more
control over user access to the enrollment portal by allowing you to do the following:

• Set an expiration date for the invitation
• Require users to log in to the portal
• Allow multiple uses of the invitation
• Add the device to a site during enrollment
• View the status of the invitation

Note: Enrollment invitations are not supported for personally owned devices enrolled via User
Enrollment. You must provide the enrollment URL to those users by some other means.

Requirements
• An SMTP server set up in Jamf Pro
For more information, see SMTP Server Integration.
• Email addresses or phone numbers of the users who are enrolling devices

1. In Jamf Pro, click Devices in the sidebar.
2. Click Enrollment Invitations in the sidebar.
3. Click New.
4. Select User-Initiated Enrollment as the enrollment method.
5. Follow the onscreen instructions to send the enrollment invitation.

An enrollment invitation is immediately sent to the email addresses or phone numbers you specified.

To view devices in your organization that enroll with Jamf Pro via a specific enrollment invitation, navigate to
the enrollment invitation.

Providing an Enrollment URL for Device Enrollment


You can provide the enrollment URL to users in the way that best fits your environment.

Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account. When a
user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro during
enrollment. When a user logs in with a Jamf Pro user account, it allows an LDAP user to be assigned to the
device.

Note: For Account-Driven Enrollment, the user is redirected to the enrollment portal and prompted to
install the MDM profile on their device after they authenticate to their device with a Managed Apple ID.
Because this enrollment method is initiated when the user signs in with the Managed Apple ID, you do
not have to provide users with the enrollment URL to direct them to the enrollment portal.

Requirements
• Device Enrollment enabled for mobile devices via Jamf Pro's User-Initiated Enrollment settings
For more information, see Enabling Device Enrollment for Mobile Devices in Jamf Pro.
• (LDAP sign-in only) An LDAP server set up in Jamf Pro
For more information, see LDAP Directory Service Integration.
• Safari on user devices to access the enrollment URL.

The enrollment URL is the full URL for the Jamf Pro server followed by /enroll. To direct users to the
enrollment portal, you provide an enrollment URL.

Example:

• Cloud-Hosted—https://JAMF_PRO_URL.jamfcloud.com/enroll
• On-Premise—https://JAMF_PRO_URL.com:8443/enroll

Device Enrollment Experience for Mobile Devices


When a user accesses the enrollment URL from an institutionally owned iOS or iPadOS device using Safari,
they are guided through a series of steps to enroll the device. The text displayed in the images below may vary
depending on whether the text or languages are customized in the User-Initiated Enrollment settings. For more
information, see User-Initiated Enrollment Settings.

The following workflow describes how user-initiated enrollment can be used to enroll institutionally owned
mobile devices:

1. The user is prompted to log in with either their directory credentials or a Jamf Pro user account with user-
initiated enrollment privileges. Directory credentials may include one of the following authentication types:
◦ LDAP
◦ Single sign-on (SSO)
◦ Cloud Identity Provider
If the credentials are entered via the Jamf Pro login page, the user must click Log In. If the user is
authenticating via a single sign-on provider, the user is redirected to their organization's login page.

The login prompt is not displayed if the enrollment portal was accessed via an enrollment invitation in which
the Require Login option is disabled.
2. The user is prompted to enroll the device as a personally owned device or an institutionally owned device.
This step is only displayed if both institutionally owned device enrollment and personally owned device
enrollment are enabled in Jamf Pro.

You can display a description to users who enroll an institutionally owned device.

3. Users who authenticated using a Jamf Pro user account and users who accessed the enrollment portal via
an invitation for which the "Require Login" option is disabled will see an "Assign to user" dialog.

4. An LDAP or Cloud Identity Provider user may optionally be linked to the enrolling device by performing a
search in the field in this dialog. The user must enter their username and click the magnifying glass icon to
search for a match in the LDAP or Cloud Identity Provider directory.
a. If a matching user is found, a checkmark will be displayed at the end of the text field. The user can click
Enroll to continue with enrollment, and the device will be associated with their username.

b. If the user is not found, an X is displayed at the end of the text field. The user can leave the Assign to
user field blank and then click the Enroll button to continue enrollment without associating the device
to a user.

Note: To assign a user to a device, the Jamf Pro user account must have the "Assign Users to
Mobile Devices" privilege.

c. If prompted to select a site, the user may choose a site to associate their device with. This will apply the
appropriate site settings as defined by your organization to the device.

5. (Optional) If the user signed in with a directory user and the text for an End User License Agreement
(EULA) was entered in Jamf Pro, the user must accept the EULA to continue.

6. (Optional) If the Skip certificate installation during enrollment checkbox is deselected in User-Initiated
Enrollment settings, the user is prompted to install a profile containing the CA certificate before they install
the MDM profile.

The user must follow the onscreen instructions to install the CA certificate. After the CA certificate is
installed, the user must return to Safari to install the MDM profile and complete enrollment.
7. When prompted, the user must click Continue to download and install the MDM profile. Information about
enrollment can be accessed by clicking the Information icon.

8. For devices with iOS 12.2 or later, the following additional message is displayed: "Complete installation of
this profile in the Settings app."
9. Next, a Profile Downloaded dialog is displayed:

The user must click Close, and then navigate to the Settings app and click the Profile Downloaded in
the left sidebar to complete the installation.
10. The user may need to click Install multiple times to continue and must follow the onscreen instructions to
trust the MDM profile, which may include entering their passcode if one is required.

Important: The user has eight minutes to install the enrollment profile before iOS discards the
profile. If this occurs, the user must restart the enrollment process from the beginning.

11. When the user returns to the Safari web browser, the following message will be displayed indicating that
the device is enrolled with Jamf Pro.

Setting up Account-Driven Device Enrollment


Setting up Account-Driven Device Enrollment involves creating and hosting enrollment information in a JSON
file on a web server. This allows devices to initiate a service discovery process to retrieve information and
direct a device to the Jamf Pro enrollment portal. For more information about JSON files, see Working with
JSON.

Account-Driven Device Enrollment Requirements


General Requirements

• A push certificate in Jamf Pro
For more information, see Push Certificates.
• Mobile devices with iOS 17 or later or iPadOS 17 or later
• (LDAP login only) An LDAP server set up in Jamf Pro
For more information, see LDAP Directory Service Integration.
• (SSO login only) Single Sign-On Authentication enabled in Jamf Pro, with the Enable Single Sign-On for
User Authentication during Enrollment checkbox selected.
For more information, see Single Sign-On (SSO).

Managed Apple ID Requirements

To create Managed Apple IDs for Account-Driven Device Enrollment, you must either use federated
authentication between Apple and your identity provider (IdP) or create them manually in Apple Business
Manager or Apple School Manager.

For more information, see the following resources from Apple:

• Use Managed Apple IDs in Apple Business Manager

• Use Managed Apple IDs in Apple School Manager

Note: For Account-Driven Device Enrollment, Managed Apple IDs must belong to a verified domain. For
more information, see Verify domains in Apple Business Manager and Apple School Manager from
Apple's support website.

Defining Jamf Pro Enrollment Information for Account-Driven Device Enrollment

A device must authenticate with the Jamf Pro server to initiate the service discovery process and direct a user
to the enrollment portal.

After a user signs in with a full Managed Apple ID, the following process occurs:

1. The device extracts the domain information (information following the @ symbol) from the Managed Apple
ID.
2. The device sends an HTTP request to the web server hosting the enrollment information, and
authenticates with the Jamf Pro server.

Example: If the user Samantha Johnson signs in to a device with the Managed Apple ID
[email protected] , the device extracts mycompany.com and uses the service
discovery process to make an HTTP request for the enrollment information that is hosted at
mycompany.com .

3. The device uses that information to redirect the user to the Jamf Pro enrollment portal.

For more information about the service discovery process, see the Discover Authentication Servers
documentation from the Apple Developer website.

To enable a device to authenticate with the Jamf Pro server, you must create a JSON file named
com.apple.remotemanagement and define the following properties in it:

BaseURL

The full URL for your Jamf Pro instance followed by
/servicediscoveryenrollment/v1/deviceenroll

Version
The enrollment version

Important: This must be defined as "mdm-adde".

The contents of the JSON file should look similar to the following:

{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://JAMF_PRO_URL.com/servicediscoveryenrollment/v1/deviceenroll"
    }
  ]
}

Note: The service discovery JSON file for your Managed Apple ID domain can only specify either
Account-Driven Device Enrollment or Account-Driven User Enrollment for devices to use. It cannot be
specified for both.

Hosting Jamf Pro Enrollment Information on a Web Server for Account-Driven Device Enrollment

To host the Jamf Pro enrollment information on a web server, you must define the path to your web server. If
the verified domain you use for Managed Apple IDs is already configured to host files, you can host the
enrollment information at the same hosting location. If your environment is not configured to do so, you must
set up a web server to host the information.

Note: Jamf recommends consulting your internal web services and hosting team to help you complete
this task.

Requirements
• The web server must have the same fully qualified domain name (FQDN) as the verified domain that the
Managed Apple IDs belong to, and web services must be enabled.
• The JSON file must be hosted on a server which supports HTTPS GET requests.

• The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of
trusted root certificates on iOS devices, see Lists of available trusted root certificates in iOS from Apple's
support website.

The resulting URL for the file must be similar to the following:

https://mycompany.com/.well-known/com.apple.remotemanagement

Note: In the above example, mycompany.com must be the same verified domain that the Managed
Apple IDs belong to that are enrolling a device.

You must configure the server to return the appropriate Content-Type header with the file, as follows:

Content-Type is 'application/json'

Note: Your server software may refer to Content-Type as "MIME type".

For more information about how to modify the MIME type, see the following documentation:

• Adding Static Content MIME Mappings from Microsoft's documentation
• Apache Module mod_mime from Apache's documentation
• Full Example Configuration from NGINX's documentation

To verify the contents of the JSON file are hosted correctly, execute the following command:

curl -I https://mycompany.com/.well-known/com.apple.remotemanagement

The command should print something similar to the following:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Day, 00 Month Year 00:00:00 GMT
Content-Type: application/json
Content-Length: 150
Last-Modified: Day, 00 Month Year 00:00:00 GMT
Connection: keep-alive
ETag: "xxxxxx-xxxxxx"
Accept-Ranges: bytes
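
The checks from the two sections above (the properties of the com.apple.remotemanagement file and the hosting requirements), collected into one validator. This is an added example, not part of the Jamf documentation: the host jamf.example.com, the address user@mycompany.com and the sample response are constructed, and requiring https on BaseURL is an assumption based on the page's example URLs.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
ENROLL_SUFFIX = "/servicediscoveryenrollment/v1/deviceenroll"
REQUIRED_VERSION = "mdm-adde"


def discovery_url(managed_apple_id):
    """URL the device requests: https://<domain after the @>/.well-known/..."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not a full Managed Apple ID: %r" % managed_apple_id)
    return "https://" + domain.lower() + WELL_KNOWN_PATH


def check_server_entry(index, entry):
    """Return the problems found in one element of the "Servers" array."""
    if not isinstance(entry, dict):
        return ["Servers[%d] is not a JSON object" % index]
    problems = []
    if entry.get("Version") != REQUIRED_VERSION:
        problems.append("Servers[%d].Version is %r, must be %r"
                        % (index, entry.get("Version"), REQUIRED_VERSION))
    base_url = entry.get("BaseURL")
    if not isinstance(base_url, str):
        problems.append("Servers[%d].BaseURL is missing" % index)
        return problems
    parts = urlsplit(base_url)
    # Assumption: the Jamf Pro URL is https, as in every example on the page.
    if parts.scheme != "https" or not parts.hostname:
        problems.append("Servers[%d].BaseURL is not an https URL" % index)
    if not parts.path.rstrip("/").endswith(ENROLL_SUFFIX):
        problems.append("Servers[%d].BaseURL does not end with %s"
                        % (index, ENROLL_SUFFIX))
    return problems


def check_response(status, headers, body):
    """Return a list of problems in one HTTP response (empty list means OK)."""
    problems = []
    if status != 200:
        problems.append("status is %d, expected 200" % status)

    # Header names are case-insensitive; parameters such as charset are ignored.
    lowered = {name.lower(): value for name, value in headers.items()}
    media_type = lowered.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append("Content-Type is %r, expected application/json"
                        % media_type)

    try:
        doc = json.loads(body)
    except ValueError as exc:
        problems.append("body is not valid JSON: %s" % exc)
        return problems

    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('missing or empty "Servers" array')
        return problems
    for index, entry in enumerate(servers):
        problems.extend(check_server_entry(index, entry))
    return problems


# Constructed sample: headers modelled on the curl output above, body modelled
# on the JSON above with a placeholder Jamf Pro host.
SAMPLE_HEADERS = {"Content-Type": "application/json", "Content-Length": "150"}
SAMPLE_BODY = """{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://jamf.example.com/servicediscoveryenrollment/v1/deviceenroll"
    }
  ]
}"""

if __name__ == "__main__":
    print(discovery_url("user@mycompany.com"))
    for line in check_response(200, SAMPLE_HEADERS, SAMPLE_BODY) or ["OK"]:
        print(line)
```

To check a live server, pass the status, headers and body of a GET request for the URL returned by discovery_url() to check_response().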

Device Enrollment with Apple Configurator


You can manually enroll mobile devices via Apple Configurator. You can generate an enrollment URL or create
an enrollment profile. Both methods involve connecting the mobile device via USB to a computer with Apple
Configurator installed.

Enrollment URLs with Apple Configurator


You can enroll mobile devices with Jamf Pro by using Apple Configurator. This involves enabling Apple
Configurator enrollment in Jamf Pro, and then connecting devices to a computer via USB to enroll them using
Apple Configurator and an enrollment URL.

You can enable the following types of Apple Configurator enrollment URLs:

Static URL

Allows you to manually provide the URL to the person that operates the Apple Configurator workstation in
the way that best fits your environment. The static URL cannot expire and does not allow you to enroll
devices into sites as a part of the enrollment process.

The static enrollment URL for Jamf Pro is your Jamf Pro server followed by /configuratorenroll (e.g.,
https://JAMF_PRO_URL.jamfcloud.com/configuratorenroll).

Dynamic URL

A secure enrollment experience that allows you to view a randomly generated enrollment URL in Jamf
Pro or send that URL to the person that operates the Apple Configurator workstation via an enrollment
invitation. When you view or send a dynamic URL via an enrollment invitation, you can set the expiration
date for the URL and choose a site to add devices to during enrollment.

Related Content

• Apple Configurator User Guide for Mac (Apple)

Enabling Apple Configurator Enrollment URLs


1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click Apple Configurator enrollment.
3. Click the Enrollment tab, and then click Edit.

4. Select Enable Apple Configurator Enrollment via Dynamic URL, Enable Apple Configurator
Enrollment via Static URL, or both.
5. Click Save.

A static or dynamic URL can now be used in Jamf Pro or shared with an Apple Configurator workstation via an
enrollment invitation.

Generating a Dynamic URL for Enrollment via Apple Configurator Enrollment

You can generate the dynamic Apple Configurator enrollment URL or send an email or SMS invitation that
contains the URL from Jamf Pro to the person that operates the Apple Configurator workstation. The
enrollment URL is used with Apple Configurator to enroll mobile devices with Jamf Pro.

Requirements
• Apple Configurator 2 or later
• An email address or phone number of the operator of the Apple Configurator workstation

1. In Jamf Pro, click Devices in the sidebar.
2. Click Enrollment Invitations in the sidebar.
3. Click New.
4. Select Apple Configurator Enrollment as the enrollment method.
5. Follow the onscreen instructions to view the invitation URL directly in Jamf Pro or to send the enrollment
invitation via email or SMS text messaging.

If you chose to view the enrollment URL, it displays in Jamf Pro. If you chose to send the enrollment URL, an
enrollment invitation containing the dynamic URL is sent to the specified email addresses or phone numbers.

To view devices in your organization that enroll with Jamf Pro via a specific enrollment invitation, navigate to
the enrollment invitation.

Enrollment Profiles with Apple Configurator


Enrollment profiles are .mobileconfig files that enroll mobile devices with Jamf Pro. This enrollment method
involves the following:

1. Creating an enrollment profile in Jamf Pro
2. Connecting a device to a computer via USB
3. Installing the enrollment and trust profile using Apple Configurator

When you create an enrollment profile using Jamf Pro, you specify user and location information, purchasing
information, and a site for mobile devices enrolled using the profile. To enroll mobile devices using Apple
Configurator, you must download both the enrollment profile and its Trust Profile from Jamf Pro and import
both profiles to Apple Configurator.

Training Video

Watch the Manually Enroll Devices with Apple Configurator 2 video to learn how to create enrollment
profiles with Apple Configurator 2.

Related Content

• Apple Configurator User Guide for Mac (Apple)

Creating an Enrollment Profile for Use with Apple Configurator


1. In Jamf Pro, click Devices in the sidebar.
2. Click Enrollment Profiles in the sidebar.
3. Click New.
4. Use the General pane to configure basic settings for the enrollment profile.
5. (Optional) Click the User and Location Information tab and specify user and location information for the
devices.
6. (Optional) Click the Purchasing Information tab and specify purchasing information for the devices.
7. (Optional) Click the Attachments tab and click Upload to upload an attachment.
8. Click Save.

Downloading Enrollment and Trust Profiles


You must download the enrollment and trust profiles (.mobileconfig) from Jamf Pro so that you can
import them into Apple Configurator.

The trust profile contains the CA certificate that establishes trust between the certificate authority (CA) and
mobile devices. This profile is automatically created by Jamf Pro when you create an enrollment profile.

1. In Jamf Pro, click Devices in the sidebar.
2. Click Enrollment Profiles in the sidebar.
3. Click the enrollment profile you want to download.
4. Click Download to download the Enrollment profile.
You may be prompted to install the profile. Click Cancel to decline.

5. Click Trust Profile.
You may be prompted to install the profile. Click Cancel to decline.

The enrollment profile downloads immediately as a .mobileconfig file, and the trust profile downloads
immediately with the filename Trust Profile.mobileconfig.

When the trust profile is imported to Apple Configurator, it displays in the Profiles list with a name that identifies
it as the CA certificate profile.

For more information about components installed on mobile devices during enrollment, see
Components Installed on Mobile Devices.

User Enrollment for BYOD


Apple's recommended method for enrolling or migrating personally owned mobile devices in Jamf Pro is User
Enrollment. For more information on User Enrollment, see User Enrollment and MDM from Apple's support
website. You can choose from and configure two different User Enrollment methods:

• Account-Driven User Enrollment—(iOS 15 and iPadOS 15 or later) Users open the Settings app,
navigate to General > VPN & Device Management, and then sign in with a Managed Apple ID. After sign-
in, users are redirected to your organization's Jamf Pro enrollment portal.
• Profile-Driven User Enrollment—(iOS 13 and iPadOS 13 or later) Also known as "User-Initiated
Enrollment via URL". Users are provided a direct Jamf Pro enrollment URL that opens your organization's
enrollment portal in Safari.

Both User Enrollment methods allow administrators to build a Bring Your Own Device (BYOD) program with
the following device and data privacy and security advantages:

Transparency

Users can review the IT management capabilities of personally owned mobile devices before enrolling
their device. User Enrollment results in an unsupervised device state, allowing users to remove the MDM
profile.

Data Separation, Access, and Privacy


Users can securely access institutional resources such as email, contacts, calendars, Wi-Fi, and VPN,
while keeping their personal data secure. Users maintain a personal Apple ID for their personal data and
use a Managed Apple ID for institutional data.

Security

IT can only remove institutional data from the device, ensuring protection of the user's personal data,
such as photos and documents. Since users must interactively complete enrollment, User Approved
MDM status is achieved and grants administrators additional device management privileges.

Disclaimer:

Personal device profiles are deprecated and no longer a recommended enrollment method for
personally owned devices. User Enrollment is the Apple-preferred method for enrolling personally
owned devices in a Bring Your Own Device (BYOD) program.

User Enrollment Requirements

General Requirements
• A push certificate in Jamf Pro
For more information, see Push Certificates in the Jamf Pro Documentation.
• (LDAP login only) An LDAP server set up in Jamf Pro
For more information, see LDAP Directory Service Integration in the Jamf Pro Documentation.
• (SSO login only) Single Sign-On Authentication enabled in Jamf Pro, with the Enable Single Sign-On for
User Authentication during Enrollment checkbox selected.
For more information, see Single Sign-On (SSO).
• The following Jamf Pro and personally owned device versions:

Note: Personally owned mobile devices must also have free storage space for corporate data.

Account-Driven User Enrollment
◦ Jamf Pro 10.33.0 or later
◦ iOS or iPadOS 15 or later

Profile-Driven User Enrollment
◦ Jamf Pro 10.17 or later
◦ iOS or iPadOS 13.1 or later

Managed Apple ID Requirements


To create Managed Apple IDs for Account-Driven User Enrollment or Profile-Driven User Enrollment, you must
either use federated authentication between Apple and your identity provider (IdP) or create them manually
in Apple Business Manager or Apple School Manager.

For more information, see the following resources from Apple:

Apple School Manager User Guide:

• Intro to federated authentication with Apple School Manager

• Use Managed Apple IDs in Apple School Manager

Apple Business Manager User Guide:

• Intro to federated authentication with Apple Business Manager


• Use Managed Apple IDs in Apple Business Manager

Note: For Account-Driven User Enrollment, Managed Apple IDs must belong to a verified domain. For
more information, see Verify domains in Apple Business Manager and Apple School Manager from
Apple's support website.

Account-Driven User Enrollment Web Hosting Requirements


You must define the Jamf Pro enrollment information in a JSON file and host it on a web server that is
accessible to any device you want enrolled with Jamf Pro. To set this up, you need the following:

• The web server must have the same fully qualified domain name (FQDN) as the verified domain that the
Managed Apple IDs belong to, and web services must be enabled.
• The JSON file must be hosted on a server which supports HTTPS GET requests.
• The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted
root certificates on iOS devices, see Available trusted root certificates for Apple operating systems from
Apple's support website.

For more information about defining the Jamf Pro enrollment information in a JSON file and hosting it on a web
server, see Setting up Account-Driven User Enrollment in the Jamf Pro Documentation.

Enabling User Enrollment for Mobile Devices in Jamf Pro


User Enrollment for personally owned mobile devices is enabled via Jamf Pro's User-Initiated Enrollment
settings. You can enable Profile-Driven User Enrollment, Account-Driven User Enrollment, or both.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click User-initiated enrollment.
3. Click Edit.
4. Click the iOS tab.
5. Select the Enable for personally owned devices checkbox in one or both sections to enable
Profile-Driven User Enrollment, Account-Driven User Enrollment, or both.

6. (Optional) Click the Access tab and configure whether an LDAP group has access to enroll mobile devices
using an enrollment URL without an invitation.
When sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during
enrollment.

7. Click Save.

User Enrollment is now enabled for enrollment with Jamf Pro for the selected methods.

Related Content

• User-Initiated Enrollment Settings

Setting up Account-Driven User Enrollment


Setting up Account-Driven User Enrollment involves creating and hosting enrollment information in a JSON file
on a web server. This allows devices to initiate a service discovery process to retrieve the information and
direct the user to the enrollment portal on their device. For more information about JSON files, see Working
with JSON.

Defining Jamf Pro Enrollment Information for Account-Driven User Enrollment
A device must authenticate with the Jamf Pro server to initiate the service discovery process and direct a user
to the enrollment portal.

After the user signs in with their full Managed Apple ID, the following process occurs:

1. The device extracts the domain information (information following the @ symbol) from the Managed Apple
ID
2. The device sends an HTTP request to the web server hosting the enrollment information, and
authenticates with the Jamf Pro server

Example: If the user Samantha Johnson signs in to a device with the Managed Apple ID
[email protected] , the device extracts mycompany.com and uses the service
discovery process to make an HTTP request for the enrollment information that is hosted at
mycompany.com .

3. The device uses that information to redirect Samantha Johnson to the Jamf Pro enrollment portal

For more information about the service discovery process, see this Discover Authentication Servers
documentation from the Apple Developer website.

To enable a device to authenticate with the Jamf Pro server, you must create a JSON file named
com.apple.remotemanagement and define the following properties in it:

BaseURL

The full URL for your Jamf Pro instance followed by /servicediscoveryenrollment/v1/userenroll

Version
The enrollment version.

Important: This must be defined as "mdm-byod".

The contents of the JSON file should look similar to the following:

{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://JAMF_PRO_URL.com/servicediscoveryenrollment/v1/userenroll"
    }
  ]
}

Note: The service discovery JSON file for your Managed Apple ID domain can only specify either
Account-Driven Device Enrollment or Account-Driven User Enrollment for devices to use. It cannot be
specified for both.

Hosting Jamf Pro Enrollment Information on a Web Server for Account-Driven User Enrollment
To host the Jamf Pro enrollment information on a web server, you must define the path to your server. If the
verified domain you use for Managed Apple IDs is already configured to host files, you can host the enrollment
information at the same hosting location. If your environment is not configured to do so, you must set up a web
server to host the information.

Note: Jamf recommends consulting your internal web services and hosting team to help you complete
this task.

Requirements
• The web server must have the same fully qualified domain name (FQDN) as the verified domain that the
Managed Apple IDs belong to, and web services must be enabled.
• The JSON file must be hosted on a server which supports HTTPS GET requests.
• The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of
trusted root certificates on iOS devices, see Lists of available trusted root certificates in iOS from Apple's
support website.

The resulting URL for the file must be similar to the following:

https://mycompany.com/.well-known/com.apple.remotemanagement

Note: In the above example, mycompany.com must be the same verified domain that the Managed Apple
IDs used to enroll devices belong to.

You must configure the server to return the appropriate Content-Type header with the file. This must be the
following:

Content-Type: application/json

Note: Your server software may refer to this as "MIME type".

For more information about how to modify the MIME type, see the following documentation:

• Adding Static Content MIME Mappings from Microsoft's documentation


• Apache Module mod_mime from Apache's documentation
• Full Example Configuration from NGINX's documentation

To verify the contents of the JSON file are hosted correctly, execute the following:

curl -I https://mycompany.com/.well-known/com.apple.remotemanagement

The command should print something similar to the following:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Day, 00 Month Year 00:00:00 GMT
Content-Type: application/json
Content-Length: 150
Last-Modified: Day, 00 Month Year 00:00:00 GMT
Connection: keep-alive
ETag: "xxxxxx-xxxxxx"
Accept-Ranges: bytes
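
The requirements in this section (URL derived from the Managed Apple ID domain, HTTP 200, the application/json Content-Type, and the Version and BaseURL properties) can be checked together in one script. The following Python is an added example, not part of the Jamf documentation; the host jamf.example.com and the sample responses are constructed, and requiring https on BaseURL follows the page's example rather than a stated rule.

```python
"""Checks a service discovery response against the requirements listed above."""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
ENROLL_SUFFIX = "/servicediscoveryenrollment/v1/userenroll"
REQUIRED_VERSION = "mdm-byod"


def discovery_url(managed_apple_id):
    """Build the discovery URL from the domain after the @ in a Managed Apple ID."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not (sep and local and domain):
        raise ValueError("expected a full Managed Apple ID in the form user@domain")
    return "https://" + domain.lower() + WELL_KNOWN_PATH


def check_response(url, status, headers, body):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    target = urlsplit(url)
    if target.scheme != "https":
        problems.append("discovery file must be served over HTTPS")
    if target.path != WELL_KNOWN_PATH:
        problems.append("path must be " + WELL_KNOWN_PATH)
    if status != 200:
        problems.append("expected HTTP 200, got %s" % status)

    # Header names are case-insensitive; parameters such as charset are allowed.
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if ctype.split(";", 1)[0].strip().lower() != "application/json":
        problems.append("Content-Type must be application/json, got %r" % ctype)

    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return problems + ["body is not valid JSON"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ['"Servers" must be a non-empty array']

    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append("Servers[%d] is not an object" % i)
            continue
        if server.get("Version") != REQUIRED_VERSION:
            problems.append('Servers[%d].Version must be "%s"' % (i, REQUIRED_VERSION))
        base = urlsplit(str(server.get("BaseURL", "")))
        # Assumption: https is required, as in the page's example BaseURL.
        if base.scheme != "https" or not base.netloc:
            problems.append("Servers[%d].BaseURL must be an absolute https URL" % i)
        if not base.path.endswith(ENROLL_SUFFIX):
            problems.append("Servers[%d].BaseURL must end with %s" % (i, ENROLL_SUFFIX))
    return problems


def fetch(url):
    """GET the file; urllib verifies the server certificate by default."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


# Constructed sample responses (not captured from a real server).
GOOD_HEADERS = {"Content-Type": "application/json"}
GOOD_BODY = json.dumps({"Servers": [{
    "Version": "mdm-byod",
    "BaseURL": "https://jamf.example.com" + ENROLL_SUFFIX,  # hypothetical host
}]})
BAD_HEADERS = {"content-type": "application/octet-stream"}
BAD_BODY = '{"Servers": [{"Version": "byod", "BaseURL": "http://jamf.example.com/enroll"}]}'

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass a full Managed Apple ID
        url = discovery_url(sys.argv[1])
        result = check_response(url, *fetch(url))
    else:  # offline demonstration on the constructed bad response
        url = discovery_url("user@mycompany.com")
        result = check_response(url, 200, BAD_HEADERS, BAD_BODY)
    print(url)
    print("\n".join(result) or "all checks passed")
```

Run with a full Managed Apple ID as the only argument to check a live server; a certificate that is not trusted by the local trust store raises an error in fetch rather than returning a result.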

Account-Driven User Enrollment Experience


Account-Driven User Enrollment initializes when a user signs in to their device with a Managed Apple ID. After
sign-in, users are redirected to your organization's enrollment portal and prompted to install the MDM profile on
their device.

The text displayed in the enrollment portal may vary depending on which text or languages are customized for
your organization with Jamf Pro's user-initiated enrollment settings.

Note: If users are re-enrolling a device previously enrolled using a legacy Personal Device Profile, Jamf
recommends you remove the device's previous record from Jamf Pro before re-enrollment.

The following workflow describes how Account-Driven User Enrollment can be used to enroll personally owned
mobile devices with Jamf Pro:

1. The user signs in to their device using a Managed Apple ID by navigating to Settings > General > VPN &
Device Management > Sign In to Work or School Account:

2. The user is prompted to enter a Managed Apple ID:

Important: The user must enter the full Managed Apple ID. For example,
"[email protected]"

After the user enters the Managed Apple ID, the user taps Continue.
3. The enrollment portal displays and prompts the user to enter their Jamf Pro User Account, single sign-on
credentials, or directory credentials (for example, LDAP).

After entering their single sign-on or directory credentials, the user taps Log In.
4. The user is directed to the Settings app and enters their Managed Apple ID email address and password
when prompted.

After entering the Managed Apple ID and password, the user taps Continue.
5. The user is prompted to allow remote management.

The MDM Profile downloads on the device when the user taps Allow Remote Management.

Enrollment Single Sign-on (SSO)


Environments with a Bring Your Own Device (BYOD) program using supported identity providers can configure
an Enrollment single sign-on (SSO) workflow to enhance the Account-Driven User Enrollment experience.

With Enrollment SSO, the Account-Driven User Enrollment experience now includes the installation of an
authentication app, which will facilitate enrollment into Jamf Pro. Once the user is enrolled in Jamf Pro, the
authentication app remains installed as a managed app to provide additional authentications.

Note: Enrollment SSO with Jamf Pro currently only supports Okta.

General Requirements
You must have the following to configure Enrollment SSO:

• Mobile devices with iOS 16 or iPadOS 16 or later


• Single Sign-On Authentication enabled in Jamf Pro
• Account-Driven User Enrollment configured in Jamf Pro. For details, see Setting up Account-Driven User
Enrollment.
• Enable for personally owned devices enabled for Account-Driven User Enrollment, with Enrollment
Method set to User Enrollment. For details, see Enabling User Enrollment for Mobile Devices in Jamf Pro.

Configuring Enrollment SSO with Okta Verify


Using Okta Verify as an Enrollment SSO app with Jamf Pro requires the configuration of multiple items within
Jamf Pro, including Single Sign-On settings, a managed app configuration for the Okta Verify app, and a
configuration profile with a Single Sign-on Extension payload configured.

Requirements
• Okta as an identity provider
• Okta FastPass authentication enabled for your Jamf Pro app in the Okta dashboard. For details, see
Okta FastPass from Okta.

Note: End users will be guided to set up and register within the Okta Verify app if they select the
Sign in with Okta FastPass option when authenticating with Jamf Pro during enrollment. If the user
signs in to Okta without selecting Okta FastPass, the Okta Verify app can be set up by the user later,
after the device enrolls with Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.
2. In the System section, click Single sign-on.
3. Select the Enable Single Sign-On for Account-Driven Enrollment checkbox.
4. Enter the host URL found in your Okta dashboard in the URL field.
5. Enter the Management Hint found in your Okta dashboard in the Management Hint field.
6. (Optional) Specify a user group.
7. Click Save.
8. In Jamf Pro, click Devices in the sidebar.
9. Click Mobile Device Apps in the sidebar.
10. Click New.
11. Select App Store app or apps purchased in volume and click Next.
12. Do one of the following:

◦ To add the app by browsing the App Store or apps purchased in volume, enter Okta Verify, choose an
App Store country and click Next. Then click Add.
◦ To add the app by uploading a VPP code spreadsheet, click Choose File and upload the Excel
spreadsheet (.xls) that contains VPP codes for the app.
◦ To add the app by manually entering information about it, click Enter Manually.
13. Use the General tab to configure basic settings for the app and select "Install Automatically" from the
Distribution Method pop-up menu.
14. Click the App Configuration tab. Copy and paste the following PLIST into the Preferences field.

<dict>
<key>managementHint</key>
<string>your-secret-key-here</string>
</dict>

Note: Replace your-secret-key-here with the secret key found in your Okta dashboard after enabling
Okta FastPass.

15. Click the Scope tab and configure the scope of the app.
16. Click Save.
17. Click Configuration Profiles in the sidebar, and then click New.
18. Use the General payload to configure basic settings for the profile.
19. Use the Single Sign-On Extensions payload to configure settings for the profile as follows:
a. Click Add.
b. Enter com.okta.mobile.auth-service-extension in the Extension Identifier field.
c. Enter Okta Device in the Realm field.
d. Enter your host URL in the Hosts field. For example, myorganization.okta.com.
e. In the Custom Configuration setting section, upload a PLIST that contains the following:

<?xml version="1.0" encoding="UTF-8"?>
<plist>
<dict>
<key>managementHint</key>
<string>your-secret-key-here</string>
</dict>
</plist>

Note: Replace your-secret-key-here with the secret key found in your Okta dashboard after
enabling Okta FastPass.

20. Click the Scope tab and configure the scope of the profile.
21. Click Save.

Providing an Enrollment URL for Profile-Driven User Enrollment


You can provide the enrollment URL to users in the way that best fits your environment.

Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account. When a
user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro during
enrollment. When a user logs in with a Jamf Pro user account, it allows an LDAP user to be assigned to the
device.

Note: For Account-Driven User Enrollment, the user is redirected to the enrollment portal and prompted
to install the MDM profile on their device after they authenticate to their device with a Managed Apple
ID. Because this enrollment method is initiated when the user signs in with the Managed Apple ID, you
do not need to provide users with the enrollment URL to direct them to the enrollment portal.

Requirements
• Profile-Driven User Enrollment enabled for mobile devices via Jamf Pro's User-Initiated Enrollment
settings
For more information, see Enabling User Enrollment for Mobile Devices in Jamf Pro.
• (LDAP sign-in only) An LDAP server set up in Jamf Pro
For more information, see LDAP Directory Service Integration.
• Safari on user devices to access the enrollment URL

The enrollment URL is the full URL for the Jamf Pro server followed by /enroll. To direct users to the
enrollment portal, you provide an enrollment URL.

Example:

• Cloud-Hosted—https://JAMF_PRO_URL.jamfcloud.com/enroll
• On-Premise—https://JAMF_PRO_URL.com:8443/enroll

Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account.

When a user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro
during enrollment.

When a user logs in with a Jamf Pro user account, an LDAP user can be assigned to the device.

Related Content

• User-Initiated Enrollment Settings

Profile-Driven User Enrollment Experience


Profile-Driven User Enrollment initiates via an enrollment URL that is opened on the device in Safari. Your
organization's enrollment URL is your Jamf Pro instance URL with /enroll added at the end:

https://JAMF_PRO_URL.jamfcloud.com/enroll

The text displayed in the enrollment portal may vary depending on which text or languages are customized for
your organization with Jamf Pro's user-initiated enrollment settings.

Note: If users are re-enrolling a device previously enrolled using a legacy Personal Device Profile, Jamf
recommends you remove the device's previous record from Jamf Pro before re-enrollment.

The following workflow describes how user enrollment can be used to enroll personally owned mobile devices:

1. The user is prompted to log in with either their directory credentials or a Jamf Pro user account with user-
initiated enrollment privileges. Directory credentials may include one of the following authentication types:
◦ LDAP
◦ Single sign-on (SSO)
◦ Cloud identity provider (IdP)
After entering their credentials, the user must click Log In. If the user is authenticating via a single sign-on
provider, the user will be redirected to their organization's login page.

2. The user is prompted to enroll the device as a personally owned device or an institutionally owned device.

This step is only displayed if both institutionally owned device enrollment and personally owned device
enrollment are enabled in Jamf Pro. Any customized text for your organization with Jamf Pro's User-
Initiated Enrollment settings is also displayed.

3. If prompted to select a site, the user may choose a site to associate their device with. This will apply the
appropriate site settings defined by your organization to the device.

4. If the Skip certificate installation during enrollment checkbox is deselected in Jamf Pro's User-
Initiated Enrollment settings, the user is prompted to install a profile with the CA certificate before they
install the MDM profile.

The user must follow the onscreen instructions to install the CA certificate. After the CA certificate is
installed, the user must return to Safari to install the MDM profile.
5. When prompted, the user must enter their Managed Apple ID email address to download their MDM profile.

6. A Profile Downloaded dialog will be displayed. The user must click Close.

7. In the Settings app, the user taps Enroll in YOUR ORGANIZATION to continue and follows the onscreen
enrollment prompts. The user must sign in using the same Managed Apple ID that they entered earlier. If
the user authenticates using a Managed Apple ID that does not match the one entered prior to
downloading the MDM profile, the enrollment will fail and the user must restart the enrollment process.

For more information on the sign-in process for Profile-Driven User Enrollment, see User Enrollment MDM
information in Apple Platform Deployment.

Important: The user has eight minutes to install the enrollment profile before iOS discards the
profile. If this occurs, the user must restart the enrollment process.

8. When the user returns to Safari, the following message will be displayed indicating that the device is
enrolled with Jamf Pro.

Declarative Device Management


Declarative device management adds more capabilities to Apple's MDM protocol that can be used in addition
to existing MDM protocol capabilities. Declarative device management allows managed devices to proactively
and autonomously apply management settings and report state changes to the MDM server asynchronously.
This results in less communication with the MDM server and faster, more reliable device updates.

Jamf Pro automatically enables declarative device management capabilities for compatible managed devices.
Devices with declarative device management enabled report their state changes automatically to the MDM
server via a communication channel called the status channel. Subscribed status items, when changed on the
device, are proactively reported and reflected in device inventory information.

Some inventory attributes subscribe to the status channel and proactively update themselves. For more
information, see:

• Computer Inventory and Criteria Reference


• Mobile Device Inventory and Criteria Reference

Declarative device management is also used for (Beta) managed software updates on computers and mobile
devices enrolled with Jamf Pro. For more information, see:

• (Beta) Updating macOS Using Managed Software Updates


• (Beta) Updating iOS, iPadOS, and tvOS Using Managed Software Updates

For more information on declarative device management and the status channel, see Declarative device
management in Apple Platform Deployment.

General Requirements
Jamf Pro automatically enables declarative device management on devices that meet the following
requirements:

• Computers with macOS 13 or later


• Devices with iOS 16 or iPadOS 16 or later

Note: Devices enrolled via User Enrollment support declarative device management on iOS 15 or
later, or iPadOS 15 or later.

• Apple TV devices with tvOS 16 or later

Declarative Device Management Capabilities with Jamf Pro


Jamf Pro automatically sends a remote management command to enable declarative device management on
the device during the following events:

• Enrollment with Jamf Pro for newly enrolled devices. Declarative device management is supported with all
enrollment types (Automated Device Enrollment, Device Enrollment, and User Enrollment)
• During the next device check-in for existing devices that are eligible for declarative device management

Example:
When a device is upgraded to iOS 16 or iPadOS 16, it automatically becomes enabled for declarative
device management, and the following operations occur:

• Via the status channel, the device proactively reports the new OS version to Jamf Pro, and Jamf Pro
updates its inventory information.
• Any smart groups or advanced searches that use OS version as criteria are recalculated.
• The device evaluates itself against existing declarations installed on the device and applies any
configuration updates based on available activation logic.

Identifying Devices That Have Declarative Device Management Enabled
You can identify if an individual computer or mobile device has declarative device management enabled by
viewing its General inventory information.

To identify if multiple devices have declarative device management enabled, you can create an advanced
search as described below.

1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Click Search Inventory in the sidebar.
3. Click New.
4. Use the Search pane to configure basic settings for the search.
To save the search, select the Save this Search checkbox.
5. Click the Criteria tab and add the following advanced search criteria:
◦ Criteria—Declarative Device Management
◦ Operator—is
◦ Value—Enabled
6. Click Save.

Devices that have declarative device management enabled display in the advanced search results.

Managing Computers

Building the Framework for Managing Computers

Recurring Check-in Frequency
The recurring check-in frequency is the interval at which computers check in with Jamf Pro for available
policies.

By default, the recurring check-in frequency is set to “Every 15 Minutes”.

Related Content

• Policy Management
• Components Installed on Managed Computers

Configuring the Recurring Check-in Frequency


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Check-in.
3. Click Edit.
4. Configure the recurring check-in frequency using the pop-up menu on the pane.
5. Click Save.

Each computer checks in at the specified interval, starting at the time the setting is applied to the computer.
This means that check-in times will vary across computers.

Startup Script
The Startup Script settings in Jamf Pro allow you to create a startup script on computers and use it to perform
the following actions at startup:

• Log Computer Usage information (date/time of startup).


• Check for policies triggered at startup.

• Ensure SSH (Remote Login) is enabled on computers.

Related Content

• Computer Usage
• Policy Management
• Components Installed on Managed Computers

Configuring the Startup Script


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Check-in.
3. Click Edit.
4. Configure the startup script settings using the checkboxes on the pane.
5. Click Save.

Login Events
The Login Events settings in Jamf Pro allow you to create login events on computers and use them to perform
the following actions:

• Log Computer Usage information (username and date/time) at login.


• Check for policies triggered at login or logout.

Related Content

• Computer Usage
• Policy Management
• Components Installed on Managed Computers

Configuring Login Events


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Check-in.
3. Click Edit.
4. Configure the login events settings using the checkboxes on the pane.
5. Click Save.

Security Settings
The Security settings in Jamf Pro allow you to do the following:

• Enable certificate-based authentication.


• Enable push notifications.
• Automatically install the Privacy Preferences Policy Control profile.
• Automatically install a Jamf Notifications profile.
• Configure SSL certificate verification.
• Specify the condition under which the checksum will be used to validate packages. If you choose to validate
packages, the validation occurs after the package is downloaded.
• Specify a maximum clock skew between managed computers and the Jamf Pro host server.

When a Mac computer attempts to communicate with the Jamf Pro server and the security requirements
specified in Jamf Pro are not met, communication is blocked.

Related Content

• SSL Certificate

• Certificate-Based Authentication for Mac Computers

Automatically Installing the Privacy Preferences Policy Control Profile
When you enroll a computer with Jamf Pro, the computer automatically becomes managed by Jamf Pro. This
allows you to perform remote management tasks on the computer. To perform some tasks on computers with
macOS 10.14 or later, you must allow the Jamf management framework to access the target computer's
system files and processes by installing the Privacy Preferences Policy Control profile.

Note: The Privacy Preferences Policy Control profile is part of a security feature introduced in macOS
10.14. For more information about the Privacy Preferences Policy Control profile, see Privacy
Preferences Policy Control MDM payload settings for Apple devices in Apple Platform Deployment.

This option is enabled by default and allows Jamf Pro to automatically install the Privacy Preferences Policy
Control profile on computers with macOS 10.14 or later that have a User Approved MDM status. With the
profile installed, the Jamf management framework on those computers can access the system files and
processes it needs to manage the computers and perform remote management tasks.

The Enable certificate-based authentication and Enable push notifications settings must be enabled to
access this feature.

For more information about the contents of the Privacy Preferences Policy Control profile, see the "Privacy
Preferences Policy Control Profile Contents" section of the Preparing your Organization for User Data
Protections on macOS 10.14 article.

Automatically Installing a Jamf Notifications Profile


Configuring the Automatically install a Jamf Notifications profile setting in Jamf Pro automatically enables
notifications from the Jamf management framework and Jamf Self Service for macOS. End users are not
prompted to allow notifications the first time they log in to Self Service.

This option is enabled by default and allows Jamf Pro to automatically install the Notifications profile on
computers with macOS 10.15 or later.

The Enable certificate-based authentication and Enable push notifications settings must be enabled to
access this feature.

Configuring SSL Certificate Verification


Configuring the SSL Certificate Verification setting in Jamf Pro ensures that computers only communicate with
a host server that has a valid SSL certificate. This prevents computers from communicating with an imposter
server and protects against machine-in-the-middle attacks.

Consider the following when configuring SSL certificate verification:

• If you are using the self-signed certificate from Apache Tomcat that is built into Jamf Pro, you must select
"Always except during enrollment".
• If you are using an SSL certificate from an internal CA or a trusted third-party vendor, select either "Always"
or "Always except during enrollment". It is recommended that you use "Always" if computers in your
environment are configured to trust the certificate before they are enrolled.

For more information, see the following articles:

• Safely Configuring SSL Certificate Verification
• Change to the SSL Certificate Verification Setting in Jamf Pro 9.98 or Later

Configuring Security Settings

Requirements
To enable push notifications, you must have a push certificate in Jamf Pro. For more information, see Push
Certificates.

1. In Jamf Pro, click Settings in the sidebar.

2. In the Computer management section, click Security.
3. Click Edit.
4. Configure the settings on the pane.
5. Click Save.

Inventory for Computers


Computer Inventory Information
Jamf Pro stores detailed inventory information for every enrolled computer. Computer inventory information is
collected using a combination of the following:

• Jamf management framework—The Jamf management framework is installed on every enrolled
computer. For more information, see Applications and Utilities.
• MDM commands—MDM commands are typically issued immediately after Jamf management framework
inventory commands are executed. You can view the sent MDM commands by navigating to the
Management History category in the History tab of the computer inventory information.
• Declarative status channel—Inventory attributes that are reported via the declarative status channel will
autonomously report inventory changes when attribute values change. For example, if a computer updates
to a new macOS version, the computer will report the new macOS version value to Jamf Pro immediately
after the update is complete. For more information, see Declarative Device Management.

By default, the preconfigured "Update Inventory" policy triggers inventory collection. This policy collects
inventory from all computers once every week.

You can trigger an inventory update on a local computer by executing the jamf recon command in Terminal.

Related Content

• Recurring Check-in Frequency

• Renaming a Computer
• Deleting a Computer from Jamf Pro

Viewing and Editing Inventory Information


1. In Jamf Pro, click Computers in the sidebar.
2. Perform a simple or advanced computer search.
For more information, see Simple Computer Searches or Advanced Computer Searches.

Note: You can quickly search for all computer records in Jamf Pro without entering a query by
clicking Search.

3. Click the computer you want to view information for.

If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
The computer's inventory information is displayed.
4. To make changes to an editable inventory field, select the category that contains the information you want
to edit, click Edit, and make changes as needed.
If you are editing user and location information, the changes are applied in the Users tab. This specified
information is also applied in the inventory information for mobile devices and other computers that the
user is assigned to. For information on assigning a user to a computer or removing a user assignment, see
User Assignments.
5. (Optional) To populate computer purchasing information from Apple’s Global Service Exchange (GSX),
click Search to look up and populate information from GSX.

Note: The Search button is only displayed if you have a GSX connection set up in Jamf Pro.

6. Click Save.

Computer Inventory and Criteria Reference


This section lists the inventory attributes you can view for a computer. These attributes can be used as criteria
for your smart computer groups and advanced computer searches. Attribute labels are the same in inventory
information and in criteria lists unless otherwise noted.

When viewing attributes listed in this section, consider the following:

• Most attributes are collected by the Jamf management framework. Attributes collected by MDM commands
are noted in this section.
• Attributes that are also reported via the declarative status channel are identified in this section. For more
information, see Declarative Device Management.
• Inventory attributes with a minimum macOS version requirement are noted in the Jamf Pro interface.
• Some attributes are editable.

The following categories of inventory information are only displayed if the Computer Inventory Collection
settings are configured to collect them:

• Local User Accounts
For more information, see "Local User Accounts Category" below.
• Printers
• Active services
• Last backup date/time for managed mobile devices that are synced to computers
• User and location information from an external directory service, such as an LDAP server or Cloud Identity
Provider.

Note: This is only available if an external directory service is configured in Jamf Pro. User and
location data from Inventory Preload may also populate this category.

• Package receipts
• Available software updates
• Application usage information
For more information, see "Applications Category" below.
• Fonts
• Plug-ins
• iBeacon regions

General Category
The General category includes the following information for a computer:

| Inventory Attribute/Criteria | Notes | Declarative Status Supported |
|---|---|---|
| Computer Name | | |
| Jamf Pro Computer ID | | |
| Jamf Pro Management ID | | |
| Site | | |
| Last Inventory Update | | |
| Last Check-in | | |
| IP Address, Reported IP Address (Last Reported IP Address criteria) | To learn how these inventory attributes are collected and how you can manually retrieve the reported IP address, see the Collecting the IP Address and Reported IP Address in Jamf Pro article. | |
| jamf binary Version | | |
| Platform | | |
| Managed (Managed By criteria) | A computer is considered managed when it has the Jamf management framework installed and enrolled with Jamf Pro. The Managed By criteria returns the name of the management account on the computer. | |
| Supervised | Collected by the DeviceInformation MDM command. macOS 10.15 or later. | |
| Enrollment Method | | |
| Last Enrollment | | |
| MDM Profile Expiration Date (criteria only) | | |
| MDM Capability | Displays whether the computer has the MDM profile installed. | |
| Enrolled via Automated Device Enrollment | Displays whether a computer was enrolled via Automated Device Enrollment. macOS 10.13.4 or later. Collected by the SecurityInfo MDM command. | |
| User Approved MDM | Displays the status of User Approved MDM enrollment. macOS 10.13.4 or later. Collected by the SecurityInfo MDM command. For information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro article. | |
| MDM Capable Users | | |
| Asset Tag | | |
| Bar Code 1 | | |
| Bar Code 2 | | |
| Bluetooth Low Energy Capability | Possible values are the following: Capable; Not Capable; Unknown—This value indicates that Jamf Pro is unaware of the mobile device's capability to detect iBeacons using Bluetooth Low Energy because Jamf Self Service has never been opened on the mobile device. | |
| Supports iOS and iPadOS App Installations | | |
| Logged in to the App Store | This value reports as "Active" when a user-level configuration profile is installed from Self Service using MDM-enabled credentials. Collected by the iTunes Account Status MDM command. | |
| MDM Profile Renewal Needed - CA Renewed (criteria only) | | |
| Declarative Device Management | | ✔ |

Hardware Category
The Hardware category includes the following information for a computer:

• Make
• Model

• Model Identifier
• UDID
• Serial Number
• Processor Speed
• Number of Processors
• Number of Cores (Total Number of Cores criteria)
• Processor Type
• Apple silicon (Collected by the DeviceInformation MDM command for macOS 12 or later)
• Architecture Type
• Bus Speed
• Cache Size
• Primary Network Adapter Type
• Primary MAC Address (MAC Address criteria)
• Secondary MAC Address
• Secondary Network Adapter Type
• Total RAM (Total RAM MB criteria)

Note: Capacity is reported using the decimal system (base 10), which calculates 1GB as 1 billion
bytes.

• Available RAM Slots
• Battery Capacity
• SMC Version
• NIC Speed
• Optical Drive
• Boot ROM—As criteria, this includes computers based on their specific boot ROM, based on the ROM's
release number (Example: "10.2.1 [29006] rev 0").

Operating System Category


The Operating System category includes the following information for a computer:

| Inventory Attribute/Criteria | Notes | Declarative Status Supported |
|---|---|---|
| Operating System | | |
| Operating System Version | | ✔ |
| Operating System Build | | ✔ |
| Operating System Supplemental Build Version | | ✔ |
| Operating System Rapid Security Response | | ✔ |
| Software Update Device ID | macOS 12 or later. Collected by the DeviceInformation MDM command. | |
| Active Directory Status | | |
| Master Password Set | | |
| FileVault Users | | |
| Service Pack | | |

User and Location Category


All User and Location category inventory attributes are editable and can be populated automatically by
assigning a user to a computer. For more information, see User Assignments. The User and Location category
includes the following information for a computer:

• Username
• Full Name
• Email address
• Position
• Department
• Building
• Room

Note:

• To collect User and Location information for computers, the Collect User and Location
Information from LDAP setting must be enabled in the Computer Inventory Collection settings. For
more information, see Computer Inventory Collection Settings.
• If the computer is re-enrolled via a PreStage enrollment, there are settings that can affect the user
and location information for that computer. For more information, see Automated Device Enrollment
for Computers and Re-enrollment Settings.

Security Category
The Security category allows you to view the following information for a computer:

• System Integrity Protection
• Gatekeeper
• XProtect Definitions Version
• Disable Automatic Login
• Remote Desktop Enabled (Collected by the SecurityInfo MDM command for macOS 10.14.4 or later)
• Activation Lock (Collected by the DeviceInformation MDM command for macOS 10.15 or later)

Note: For more information on macOS compatibility, see About Activation Lock on your Mac from
Apple's support website.

• Recovery Lock (Collected by the SecurityInfo MDM command for macOS 11.5 or later)
• Secure Boot Level (Collected by the SecurityInfo MDM command for macOS 10.15 or later)

Note: This attribute displays whether the computer allows or disallows booting from external media.

• External Boot Level (Collected by the SecurityInfo MDM command for macOS 10.15 or later)
• Bootstrap Token Allowed (Collected by the DeviceInformation MDM command for macOS 11 or later)
• Bootstrap Token Escrowed
• Firewall (Collected by the SecurityInfo MDM command for macOS 10.12 or later)

For more information about the reporting capabilities for some attributes in the Security category, see the Jamf
Pro Reporting Capabilities for Apple's macOS Security Features article.

Purchasing Category
You can look up and populate purchasing information from Apple’s Global Service Exchange (GSX) if you
have a GSX connection set up in Jamf Pro. For more information, see GSX Connection. The Purchasing
category allows you to view the following information for a device:

• Purchased or Leased
• PO Number (PO criteria)
• PO Date
• Vendor
• Warranty Expiration
• AppleCare ID
• Lease Expiration
• Purchase Price
• Life Expectancy
• Purchasing Account
• Purchasing Contact

You can choose "Purchased or Leased" as criteria in your smart groups and advanced searches.

Extension Attributes Category


This category displays a list of custom data fields collected using extension attributes.

Note: Extension attributes are displayed in device inventory information in the category in which they
are configured to display.

Storage Category
The Storage category includes the following information for a computer:

• Model
• Revision
• Serial Number
• Drive Capacity (Drive Capacity MB criteria)
• S.M.A.R.T. Status
• Number of Partitions

Note: The value for the FileVault 2 State of a partition will be reported as “Unknown” if inventory was
not updated since the last Jamf Pro upgrade or if Jamf Pro is unable to detect encryption status due
to an error.

You can also use the following storage criteria in your smart groups and advanced searches:

• Boot Drive Available MB
• Boot Drive Percentage Full
• Core Storage Partition Scheme on Boot Partition
• Partition Name
• Last iCloud Backup

Disk Encryption Category


This category displays disk encryption information for partitions on a computer. The Disk Encryption category
includes the following information:

| Inventory Attribute/Criteria | Notes |
|---|---|
| Name | |
| Last Inventory Update | |
| FileVault 2 Partition Encryption State | Possible values are: Decrypted; Decrypting; Encrypted; Encrypting; Ineligible; Not Encrypted; Unknown—This value indicates inventory has not been updated since the last Jamf Pro server upgrade, or that Jamf Pro is unable to detect encryption status due to an error. As criteria, this can be coupled with the "Partition Name" criteria to report on the encryption state of a specific partition you specify by name. |
| Personal Recovery Key Validation ("FileVault 2 Individual Key Validation" criteria) | Displays whether the personal (also known as "individual") recovery key on a computer matches the personal recovery key escrowed for that computer in Jamf Pro. This value will be reported as "Unknown" when any of the following conditions are met: macOS version is 10.8 or earlier; there is no recovery key in Jamf Pro to validate against; inventory has not been updated since the last Jamf Pro upgrade. Other possible values are: Invalid (recovery key does not match); Valid (recovery key matches). |
| Personal Recovery Key | To view the recovery key, click Show Key. |
| Device Recovery Key | If a personal recovery key was escrowed using a configuration profile, this will display the "Record Number" message from the escrow profile. If the PRK was escrowed using a Jamf Pro policy, this inventory value is not present. |
| Disk Encryption Configuration | Displays the name of the disk encryption configuration if the computer is encrypted via policy. If the computer is encrypted via configuration profile or locally on the computer, this field is left blank. As criteria, this includes computers with a specified FileVault disk encryption configuration in Jamf Pro. |
| FileVault 2 Enabled Users | Lists usernames of cryptographic users that have a secure token. |

You can also use the following disk encryption criteria in your smart groups and advanced searches:

| Criteria | Notes |
|---|---|
| FileVault Status | Includes computers based on the number of FileVault-enabled users out of the number of users that can be FileVault enabled. Possible values are: All Accounts; No Accounts; Some Accounts. This criteria applies to both FileVault 2 and Legacy FileVault-enabled users. |
| FileVault 2 Recovery Key Type | Includes computers based on the recovery key types that are reported in their Jamf Pro inventory. Possible values are the following: Individual and Institutional; Only Individual; Only Institutional. |
| FileVault 2 Institutional Key | Includes computers based on whether an institutional recovery key exists on a computer. Possible values are: Not Present; Present. |
| FileVault 2 User | Includes computers where the specified user is a FileVault enabled user. For example, to report on computers on which John Smith is a FileVault enabled user, you would enter the criteria FileVault 2 User has "John Smith". |
| FileVault 2 Eligibility | Possible values are the following: Eligible; Legacy FileVault Encrypted; No Recovery Partition; Recovery Partition Unusable Format (recovery partition is in the HFS disk format); Unknown (inventory has not been updated since the last Jamf Pro server upgrade or unable to assess eligibility due to an error); Unsupported OS Version. For all values other than "Eligible", the search returns the first ineligible reason found, based on this order of priority: 1. No Recovery Partition, 2. Recovery Partition Unusable Format, 3. Unsupported OS Version, 4. Legacy. |
| FileVault 2 Status | The partitions that are FileVault 2 encrypted. Possible values are: All Partitions Encrypted; Boot Partitions Encrypted; N/A (no partitions are detected on the computer, which is most likely due to an error); No Partitions Encrypted. |
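
The Disk Encryption values listed above can be triaged mechanically once inventory data has been exported. The following Python code is an added example, not Jamf code or the Jamf Pro API schema: the record layout and sample fleet are constructed, and it assumes that "Legacy" in the priority list refers to the "Legacy FileVault Encrypted" value. Because the FileVault 2 Eligibility search returns only the first ineligible reason, the example also lists the lower-priority reasons that may still apply.

```python
# Added example: triage of disk-encryption inventory values.
# The record layout is constructed for illustration; it is not the Jamf Pro API schema.

ENCRYPTION_STATES = {"Decrypted", "Decrypting", "Encrypted", "Encrypting",
                     "Ineligible", "Not Encrypted", "Unknown"}
UNPROTECTED_STATES = {"Decrypted", "Decrypting", "Ineligible", "Not Encrypted"}
KEY_VALIDATION_VALUES = {"Valid", "Invalid", "Unknown"}

# Order in which the FileVault 2 Eligibility search picks the reason it reports.
# Assumption: "Legacy" in that list is the "Legacy FileVault Encrypted" value.
ELIGIBILITY_PRIORITY = ["No Recovery Partition",
                        "Recovery Partition Unusable Format",
                        "Unsupported OS Version",
                        "Legacy FileVault Encrypted"]
ELIGIBILITY_VALUES = {"Eligible", "Unknown", *ELIGIBILITY_PRIORITY}


def reported_eligibility(reasons):
    """Value the search shows when every reason in `reasons` applies at once."""
    undocumented = set(reasons) - set(ELIGIBILITY_PRIORITY)
    if undocumented:
        raise ValueError(f"undocumented reason(s): {sorted(undocumented)}")
    if not reasons:
        return "Eligible"
    return min(reasons, key=ELIGIBILITY_PRIORITY.index)


def possibly_masked(reported):
    """Lower-priority reasons that may also apply but are hidden behind `reported`."""
    if reported not in ELIGIBILITY_PRIORITY:
        return []
    return ELIGIBILITY_PRIORITY[ELIGIBILITY_PRIORITY.index(reported) + 1:]


def triage(record):
    """Return (severity, message) findings for one computer, 'action' items first."""
    findings = []
    for part in record["partitions"]:
        state = part["FileVault 2 Partition Encryption State"]
        if state not in ENCRYPTION_STATES:
            raise ValueError(f"undocumented encryption state: {state!r}")
        if state in UNPROTECTED_STATES:
            findings.append(("action", f"{part['Name']}: {state}"))
        elif state != "Encrypted":  # Encrypting or Unknown: look again after inventory
            findings.append(("recheck", f"{part['Name']}: {state}"))

    key = record["Personal Recovery Key Validation"]
    if key not in KEY_VALIDATION_VALUES:
        raise ValueError(f"undocumented key validation value: {key!r}")
    if key == "Invalid":
        findings.append(("action", "escrowed personal recovery key does not match"))
    elif key == "Unknown":
        findings.append(("recheck", "recovery key could not be validated"))

    eligibility = record["FileVault 2 Eligibility"]
    if eligibility not in ELIGIBILITY_VALUES:
        raise ValueError(f"undocumented eligibility value: {eligibility!r}")
    if eligibility == "Unknown":
        findings.append(("recheck", "eligibility not assessed"))
    elif eligibility != "Eligible":
        hidden = possibly_masked(eligibility)
        note = f"; may also hide: {', '.join(hidden)}" if hidden else ""
        findings.append(("action", f"not eligible: {eligibility}{note}"))

    # sorted() is stable, so findings keep their order within each severity.
    return sorted(findings, key=lambda finding: finding[0] != "action")


def fleet_report(records):
    """Map computer name to findings, omitting computers with nothing to report."""
    report = {}
    for record in records:
        findings = triage(record)
        if findings:
            report[record["Computer Name"]] = findings
    return report


STATE_KEY = "FileVault 2 Partition Encryption State"
# Constructed sample records (not real inventory data).
SAMPLE_FLEET = [
    {"Computer Name": "mac-001", "FileVault 2 Eligibility": "Eligible",
     "Personal Recovery Key Validation": "Valid",
     "partitions": [{"Name": "Macintosh HD", STATE_KEY: "Encrypted"}]},
    {"Computer Name": "mac-002", "FileVault 2 Eligibility": "Eligible",
     "Personal Recovery Key Validation": "Invalid",
     "partitions": [{"Name": "Macintosh HD", STATE_KEY: "Encrypting"}]},
    {"Computer Name": "mac-003",
     "FileVault 2 Eligibility": "Recovery Partition Unusable Format",
     "Personal Recovery Key Validation": "Unknown",
     "partitions": [{"Name": "Macintosh HD", STATE_KEY: "Not Encrypted"}]},
]

if __name__ == "__main__":
    for name, findings in fleet_report(SAMPLE_FLEET).items():
        for severity, message in findings:
            print(f"{name}\t{severity}\t{message}")
```
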

Applications Category
This category includes information about the applications installed on a computer. You can use the following
applications criteria in your smart groups and advanced searches:

• Application Title
• Application Version—This criteria can be used in tandem with Application Title to include computers based
on a specific version of a specific application.
• iTunes Store Account

Profiles Category
This category includes information about the configuration profiles installed on a mobile device. Inventory
information for the Profiles category is collected by the ProfileList MDM command.

You can use the following profiles criteria in your smart groups and advanced searches:

• Profile Name
• Profile Identifier

Certificates Category
The Certificates category displays a list of certificates installed on a device. Inventory information is collected
for the Certificates category by the CertificateList MDM command.

You can use the following certificates criteria in your smart groups and advanced searches:

• Certificate Issuer
• Certificate Name
• Certificates Expiring

Package Receipts Category


This category includes information about the packages installed on a computer. You can use the following
packages criteria in your smart groups and advanced searches:

• Cached Packages
• Packages Installed by Casper (Jamf Pro)
• Packages Installed By Installer.app/SWU

Local User Accounts Category


This category displays a list of local user accounts and information about them. Inventory information for the
Local User Accounts category is collected by the UserList MDM command for computers with macOS 10.13
or later enrolled via Automated Device Enrollment.

Note: The Local User Accounts category information is populated by the jamf binary if computers do not
meet the UserList MDM command requirements.

You can access commands to remotely unlock a local user account, or remotely remove a local or mobile user
account by clicking Manage for a user. For more information, see Remote Commands for Computers.

This information is only displayed if the Computer Inventory Collection settings are configured to collect it. For
more information, see Computer Inventory Collection Settings. The following table lists the Local User
Accounts category inventory attributes that you can view for a computer:

| Inventory Attribute/Criteria | Notes |
|---|---|
| UID | |
| Username | |
| Password Type | Only displayed if Jamf Pro can identify the user account type (e.g., "Local", "LDAP", or "Mobile LDAP") |
| Minimum Passcode Length (Required Passcode Length criteria) | |
| Maximum Passcode Age | |
| Minimum Number of Complex Characters | |
| Password History | |
| Full Name | |
| Admin | |
| Home Directory | |
| Legacy FileVault Enabled | |
| FileVault 2 Enabled | |
| User Azure Active Directory ID | Unique identifier within Microsoft Entra ID for users that registered their computers with Entra ID. If the user registers many local accounts or multiple computers, their User Azure Active Directory ID is always the same. |
| Computer Azure Active Directory ID | (Legacy Conditional Access integration) Unique identifier within Microsoft Entra ID for the computer local account. The Computer Azure Active Directory ID is unique across each computer and each local user account. Every time a user registers a computer with Entra ID that local account will be given a unique identifier. |
| Conditional Access Inventory State | Displays one of the following values when the legacy macOS Intune Integration is enabled: "Activated"—Computer is registered with Entra ID and regularly checks in with Jamf Pro. "Unresponsive"—Computer has not checked in with Jamf Pro in the last 24 hours using the standard Jamf Pro check-in process, or the computer has not checked in with Microsoft Intune in the last 24 hours. Unresponsive devices are marked "non-compliant" after the validity period passes. (The validity period is specified in the "Compliance status validity period (days)" setting in Microsoft Intune. Default is 30 days.) "Deactivated"—Computer is no longer registered with Entra ID. |
| Device Compliance Integration - Compliance Status | Criteria available only for Device Compliance devices that can be used for Smart Groups. This value is not visible anywhere outside of a smart group. You can also look up compliance information via the Jamf Pro API. For more information, see Get compliance information for a single computer device in the Jamf Pro Developer Portal. |
| Device Compliance Integration - Registration Status | Criteria available only for Device Compliance devices that can be used for Smart Groups. This value is not visible anywhere outside of a smart group. You can also look up compliance information via the Jamf Pro API. For more information, see Get compliance information for a single computer device in the Jamf Pro Developer Portal. |
| Compliant | Displays one of the following values within Microsoft Entra ID for each registered device: Yes—The device has been registered with Entra ID and has a status of compliant in Jamf Pro. No—The device has been registered with Entra ID and has a status of non-compliant in Jamf Pro. N/A—The device has been registered in Entra ID but compliance status has not been received by Jamf Pro. |
| Scheduled Tasks (criteria only) | |

Attachments Category
You can upload and delete attachments to the inventory record using this category. To upload an attachment,
click Upload. To delete an attachment, click Delete.

Content Caching Category


Inventory information for the Content Caching category is collected by the ContentCachingInformation
MDM command for computers with macOS 10.15.4 or later. For more information on content caching reporting
capabilities, see Apple's documentation.

The Content Caching category allows you to view the following information for a computer:

• Activated (Content Caching - Activated criteria)
• Active (Content Caching - Active criteria)
• Actual Cache Used
• Alerts
• Cache Details
• Cache Free
• Cache Limit (Content Caching - Cache Limit bytes criteria)
• Cache Status (Content Caching - Cache Status criteria)
• Cache Used (Content Caching - Actual Cache Used bytes criteria)
• Data Migration Completed
• Data Migration Error
• Data Migration Progress
• Max Cache Pressure in Last Hour
• Parents
• Personal Cache Free
• Personal Cache Limit
• Personal Cache Used
• Port
• Public Address
• Registration Error
• Registration Response Code
• Registration Started
• Registration Status
• Restricted Media
• Server GUID
• Startup Status
• Tetherator Status (Content Caching - Tetherator Status criteria)
• Total Bytes are Since
• Total Bytes Dropped
• Total Bytes Imported
• Total Bytes Returned to Children
• Total Bytes Returned to Clients
• Total Bytes Returned to Peers

• Total Bytes Returned from Origin
• Total Bytes Returned from Parents
• Total Bytes Returned from Peers

Computer Inventory Collection Settings


Computers can submit many types of inventory information to Jamf Pro. Basic inventory information—such as
hardware, operating system, user and location information, storage, and applications—is collected
automatically.

The Computer Inventory Collection settings in Jamf Pro allow you to collect the following additional items:

• Local user accounts, with the option to include home directory sizes and hidden system accounts
• Printers
• Active services
• Last backup date/time for managed mobile devices that are synced to computers
• User and location from an LDAP directory service (only available if an LDAP server is set up in Jamf Pro)
• Package receipts
• Available software updates
• Application usage information
• Fonts
• Plug-ins
• iBeacon regions

For descriptions of the information collected for each of these items, as well as information on the items that
are collected automatically, see Computer Inventory and Criteria Reference.

You can also use the Computer Inventory Collection settings to do the following:

• Prevent Jamf Pro from collecting unmanaged certificates.
• Specify custom search paths to use when collecting applications, fonts, and plug-ins.
• Monitor iBeacon regions so that computers submit information to Jamf Pro when they enter or exit a region.

Note: By default, Jamf Pro uses Unix user paths to save space in the application details database table.
To manage this feature, navigate to Settings > Computer Management > Inventory Collection >
Software.

Time and Traffic Estimates for Collecting Additional Items


Collecting additional inventory items may add reporting time and network traffic to the inventory process.

The following table provides estimates of how much time and traffic may be added when collecting user home
directory sizes, available software updates, fonts, and plug-ins. These estimates are based on a MacBook Pro
with approximately 300 GB of user home directories, 100 applications, 300 fonts, and 900 plug-ins.

| Additional Inventory Item | Time (Seconds) | Traffic (KB) |
|---|---|---|
| (No additional items) | 9 | 102 |
| Home directory sizes | 25 | 104 |
| Available software updates | 110 | 104 |
| Fonts | 10 | 128 |
| Plug-ins | 13 | 248 |

The following table provides estimates of how much time and traffic may be added when collecting Application
Usage information. These estimates are based on a MacBook Pro with eight applications used per day, one
week between inventory reports, and one computer user.

| Additional Inventory Item | Time (Seconds) | Traffic (KB) |
|---|---|---|
| (No additional items) | 16 | 24 |
| Application Usage information | 17 | 48 |

Search Paths for Collecting Applications, Fonts, and Plug-ins


The following table lists the default search paths that are used when collecting applications, fonts, and plug-ins
from computers.

| Collected Item | Default Search Paths |
|---|---|
| Applications (and Application Usage information, if collecting) | /Applications/ |
| Fonts | /Library/Fonts/, /System/Library/Fonts/, /Library/Application Support/Adobe/Fonts/, ~/Library/Fonts/ (collected at the user level for each account) |
| Plug-ins | /Library/Internet Plug-Ins/ |

If you store these items in locations not listed in the table, you can use the Computer Inventory Collection
settings to specify custom search paths for those locations.

Configuring the Computer Inventory Collection Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Inventory collection.
3. Click Edit.
4. On the General pane, select the checkbox for each inventory item you want to collect.
5. To collect Application Usage information or add custom paths in which to search for applications, do the
following:
a. Click the Software tab, and then click Applications.
b. To collect Application Usage information, select the Collect Application Usage Information
checkbox.
c. To add a custom search path, click Add. Then enter the full path for the location you want to search
and the platform to which it applies.
d. Repeat step c to specify additional custom search paths as needed.
6. To collect fonts and add custom paths in which to search for fonts, do the following:
a. Click the Software tab, and then click Fonts.
b. Select the Collect Fonts checkbox.
c. To add a custom search path, click Add. Then enter the full path for the location you want to search
and the platform to which it applies.
d. Repeat step c to specify additional custom search paths as needed.
7. To collect plug-ins and add custom paths in which to search for plug-ins, do the following:
a. Click the Software tab, and then click Plug-ins.
b. Select the Collect Plug-ins checkbox.

c. To add a custom search path, click Add. Then enter the full path for the location you want to search
and the platform to which it applies.
d. Repeat step c to specify additional custom search paths as needed.
8. Click Save.

Computer Extension Attributes


Extension attributes allow you to collect extra inventory information. Extension attribute values are populated
using an input type, which can be any of the following:

• Text field
• Pop-up menu
• Script
• Directory Service attribute mapping

In Jamf Pro, you can create extension attributes manually or from an available template in Jamf Pro. You can
also create extension attributes programmatically via the Jamf Pro API. For more information, see Extension
Attributes in the Jamf Pro Developer Portal.

Examples:

• A text field input can collect the retire date of a computer.


• A script input can collect data about your company's antivirus software on a computer.

Extension attributes can be used as criteria in a smart group or as a variable in a configuration profile, which
allows you to administer dynamic management workflows and tasks based on the data collected with
extension attributes.

Note: Depending on the input type and data type (string, integer, date (YYYY-MM-DD hh:mm:ss)),
extension attributes may add time and network traffic to the inventory collection process.

Extension Attribute Input Types


Extension attributes collect inventory data by using an input type. You can configure the following input types:

Text Fields
You can display a text field in inventory information. You can enter a value in the field during enrollment
or at any time using Jamf Pro.

Note: Text fields can only be configured by a manually created extension attribute or
programmatically via the Jamf Pro API.

Pop-up Menus
You can display a pop-up menu in inventory information. You can choose a value from the pop-up menu
when enrolling a computer or at any time using Jamf Pro.

Note: Pop-up menus can only be configured by a manually created extension attribute or
programmatically via the Jamf Pro API.

Scripts

You can run a script that returns a data value each time a computer submits inventory to Jamf Pro. You
can write your own extension attribute script or create one from a template in Jamf Pro.

Keep the following in mind when writing extension attribute scripts:

• Scripts can be written in any language that has an interpreter installed. The most common interpreters
are Bash, Perl, and Python.
• When an extension attribute is populated by a script, the text between the <result></result> tag
is stored in Jamf Pro.
• You can temporarily disable extension attributes to troubleshoot processes.

The following example script collects the hostname from Mac computers:

#!/bin/bash
echo "<result>`hostname 2>&1`</result>"
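
As an added example (not from the Jamf documentation), the script below covers the antivirus case mentioned earlier: it reports when a definitions file was last updated, formatted for the date data type, and always prints exactly one <result> line. The definitions path, the function names, and the choice to return an empty result for a missing or malformed value are assumptions of this example.

```shell
#!/bin/bash
# Added example: extension attribute script for a "date" data type.
# Hypothetical path to the antivirus definitions file; replace with your product's path.
AV_DEFS="${AV_DEFS:-/Library/Application Support/ExampleAV/definitions.db}"

# file_mtime FILE
# Print FILE's modification time as "YYYY-MM-DD hh:mm:ss" (local time).
# Returns non-zero if FILE does not exist.
file_mtime() {
    [ -f "$1" ] || return 1
    # GNU/BusyBox stat understands -c; macOS/BSD stat does not and prints nothing.
    fm_epoch="$(stat -c '%Y' "$1" 2>/dev/null)" || fm_epoch=""
    if [ -n "$fm_epoch" ]; then
        date -d "@$fm_epoch" '+%Y-%m-%d %H:%M:%S'
    else
        stat -f '%Sm' -t '%Y-%m-%d %H:%M:%S' "$1"   # macOS/BSD form
    fi
}

# valid_for_type TYPE VALUE
# Exit 0 if VALUE is a single line that fits the extension attribute data type.
valid_for_type() {
    # Reject multi-line values: only one line belongs between the tags.
    case "$2" in *"
"*) return 1 ;; esac
    case "$1" in
        integer)
            case "$2" in ''|*[!0-9]*) return 1 ;; esac ;;
        date)
            case "$2" in
                [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]' '[0-9][0-9]:[0-9][0-9]:[0-9][0-9]) ;;
                *) return 1 ;;
            esac ;;
        string)
            # Angle brackets in the value would break the <result> wrapper.
            case "$2" in *'<'*|*'>'*) return 1 ;; esac ;;
        *)
            return 2 ;;
    esac
    return 0
}

# ea_result TYPE VALUE
# Print exactly one <result> line; an invalid value becomes an empty result
# (a choice made in this example so bad data never reaches inventory).
ea_result() {
    if valid_for_type "$1" "$2"; then
        printf '<result>%s</result>\n' "$2"
    else
        printf '<result></result>\n'
    fi
}

# Collect the definitions date and report it.
report_av_definitions_date() {
    rad_ts="$(file_mtime "$AV_DEFS")" || rad_ts=""
    ea_result date "$rad_ts"
}

report_av_definitions_date
```

Set the extension attribute's Data Type to match the type passed to ea_result, so that smart group criteria compare the value as a date rather than as a string.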

Directory Service Attribute Mapping

You can use a Directory Service attribute mapping to populate an extension attribute. Extension
attributes can be populated by multiple-value attributes from an LDAP server, such as "memberOf". The
multiple values can later be used when creating smart groups and advanced searches with the extension
attribute criteria and the "has" or "does not have" operators.

Keep the following limitations in mind when using Directory Service multiple-value extension attributes:

• When creating smart groups and advanced searches, the criteria value must accurately reflect the
value returned in inventory. To ensure you use the correct value, copy the extension attribute
inventory value, and paste it in the criteria value field.

• Multiple-value attribute mapping will not work with nested groups. Only the groups directly listed on
the User record will be displayed in the mapped LDAP extension attribute.
• For the extension attributes to work correctly, values returned from the LDAP server cannot contain
the sequence of repeating vertical-bar characters (ASCII code 124, HTML entity = &vert;).

Extension Attribute IDs and Variables


Creating a computer extension attribute generates a variable that can be used to populate configuration profile
settings. The variable is $EXTENSIONATTRIBUTE_# , where # is the extension attribute ID.

For information about using payload variables for configuration profiles, see Computer Configuration Profiles.

For extension attributes that use a text field, pop-up menu, or script input type, the ID number is found in the
extension attribute URL. In the example URL below, "id=2" indicates the extension attribute ID number:

Example: https://JAMF_PRO_URL.jamfcloud.com/computerExtensionAttributes.html?id=2&o=r

For extension attributes with the Directory Service attribute mapping input type, the ID number is displayed in
the Directory Service Attribute Variable field after you save the extension attribute.

Manually Creating a Computer Extension Attribute

Requirements
If you are creating a computer extension attribute with the “Directory Service Attribute Mapping” input type,
you need the following:

• An LDAP server configured in Jamf Pro (For more information, see LDAP Directory Service Integration.)
• The Computer Inventory Collection settings configured to collect user and location information from
LDAP (For more information, see Computer Inventory Collection Settings.)

1. In Jamf Pro, click Settings in the sidebar.

2. In the Computer management section, click Extension attributes.


3. Click New.
4. Configure the following settings:
a. Name your extension attribute.
b. (Optional) Enter a description.
c. Choose the type of data being collected from the Data Type pop-up menu.

d. Choose a category in which to display the extension attribute in Jamf Pro from the Inventory Display
pop-up menu.
e. Choose an input type to populate your extension attribute from the Input Type pop-up menu.
5. Click Save.

Creating a Computer Extension Attribute from a Template


Jamf Pro has built-in templates for many commonly used extension attributes.

1. In Jamf Pro, click Settings in the sidebar.

2. In the Computer management section, click Extension attributes.


3. Click New From Template.
4. Click the extension attribute template you want to use.
5. (Optional) Make changes to the settings as needed.
6. Click Save.

Disabling a Computer Extension Attribute


To troubleshoot workflows, you can temporarily disable extension attributes with the script input type. You can
also choose whether to retain or delete data collected by that extension attribute.

1. In Jamf Pro, click Settings in the sidebar.

2. In the Computer management section, click Extension attributes.


3. Select the extension attribute you want to disable.

Note: Only extension attributes with the script input type can be disabled.

4. Click Edit.
5. Deselect the Enabled checkbox.
6. Click Save.
7. Use the pop-up dialog to choose one of the following:
◦ To retain data collected by the extension attribute, select Retain Existing Data, and then click Save.

Note: All settings and computers using data collected by disabled extension attributes will display
or use the last value collected by the extension attribute before it is disabled.

◦ To delete data collected by the extension attribute, select Delete Existing Data, and then click Save.

Note: If smart computer groups or other settings are using the extension attribute data, deleting
existing data may prevent those items from functioning correctly.

Uploading a Computer Extension Attribute


You can upload an extension attribute obtained from an external source.

1. In Jamf Pro, click Settings in the sidebar.

2. In the Computer management section, click Extension attributes.


3. Click Upload and upload the extension attribute.
4. Click Save.

Computer Inventory Display Settings


The Computer Inventory Display settings allow each Jamf Pro user to choose which attribute fields to display in
the results of a simple computer search.

Configuring the Computer Inventory Display Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Inventory display.
3. On each pane, select or deselect the checkbox for each attribute field you want to display or remove.
4. Click Save.

Simple Computer Searches


A simple computer search functions like a search engine, allowing you to quickly search the items in your
inventory for a general range of results.

The following table shows the items that you can search by and the attributes on which you can base each
search:

| Inventory Item | Searchable Attributes |
|---|---|
| Computers (This includes both managed and unmanaged computers.) | Computer name, MAC address, Bar code, IP address, Asset tag, Serial number, Username, Full name, Email address, Phone number, Position, Department, Building, Room |
| Applications | Application name |
| Local User Accounts | Username |
| Application Usage | Application name |
| Fonts | Font name |
| Package Receipts | Package receipt name |
| Plug-ins | Plug-in name |
| Printers | Printer name |
| Services | Service name |
| Software Updates | Software update name, Software update version |

Note: Computers and applications are searchable by default. The other items are searchable if Jamf
Pro is configured to collect them as inventory.

Search Syntax
This section explains the syntax to use for search functions. In general, searches are not case-sensitive.

Note: The default search preference is “Exact Match”. For most items, the option can be changed to
either “Starts with” or “Contains”. For more information about configuring account preferences, see Jamf
Pro User Accounts and Groups.

The following table explains the syntax you can use for search functions:

| Search Function | Usage | Example |
|---|---|---|
| Return all Results | Use an asterisk (*) without any other characters or terms, or perform a blank search. | Perform a search for “*” or leave the search field empty to return all results. |
| Perform Wildcard Searches | Use an asterisk after a search term to return all results with attributes that begin with that term. | Perform a search for “key*” to return all results with names that begin with “key”. |
| | Use an asterisk before a search term to return all results with attributes that end with that term. | Perform a search for “*note” to return all results with names that end with “note”. |
| | Use an asterisk before and after a search term to return all results that include that term. | Perform a search for “*ABC*” to return all results that include “ABC”. |
| Include Multiple Search Terms | Use multiple search terms separated by a comma (,) to return all results that include those search terms. | Perform a search for “key*, *note” to return all results that begin with “key” and end with “note”. |
| Exclude a Search Term | Use a hyphen (-) before a search term to exclude results that include the term. | Perform a search for “ABC*, -*note” to return all results with names that begin with “ABC” except for those that end with “note”. |

Performing a Simple Computer Search


1. In Jamf Pro, click Computers in the sidebar.
2. Click Search Inventory in the sidebar.
3. Choose an item from the Search pop-up menu.
4. Enter one or more search terms in the fields provided.
5. Press the Enter key.
The list of search results is displayed.

If you searched for an item other than computers, you can view the computers associated with a result by
clicking Expand next to the result. You can also change the item on which the results are based by
choosing an item from the pop-up menu at the top of the page.

You can export the data in your search results to different file formats or perform actions on the results. For
more information, see Computer Reports or Mass Actions for Computers.

Advanced Computer Searches


Advanced computer searches allow you to use detailed search criteria to search the managed and unmanaged
computers in Jamf Pro. These types of searches give you more control over your search by allowing you to do
the following:

• Generate specific search results.


• Specify which attribute fields to display in the search results.
• Save the search.

Criteria Operators
The following table lists operators and examples of how they might be used to qualify values:

| Operator | Definition | Example |
|---|---|---|
| is | Matches the specified string exactly | The criteria "'Computer Name' is 'Test Computer 6'" includes computers with the name "Test Computer 6". By contrast, a computer with the name "Test Computer 7" is not included. |
| is not | Matches values that do not match the specified string exactly | The criteria "'Display Name' is not 'CEO iPad'" includes all devices except those with the exact display name "CEO iPad". By contrast, a device with the display name "CEO iPad Old" is not included. |
| like | Matches values that contain the specified string | The criteria "'Computer Name' like 'AP Science Mac'" includes computers with names such as "AP Science Mac 1", "AP Science Mac 2", and "AP Science Mac 3". |
| not like | Matches values that do not contain the specified string | The criteria "'Display Name' not like 'Staff'" includes devices with display names such as "Student A", "Student B", and "Smith Personal iPhone". |
| matches regex | Matches values that match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Computer Name' matches regex '^LAB-.*$s'" includes computers with names such as "LAB-ART-101", "LAB-CS-101", and "LAB-CS-102". |
| does not match regex | Matches values that do not match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Display Name' does not match regex '^HS'" includes devices with display names such as "iPad HS loaner" and "11 HS iPad". |

And/Or Groupings
If you have multiple criteria, you can use "and/or" groupings to define the relationships between them and
create logic that includes the devices you want in your advanced search. The following groupings are available
when multiple criteria are used:

• and—Only devices that fulfill all related criteria will be included in membership.
• or—Devices that fulfill any of the related criteria will be included in membership.

If more complex logic is necessary to define the relationships between your criteria, you can use the
parenthesis pop-ups to group criteria together.
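
The operators and groupings above can be previewed offline against a list of computer names before a search or smart group is saved. This is an added example, not Jamf code: it models each operator from its definition in the table, assumes case-sensitive comparison and POSIX extended regex (grep -E), and uses constructed names, a constructed regex and a constructed grouping; Jamf Pro's own matching may differ in those respects.

```shell
#!/bin/sh
# Added example: a local model of the criteria operators, for previewing
# which names a set of criteria would select. Not Jamf Pro's implementation.

# criterion_matches VALUE OPERATOR PATTERN
# Exit 0 if VALUE satisfies the criterion, 1 if it does not,
# 2 for an unknown operator or an invalid regex.
criterion_matches() {
    case "$2" in
        "is")       [ "$1" = "$3" ] ;;
        "is not")   [ "$1" != "$3" ] ;;
        "like")     case "$1" in *"$3"*) return 0 ;; *) return 1 ;; esac ;;
        "not like") case "$1" in *"$3"*) return 1 ;; *) return 0 ;; esac ;;
        "matches regex"|"does not match regex")
            printf '%s\n' "$1" | grep -Eq -- "$3"
            cm_status=$?
            # grep exits 0 on match, 1 on no match, >1 on error (bad regex).
            [ "$cm_status" -gt 1 ] && return 2
            if [ "$2" = "matches regex" ]; then
                return "$cm_status"
            fi
            [ "$cm_status" -eq 1 ] ;;
        *)
            echo "unknown operator: $2" >&2
            return 2 ;;
    esac
}

# preview_group reads one computer name per line on stdin and prints the
# names selected by this constructed grouping:
#   ( 'Computer Name' matches regex '^LAB-'  and  'Computer Name' not like 'CS' )
#   or 'Computer Name' is 'Test Computer 6'
# The braces play the role of the parenthesis pop-ups.
preview_group() {
    while IFS= read -r pg_name; do
        if { criterion_matches "$pg_name" "matches regex" '^LAB-' &&
             criterion_matches "$pg_name" "not like" 'CS'; } ||
           criterion_matches "$pg_name" "is" 'Test Computer 6'; then
            printf '%s\n' "$pg_name"
        fi
    done
}

# Constructed sample input: names taken from the examples in the table above.
sample_names() {
    printf '%s\n' \
        "LAB-ART-101" \
        "LAB-CS-101" \
        "LAB-CS-102" \
        "Test Computer 6" \
        "Test Computer 7" \
        "AP Science Mac 1"
}

sample_names | preview_group
```

To check real data, pipe the computer name column of an exported report into preview_group in place of sample_names.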

Creating an Advanced Computer Search


1. In Jamf Pro, click Computers in the sidebar.
2. Click Search Inventory in the sidebar.
3. Click New.
4. Use the Search pane to configure basic settings for the search.
To save the search, select the Save this Search checkbox.
5. Click the Criteria tab and add criteria for the search:
a. Click Add.
b. Click Choose for the criteria you want to add.

Note: Only your 30 most frequently used criteria are listed. To display additional criteria, click
Show Advanced Criteria.

c. Choose an operator from the Operator pop-up menu.


d. Enter a value in the Value field or browse for a value by clicking Browse.
e. Repeat steps a through d to add criteria as needed.
6. Choose an operator from the And/Or pop-up menus to specify the relationships between criteria.
7. To group criteria and join multiple operations, choose parentheses from the pop-up menus around the
criteria you want to group.

Operations in the search take place in the order they are listed (top to bottom).
8. Click the Display tab and select the attribute fields you want to display in your search results.
9. Click Save.
10. To view the search results, click View.

The results of a saved search are updated each time you view the membership.

You can export the data in your search results to different file formats or perform actions on the results. For
more information, see Computer Reports or Mass Actions for Computers.

Computer Reports
Data displayed in smart and static groups or computer search results can be downloaded from Jamf Pro. You
can also email reports for advanced computer searches.

The following file formats are available for downloading or email reporting:

• Comma-separated values file (.csv)


• Tab-separated Values (.tsv)
• XML file

Note: Importing exported reports that contain long number strings in .csv format (e.g. IMEIs, serial
numbers) into Excel will cause the number strings to appear incorrectly.

You can organize the data by basing the report on any of the following inventory items:

• Computers
• Applications
• Fonts
• Plug-ins

• Packages installed by Jamf Pro


• Packages installed by Installer.app/Software Update
• Cached packages
• Local user accounts
• Mapped printers
• Available software updates
• Running services
• Computer groups
• Licensed software
• Certificate name

The data is displayed in alphanumeric order by the selected inventory item.

Creating Reports for Smart and Static Groups or Simple Computer Searches

1. In Jamf Pro, click Computers in the sidebar.
2. Do one of the following:
◦ View computer group memberships. For more information, see Smart Groups or Static Groups.
◦ View simple or advanced computer search results. For more information, see Simple Computer
Searches or Advanced Computer Searches.

Note: You can only create a report from a simple computer search if you searched by computers.

◦ View license usage matches. For more information, see Viewing License Usage Matches.
3. At the bottom of the list, click Export.
4. Follow the onscreen instructions to export the data. The report downloads immediately.

Creating Reports for Advanced Computer Searches


You can download unsaved and saved advanced computer search reports. Advanced computer search reports
can also be emailed instantly or on a defined schedule.

Downloading an Advanced Computer Search Report

1. In Jamf Pro, click Computers in the sidebar.


2. Do one of the following:
◦ Select the saved advanced computer search for which you want to create a report.

◦ Click New, and then use the Criteria and Display panes to configure your search.
3. Click the Reports tab.
4. Select a file format for the report.
5. Select the inventory item on which to base the report results.
6. Click Download Report. The report downloads immediately.

Emailing an Advanced Computer Search Report

Note: To email reports from newly created advanced searches, you must select Save this search and
complete the Display Name field in the Search Pane.

Requirements
To email a saved advanced computer search report, an SMTP server must be set up in Jamf Pro.

For more information, see SMTP Server Integration.

1. In Jamf Pro, click Computers in the sidebar.


2. Do one of the following:
◦ Select the advanced computer search for which you want to create a report.
◦ Click New, and then use the Search, Criteria, and Display panes to configure your search.
3. Click the Reports tab.
4. Select a file format.
5. Select the inventory item on which to base the report results.
6. In the Email Reporting section, enter email addresses, a subject for the email, and the body text for the
email.
7. Click Send Email Report. The report is sent immediately.
8. To set up another email report, click the button, and then repeat the process.

Scheduling Email Reports for Saved Advanced Computer Searches

You can email saved advanced computer search reports according to a defined schedule.

Requirements
To email a saved advanced computer search report, an SMTP server must be set up in Jamf Pro.

For more information, see SMTP Server Integration.

1. In Jamf Pro, click Computers in the sidebar.


2. Select the advanced computer search for which you want to create a report.
3. Click the Reports tab.
4. Select a file format for the report.
5. Select the inventory item on which to base the report results.
6. In the Email Reporting section, enter email addresses, a subject for the email, and the body text for the
email.
7. Select Schedule automatic email reports.
8. Set the frequency and interval schedule that you want to email the report.
9. Click Save.

The reports will be emailed on the specified schedule.

To set up another email report, click the button, and then repeat the process.

Mass Actions for Computers


Mass actions allow you to perform potentially tedious tasks for multiple computers at the same time. Mass
actions can be performed on smart or static group membership lists, computer search results, or lists of license
usage matches. The following table explains the mass actions you can perform using Jamf Pro:

| Mass Action | Description |
|---|---|
| Edit the building or department | Mass editing the building or department for computers allows you to add the computers to a building or department or change the building or department they belong to. This option is only displayed if there are one or more buildings or departments in Jamf Pro. For more information, see Buildings and Departments. |
| Edit the site | Mass editing the site for computers allows you to add the computers to a site or change the site they belong to. When computers are added to a site, any users assigned to those computers are also added to that site. This option is only displayed if there are one or more sites in Jamf Pro. For more information, see Sites. |
| Look up and populate purchasing information from Apple's Global Service Exchange (GSX) | You can mass look up purchasing information from Apple’s Global Service Exchange (GSX) and populate the information in Jamf Pro if desired. This requires a GSX connection set up in Jamf Pro. For more information, see GSX Connection. Note: GSX may not always return complete purchasing information. Only the information found in GSX is returned. |
| Send a mass email to users | You can send a mass email to users associated with the computers in Jamf Pro. The email is sent to the email address associated with each computer. This requires an SMTP server set up in Jamf Pro. For more information, see SMTP Server Integration. |
| Delete the computers from Jamf Pro | You can mass delete computers from Jamf Pro. Note: For information on all Jamf Pro-related components installed on computers and instructions for removing the components, see Components Installed on Managed Computers. |
| Send remote commands | You can mass send remote commands to computers. The remote commands available for a particular computer vary depending on the computer's OS version. For more information, see Remote Commands for Computers. |
| Cancel management commands | You can mass cancel all pending or failed management commands. |

Related Content

• Group Management
• Advanced Computer Searches
• Simple Computer Searches
• Viewing License Usage Matches

Performing Mass Actions for Computers


Mass actions can be performed on static or smart group membership lists, computer search results, or lists of
license usage matches. If you want to send the command to many computers, Jamf recommends sending the
mass action to static or smart group membership lists.

Important: Jamf recommends limiting actions for certain commands. For MDM profile renewal, a batch
of 100 or less is recommended. All other commands should be batched into groups of less than 1000.

1. Do one of the following:


a. View a smart or static computer group membership list. For more information, see Viewing Smart
Group Memberships or Viewing Static Group Memberships.
b. Perform a simple or advanced computer search. For more information, see Performing a Simple
Computer Search or Creating an Advanced Computer Search.

c. View a list of license usage matches. For more information, see Viewing License Usage Matches.
2. At the bottom of the list, click Action.
3. Click the radio button for the mass action you want to perform.
4. Follow the onscreen instructions.

Computer Management Information


Jamf Pro allows you to view management information for each computer, such as group memberships and
Jamf Pro objects that have the computer in scope. The following table lists the management information you
can view for a computer:

Category Notes

Management • To view pending management commands for a computer, the computer and Jamf Pro must
Commands meet the requirements for sending a remote command or installing a computer configuration
profile. For more information, see Remote Commands for Computers or Computer
Configuration Profiles.
• To cancel a pending management command, click Cancel next to the command.
• You cannot view pending management commands if the MDM profile has been removed
from the computer.

Policies --

eBooks --

App Store Apps --

Configuration Profiles This list of profiles does not take into account users assigned to the computer or user actions
taken on the computer.

Activation Lock For information about what the Activation Lock bypass code can be used for, see the
Bypass Leveraging Apple’s Activation Lock Feature with Jamf Pro article.

Operating System This category displays the results of OSUpdateStatus queries when a managed software
update workflow is initiated using MDM command-based workflows in Jamf Pro. The information
displayed can include:
• Product key value of a scheduled update
• The status of the update or completion percentage of the download
• The install action occurring
• Deferral information (for computers with macOS 12.3 or later)
When the workflow is presumed complete, the update progress data is no longer displayed in
this category. To view completed software updates, click the History tab, and then click
Operating System History. For more information, see Computer History Information.

Restricted Software --

Computer Groups --

Patch Management • Patch management software titles in Jamf Pro are third-party macOS software titles that can
be used for patch reporting and patch notifications. For more information on patch
management for third-party updates, see Patch Management.
• To view the software titles that are on the latest version, click Latest Version.
A list of software titles on the latest version is displayed.
• To view the software titles that are on a version other than the latest, click Other Version.
A list of software titles on a version other than the latest is displayed.

Viewing Management Information for a Computer


1. In Jamf Pro, click Computers in the sidebar.
2. Perform a simple or advanced computer search.
For more information, see Simple Computer Searches or Advanced Computer Searches.
3. Click the computer you want to view management information for.

If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
4. Click the Management tab, and then click the category you want to view management information for.
A list of results is displayed.
5. (Optional) Some categories allow you to filter results for specific users on the computer. To view results for
a specific user, enter the username in the Username field and click Update.
A list of results for the user is displayed.

Computer History Information


Jamf Pro allows you to view history information for each computer, such as logs of computer usage and
management actions. You can also flush policy logs for a computer. The following table lists the history
information you can view for a computer:

Category Notes

Application Usage Logs • Computer Inventory Collection settings must be configured to collect Application
Usage information. For more information, see Computer Inventory Collection Settings.

• To view application usage logs for a specific date range, specify the starting and
ending dates using the Date Range pop-up menus on the pane. Then click Update.

Computer Usage Logs A startup script or login event must be configured to log Computer Usage information. For
more information, see Startup Script and Login Events.

Audit Logs --

Policy Logs --

Patch Management Logs --

Screen Sharing Logs --

Management History To cancel a pending management command, click Cancel next to the command.

Hardware and Software History • Computer Inventory Collection settings must be configured to collect
applications, fonts, or plug-ins. For more information, see Computer Inventory Collection Settings.
• To view hardware/software history for a different date range, specify the starting and
ending dates using the Date Range pop-up menus on the pane. Then click Update.
• Inventory report listings that show a change in a computer’s hardware are displayed in
red.

Operating System History When the OSUpdateStatus query is presumed complete for managed software
updates using MDM command-based workflows, this category displays the historical
information for the updates.

Note: Updates are marked as "Installed" when the update workflow commands
have completed and the OS no longer reports an update in progress. Devices will
display the installed OS version upon the next inventory update or declarative
status report, depending on which event occurs sooner.

User and Location History A record of the current information is added to the list whenever changes are made to the
User and Location category in the computer’s inventory information.

App Store Apps To cancel a pending App Store app installation, click Cancel next to the app.

macOS Intune Integration Logs • To view inventory data for a username, click the View Data Sent button.
• You can manually trigger an update of inventory to be sent to Microsoft Intune. This
allows Jamf Pro to send computer inventory attributes to Microsoft Intune outside of
the standard communication schedule.


Viewing History Information for a Computer


1. In Jamf Pro, click Computers in the sidebar.
2. Perform a simple or advanced computer search.
For more information, see Simple Computer Searches or Advanced Computer Searches.
3. Click the computer you want to view history for.

If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
4. Click the History tab, and then click the category for the type of history information you want to view.

Renaming a Computer
Administrators can edit the inventory name of a managed computer in Jamf Pro. To rename the remote
computer to match the inventory name in Jamf Pro, you can use a policy. When changing the remote computer
name, it is best practice to match the hostname and the local hostname of the computer by running a script
with a policy. This allows other computers in the network to discover and connect to the computer in the DNS.

This procedure involves the following steps:

1. Editing the Computer Name in Jamf Pro


2. Changing the Computer Name Using a Policy
3. Updating the Hostname and Local Hostname Using a Policy

Editing the Computer Name in Jamf Pro


To rename the computer in Jamf Pro, you must edit the computer name in the inventory.

Note: Before editing the computer name in Jamf Pro, verify that the current computer name matches
the inventory name in Jamf Pro. The computer name can be found by navigating to System Settings >
General > About (macOS 13 or later) or System Preferences > Sharing > Computer Name
(macOS 12 or earlier).

1. In Jamf Pro, click Computers in the sidebar.


2. Click Search Inventory in the sidebar.
3. In the Search field, enter the computer name that you want to change. For more information, see Simple
Computer Searches.
4. Click the computer name, and click Edit.
5. Enter the new computer name in the Computer Name field.

6. Click Save.

Changing the Computer Name Using a Policy

Requirements
To use a policy to change the computer name, you need a Jamf Pro user account with privileges to create
or update policies.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Use the Maintenance payload to choose basic settings for the policy, including the Reset Computer
Names checkbox.

Note: Enabling this setting resets the computer's name to the name that is specified in the inventory
record. If a policy submits inventory prior to running this policy, the name will change back to what
the computer is currently set to.

6. Click the Scope tab and configure the scope of the policy.
7. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Note: You can verify that the computer name was changed by reviewing the policy log.

Updating the Hostname and the Local Hostname Using a Policy


To update the hostname, computer name, and the local hostname, you need to create a script that includes the
new computer name. Then, you can run the script using a policy. The command used in this script can update
computers dynamically when DNS services are configured on the network.

When updating the hostname and the local hostname, use the following guidelines:

• Use a hyphen instead of spaces.


• The only special character you can use is a hyphen.


• Case is not sensitive.
• Non-alphanumeric characters are ignored.

You can also add the following options to the command used in the script:

-target <target volume>

Sets the name when the computer is booted to the specified target volume

-name <name>

The new name for the computer

-useMACAddress

Changes the name to the primary MAC address

-useSerialNumber

Changes the name to the serial number

-suffix <suffix>

Adds this suffix to the MAC address or serial number. For example:

sudo jamf setComputerName -useMACAddress -suffix '-example'


-prefix <prefix>

Adds this prefix to the MAC address or serial number. For example:

sudo jamf setComputerName -useMACAddress -prefix '-example'


-fromFile <file path>

The path to a CSV file containing the computer's MAC address or serial number, followed by the new
name. For example:

sudo jamf setComputerName -fromFile '/file/path'

1. In Jamf Pro, click Settings in the sidebar.


2. In the Computer management section, click Scripts.
3. Click New.
4. Use the General pane to configure basic settings for the script, including the display name and category.


Note: If you do not add the script to a category, Jamf Admin displays the script in blue text in the
Unknown category.

5. Click the Script tab and enter the following in the script editor, modifying it for your environment:

sudo jamf setComputerName

6. Click Save.

You can now run the script by creating a policy with the script added to the Scripts payload.
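
The naming guidelines above, applied as a check before the rename command runs. This is an added example, not Jamf's own script: normalize_name and apply_name are hypothetical helpers, and the 63-character cap, the use of script parameter 4 for the new name, and the scutil readback are assumptions that are not stated on this page.

```shell
#!/bin/sh
# Added example, not Jamf's own script.
# normalize_name and apply_name are hypothetical helper names.

# normalize_name RAW
# Prints RAW reduced to letters, digits and single hyphens.
# Returns 1 when nothing usable is left.
normalize_name() {
    # Whitespace becomes a hyphen; every other character outside
    # [A-Za-z0-9-] is dropped; runs of hyphens collapse to one; a leading
    # or trailing hyphen is removed so the name can never be read as an
    # option by the command that receives it.
    name=$(printf '%s' "$1" \
        | LC_ALL=C sed 's/[[:space:]]/-/g' \
        | LC_ALL=C tr -cd 'A-Za-z0-9-' \
        | sed -e 's/--*/-/g' -e 's/^-//' -e 's/-$//')
    # Assumption: cap the name at 63 characters, the DNS label limit.
    name=$(printf '%s' "$name" | cut -c1-63)
    name=${name%-}
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# apply_name RAW
# Validates RAW, renames the computer, then prints the resulting names.
# Returns 2 for an unusable name, 3 when the jamf binary is not installed.
apply_name() {
    clean=$(normalize_name "$1") || {
        echo "refusing unusable computer name" >&2
        return 2
    }
    command -v jamf >/dev/null 2>&1 || {
        echo "jamf binary not found" >&2
        return 3
    }
    # The quoted variable reaches jamf as exactly one argument.
    # Policy scripts already run as root, so sudo is omitted here.
    jamf setComputerName -name "$clean" || return 1
    # Readback with scutil (standard macOS tool, not mentioned on this page)
    # so the policy log records what the names are after the change.
    for key in ComputerName HostName LocalHostName; do
        printf '%s=%s\n' "$key" "$(scutil --get "$key" 2>/dev/null || echo unset)"
    done
}

# Entry point when run by a policy. Assumption: the new name is passed as
# script parameter 4. Without it, the file only defines the functions.
if [ -n "${4:-}" ]; then
    apply_name "$4"
fi
```

Because the policy log captures the script's output, the readback lines give a record of the names in effect after the policy ran.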

Deleting a Computer from Jamf Pro


You can remove a computer from your inventory by deleting it from Jamf Pro.

Note: The files and folders installed during enrollment are not removed from the computer when it is
deleted from Jamf Pro. For information on all Jamf Pro-related components installed on computers and
instructions for removing the components, see Components Installed on Managed Computers.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Search Inventory in the sidebar.
3. Perform a simple or advanced computer search. For more information, see Simple Computer Searches or
Advanced Computer Searches.
4. Click the computer you want to delete.
If you performed a simple search for an item other than computers, such as computer applications, you
must click Expand next to an item name to view the computers related to that item.

5. Click Delete, and then click Delete again to confirm.

Related Content

• Mass Actions for Computers

Policies
Policies allow you to remotely automate common management tasks on managed computers. Using a policy,
you can run scripts, manage accounts, and distribute software. When you create a policy, you specify the tasks
you want to automate, how often it should run (“execution frequency”), when the policy should run (“trigger”),
and the users and computers for which it should run (“scope”). You can also make policies available in Self
Service for users to run on their computers as needed.


Note: Removing a target from the scope of a policy does not remove the settings applied by the policy if
it has already run on the computer.

Execution Frequency for Policies


A policy can run at one of the following frequencies:

• Once per computer—This policy runs on any computer in the current scope one time only. If the
Automatically re-run policy on failure checkbox is enabled, you can configure the policy to retry up to 10
times after a policy fails. If a log entry exists for a given computer in the policy's history, the policy will not
run again for that computer until the log is flushed.
• Once per user per computer—This policy runs once per distinct username per distinct computer. If Self
Service has user logins enabled, the policy will run once through Self Service on each computer the user
logs in to.
• Once per user—This policy runs only once per distinct username. It runs through Self Service as long as
Self Service has user logins enabled. The policy will only run once per username in the scope, not once per
username per computer.
• Once every day—This policy runs if the scoped computer has not submitted a policy log to Jamf Pro in the
past day (24 hours).
• Once every week—This policy runs if the scoped computer has not submitted a policy log to Jamf Pro in
the past seven days (168 hours).
• Once every month—This policy runs if the scoped computer has not submitted a policy log to Jamf Pro in
the past 30 days (720 hours).
• Ongoing—This policy runs each time the specified trigger takes place.

Important: When using an ongoing execution frequency with a recurring check-in trigger, policies will
run during every check-in. This may negatively impact server and client performance.

Triggers for Policies


Triggers are events that initiate a policy. When you create a policy, you can choose one or more pre-defined
triggers, or you can choose a custom trigger.

You can use the following pre-defined triggers to run a policy:

• Startup—When a computer starts up. The startup script must be enabled in the Check-In section of
Computer Management Settings.


• Login—When a user logs in to a computer. Login hooks must be enabled in the Check-In section of
Computer Management Settings.
• Network State Change—When a computer’s network state changes (for example, when the network
connection changes, when the computer name changes, or when the IP address changes)
• Enrollment Complete—Immediately after a computer completes the enrollment process
• Recurring Check-In—At the recurring check-in frequency configured in Jamf Pro

Note: On computers with macOS 10.15 or later, Jamf Pro must be safelisted in the Privacy
Preferences Policy Control payload to run policies that access data on a network volume at recurring
check-in. By default, Jamf Pro is automatically safelisted in the Privacy Preferences Policy Control
payload.

• Custom—Initiate the policy manually using the jamf policy -event binary command. For an iBeacon
region change event, use beaconStateChange.

Execution Order of Policies


If multiple policies are triggered at the same time, the policies will run based on their name in alphanumeric
order. Policies with names beginning with a number will run before policies that do not.

Policies can be renamed to ensure that they run on a device in a specific order. This is useful when an
application needs to first be uninstalled before installing a newer version. The uninstall policy can be renamed
to ensure that it runs prior to the install policy.

For example, if policies “Alpha” and “Beta” are triggered at the same time, “Alpha” will run first. However, if it
would be preferable for “Beta” to run first, "Beta" should be renamed to “1Beta”.

Policy Management
When you create a policy, you use a payload-based interface to configure settings for the policy and add tasks
to it. For more information on the settings you can configure, see Policy Payload Reference.

After you create a policy, you can view the plan, status, and logs for the policy. You can also flush policy logs.

Note: To run a policy on a computer, the Allow Jamf Pro to perform management tasks checkbox
must be selected in the computer inventory information to enable the management account. For more
information about the management account, see Enrollment with Jamf Pro.

Related Content


• Log Flushing
• User Interaction with Policies
• Items Available to Users in Jamf Self Service for macOS

Creating a Policy
1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Use the rest of the payloads to configure the tasks you want to perform.
6. Click the Scope tab and configure the scope of the policy.
7. (Optional) Click the Self Service tab and make the policy available in Self Service.

Note: On computers with macOS 10.15 or later, if Jamf Pro is not safelisted in the Privacy
Preferences Policy Control payload, users are prompted when policies that access data on a
network volume are run through Self Service. By default, Jamf Pro is automatically safelisted in the
Privacy Preferences Policy Control payload.

8. (Optional) Click the User Interaction tab and enter messages to display to users or allow users to defer
the policy.
9. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Running a Policy
There are two ways to run a policy with a pre-defined trigger. You can run a policy using the following methods:

• Wait until the configured trigger event occurs.


• Manually trigger the policy using the jamf binary.

To manually trigger the policy using the jamf binary, execute the following command on managed computers:

sudo jamf policy -event <triggerName> -verbose

If the policy has a pre-defined trigger, replace <triggerName> with the appropriate value. The following is a
list of pre-defined triggers:


• Startup— startup
• Login— login
• Logout— logout
• Network State Change— networkStateChange
• Enrollment Complete— enrollmentComplete
• Recurring Check-in—None (execute sudo jamf policy -verbose)

If the policy has a custom trigger, replace <triggerName> with the custom trigger name specified in the
policy.

Note: A policy with a custom trigger must be run manually using the jamf binary.

Viewing the Plan for a Policy


The plan for a policy includes the following information:

• An indicator that shows whether the policy is enabled


• The execution frequency
• The triggers
• The scope
• The site that the policy belongs to
• A list of actions for the policy

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. In the list of policies and their plans, click Expand for a policy to view its actions.

Viewing the Status of a Policy


For each policy, you can view a pie chart that shows the number of computers for which the policy has
completed, failed, and is still remaining.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click Grid View at the top of the list.


Viewing and Flushing Logs for a Policy


The logs for a policy include a list of computers that have run the policy and the following information for each
computer:

• The date/time that the policy ran on the computer


• The status
• The actions logged

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click the policy you want to view logs for.
4. Click Logs.
5. To view the actions logged for a computer, click Details for the computer.
To hide the information when you are done viewing it, click Hide.
6. To flush a policy log for a single computer, click Flush for the computer.
7. To flush all logs for the policy, click Flush All at the bottom of the pane.

Adding a Policy to the Jamf Pro Dashboard


Adding a policy to the Jamf Pro Dashboard helps you monitor its status and progress. For example, you can
determine which computers have received software, which have pending installations, and if any policies have
failed to deploy and require troubleshooting.

If you configure a policy to assist with the deployment of a security stack (e.g., an antivirus suite or Jamf
Protect) to computers, you can track its deployment progress by adding the policy to the Jamf Pro Dashboard.
This allows you to view all completed, pending, retrying, and failed deployment attempts for the policy.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click the policy you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.

5. Click Dashboard in the sidebar.


6. Navigate to the Policy Statuses area of the Jamf Pro Dashboard and find the widget for the policy you
added.
Click any item in the widget to view more details for analysis or troubleshooting.

Monitor the progress of computers that have been scoped to the policy in both the circular percentage graph
and the status categories. Then, use this information to troubleshoot any computers that have Failed, Pending,
or Retrying statuses by clicking the status links and reviewing the computers presented.


Policy Payload Reference


When creating or editing a policy, you use a payload-based interface to configure settings for the policy and
add tasks to it. This section provides an overview of each payload.

Payload Description

General This payload allows you to do the following:


• Enable or disable the policy. (For example, if you need to take the policy out of
production temporarily, you may want to disable it.)
• Add the policy to a site.
• Add the policy to a category.
• Choose one or more triggers.
• Choose the execution frequency.
• Retry the policy if it fails. (This only works with the "Once per computer" execution
frequency.)
• Make the policy available offline. (This only works with the "Ongoing" execution
frequency.)
• Specify the drive on which to run the policy.
• Specify server-side limitations for the policy. (For example, you can specify an
expiration date/time for the policy.) This uses Coordinated Universal Time (UTC).
• Specify client-side limitations for the policy. (For example, you can ensure the policy
does not run on weekends.) This uses the time zone settings of each target computer.

Packages This payload allows you to perform the following software distribution tasks:
• Install packages
• Cache packages
• Install cached packages

Note: To install all cached packages, use the Maintenance payload.

• Uninstall packages
This payload also allows you to do the following when installing packages:
• Specify the distribution point computers should download the packages from.
• Add the packages to the Autorun data of each computer in the scope.
For complete instructions on managing packages, see Package Deployment.

Software Updates This payload allows you to run Apple’s Software Update and choose the software update
server that you want computers to install updates from. For complete instructions on
creating a policy to run Software Update, see Running Software Update Using a Policy in
the Deploying macOS Upgrades and Updates with Jamf Pro 10.34.0 or Later technical
paper.

Scripts This payload allows you to run scripts and choose when they run in relation to other tasks
in the policy. You can also enter values for script parameters. For complete instructions on
running scripts using a policy, see Scripts.

Printers This payload allows you to map and unmap printers. You can also make a printer the
default. For complete instructions on administering printers using a policy, see Printers.

Disk Encryption This payload allows you to enable FileVault on computers with macOS 10.8 or later by
distributing disk encryption configurations.
This payload also allows you to issue a new FileVault recovery key for computers with
macOS 10.9 or later.
For complete instructions on enabling FileVault with a policy, see Enabling FileVault Disk
Encryption Using a Policy.

Dock Items This payload allows you to add and remove Dock items. When you add Dock items, you
can also choose to add them to the beginning or end of the Dock. For complete
instructions on administering Dock items, see Dock Items.

Local Accounts This payload allows you to create and delete local accounts, and reset local account
passwords. When you create an account, you can do the following:
• Specify a location for the home directory.
• Configure the account picture.
• Allow the user to administer the computer.
• Enable the account for FileVault 2 on computers with macOS 10.9 or later.
This payload also allows you to disable an existing local account for FileVault on
computers with macOS 10.9 or later.
For complete instructions on administering local accounts, see Local Accounts.

Management Account This payload allows you to rotate the management account password.

Important: When configuring the management account password settings, it is recommended that you
select the "Randomly generate new password" option for maximum security.

For complete instructions on administering the management account, see Management Accounts.

Directory Bindings This payload allows you to bind computers to a directory service.
For complete instructions on binding to a directory service, see Directory Bindings.

EFI Password This payload allows you to set or remove an Open Firmware or EFI password.
For complete instructions on administering Open Firmware and EFI passwords, see
Setting or Removing an EFI Password.

Note: Only computers with Intel processors have a configurable EFI password. On
Mac computers with Apple silicon, enable FileVault to require users to enter a
password on start up from macOS recovery or a different startup disk.

Restart Options This payload allows you to restart computers after the policy runs and do the following:
• Specify the disk to restart computers from.
• Specify criteria for the restart depending on whether or not a user is logged in.
• Configure a restart delay.
• Restart computers using the RestartDevice MDM command, including the option
to rebuild the kernel cache with specific kernel extension (kext) paths.

Note:
◦ Computers with Apple Silicon (i.e., M1 chip) must have a bootstrap token
escrowed to Jamf Pro in order to leverage this command.
◦ Computers running a version of macOS prior to 11.0 cannot leverage the
kernel cache rebuild functionality of the RestartDevice MDM
command.

• Perform an authenticated restart on computers with macOS 10.8.2–10.12.x, or macOS 10.14 or later
that are FileVault 2 enabled.

Note: For this to work on computers with FileVault 2 activated, the enabled
FileVault 2 user must log in after the policy runs for the first time and the
computer has restarted.

• Configure the restart timer to start immediately without requiring the user to
acknowledge the restart message.
You can also display a message to users before a policy restarts computers. For more
information, see User Interaction with Policies.

Maintenance This payload allows you to perform the following maintenance tasks:
• Update inventory.
• Reset computer names.
• Install all cached packages.
• Fix disk permissions (macOS 10.11 or earlier).
• Fix ByHost files.
• Flush caches.

• Verify the startup disk.


For complete instructions on installing all cached packages, see Package Deployment.

Files and Processes This payload allows you to search computers for specific files and processes, and use
policy logs to log when they are found. You can kill processes that are found and delete
files that are found when searching by path.
This payload also allows you to execute commands.

Microsoft Intune Integration This payload allows you to register computers with Microsoft Entra ID using the
Company Portal app for macOS from Microsoft. End users need to launch the Company Portal app
through Jamf Self Service for macOS to register their devices with Entra ID as a computer
managed by Jamf Pro. It is recommended that you notify end users to let them know they
will be prompted to take action prior to deployment.
The payload also automatically triggers an inventory submission from the computer to
Jamf Pro.
For complete instructions on using the Microsoft Intune Integration payload, see the
Integrating with Microsoft Intune to Enforce Compliance on Macs Managed by Jamf Pro
technical paper.

User Interaction with Policies


User Interaction allows you to display custom messages to users about the policies that run on their computers
and allow users to defer policies. You can display these messages to users before and after a policy runs and
before a policy restarts computers.

When allowing users to defer a policy, you can specify a date and time, or number of days after the user is first
prompted by the policy at which to prohibit further deferral (called the “deferral limit”). This allows you to give
users more control over when the policy runs while ensuring that the policy eventually runs.

Before a policy runs on a computer, the user is prompted to choose to have the policy run immediately or to
defer the policy for one of the following:

• 1 hour
• 2 hours
• 4 hours
• 1 day
• The amount of time until the deferral limit is reached


If the user chooses to defer the policy, they are prompted with the original message after the chosen amount of
time. When the deferral limit is reached, a message is displayed to notify the user, and the policy runs
immediately.

To avoid policy deferment issues and excessive re-runs, the deferment must not exceed the execution
frequency configured for the policy.

Note: When a policy fails and is made available in Self Service with an execution frequency of "Once
per computer" and is configured to automatically retry, the policy will still display in Self Service so users
can retry it. If the user does not re-run the policy using Self Service, the jamf binary will automatically re-
run it on the next configured trigger.

Configuring User Interaction for a Policy


1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Create or edit a policy.
For more information, see Policy Management.
4. Click the User Interaction tab.
5. Configure the settings on the pane.

Note: When configuring User Interaction messages for computers with macOS 10.8 or later, most
messages are displayed in Notification Center in a category called “Management”. Otherwise,
messages are displayed using the Jamf Helper utility.

6. When you are done configuring the policy, click Save .

Packages
A package is a self-contained group of files that can be deployed to remote computers. Jamf uses the term
"Package" to refer to Apple Installer packages (PKGs) and disk images (DMGs) that are used to deploy
software and files to computers. You can use Composer or a third-party packaging tool to build packages of
software, applications, preference files, or documents. For more information about building packages using
Composer, see the Composer User Guide.


You can use Jamf Pro and Jamf Admin to manage packages you plan to deploy to computers in your
environment. Managing packages involves adding the package to your distribution point and to Jamf Pro, and
configuring settings for the package.

After a package is added to the distribution point and Jamf Pro, you can deploy the package to computers
using a policy in Jamf Pro.

Package Management
You can use Jamf Pro and Jamf Admin to manage packages you plan to deploy to computers in your
environment. Managing packages involves adding the package to your distribution point and to Jamf Pro, and
configuring settings for the package.

Before you can deploy packages to remote computers, you must have a distribution point set up in Jamf Pro.
For more information, see About Distribution Points.

Package Upload Methods


You can add the package to your distribution point using the following methods:

• Jamf Pro—If you have a cloud distribution point configured as your principal distribution point, you can
upload the package directly to Jamf Pro. This adds the package to the principal distribution point and Jamf
Pro.
• Jamf Admin—The Jamf Admin application is a repository that allows you to add and manage packages. It
also allows you to create configurations (images) using these items and replicate files to distribution points.
Adding a package to Jamf Admin automatically adds the package to the principal distribution point and Jamf
Pro. To add a package to Jamf Admin, the file must be in one of the following formats:
◦ Disk Image (.dmg)
◦ Installer Package (.pkg)
◦ Metapackage (.mpkg)
◦ Compressed archive (.zip)
◦ Application (.app)

Depending on the type of distribution point in your environment, you can use the following methods for adding
packages to your distribution point and Jamf Pro:

| Distribution Point | Method | Description |
| --- | --- | --- |
| Any Distribution Point | Add the package to Jamf Admin | This method adds the package to the principal distribution point and Jamf Pro. You can then add the package to other distribution points via replication. |
| Cloud Distribution Point | Upload the package directly to Jamf Pro | This method adds the package to the principal distribution point and Jamf Pro. You can then add the package to other distribution points via replication. |
| File Share Distribution Point | Manually | This method involves manually copying the package to the distribution point and then entering information about the package in Jamf Pro. |

Note: On computers with macOS 10.15 or later that do not have an MDM profile, you must use an
HTTP, HTTPS, or cloud distribution point to install packages.

Package Settings
When you add a package to a distribution point and Jamf Pro, you can configure settings for the package, such
as choosing a priority for the package installation. Adding, editing, or deleting a package in Jamf Admin is
reflected in Jamf Pro and vice versa. Some settings are only available when using Jamf Admin to manage the
package.

The following table explains the different settings you can configure for packages:

| Setting | Jamf Pro | Jamf Admin | Description |
| --- | --- | --- | --- |
| Category | ✔ | ✔ | You can add the package to a category, an organizational component that allows you to group the package in Jamf Admin and Jamf Pro. Before you can add a package to a category, you must add the category to Jamf Admin or Jamf Pro. |
| Priority | ✔ | ✔ | You can choose a priority for deploying or uninstalling the package. Consider the following when configuring priority: packages with higher priority install first; package priority defaults to "10"; a package with a priority of "1" is deployed or uninstalled before other packages; multiple packages with the same priority install in alphabetical order based on the package name. |
| Fill User Templates (FUT) | ✔ | ✔ | You can fill user templates with the contents of the home directory in the package's Users folder. This setting applies to DMGs only. |
| Fill Existing User Home Directories (FEU) | ✔ | ✔ | You can fill existing user home directories with the contents of the home directory in the package's Users folder. This setting applies to DMGs only. |
| Index Packages | | ✔ | Indexing a package creates a log of all the files contained within the package. This allows you to uninstall the package and view the contents of the package from Jamf Pro. The time it takes to index a package depends on the amount of data in the package. |
| Allow Package to be Uninstalled | ✔ | ✔ | You can allow the package to be uninstalled. You must index a package using Jamf Admin before you can uninstall it. |
| Require Restart | ✔ | ✔ | You can specify whether computers must be restarted after installing the package. |
| Operating System requirements | ✔ | ✔ | You can specify operating system and architecture type requirements for deploying the package. For example, if you enter "10.13", packages are only installed on computers with macOS 10.13. |
| Install Only if Available in Software Update | ✔ | ✔ | You can choose to install the package only if there is an available update. The display name of the package must match the name in the command-line version of the Software Update. This setting applies to PKGs only. |
| Limit Architecture Type | ✔ | ✔ | You can choose to deploy the packages to computers that meet specific architecture types only. For example, you can specify "PowerPC" as a requirement. You can also specify a previously configured package as a substitute package to deploy to computers that do not have the required architecture type. |

Adding a Package to Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. Drag the package to the main repository in Jamf Admin.
The package is displayed in blue text in the Unknown category until you add it to a category.
3. Double-click the package in the main repository.
4. Click the General tab and configure basic settings for the package, including the display name and
category.

5. Click the Options tab and configure additional settings for the package, including the priority, and
operating system and architecture type requirements.

6. Click OK.

Uploading a Package to Jamf Pro

Requirements
To upload a package to Jamf Pro, your principal distribution point can be a cloud distribution point or local
file share distribution point.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Computer management section, click Packages.
3. Click New.
4. Use the General pane to configure basic settings for the package, including the display name and
category.

Note: If you do not add the package to a category, Jamf Admin displays the package in blue text in
the Unknown category.

5. Click Choose File and select the PKG to upload.

6. (Optional) If you are uploading an enrollment package, you can upload a custom manifest file by clicking
Upload Manifest File. You can remove the file by clicking Delete Manifest File.
7. Click the Options tab and configure additional settings for the package, including the priority.
8. (Optional) Click the Limitations tab and configure limitations for the package, including operating system
and architecture type requirements.
9. Click Save.

Manually Adding a Package to a Distribution Point and Jamf Pro


1. Copy the package to the Packages folder at the root of the file share on the distribution point.

2. In Jamf Pro, click Settings in the sidebar.


3. In the Computer management section, click Packages.
4. Click New.
5. Use the General pane to configure basic settings for the package, including the display name, category,
and filename.

Note: If you do not add the package to a category, Jamf Admin displays the package in blue text in
the Unknown category.

6. Click the Options tab and configure additional settings for the package, including the priority.
7. (Optional) Click the Limitations tab and configure limitations for the package, including operating system
and architecture type requirements.
8. Click Save.

Editing or Deleting a Package Using Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. In the main repository, select the package you want to edit or delete.
3. Do one of the following:
◦ To edit the package, double-click it and make changes as needed. Click OK. Then click File > Save.

◦ To delete the package, click Delete and then click Delete again to confirm.

The edit or delete action is applied immediately on the principal distribution point. The action is applied to your
other distribution points when replication occurs.

Indexing a Package
Indexing a package creates a log of all the files contained within the package. This allows you to uninstall the
package and view the contents of the package from Jamf Pro. The time it takes to index a package depends
on the amount of data in the package.

Packages can be indexed using Jamf Admin only.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. In the main repository, select the package you want to index and click Index at the bottom of the pane.
3. If prompted, authenticate locally.
4. Save the changes by clicking File > Save.

When the indexing process is complete, Jamf Admin defaults back to the main repository.

Viewing the Contents of an Indexed Package


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Packages.
3. Click the package you want to view the contents of.
4. Click Contents.

A table that contains the package contents is displayed.

Calculating a Checksum
The checksum is calculated when a package is uploaded to Jamf Pro. The checksum ensures authenticity
when the package is downloaded.

The checksum can also be calculated manually using Jamf Admin:

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. In the main repository, select the package you want to calculate a checksum for.
3. Control-click (or right-click) and select Calculate Selected Package Checksum(s).
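
The following is an added example, not Jamf code. For a file share distribution point where packages are copied by hand, it audits the Packages folder against checksums you recorded at upload time. The SHA-512 default, the `recorded` mapping and all file names are assumptions; the page does not name the checksum algorithm.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path, algorithm: str = "sha512") -> str:
    """Hash a file in 1 MiB blocks so large packages are not read into memory."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def audit_packages(packages_dir: Path, recorded: Dict[str, str],
                   algorithm: str = "sha512") -> Dict[str, List[str]]:
    """Compare the Packages folder with recorded checksums (filename -> hex digest)."""
    report: Dict[str, List[str]] = {
        "ok": [], "mismatch": [], "missing": [], "unhashed": [], "unlisted": [],
    }
    on_disk = {entry.name: entry for entry in packages_dir.iterdir()}
    for name in sorted(recorded):
        entry = on_disk.pop(name, None)
        if entry is None:
            report["missing"].append(name)       # recorded, but not on the share
        elif not entry.is_file():
            report["unhashed"].append(name)      # bundle directory: no single digest
        elif file_digest(entry, algorithm) == recorded[name].strip().lower():
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)      # content differs from the record
    report["unlisted"] = sorted(on_disk)         # on the share, but never recorded
    return report


def demo() -> Dict[str, List[str]]:
    """Build a constructed Packages folder in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Good-1.0.pkg").write_bytes(b"constructed payload A")
        (root / "Tampered-2.0.pkg").write_bytes(b"constructed payload B, changed after upload")
        (root / "Stray.dmg").write_bytes(b"constructed file with no record")
        (root / "Bundle.mpkg").mkdir()           # non-flat package stored as a folder
        recorded = {                             # constructed records, hypothetical names
            "Good-1.0.pkg": hashlib.sha512(b"constructed payload A").hexdigest().upper(),
            "Tampered-2.0.pkg": hashlib.sha512(b"constructed payload B").hexdigest(),
            "Gone-3.0.pkg": hashlib.sha512(b"constructed payload C").hexdigest(),
            "Bundle.mpkg": "0" * 128,
        }
        return audit_packages(root, recorded)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9} {names}")
```

Anything reported under `mismatch` or `unlisted` is worth investigating before a policy deploys from that distribution point.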

Package Deployment
You can use a policy in Jamf Pro to deploy a package. Policies allow you to remotely install packages on
managed computers. You can automate package installation so that it runs at a specified frequency.

When you configure a policy, you can do the following for each package you add to the policy:

• Fill user templates


• Fill existing user home directories

You can choose the following actions you want computers to take when running the policy:

| Action | Description |
| --- | --- |
| Install | This option enables computers to install the package when they run the policy. To install a package on computers, the package must exist on the distribution point you plan to deploy it from and in Jamf Pro. |
| Cache | This option enables computers to download a cached package without installing it right away. To cache a package on computers, the package must exist on the distribution point you plan to deploy it from and in Jamf Pro. |
| Install Cached | This option enables computers to install one or more of the cached packages. To install a specific cached package, the package must exist on the distribution point you plan to deploy it from and in Jamf Pro. |
| Uninstall | This option enables computers to uninstall a package. |


To uninstall the package from computers, you need the following:
• The package indexed in Jamf Admin
• The package configured so that it can be uninstalled

Note: If the package is an Adobe CS3/CS4 installation, it does not need to be indexed or
configured so that it can be uninstalled.

Packages must be in one of the following formats to deploy them to computers:

• DMG
• PKG
• MPKG
The MPKG format may not always work natively with policies. This is because permissions that are
embedded in the files within the MPKG may conflict with the privileges used by the distribution point read/
write user. It is recommended that you deploy the MPKG file to a test computer first. If the deployment does
not install successfully, use Composer to make a DMG package for distribution with a policy. Composer will
not convert the MPKG to DMG format, but you can use the Snapshot or the Pre-installed method to create a
DMG package. Composer can be used to convert DMG and PKG packages. For more information, see the
Composer User Guide.

Related Content

• JSON Web Token for Securing In-House Content

Deploying a Package Using a Policy


To deploy a package using a policy, you must add the package to a distribution point and Jamf Pro.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Packages payload and click Configure.
6. Click Add for the package you want to install.
7. Depending on the action you want computers to take, choose an action from the Action pop-up menu.
8. Configure the settings for the package.
9. If you are installing a package on computers or caching a package, specify a distribution point for
computers to download the package from.
10. Use the Restart Options payload to configure settings for restarting computers.
11. Click the Scope tab and configure the scope of the policy.
12. (Optional) Click the Self Service tab and make the policy available in Self Service.
13. (Optional) Click the User Interaction tab and configure messaging and deferral options.
14. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Software Title Updates


Jamf offers multiple solutions to help administrators keep third-party macOS software titles in their
environments up to date. These third-party software titles represent software that may not be available in the
App Store. Built-in functionality in Jamf Pro removes the need for an administrator to manually identify,
research, test, deploy, and verify patches. These solutions include:

Patch Management
You can use Patch Management to update third-party macOS software titles from the Patch
Management Software Titles list in the Jamf App Catalog. This method offers the capabilities to view the
third-party macOS software titles currently installed on the computers in your environment, to notify users
when new software is available, and to distribute the new software to target computers.

Important: The Patch Management workflow cannot be used to perform the initial installation of a
software title. To install an app for the first time, create a software installation policy in Computers
> Policies.

App Installers
You can use App Installers to distribute and update available third-party macOS software titles from the
App Installers Software Titles list in the Jamf App Catalog to target computers in a smart computer group.
If a target computer in your smart group has the software title installed, the App Installer distributes the
update when a new version is released. If a target computer in your smart group does not have the
software title installed, the App Installer distributes the software title to the computer once and updates it
when a new version is released.

Patch Management
Patch Sources
A patch source allows you to view the software currently installed on the computers in your environment, to
notify users when new software is available, and to distribute the new software to target computers using the
Patch Management functionality in Jamf Pro. When software titles are configured and available, they are
hosted on a patch source. This allows you to distribute the title to the computers in your environment. There
are two types of patch sources:

• Patch internal source—The patch internal source is configured for you by Jamf Pro and hosts the software
title definitions that are provided by Jamf Pro. For the list of software titles provided by Jamf Pro, see the
Patch Management Software Titles list.
• Patch external source—Jamf Pro provides a framework for integrating with a patch external source. You
can use a server application in your environment or connect to a source hosted by the community.
Integrating with a patch external source involves adding the server information (hostname or IP address for
the server application) to Jamf Pro. You can add as many patch external sources as fit your environment.
One of these patch external sources is Title Editor, a Jamf-hosted service used to provide custom software
titles, override existing patch definitions, and create custom patch definitions. For more information, see the
Title Editor Documentation.

You can use both patch sources to customize a solution for your specific environment.

Adding a Patch External Source to Jamf Pro


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Patch management.
3. To add a patch external source, click New.

4. Configure the settings on the pane.


The following settings may be applicable:
◦ Enabled—This setting enables Jamf Pro to generate the list of software titles hosted on the patch source
and allows the title to be automatically updated.
◦ Use SSL—You must enable this setting if your environment is configured with a TLS certificate and is
sending traffic over HTTPS from your patch external source.
◦ Validate Software Title Definitions—This setting ensures that software titles are signed by a publicly
trusted certificate before they are downloaded from the server. If this setting is enabled and a software
title is not signed, Jamf Pro does not download the title.

5. Click Save.

Jamf Pro can now download and display the software titles available on the source.

Testing a Patch External Source Connection


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Patch management.
3. Click the patch external source you want to test the connection for, and then click Test.
4. Click Test again.

Jamf Pro communicates with the server hosting the external patch server to return status information about the
server and validate the connection to the server endpoints.

Patch Reporting
The patch reporting area of Jamf Pro can be used to do the following for third-party macOS software titles used
in your environment:

• Generate reports for software titles that you have configured in your environment
• Identify which software titles in your environment need to be updated
• Determine which computers have software titles that need to be updated

From the report, you can view when each computer last checked in and the version of the software title
installed on the computer.

You can use the patch reporting features alone, or combine them with the following additional searching and
reporting features in Jamf Pro based on your needs:

• Advanced computer searches—There are several benefits to using advanced computer searches to
produce a list of computers in Jamf Pro:

◦ The ability to display all application titles; the list is not limited to the third-party macOS software titles
provided in the patch reporting area.
◦ The ability to combine patch-related criteria with other criteria. Patch-related criteria include features to
report on Apple operating systems and third-party macOS software titles. When creating an advanced
computer search and selecting Patch Reporting Software Title, you can use "greater than" and "less
than" operators, and "Latest Version" as a value to ensure the search will remain current as new versions
are released. For example, these criteria can be used to create a general compliance report that includes
encryption, or whether computers are on a specific version of an operating system, etc.
• Smart computer groups—Smart computer groups offer the same patch reporting functionality as
advanced computer searches. Additionally, you can view the status of smart groups on the Jamf Pro
Dashboard. You can also get notifications when the membership of a smart group changes.

Related Content

• Advanced Computer Searches


• Smart Groups

Viewing a Patch Report for a Software Title


1. In Jamf Pro, click Computers in the sidebar.
2. Click Patch Management in the sidebar.
3. Click on a software title to view the patch report.

4. To view a list of computers that are on the latest version of a particular software title, click Latest Version.
5. To view a list of computers that are on another version of a particular software title, click Other Version.

6. At the bottom of the report, click Export and choose "Comma-Separated Values file (.csv)" or "Tab
Delimited Text file (.txt)".

Note: The data is exported as it is filtered.

Adding a Patch Report to the Jamf Pro Dashboard


Adding a patch report to the Jamf Pro Dashboard helps you monitor the version breakdown for a software title.
For example, if you are deploying a critical sales app, you can monitor the percentage of devices that have the
current version of the app, view the total devices on the current version compared to a different version, and
view a breakdown of versions within your environment.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Patch Management in the sidebar.
3. Click the software title that has the patch report you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.

5. Click Dashboard in the sidebar.


6. Navigate to the Patch Management Statuses area of the Jamf Pro Dashboard and find the widget for the
patch report you added.
7. Click any item in the widget to view the details.

Patch Policy Workflow


Managing third-party macOS software updates using the patch policy workflow in Jamf Pro involves the
following steps:

1. Configuring a Patch Management software title.


2. Associating a package to a definition in the Patch Management software title.
3. Creating a patch policy to automatically update the software title to the chosen version (the definition the
package was associated to).

Important: The Patch Management workflow in Jamf Pro cannot be used to update macOS. For more
information on updating macOS, see the Deploying macOS Upgrades and Updates with Jamf Pro
10.34.0 or later technical paper.

Configuring a Patch Management Software Title


You can configure a third-party macOS software title in Jamf Pro to use for patch reporting, patch notifications,
and patch policies. For the list of software titles provided in Jamf Pro, see the Patch Management Software
Titles list in the Jamf App Catalog.

Consider the following:

• A Patch Management software title can only exist once for any given site or the full Jamf Pro. You cannot
configure a software title if it already exists in a site or the full Jamf Pro.
• If you have previously created an extension attribute that uses the same name as the Patch Management
software title, you must rename the existing extension attribute before you can configure the software title in
Patch Management. For example, if you have an extension attribute named "amazon-corretto-11" and want
to configure a Patch Management software title with the same name, you must first edit the name of the
previously created extension attribute.
• Some Patch Management software titles use different packages for Apple silicon and Intel-based Mac
computers. For these, Jamf recommends using Title Editor to create and manage software title versions for
Apple silicon. For more information, see the Title Editor Documentation.

Requirements
• The Jamf Pro server must have outbound access to port 443 to access the patch server and the
software title definitions which are hosted on Amazon CloudFront.
• If a software title requires an extension attribute, the Jamf Pro user account configuring the software title
must have full access.

1. Click Patch Management in the sidebar.


2. Click New.
3. Click next to the software title you want to configure.
For some software titles, the Publisher column contains the text "(Combined Definition)". This label
identifies software title versions that are combined into one patch definition. For example, Wireshark 3.2,
3.4, and 3.6 are combined into one patch definition, Wireshark 3.0.

4. Click Edit.
5. Use the Software Title Settings tab to configure basic settings for the software title, including whether to
receive an email or notification in Jamf Pro when an updated software title is available.

Note: The notification settings are applied for Jamf Pro users who have the checkboxes selected for
An updated patch reporting software title is available in Account Settings > Notifications.

6. If the software title uses an extension attribute, click the Extension Attributes tab and accept the terms.

Note: The extension attributes from Jamf's patch internal source cannot be edited or removed.

7. (Optional) Click the Definition tab to review information about the supported software title versions and
attributes about each version.
8. Click Save.

A patch report is automatically generated to identify when the computers in your environment last checked in
and the version of the software title installed.

You can now associate a package to the software title.

Associating a Package to a Patch Management Software Title


Before you can create a patch policy to distribute the desired software title version, you must associate a
package to the software title version.

Note: The patch policy does not verify the package contents before distribution; ensure that the
package contains the intended version of the software update. For more information, see Patch Policies.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Patch Management in the sidebar.
3. Click the software title you want to associate a package to.
4. Click Edit.
5. Click the Definition tab.
6. Click Add.
7. Click Add next to the desired version.
8. Click .
9. Click Save.

You can now create a patch policy to distribute software title updates.

Patch Policies
Patch policies allow you to perform updates of previously installed third-party macOS software titles. After you
have configured a Patch Management software title and associated it with a package, you can create a patch
policy to automate the distribution of software updates. You can configure the patch policy to be installed
automatically or make the policy available in Self Service for users to run on their computers.

When you create a patch policy, you specify information that enables Jamf Pro to automatically generate a list
of eligible computers that need the software update. Jamf Pro continuously keeps this list updated as
computers meet or fail to meet the specified conditions. You can also specify the following information for user
interaction:

• Whether to display notifications about the update (in Self Service, or in Self Service and Notification Center)
• Whether to send users reminders that a software update is available
• The amount of time to wait after the software title update is available before an update is automatically
performed (called "update deadline")

If a computer is in the scope of multiple patch policies for the same software title, only one policy is run for a
specific title based on the following priority:

• The policy with the latest software title version takes precedence.
• If multiple policies are associated with the same software title version, the policy with the greater ID number
will take precedence.

For example, if a computer is in scope of both of the following, only the policy with "id=3" will run:

• https://JAMF_PRO_URL.jamfcloud.com/patchDeployment.html?softwareTitleId=1&id=3&o=r
• https://JAMF_PRO_URL.jamfcloud.com/patchDeployment.html?softwareTitleId=1&id=2&o=r

Related Content

• Items Available to Users in Jamf Self Service for macOS

Variables for Grace Period Messages


There are several variables that you can use to populate the grace period message displayed to users before a
software title is updated.

To use a grace period variable, enter the variable into the Message field on the User Interaction tab when
creating a patch policy in Jamf Pro. When the patch policy is run on a computer, the variable is replaced with
the value of the corresponding attribute in Jamf Pro.

| Variable | Computer Information |
| --- | --- |
| $APP_NAMES | Name of the app that must quit before the software title can be updated |
| $DELAY_MINUTES | Amount of time to wait before automatically quitting the app that cannot be open when a software title is updated |
| $SOFTWARE_TITLE | Software title name |

Creating a Patch Policy


1. In Jamf Pro, click Computers in the sidebar.
2. Click Patch Management and select the software title for which you want to create a patch policy.
3. Click the Patch Policies tab.
4. Click New.
5. Use the General pane to configure basic settings for the patch policy, including the display name and
whether to distribute the policy by installing it automatically or by making it available in Self Service.

Note: While users can search Self Service for items to install on their computers, patch policies will
not be included in the search results.

The following settings enable Jamf Pro to automatically generate the list of eligible computers:
◦ Target Version—Choosing a target version of the software title allows Jamf Pro to add computers that
have an earlier version of the targeted title installed to the list of eligible computers.
◦ Allow Downgrade—This enables an earlier version of the software title to be installed on computers.
Jamf Pro adds the computers with a later version of the targeted title installed to the list of eligible
computers.
◦ Patch Unknown Versions—This enables the targeted version of the software title to be installed on
computers that have unknown versions of the title currently installed. Jamf Pro adds these computers to
the list of eligible computers.
6. Click the Scope tab and configure the scope of the patch policy.
You can view the list of computers that are eligible for the patch policy by clicking the eligible computers
link. If you add a computer that is not in the list of eligible computers, it does not receive the policy until it
meets the conditions defined on the General tab.

Note: For a computer to be eligible to receive a software title update, it must have the software title
installed and meet the conditions on the General tab.

7. (Optional) Click the User Interaction tab to configure the amount of time to wait before quitting apps
automatically, and enter messages to display to users.
Additionally, you can customize the text displayed in the description for the policy in Self Service by using
Markdown in the Description field. For information about Markdown, see the Using Markdown to Format
Text article.

8. Click Save.

The policy is distributed to computers in scope the next time they check in with Jamf Pro.


You can now view the status and logs for the policy.

Viewing the Status of a Patch Policy


For each patch policy, you can view a list that shows the number of computers for which the policy has
completed, failed, and is still remaining.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Patch Management and select the software title for which you want to see the patch policy status.
3. Click Patch Policies.

Viewing Logs for a Patch Policy


The logs for a patch policy include a list of computers in scope of the policy and the following information for
each computer:

• The date/time that the log was created or updated
• The status of the patch policy
• The actions logged for the patch policy

1. In Jamf Pro, click Computers in the sidebar.
2. Click Patch Management and select the software title for which you want to see the patch policy logs.
3. Click Patch Policies and select the policy you want to view logs for.
4. Click Logs.

Adding a Patch Policy to the Jamf Pro Dashboard


If you configure a patch policy to assist with the deployment of a specific application, you can track its
deployment progress by adding the patch policy to the Jamf Pro Dashboard. This allows you to view all
completed, pending, retrying, and failed deployment attempts for the patch policy.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Patch Management in the sidebar.
3. Click the software title you want to add to the Jamf Pro Dashboard.
4. Click Patch Policies.
5. Select the Show in Jamf Pro Dashboard checkbox.
6. Click Dashboard in the sidebar.
7. Navigate to the Patch Management Statuses area of the Jamf Pro Dashboard and find the widget for the
patch management policy you added.
8. Click any item in the widget to view the details.


Resetting the Retries Value


The Patch Management Retries setting allows you to customize the number of times Jamf Pro will try to deploy
a patch policy if the initial attempt fails. The default value is "3" retries.

Note: This setting does not apply to patch policies made available in Self Service.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Patch management.
3. Click Edit.
4. Adjust the value in the Retries field to set the number of times to retry deploying the patch after a failed
status.
5. Click Save.

App Installers
With App Installers, you can distribute and update available third-party macOS software titles from the App
Installers Software Titles list in the Jamf App Catalog to target computers in a smart computer group.

Jamf sources the App Installer packages from vendors and, if necessary, repackages and code-signs them to
be suitable for deployment via MDM command on both Apple silicon and Intel-based Mac computers. This
removes the need to manually monitor, package, and update apps, streamlining the application lifecycle
management process.

Jamf continuously reviews the third-party macOS software titles to make them available as App Installers. To
request a software title, navigate to https://ideas.jamf.com and submit a feature request.

You can choose to install the app automatically or make the app available in Self Service for users to install
when they are ready. If the computers in the smart group are compatible, the
InstallEnterpriseApplication command is sent to target computers through Apple Push Notification
Service (APNs) to download the software title. For more information about the deployment process, see App
Installers Deployment Status.

After installation, end users are prompted with notifications in the Notification Center when an update is
available. You can manage this experience using built-in settings or customize the experience for your
environment. For more information, see End User Experience.

Best Practice: Using App Installers for previously installed software titles


Best practice workflows cover common scenarios; however, the following recommendations may not
apply in your environment.

When choosing to make the app available in Self Service, the app is only distributed to end users after
they click Install in Self Service, even if the app is already installed on the computer.

To use App Installers to update an app that was previously installed using another method (e.g., a policy
or patch policy), Jamf recommends creating a smart group using the following criteria and selecting
Install automatically as the distribution method. When you select this smart group from the Target Group
pop-up menu, it ensures all future updates will be automatically distributed with App Installers.

| Criteria | Operator | Value |
|---|---|---|
| Application Title | "is" | Title of the app |

App Installers Metadata


The following table describes the metadata that is available in Jamf Pro for each App Installer. You can use
this information to help you determine if an App Installer is compatible with the target computers in your scope.

| App Installer Information | Description |
|---|---|
| Application name | Name of the software title from the Jamf App Catalog |
| Publisher | Name of the software publisher |
| Bundle ID | Unique identifier for the application |
| Version | Latest application version number |
| Package publish date | Date Jamf made the package available as an App Installer |
| Architecture | Architecture type of the application. The following architecture types are available: • Universal—The application can run natively on both Apple silicon and Intel-based Mac computers. • Rosetta—Enables a Mac computer with Apple silicon to run applications built for Intel-based Mac computers. • Intel—The application can only run on Intel-based Mac computers. • Apple silicon—The application can only run on Mac computers with Apple silicon. |
| Minimum OS | Minimum version of macOS required to install and run the application |
| (Optional) Language | If a vendor provides separate installers per language, this field is populated to indicate Jamf provides the English-specific installer. |
| Media source URL | The unique URL used by Jamf to download the application from the publisher's website for the Jamf App Catalog. For some applications, the URL is temporary. Once it expires the URL is no longer valid. |
| Package size | Size of the installer package used to install the application |
| Package signing identity | Code-signing identity used to sign the installer package. If the installer package is repackaged by Jamf, the identity is shown as: Developer ID Installer: JAMF Software |
| Original media hash | Hash value for the original media downloaded from the publisher's website |
| Original media hash type | Type of hash used for the original media |
| Installer package hash | Hash value for the installer package provided. This value differs from the original media hash if Jamf repackaged the installer. |
| Installer package hash type | Type of hash used for the installer package |
| LaunchDaemon included | Yes or No |
| Custom notification available | Yes or No |
| Built-in auto-updates disabled | Yes or No |
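
The hash and signing-identity fields above can be used to check a package you hold against its metadata. The following Python sketch is an added example, not part of the Jamf documentation or Jamf's code; the dictionary key names, the "SHA-256" form of the hash type label, and the sample bytes are assumptions made for the illustration.

```python
import hashlib
import os
import tempfile

# Identity string this page gives for installers repackaged by Jamf.
JAMF_REPACKAGED_IDENTITY = "Developer ID Installer: JAMF Software"


def algorithm(hash_type):
    """Map a hash type label to a hashlib name (label form such as 'SHA-256' is assumed)."""
    name = hash_type.lower().replace("-", "").replace("_", "")
    if name not in hashlib.algorithms_guaranteed:
        raise ValueError(f"unsupported hash type: {hash_type!r}")
    return name


def file_digest(path, hash_type, chunk_size=1 << 20):
    """Hash a file in chunks so large installer packages are not read into memory."""
    digest = hashlib.new(algorithm(hash_type))
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path, meta):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    expected = meta["installer_package_hash"].strip().lower()
    if file_digest(path, meta["installer_package_hash_type"]) != expected:
        findings.append("installer package hash does not match the metadata")
    # The two metadata hashes are only comparable when they use the same hash type.
    same_type = (algorithm(meta["original_media_hash_type"])
                 == algorithm(meta["installer_package_hash_type"]))
    repackaged = same_type and meta["original_media_hash"].strip().lower() != expected
    if repackaged and meta["package_signing_identity"] != JAMF_REPACKAGED_IDENTITY:
        findings.append("hashes differ (repackaged) but the signing identity is not Jamf's")
    return findings


def demo():
    """Run the checks against a constructed package and constructed metadata."""
    original_media = b"constructed bytes standing in for the vendor's download"
    package = b"constructed bytes standing in for the repackaged installer"
    meta = {
        "original_media_hash": hashlib.sha256(original_media).hexdigest(),
        "original_media_hash_type": "SHA-256",
        "installer_package_hash": hashlib.sha256(package).hexdigest(),
        "installer_package_hash_type": "SHA-256",
        "package_signing_identity": JAMF_REPACKAGED_IDENTITY,
    }
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "Example.pkg")
        with open(path, "wb") as handle:
            handle.write(package)
        intact = verify_installer(path, meta)
        other_signer = verify_installer(
            path, {**meta, "package_signing_identity": "Developer ID Installer: Example Vendor"})
        with open(path, "ab") as handle:
            handle.write(b"\x00")  # simulate a package altered after publication
        altered = verify_installer(path, meta)
    return intact, other_signer, altered


if __name__ == "__main__":
    for label, result in zip(("intact", "other signer", "altered"), demo()):
        print(f"{label}: {result or 'all checks passed'}")
```

The script only compares metadata values; on a Mac, the identity that actually signed a package can be read with pkgutil --check-signature.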

Distributing Software Titles with App Installers

Requirements
• Jamf Pro instance hosted in Jamf Cloud
• An enabled Cloud Services Connection
• Target computers with macOS 10.13.6 or later
• Ensure the Jamf management framework and Self Service checkbox is selected in Settings >
Computer Management > Security. This allows the App Installers service to display end user
notifications with the Self Service icon when you distribute the software title.


1. In Jamf Pro, click Computers in the sidebar.
2. Click Mac Apps in the sidebar.
3. Click New.
4. Select Jamf App Catalog.
5. Click Next.
6. Click Add for the software title you want to distribute.
7. Read and acknowledge the Terms and Conditions.

Note: Jamf Pro only displays the Terms and Conditions pop-up during the first App Installer
deployment configured by each administrator.

8. Use the Configuration settings tab to configure the basic settings for the App Installer including the
display name, site, category, the smart group containing the target computers in scope, and distribution
method.
You can choose a site, category, or target group from the pop-up menus, or type directly in the field to
narrow down your search results.
9. To allow Jamf Pro to deploy an additional configuration profile to disable the developer built-in auto-update,
select the Install supporting configuration profiles checkbox.
When selected, and if the App Installer package recommends disabling the built-in auto-update, the
configuration profile containing these settings can be viewed on an end user's computer in System
Settings > Privacy & Security > Profiles (macOS 13 or later) or System Preferences > Profiles
(macOS 12 or earlier). The profile is labeled App Installers - APP_NAME .

Important: Before enabling this option in your environment, there are many factors to consider,
including if you have deployed configuration profiles to manage App Installers settings in Jamf Pro
10.43.0 or earlier. For more information, see the Configuration Profiles for Additional App Installers
Settings article.

10. (Optional) Toggle the Deploy switch off if you aren't ready to distribute the software title.
11. If you selected Make available in Self Service as the distribution method, click the Self Service tab to
configure how the software title is displayed in Self Service.
You cannot change the icon displayed for the software title in Self Service.

Note: The Self Service tab is displayed regardless of the selected distribution method. Additionally,
to add the software title to the Compliance category, your Jamf Pro instance must be integrated with
Microsoft Intune.


12. (Optional) Click the End user experience tab to customize the push notifications to end users when a
software title has an available update and it is open on a user's computer.
When customized, the configuration profile containing these settings can be viewed on an end user's
computer in System Settings > Privacy & Security > Profiles (macOS 13 or later) or System
Preferences > Profiles (macOS 12 or earlier). The profile is labeled App Installers - Custom
values for APP_NAME .

For more information about these notifications, see End User Experience.

13. Click Save.
14. Click the Deployment status tab to monitor the App Installer deployment.

The software title is distributed to target computers in the chosen smart group.

Note: The App Installer deployment may take up to 20 minutes to begin. For more information, see App
Installers Deployment Status.

Keep the following in mind after using App Installers to distribute a software title:

• If the target computer is removed from the scoped smart group, the software title remains on the computer
but no longer receives updates.
• If a new target computer is added to the scoped smart group, the deployment process starts.
• If an end user removes the software title from the target computer the software title remains uninstalled until
one of the following occurs:
◦ The App Installer deployment is toggled off and back on.
◦ A new version of the software title is added to the Jamf App Catalog.
◦ The target computer is removed from the scoped smart group and then re-added to the smart group.

If you selected the Install supporting configuration profiles checkbox or customized notifications on the
End user experience tab, you can view the status of the management commands for the installation or
removal of the configuration profiles by navigating to the Management History category in the History tab of the
computer inventory information. Example management commands include:

• Install Configuration Profile App Installers - Custom values for Google Chrome
• Install Configuration Profile App Installers - Google Chrome

App Installers Deployment Status


When you configure and deploy an App Installer, Jamf Pro works in the background to distribute the current
version of a software title to the target computers in your chosen smart group. The following describes the
possible deployment statuses and how Jamf Pro works with App Installers to determine the status.


The Deployment status tab displays the following statuses:

• In progress—The App Installer deployment is in progress. Jamf Pro makes a total of three attempts, once
every six hours, to deploy the App Installer to target computers.
• Available for install in Self Service—The end user has not yet clicked the Install button for the software
title when the selected distribution method is Make available in Self Service.
• Installed—The target computers successfully downloaded the App Installer.

Note: The status is marked as "Installed" when the update workflow commands are complete and
the software is delivered to the computer. The installation does not occur until the app is closed on
the computer.

• Unqualified—Deployment conflicts were found.
• Failed—The target computers failed to meet the compatibility criteria required (e.g., minimum macOS
version or architecture type) for the App Installer or did not successfully install the App Installer after three
attempts.

At the start of the deployment process, the target smart group recalculates to determine if there are conflicting
deployments or if computers meet the compatibility criteria. If a conflicting deployment with higher priority
exists, the deployment status is listed as "Unqualified".

Note: A deployment with the Install automatically distribution method takes precedence. After that, the
deployment with the lower ID number takes precedence.
For example, if a computer is in the scope of both of the following, only the deployment with "id=2" is
used:

• https://JAMF_PRO_URL.jamfcloud.com/view/computers/mac-apps/app-installers/deployments/2
• https://JAMF_PRO_URL.jamfcloud.com/view/computers/mac-apps/app-installers/deployments/3

If compatibility criteria are not met, the status is listed as "Failed" with the reason for the failure. If the criteria
are met, within 15 minutes Jamf Pro sends the InstalledApplicationList MDM command to computers
and waits for a response. While waiting for the response, the deployment status is listed as "In Progress". If a
computer is offline, for example, during a holiday, the deployment process will not resume until a response is
received from the InstalledApplicationList command. After a response is received, the
InstallEnterpriseApplication command is sent through Apple Push Notification service (APNs) to the
target computers.


Note: If you selected the Install supporting configuration profiles checkbox, Jamf Pro deploys the
supporting profiles before the InstallEnterpriseApplication MDM command is sent.

The target computers download and install the App Installer software title from the Jamf App Catalog. If the
delivery is successful, the deployment status changes to "Installed". If the delivery is unsuccessful after three
attempts, the status changes to "Failed". The status for a computer is not updated immediately, as it relies on a
response from the InstalledApplicationList command, which is sent every few hours.

You can view the status of the InstallEnterpriseApplication and InstalledApplicationList commands by
navigating to management history for a computer in Jamf Pro. For more information, see
Computer History Information.
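
To predict why a computer shows "Unqualified" or "Failed" before any MDM command is sent, the precedence and compatibility rules in this section can be modeled in a few lines. The following Python sketch is an added example that models the rules as this page words them; it is not Jamf Pro's implementation. It assumes that conflicting deployments are those for the same software title, that a "Rosetta" build runs on both CPU types, and that checks run in the order shown; the class and field names are hypothetical.

```python
from dataclasses import dataclass

AUTO = "Install automatically"
SELF_SERVICE = "Make available in Self Service"

# CPU types each architecture label on this page can run on.
# Treating "Rosetta" as runnable on both CPU types is an assumption of this sketch.
RUNS_ON = {
    "Universal": {"Apple silicon", "Intel"},
    "Rosetta": {"Apple silicon", "Intel"},
    "Intel": {"Intel"},
    "Apple silicon": {"Apple silicon"},
}


@dataclass(frozen=True)
class Deployment:
    id: int
    title: str
    method: str
    minimum_os: str
    architecture: str


@dataclass(frozen=True)
class Computer:
    name: str
    macos: str
    cpu: str


def version_tuple(text):
    """Parse '10.13.6' into (10, 13, 6), padding so that '14' equals '14.0.0'."""
    parts = [int(part) for part in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def precedence(deployment):
    """Sort key: Install automatically first, then the lower deployment ID."""
    return (deployment.method != AUTO, deployment.id)


def compatibility_failure(deployment, computer):
    """Return the reason the computer is incompatible, or None if it qualifies."""
    if version_tuple(computer.macos) < version_tuple(deployment.minimum_os):
        return f"macOS {computer.macos} is older than the minimum {deployment.minimum_os}"
    if computer.cpu not in RUNS_ON[deployment.architecture]:
        return f"{deployment.architecture} build cannot run on {computer.cpu}"
    return None


def initial_statuses(deployments, computer):
    """Map deployment ID to the status expected for one computer in scope of all of them."""
    by_title = {}
    for deployment in deployments:
        by_title.setdefault(deployment.title, []).append(deployment)
    statuses = {}
    for group in by_title.values():
        winner = min(group, key=precedence)
        for deployment in group:
            if deployment is not winner:
                statuses[deployment.id] = "Unqualified"
                continue
            reason = compatibility_failure(deployment, computer)
            if reason:
                statuses[deployment.id] = f"Failed: {reason}"
            elif deployment.method == SELF_SERVICE:
                statuses[deployment.id] = "Available for install in Self Service"
            else:
                statuses[deployment.id] = "In progress"
    return statuses


if __name__ == "__main__":
    # Constructed sample data: two deployments of one title plus an Intel-only title.
    mac = Computer("mac-01", "12.6", "Apple silicon")
    sample = [
        Deployment(2, "Example Browser", SELF_SERVICE, "10.13.6", "Universal"),
        Deployment(3, "Example Browser", AUTO, "10.13.6", "Universal"),
        Deployment(5, "Example Editor", AUTO, "10.13.6", "Intel"),
    ]
    for deployment_id, status in sorted(initial_statuses(sample, mac).items()):
        print(deployment_id, status)
```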

Viewing or Retrying a Deployment


1. In Jamf Pro, click Computers in the sidebar.
2. Click Mac Apps in the sidebar.
3. Use the table to view a summary of all App Installers deployments and their status.
4. To retry all failed deployments in your environment, click Retry all failed in the top-right corner of the table.
5. Select the software title from the Jamf App Catalog for which you want to view the deployment status.
6. Click the Deployment status tab to monitor the deployment status for each computer in your target group.
7. (Optional) If a computer failed to complete the install, click Retry in the status column to reattempt the
deployment.
8. (Optional) If multiple computers failed, click Retry all failed.

Note: Clicking Retry all failed causes Jamf Pro to retry deploying qualified App Installers with a
failed status. Jamf Pro does not retry deploying App Installers that fail due to an unsupported
architecture type or those that are in progress.

End User Experience


You can customize the end user experience in Jamf Pro to notify users when an update is available for a
software title deployed using App Installers but the software title is open on the user's computer. The
notifications are displayed in the Notification Center.

Important: Although this feature is available in Jamf Pro 10.44.0 or later, notifications may not display
correctly until a new version of the software title is available.


You can customize the following settings:

• Custom notification frequency—Choose how often the notification message is displayed.
• Custom notification message—Create a message to display as the push notification (up to 150
characters) when an app update is available.
• Enable update deadline—Choose how long the user can defer the update before the app is forced to quit
and complete the update. When enabled, and if the system language is one of the six languages available
in Jamf Pro, the notification message includes "Days Remaining" and the value.
• Custom force quit message—Create a message to display as the push notification (up to 150 characters)
when the app is forced to quit to complete the update.
• Enable force quit grace period—Choose how many minutes the user has to save work and close the app
before the app force quits to complete the update.
• Custom update complete message—Create a message to display as the push notification (up to 150
characters) to indicate when the app update is complete and the user can reopen the app.
• Automatically open app after update—When selected, the app will automatically relaunch after the
update is complete. This does not apply if the app was closed before the update started.

If you prefer to allow App Installers to manage the notification settings, the default values are as follows:

• Notification frequency—One daily notification
• Notification message—"An update is available. Quit this application to allow the
update to complete."
• Update deadline—None
• Force quit message—"This application will quit to complete the update."
• Update complete message—"Update complete."

Beginning with Jamf Pro 10.47.0, new versions of apps distributed with App Installers will use a generic Self
Service icon, regardless of the chosen distribution method. The following is an example of the notifications an
end user will see in the Notification Center using the default messaging and a force quit grace period enabled:


Settings and Security Management for Computers

Computer Configuration Profiles
Configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and
restrictions for devices, computers, and users.

You can use Jamf Pro to create a configuration profile or you can upload a configuration profile that was
created using third-party software, for example, Apple's Profile Manager or Apple Configurator.

Before creating a configuration profile, you should have basic knowledge of configuration profile payloads and
settings. For more information, see the following Apple documentation:

• Apple Platform Deployment
• Profile-Specific Payload Keys


Some configuration profile payloads and settings available in Jamf Pro may differ from their implementation in
Apple’s tools. For more information on these settings, see the Configuration Profile Payload Settings Specific
to Jamf Pro article.

When you create a computer configuration profile, you must specify the level at which to apply the profile—
computer level or user level. Each level has a unique set of payloads and a few that are common to both.

There are two different ways to distribute a configuration profile: install it automatically (requires no interaction
from the user) or make it available in Self Service. You can also specify the computers and users to which the
profile should be applied (called “scope”).

Note: Removing a computer from the scope of a computer-level profile prompts Jamf Pro to send an
MDM command to remove the profile. Removing a computer from the scope of a user-level profile
prompts Jamf Pro to remove the settings applied by the profile for the MDM enabled user the next time
the computer sends a userLoginNotification message via the Jamf management framework. This
happens at a login to the system.

Related Content

• Computer Management Information
• Items Available to Users in Jamf Self Service for macOS
• Deploying Custom Configuration Profiles Using Jamf Pro

Payload Variables for Configuration Profiles


You can use payload variables to populate configuration profile settings with attribute values stored in Jamf
Pro. This allows you to create payloads containing information about each device and user to which you are
distributing the profile. To use a payload variable, enter the $VARIABLE into any text field when creating a
configuration profile in Jamf Pro. When the profile is installed, the $VARIABLE is replaced with the value of the
corresponding attribute in Jamf Pro.

Note: Payload variables are case-sensitive.

| Variable | Inventory Information |
|---|---|
| $MANAGEMENTID | Device management ID assigned by Jamf Pro |
| $COMPUTERNAME | Computer Name |
| $SITENAME | Site Name |
| $SITEID | Site ID |
| $UDID | UDID |
| $SERIALNUMBER | Serial Number |
| $USERNAME | Username associated with the computer in Jamf Pro (computer-level profiles only). Username of the user logging in to the computer (user-level profiles only) |
| $FULLNAME or $REALNAME | Full Name |
| $EMAIL | Email Address |
| $PHONE | Phone Number |
| $POSITION | Position |
| $DEPARTMENTNAME | Department Name |
| $DEPARTMENTID | Department ID |
| $BUILDINGNAME | Building Name |
| $BUILDINGID | Building ID |
| $ROOM | Room |
| $MACADDRESS | MAC Address |
| $JSSID | Jamf Pro ID |
| $PROFILEJSSID | Jamf Pro ID of the Configuration Profile |
| $EXTENSIONATTRIBUTE_# | Extension Attribute ID Number |

Note: The ID number is found in the extension attribute URL. In the example URL below, "id=2" indicates the
extension attribute ID number:

https://JAMF_PRO_URL.jamfcloud.com/computerExtensionAttributes.html?id=2&o=r

For more information, see Computer Extension Attributes.
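
Because payload variables are case-sensitive, a profile can be reviewed for tokens that do not match the table before it is scoped. The following Python sketch is an added example, not part of the Jamf documentation or Jamf's code: it scans an unsigned .mobileconfig for $VARIABLE tokens and reports any that are not listed above. The sample profile and its payload keys are constructed, and treating every unlisted token as a finding is this sketch's assumption.

```python
import plistlib
import re

# Variable names taken from the table on this page (without the leading "$").
KNOWN_VARIABLES = {
    "MANAGEMENTID", "COMPUTERNAME", "SITENAME", "SITEID", "UDID", "SERIALNUMBER",
    "USERNAME", "FULLNAME", "REALNAME", "EMAIL", "PHONE", "POSITION",
    "DEPARTMENTNAME", "DEPARTMENTID", "BUILDINGNAME", "BUILDINGID", "ROOM",
    "MACADDRESS", "JSSID", "PROFILEJSSID",
}
EXTENSION_ATTRIBUTE = re.compile(r"EXTENSIONATTRIBUTE_\d+")
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_#]*)")

# Constructed sample profile; the payload keys are illustrative only.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadDisplayName</key><string>Settings for $COMPUTERNAME</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.example.constructed</string>
      <key>UserName</key><string>$Username</string>
      <key>Mail</key><string>$EMAIL</string>
      <key>AssetTag</key><string>$EXTENSIONATTRIBUTE_#</string>
      <key>Inventory</key><string>$EXTENSIONATTRIBUTE_2</string>
      <key>Owner</key><string>$OWNER</string>
    </dict>
  </array>
</dict>
</plist>
"""


def walk(node, path=""):
    """Yield (key path, string value) for every string in the parsed profile."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def classify(name):
    """Classify one token name against the documented variable list."""
    if name in KNOWN_VARIABLES or EXTENSION_ATTRIBUTE.fullmatch(name):
        return "ok"
    upper = name.upper()
    if upper in KNOWN_VARIABLES or EXTENSION_ATTRIBUTE.fullmatch(upper):
        return "wrong case"        # variables are case-sensitive
    if upper == "EXTENSIONATTRIBUTE_#":
        return "placeholder"       # "#" was never replaced with an ID number
    return "unknown"


def lint_profile(data):
    """Return (key path, token, verdict) for every token that is not a listed variable."""
    findings = []
    for path, text in walk(plistlib.loads(data)):
        for match in TOKEN.finditer(text):
            verdict = classify(match.group(1))
            if verdict != "ok":
                findings.append((path, match.group(0), verdict))
    return findings


if __name__ == "__main__":
    for path, token, verdict in lint_profile(SAMPLE_PROFILE):
        print(f"{path}: {token} ({verdict})")
```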


General Requirements
To install a configuration profile on a computer, you need:

• A push certificate in Jamf Pro. For more information, see Push Certificates.
• The Enable certificate-based authentication and Enable Push Notifications settings configured in
Jamf Pro. For more information, see Security Settings.
• (User-level profiles only) Computers that are bound to a directory service or local user accounts that have
been MDM-enabled. For information, see Directory Bindings and MDM-Enabled Local User Accounts.

Creating a Computer Configuration Profile in Jamf Pro


When creating and distributing computer configuration profiles directly in Jamf Pro, keep the following in mind:

• In the summary view, only the included or configured settings are displayed in the Jamf Pro interface.
• Some enforced settings that do not change default values will not be visible on the computer. For more
information on the default settings, see Profile-Specific Payload Keys from the Apple Developer website.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings, including the level at which to apply the profile and the
distribution method.
Only payloads and settings that apply to the selected level are displayed for the profile.
To distribute the profile during enrollment using a computer PreStage enrollment, ensure you create a
computer-level configuration profile.
5. Use the rest of the payloads to configure the settings.
6. Click the Scope tab and configure the scope of the profile.
To distribute the profile during enrollment using a computer PreStage enrollment, ensure the scope of the
profile contains the computers that are in the scope of the PreStage enrollment.
7. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure
Self Service settings for the profile.
8. Click Save.

The profile is distributed to the deployment targets in the scope the next time they contact Jamf Pro.

Uploading a Configuration Profile


You can create a configuration profile by uploading a profile that was built using Apple's software, for example,
Profile Manager or Apple Configurator.


Note: Some payloads and settings configured with third-party software are not displayed in Jamf Pro.
Although you cannot view or edit these payloads, they are still applied to the deployment targets.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Configuration Profiles in the sidebar.
3. Click Upload and upload the configuration profile (.mobileconfig).
4. Use the General payload to change or configure basic settings for the profile, including a distribution
method.
5. Use the rest of the payloads to configure or edit settings as needed.
6. Click the Scope tab and configure the scope of the profile.
7. (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self
Service settings for the profile.
8. Click Save.

Downloading a Configuration Profile


If you want to view the contents of a configuration profile for troubleshooting purposes, you can download the
profile (.mobileconfig) from Jamf Pro.

1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Click Configuration Profiles in the sidebar.
3. Click the configuration profile you want to download.
4. Click Download.

The profile downloads immediately.

Viewing the Status of a Configuration Profile


For each configuration profile, you can view the number of the deployment targets with a status of Complete,
Remaining, or Failed for the profile installation.

Note: Depending on your system configuration, status data may not be available for profiles installed
using Jamf Pro 9.63 or earlier.

1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Click Configuration Profiles in the sidebar.


3. To view a list of deployment targets with a status of Complete, Remaining, or Failed for the profile
installation, click the number displayed in the corresponding column. Then click Back in the top-left
corner of the pane.

Note: If a device becomes unmanaged after a profile is successfully distributed to it, the profile will
continue to be displayed in the Completed column.

4. To view logs for a configuration profile, click View in the corresponding row. For a different date range,
specify the starting and ending dates using the Date Range pop-up calendars.
5. Click Back in the top-left corner of the pane.

Troubleshooting a Failed Status of a Configuration Profile


If a profile fails to install on a compatible computer, Jamf Pro will automatically retry the deployment every six
hours. To manually force the attempt, use the “Send blank push” management command. To access this
feature, navigate to the Management tab in the inventory of a computer and click Management Commands.

If a profile fails to install on an incompatible computer (e.g., when the profile includes settings that require User
Approved MDM), the computer must first meet the profile requirements for the retry attempt to happen.

Adding a Computer Configuration Profile to the Jamf Pro Dashboard

Adding a computer configuration profile to the Jamf Pro Dashboard helps you monitor its status and progress.
For example, you can determine which computers have received restrictions or settings, which computers are
pending receiving the configuration profile, and if any profiles have failed to deploy and require
troubleshooting.

If you have configured a restriction or system setting configuration profile, you can track its deployment
progress by adding it to the Jamf Pro Dashboard. This would allow you to view all Completed, Pending, and
Failed statuses for the configuration profile.

1. In Jamf Pro, click Computers at the top of the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click the computer configuration profile you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.

5. Click Dashboard in the sidebar.


6. Navigate to the macOS Configuration Profile Distribution Statuses area of the Jamf Pro Dashboard
and find the widget for the computer configuration profile you added.
7. Click any item in the widget to view the details.

Computers that have been scoped to the configuration profile have their progress tracked in both the circular
percentage graph and below the graph by status category. Use this information to troubleshoot any computers
that have Failed or Pending statuses by clicking the status hyperlinks and reviewing the computers presented.

Best Practices for Computer Configuration Profiles


In many environments, best practices for payload management include creating unique configuration profiles
to achieve separate goals. This approach reduces complexity in terms of configuring the scope of profiles and
identifying issues when troubleshooting.

For example, you may want to create one configuration profile for Restrictions, one for Wi-Fi, and one for VPN.
Each profile could contain one or multiple payloads—whatever combination of payloads and settings is needed
to accomplish the goal you're trying to achieve with the profile.

For more information on optimizing payload planning and management, see Plan your configuration profiles for
Apple devices in Apple Platform Deployment.

Configuring Wi-Fi for Computers


You can create a configuration profile to deploy Wi-Fi settings to computers.

Note: These instructions are for environments that use a network with a personal security type
encryption, such as WPA2 Personal. If your environment requires an enterprise security type with an
802.1x RADIUS server, see the Implementing 802.1X Authentication Using Jamf Pro technical paper for
instructions instead.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Click the Network payload.
5. Click Configure.
6. In the Network Interface menu, select Wi-Fi.
7. In the Service Set Identifier (SSID) field, enter your SSID.
8. Select the Auto Join checkbox.
9. In the Security Type menu, select the wireless network encryption to use when connecting.
10. Click the Scope tab, and then configure the target computers or computer groups.
11. Click Save.

The profile is distributed to computers in the scope.

Setting Wallpaper on Computers


You can set the wallpaper image on enrolled computers by using a combination of Composer and Jamf Pro.

Requirements
• A computer with Composer. See Composer User Guide.
• An image in JPEG, PICT, TIFF, PNG, or HEIC format

1. Open Composer and authenticate locally.


2. Click Cancel in the Composer window that appears.
3. Package the image file by doing the following:
a. On the computer running Composer, move the image file to the location it should be deployed to on the
target computers.
For example, if you want the image file to be deployed to /Users/Shared/Wallpaper/ on the
target computers, move the image file to that directory on the computer running Composer.

Note: You can obtain the path to the image file by dragging the image file into a Terminal
window.

b. Drag the image file to the sidebar in Composer.


The image file appears under the Sources heading.

c. In the toolbar, click Build as PKG.


d. Select a location to save the package, and then click Save.
The package will appear in the sidebar under the Packages heading.
4. If your principal distribution point is cloud-hosted, upload the package using Jamf Pro.
For more information, see Package Management.

5. In Jamf Pro, click Computers in the sidebar.


6. Click Policies in the sidebar.
7. Click New.
8. Configure the General payload by doing the following:
a. Enter a name for the policy in the Display Name field.
b. Under Trigger, select a policy trigger (e.g., Recurring Check-In).
c. In the Execution Frequency pop-up menu, select an execution frequency (e.g., "Once per computer").
9. Configure the Packages payload by doing the following:
a. Click Packages.
b. Click Configure.

c. Click Add next to the wallpaper package you uploaded earlier.


d. Configure distribution point and action options for the wallpaper package. For more information, see
Package Deployment.
10. Click the Scope tab, and then configure the target computers or computer groups.
11. Click Save.
12. Click Configuration Profiles in the sidebar.
13. Click New.
14. Use the General payload to specify a name for the configuration profile and configure basic settings.
Ensure the Level is set to "Computer Level" and the Distribution Method is set to "Install Automatically".
15. Configure the Restrictions payload by doing the following:
a. Click Restrictions.
b. Click Configure.
c. Click the Functionality tab.
d. Select Lock desktop picture.
e. In the Desktop Picture Path field, enter the file path to the image file.
16. Click the Scope tab, and then configure the target computers or computer groups.
17. Click Save.

On computers that have successfully run the policy, the desktop wallpaper is set to the packaged image and
cannot be changed by the end user.

Remote Commands for Computers


The remote commands available in Jamf Pro allow you to remotely perform tasks on computers.

You can send a remote command to a single computer. Some commands can also be sent to multiple
computers at once using mass actions. For more information, see Mass Actions for Computers.

The following table describes the remote commands that you can send from Jamf Pro. Commands that can be
sent as mass actions are indicated with an asterisk (*).

Remote Command Description Requirements

Lock Computer*
Description:
Logs the user out of the computer, restarts the computer, and then locks the computer
(Optional) Displays a message on the computer when it locks
To unlock the computer, the user must enter the passcode that you specified when you sent the Lock
Computer command.

Note: On computers with Apple silicon (i.e., M1 chip) with macOS 11.4 or earlier, the passcode configured
in the "Lock computer" command is not set. The computer reboots to the Activation screen in macOS
Recovery with the options to restart, shutdown, activate, or erase the computer. To activate the
computer, the user must authenticate with an administrator account that has a secure token. If there are
no administrators with a secure token, activation cannot complete and the computer must be erased. This
activation step requires an internet connection.

Remove MDM Profile
Description:
Removes the MDM profile from the computer, along with any configuration profiles that were distributed
with Jamf Pro
If the MDM profile is removed, you can no longer send remote commands or distribute configuration
profiles to the computer.

Note: Removing the MDM profile from a computer does not remove the computer from Jamf Pro, change its
inventory information, or remove the jamf binary. For more information about how to remove the jamf
binary after using the Remove MDM Profile command, see Unmanaging Computers.

Renew MDM Profile*
Description:
Renews the MDM profile on the computer, along with the device identity certificate. The device identity
certificate has a default expiration period of two years.

Note: The Renew MDM Profile remote command is automatically issued when the built-in CA is renewed. The
MDM profile will be renewed during the next computer check-in. For more information, see "Renewing the
Built-in CA" in PKI Certificates.

Wipe Computer
Description:
Permanently and immediately erases the computer by sending a macOS EraseDevice command to the
computer. Wipe Computer also sets a passcode when required by the computer hardware type.

Note:
• When the Wipe Computer command is sent to a computer with macOS 10.15 or later with an Apple T2
Security Chip, or a computer with Apple silicon (i.e., M1 chip), the computer will be erased and no
passcode will be set.
• Wiping a computer does not remove the computer from Jamf Pro or change its inventory information.
After the command is acknowledged by the computer, the computer will report as unmanaged in Jamf Pro's
inventory.

Important: Supported computers with macOS 12.0.1 or later installed will attempt to Erase All Content
and Settings by default when the Wipe Computer command is sent. Your computer will automatically go
through an Erase All Content and Settings preflight check to determine if your device can perform the
command. If the preflight check fails, your chosen fallback behavior will be performed. By default, the
fallback behavior erases the devices. For more information about requirements and methods for remotely
wiping computers, see Erase Apple devices in Apple Platform Deployment.

For information about returning a computer to service and reinstalling macOS, see Returning an
MDM-Erased Computer to Service.
An Obliteration Behavior option is also available in the Jamf Pro API. You can use obliterationBehavior
as a fallback method to erase a computer that is not in a state that allows Erase All Content and
Settings to run. For more information, see the Erase Device Command Options in the Jamf Pro API
technical article.

Send Blank Push
Description:
Sends a blank push notification, prompting the computer to check in with Apple Push Notification service
(APNs) and the declarative status channel

Download/Download and Install Updates*
Description:
Updates the OS version and built-in apps on the computer
You can update the OS version for macOS using the following options:
• Target Version—You can choose to update the OS version to the latest version based on device
eligibility or you can update to a specific version. When choosing to update the OS version to the
latest version, you can select the Include major updates, if available checkbox to download and install
the latest major update. To download and install the latest patch version, keep the checkbox deselected.

Note: Updating to a specific macOS version requires computers with macOS 10.15 or later.

• Install Action—You can choose to download the update for users to install, download and allow macOS
to install later, or to download and install the update and restart computers after installation. When
choosing the Download and allow macOS to install later action, you can configure the number of times a
user can defer the update on computers with macOS 12.3 or later. The default deferral is 7 times, but
can be changed to any integer between 0–99.

Note:
• When sending the command via a mass action, the Update OS version and built-in apps option must be
selected.
• On computers with Apple silicon (i.e., M1 chip), users may be prompted to authenticate before an
update can be installed.
• An alert is displayed in Jamf Pro prior to issuing the command indicating the computer may immediately
restart without warning.

Requirements:
macOS 10.11 or later
Supervised or enrolled via a PreStage enrollment

Note: To have the update for computers with Apple silicon (i.e., M1 chip) installed automatically
without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro. For
more information about how Jamf Pro manages software updates, see Managing software updates for Apple
devices in Apple Platform Deployment.

Unlock User
Description:
Unlocks a local user account that has been locked due to too many failed password attempts
Requirements:
macOS 10.13 or later
Supervised or enrolled via a PreStage enrollment

Remove User
Description:
Removes a user that has an active account on the computer
Requirements:
macOS 10.13 or later
Supervised or enrolled via a PreStage enrollment

Note: The Remove User command cannot remove a user if they are the last user with a secure token
granted.

Enable/Disable Bluetooth*
Description:
Enables/disables Bluetooth on the computer
Requirements:
macOS 10.13.4 or later

Note: When sending the command via a mass action, the Set Bluetooth option must be selected.

Enable/Disable Remote Desktop*
Description:
Enables/disables Remote Desktop on the computer
Requirements:
macOS 10.14.4 or later

Note: When sending the command via a mass action, the Set Remote Desktop option must be selected.

Set Activation Lock*
Description:
Allow user to enable Activation Lock directly on the computer
Disable and prevent Activation Lock
For more information, see the Leveraging Apple's Activation Lock Feature with Jamf Pro article.
Requirements:
Supervised computers with the Apple T2 Security Chip or Apple silicon (i.e., M1 chip)
For more information on macOS compatibility, see Activation Lock for Mac from Apple's support website.

Sending a Remote Command to a Computer

Requirements
• A push certificate in Jamf Pro. For more information, see Push Certificates.
• The Enable certificate-based authentication and Enable push notifications settings configured.

1. In Jamf Pro, click Computers in the sidebar.


2. Perform a simple or advanced computer search.
3. Click the computer you want to send the remote command to.

If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
4. Click the Management tab, and then click the button for the remote command that you want to send.

Note: To send the Unlock User or Remove User remote command, navigate to the Local User
Accounts category in inventory information for the computer and click Manage for a user.

Depending on the command selected, additional options may be available.

The remote command runs on the computer the next time the computer checks in with Jamf Pro.

After the command is sent, you can do the following on the History tab:

• To view the status of a remote command, use the Management History pane to view completed, pending, or
failed commands.
• To cancel a remote command, click Pending Commands. Find the command you want to cancel, and click
Cancel.

Troubleshooting a Failed Status of a Remote Command


If a remote command reported a failed status, Jamf Pro will automatically resend the command every six hours
for the compatible computers. To manually force the attempt, use the “Send blank push” management
command. To access this feature, navigate to the Management tab in the inventory of a computer and click
Management Commands.

Returning an MDM-Erased Computer to Service


After sending the Wipe Computer remote command to a computer, you may need to reinstall macOS to
return the computer to service.

If an Erase All Content and Settings action occurred, the computer will need to be reactivated with Apple. This
requires an internet connection with access to Apple's activation servers. For more information, see Use Apple
products on enterprise networks on the Apple Support website.

If a full macOS erase action occurred, the method for reinstalling the OS will vary depending on the hardware
type. If a passcode was specified with the Wipe Computer command, the end user must enter it before
macOS can be reinstalled. The passcode is saved in the computer's Management Command history.

For more information about reinstalling macOS, see the following Apple documentation:

• About macOS Recovery on Intel-based Mac computers on the Apple Support website
• Use macOS Recovery on a Mac with Apple silicon in the macOS User Guide
• Revive or restore a Mac with Apple silicon using Apple Configurator in the Apple Configurator User Guide

For more information about requirements and methods for remotely wiping computers, see Wipe Apple
devices remotely in Apple Platform Deployment.

Scripts
You can manage and run scripts in your environment by using Jamf Pro or Jamf Admin.

When you add a script to Jamf Pro or Jamf Admin, you can configure the following script settings:

• Add the script to a category. For more information, see Categories.


• Enter parameter labels.
• Specify operating system requirements for running the script.

When you add, edit, or delete a script in Jamf Admin, the changes are reflected in Jamf Pro and vice versa.

Related Content

• Policy Management

Script Storage
Before you can run a script, the script must exist in the Jamf Pro database. Scripts are automatically added to
the database after they are added to Jamf Pro or Jamf Admin.

Adding a Script to Jamf Pro


If your environment is one in which scripts are stored in the Jamf Pro database, you can add a script to Jamf
Pro using the script editor.

1. In Jamf Pro, click Settings in the sidebar.


2. In the Computer management section, click Scripts.
3. Click New.
4. Use the General pane to configure basic settings for the script, including the display name and category.

Note: If you do not add the script to a category, Jamf Admin displays the script in blue text in the
Unknown category.

5. Click the Script tab and enter the script contents in the script editor. You can use the settings on the tab to
configure syntax highlighting and theme colors in the script editor.
6. Click the Options tab and configure additional settings for the script, including the priority and parameter
labels.

7. (Optional) Click the Limitations tab and configure operating system requirements for the script.
8. Click Save.

Adding a Script to Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

Adding a script to Jamf Admin adds the script to the Jamf Pro database and to Jamf Pro.

Requirements
To add a script to Jamf Admin, the script file must be non-compiled and in one of the following formats:

• Perl (.pl) [1]
• Bash (.sh)
• Shell (.sh)
• Non-compiled AppleScript (.applescript)
• C Shell (.csh)
• Zsh (.zsh)
• Korn Shell (.ksh)
• Tool Command Language (.tcl)
• Hypertext Preprocessor (.php) [3]
• Ruby (.rb) [1]
• Python (.py) [1][2]

[1] These scripting runtimes are deprecated as of macOS 10.15. They may be removed in a future version of
macOS. To avoid issues, we recommend either using alternative scripting runtimes or deploying and
managing your own runtimes on managed computers.

[2] macOS 12 automatically installs Python 2.7 for compatibility purposes. However, when using Jamf Pro to
execute scripts that call on Python on computers running macOS 12, users may be presented with an alert
stating that Jamf needs to be updated.

[3] Hypertext Preprocessor (.php) is not installed by default on computers with macOS 12 or later.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. Drag the script to the main repository in Jamf Admin.
The script is displayed in blue text in the Unknown category until you add it to a category.
3. Double-click the script in the main repository.
4. Click the General tab and configure basic settings for the script, including the display name and category.

5. Click the Options tab and configure additional settings for the script, including the priority and parameter
labels.

6. Click OK.

The script is now added to Jamf Pro and the Jamf Pro database.

Editing or Deleting a Script Using Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. In the main repository, select the script you want to edit or delete.
3. Do one of the following:
◦ To edit the script, double-click it and make changes as needed. Then click OK.

◦ To delete the script, click Delete, and then click Delete again to confirm.

The edit or delete action is applied immediately.

Running Scripts Using a Policy


When you run a script, you can choose a priority for running the script. You can also enter parameter values for
the script.

Note: When running a script that contains HTML tags in the output, the tags are not rendered in policy
logs.

Requirements
To run a script on computers, the script must be stored on the distribution point you plan to deploy it from
and in Jamf Pro, or in the Jamf Pro database.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Scripts payload and click Configure.
6. Click Add for the script you want to run.
7. Configure the settings for the script.
8. Use the Restart Options payload to configure settings for restarting computers.
9. Click the Scope tab and configure the scope of the policy.
10. (Optional) Click the Self Service tab and make the policy available in Self Service.
11. (Optional) Click the User Interaction tab and configure messaging and deferral options.
12. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.
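
A script run by a policy executes with root privileges, so a parameter value entered in the policy should be validated before the script acts on it. The following is an added example, not part of the Jamf documentation: it assumes a hypothetical parameter labeled "Wallpaper Path" passed as parameter 4 (Jamf Pro reserves parameters 1–3 for the mount point, computer name, and user name) and reuses the /Users/Shared/Wallpaper/ directory and image formats from the wallpaper procedure.

```shell
#!/bin/sh
# Added example (not Jamf's code): validate a policy-supplied script parameter.
# Jamf Pro fills $1-$3 (mount point, computer name, user name); values typed
# into the policy's Scripts payload arrive as $4 and later.

# Directory taken from the wallpaper procedure's example path (assumption).
ALLOWED_DIR="/Users/Shared/Wallpaper"

# validate_wallpaper_path CANDIDATE [ALLOWED_DIR]
# Returns 0 if CANDIDATE is acceptable; otherwise prints a reason on stderr
# and returns a distinct non-zero code:
#   1 empty value      2 outside the allowed directory   3 relative components
#   4 unsupported image extension   5 not a regular file (missing or symlink)
validate_wallpaper_path() {
    candidate=$1
    allowed=${2:-$ALLOWED_DIR}
    allowed=${allowed%/}            # tolerate a trailing slash

    if [ -z "$candidate" ]; then
        echo "parameter is empty" >&2
        return 1
    fi

    # Must be an absolute path below the allowed directory.
    case $candidate in
        "$allowed"/*) ;;
        *) echo "path is outside $allowed" >&2; return 2 ;;
    esac

    # Reject "." and ".." components that could step out of the directory.
    case $candidate in
        */../*|*/..|*/./*|*/.)
            echo "path contains relative components" >&2; return 3 ;;
    esac

    # Common extensions for the formats in the wallpaper requirements
    # (JPEG, PICT, TIFF, PNG, HEIC), compared case-insensitively.
    ext=$(printf '%s' "${candidate##*.}" | tr '[:upper:]' '[:lower:]')
    case $ext in
        jpg|jpeg|pict|tif|tiff|png|heic) ;;
        *) echo "unsupported image extension: $ext" >&2; return 4 ;;
    esac

    # The final path component must exist as a regular file, not a symlink.
    if [ -L "$candidate" ] || [ ! -f "$candidate" ]; then
        echo "not a regular file: $candidate" >&2
        return 5
    fi
    return 0
}

main() {
    # $4 is the hypothetical "Wallpaper Path" parameter.
    validate_wallpaper_path "$4" || {
        rc=$?
        echo "Wallpaper check failed (code $rc)"
        return "$rc"            # non-zero exit status signals the failure
    }
    echo "Wallpaper check passed: $4"
}

# Run only when invoked with policy-style arguments ($1-$3 plus $4).
if [ "$#" -ge 4 ]; then
    main "$@"
    exit $?
fi
```

Text the script writes to standard output appears in the policy log, so the failure code can be read there when troubleshooting.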

Printers
You can manage printers in your environment by adding them to Jamf Pro or Jamf Admin.

When adding a printer, you can configure the following settings:

• Add the printer to a category.


• Specify an operating system requirement for mapping the printer.

Keep the following in mind:

• When you add a printer to Jamf Pro, you manually specify information about the printer, such as the CUPS
name, device URI, and PPD file.
• When you add a printer to Jamf Admin, you choose from a list of printers that are on the computer running
Jamf Admin.
• When you add, edit, or delete a printer in Jamf Admin, the changes are reflected in Jamf Pro and vice versa.

Related Content

• Policy Management

Adding a Printer to Jamf Pro


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer Management section, click Printers.
3. Click New.
4. Use the General pane to configure basic settings for the printer, including the display name and category.
5. Click the Definition tab and specify information about the printer, including the CUPS name, device URI,
and PPD file.
To find the CUPS name of your printer, do the following:
a. Open Terminal and enter cupsctl WebInterface=yes.
b. In a web browser, navigate to http://localhost:631/printers.
The CUPS names of printers installed on your system are listed under Queue Name.
You can use the included generic postscript printer description (PPD) file in Jamf Pro, or upload your own
PPD file. Most printer configurations can use the generic PPD file. To upload your own PPD file, do the
following:
a. Deselect the Use generic PPD file checkbox.
b. Click Upload PPD.
c. Click Choose File and select your PPD file, then click Upload.
6. (Optional) Click the Limitations tab and specify an operating system requirement.
7. Click Save.

Adding a Printer to Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

Requirements
To add a printer to Jamf Admin, the printer must be installed on the computer using Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. Click Add Printers.
3. If prompted, authenticate locally.
4. Select the checkbox next to each printer you want to add.

5. (Optional) Choose a category to add printers to.


6. Click Add.
7. Select the printer in the main repository and double-click it.
8. Click the General tab and configure basic settings for the printer, including the display name and category.

9. Click OK.

Editing or Deleting a Printer in Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. In the main repository, select the printer you want to edit or delete.
3. Do one of the following:
◦ To edit the printer, double-click it and make changes as needed. Then click OK.

◦ To delete the printer, click Delete, and then click Delete again to confirm.

Mapping or Unmapping a Printer Using a Policy

Requirements
To map or unmap a printer, the printer must be added to Jamf Admin or Jamf Pro.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Printers payload and click Configure.
6. Click Add across from the printer you want to map or unmap.
7. Choose "Map" or "Unmap" from the Action pop-up menu.
8. (Optional) If you are mapping the printer, make it the default printer by selecting the Set as Default
checkbox.
9. Use the Restart Options payload to configure settings for restarting computers.
10. Click the Scope tab and configure the scope of the policy.
11. (Optional) Click the Self Service tab and make the policy available in Self Service.
12. (Optional) Click the User Interaction tab and configure messaging and deferral options.
13. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Dock Items
You can manage Dock items on computers by adding them to Jamf Pro or Jamf Admin.

Keep the following in mind:

• When you add a Dock item to Jamf Admin, you choose from a list of Dock items that are on the computer
running Jamf Admin.
• When you add a Dock item to Jamf Pro, you manually specify information about the Dock item.
• When you add, edit, or delete a Dock item in Jamf Admin, the changes are reflected in Jamf Pro and vice
versa.

Related Content

• Policy Management

Adding a Dock Item to Jamf Pro


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer Management section, click Dock Items.
3. Click New.
4. Configure the Dock item using the settings on the pane.

5. Click Save.

Adding a Dock Item to Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

Requirements
To add a Dock item to Jamf Admin, the Dock item must exist on the computer using Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. Click Add Dock Items.
3. Select the checkbox next to each Dock item you want to add.

4. Click Add.

Deleting a Dock Item in Jamf Admin

Disclaimer:

Jamf Admin is deprecated and will be removed in a future release of Jamf Pro (estimated removal date:
19 March 2024). Jamf is committed to finding alternative solutions for key workflows from Jamf Admin.

1. Open Jamf Admin and authenticate to the Jamf Pro server.


2. In the main repository, select the Dock item you want to delete.
3. Click Delete, and then click Delete again to confirm.

Adding or Removing a Dock Item from Computers Using a Policy


You can add or remove Dock items on computers by using a policy.

When you add a Dock item on computers, you can choose whether to add it to the beginning or the end of the
Dock.

Requirements
To add or remove a Dock item on computers, the Dock item must be added to Jamf Admin or Jamf Pro.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Dock Items payload and click Configure.
6. Click Add for the Dock item you want to add or remove.
7. Choose "Add to Beginning of Dock", "Add to End of Dock", or "Remove from Dock" from the Action pop-up
menu.
8. Use the Restart Options payload to configure settings for restarting computers.
9. Click the Scope tab and configure the scope of the policy.
10. (Optional) Click the Self Service tab and make the policy available in Self Service.
11. (Optional) Click the User Interaction tab and configure messaging and deferral options.
12. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Local Accounts
You can use a policy to perform the following local account management tasks:

• Create a new account.
• Delete an existing account.
• Reset the password for an existing account.
• Disable an existing account for FileVault.

When you create a new account, you can also do the following:

• Specify the password and password hint.
• Specify a location for the home directory.
• Configure the account picture.
• Give the user administrator privileges to the computer.
• Enable the account for FileVault.

When you delete an existing account, you can permanently delete the home directory or specify an archive
location.

Related Content

• Policy Management

Administering Local Accounts Using a Policy

Requirements
(macOS 10.14 or later only) To reset an existing account password, the secure token for the account must
be disabled.

(macOS 10.13 or later only) To enable the account for FileVault, a valid management account with a secure
token is required to add the new user.

For more information on secure token, see Use secure token, bootstrap token, and volume ownership in
deployments in Apple Platform Deployment.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Local Accounts payload and click Configure.
6. Choose an action from the Action pop-up menu.

7. Configure the action using the options on the pane.
8. Use the Restart Options payload to configure settings for restarting computers.
9. Click the Scope tab and configure the scope of the policy.
10. (Optional) Click the Self Service tab and make the policy available in Self Service.
11. (Optional) Click the User Interaction tab and configure messaging and deferral options.
12. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

MDM-Enabled Local User Accounts


MDM-enabled local user accounts allow you to manage the following user-specific settings on computers:

• Deploy user-level configuration profiles.
• Receive the EDU profile via the user channel for managed classes.
For more information, see Classes.

In most Jamf Pro enrollment scenarios, the primary local user account is MDM-enabled when an MDM profile
is installed during enrollment. In a computer's General inventory record, the MDM Capability attribute
determines if a computer has an MDM-enabled local user.

When the primary user on the computer is not MDM-enabled, you can change which user is MDM-enabled
after computer enrollment using the jamf agent. The jamf agent can interact with the profiles binary to
re-enroll the MDM profile to enable the primary user. This modification method is not possible in the following
scenarios:

• The MDM profile was set to be non-removable by deselecting the Allow MDM Profile Removal checkbox
in the computer PreStage Enrollment settings.
• The computer has macOS 11 or later. Computers with macOS 11 or later cannot silently install or reinstall
MDM profiles using the profiles binary.

To enable a different user account for MDM on computers enrolled using these methods, a full unenroll and
re-enroll with Jamf Pro is required.

Enrollment Methods that Enable MDM for Users


The following table explains several methods that enable a user for MDM in Jamf Pro:

Method: Computer PreStage enrollment
OS Requirement: N/A
Description: When enrolling a computer via a PreStage enrollment using Automated Device Enrollment
(formerly DEP), users created during the Setup Assistant will be MDM-enabled.
The local user account will not be MDM-enabled if at least one of the following is true:
• The Skip Account Creation checkbox is selected in the PreStage enrollment and the local user account
was created via a policy or Jamf Connect Login.
• (Jamf Pro 10.24.0 or later, macOS 11 or later) The Make the local administrator account MDM-enabled
checkbox is selected in the Account Settings payload of the PreStage enrollment.

Method: User-initiated enrollment
OS Requirement: N/A
Description: By default, the logged-in user on the computer will be MDM-enabled after enrollment.

Method: Agent-based enrollment with a QuickAdd.pkg or the Jamf management framework
OS Requirement: macOS 10.15.7 or earlier
Description: The logged-in user will be MDM-enabled.

Method: User-level configuration profile installation through Self Service for macOS
OS Requirement: macOS 10.15.7 or earlier
Description: Self Service will attempt to enable the logged-in user for MDM if the user is not already
MDM-enabled and the computer has a removable MDM profile.

Note:

• Network and mobile user accounts are MDM-enabled by default in Jamf Pro, no matter the
enrollment method that was used.
• For computers with macOS 10.12 or later, only one local user account can be MDM-enabled on a
computer at a time. If a second local user account becomes MDM-enabled on the computer, the first
local user account will no longer be MDM-enabled.

MDM-Enabled User Modification


If you want to enable a different local user account for MDM, you can execute the following command to enable
MDM for the currently logged-in user on computers with macOS 10.15.7 or earlier and a removable MDM
profile:

sudo jamf mdm -userLevelMdm

Note: For computers with macOS 10.13.2–10.15.7, this command will set the User Approved MDM
status to “No” in the Jamf Pro inventory record. To re-enable User Approved MDM status, see the
Managing User Approved MDM with Jamf Pro article. If you use this command as a part of existing
workflows, you should evaluate the impact of these changes.

To change the MDM-enabled user on a computer with macOS 11 or later, you must completely unenroll and
then re-enroll the computer in Jamf Pro by doing one of the following:

• Computers with a removable MDM profile—Execute the sudo jamf removeframework command.
After the computer is unenrolled, you can re-enroll it using a PreStage enrollment or user-initiated
enrollment.
• Computers with an unremovable MDM profile— Use Jamf Pro to send the Remove MDM Profile remote
command, and then execute the sudo jamf removeframework command. After the computer is
unenrolled, you can re-enroll it using a PreStage enrollment or user-initiated enrollment.

Management Accounts
When you enroll a computer with Jamf Pro, you must specify a local administrator account called the
"management account". However, choosing to create the management account on computers is optional and
is only required for some workflows. The management account only needs to be created if you want to log in to
a specific computer to perform management tasks.

To create the management account, you must enable user-initiated enrollment, and then configure the
management account username.

Warning: Do not use the same username for the management account created in User-Initiated
Enrollment settings and a managed local administrator account created in a PreStage enrollment. If the
same username is used for both, those accounts may not be created correctly during Automated Device
Enrollment, and unexpected errors may occur. In addition, the password for the local administrator
password solution (LAPS) will not be retrievable in the Jamf Pro API.

Important: The management account must be created to allow use of local administrator password
solution (LAPS) functionality, which you can use to manage the management account password. For
more information, see the Local Administrator Password Solution for Jamf Pro technical paper.

You can identify if a computer is managed by viewing the Managed attribute field in computer inventory
information. For more information, see Computer Inventory and Criteria Reference.

Related Content

• Local Accounts
• Automated Device Enrollment for Computers
• Policy Management
• Device Enrollment for Computers

Administering the Management Account Using a Policy


You can use a policy to administer the management account, allowing you to rotate the account password.
When enabled, the Rotate the account password option rotates the management account password to a new
29-character password using the LAPS configuration in the Jamf Pro API. For more information, see the Local
Administrator Password Solution for Jamf Pro technical paper.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Management Account payload, and then select the Rotate the account password
checkbox.
6. Click the Scope tab and configure the scope of the policy.
7. (Optional) Click the Self Service tab and make the policy available in Self Service.
8. (Optional) Click the User Interaction tab and configure messaging and deferral options.
9. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Directory Bindings
You can add and manage the following types of directory bindings using Jamf Pro:

• Microsoft's Active Directory
• Apple's Open Directory
• PowerBroker Identity Services (formerly called “Likewise”)
• ADmitMac
• Centrify

Related Content

• Policy Management

Adding a Directory Binding


1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Directory bindings.
3. Click New.
4. Choose the type of directory binding you want to add and click Next.
5. Configure the directory binding using the tabs and options provided.
The tabs and options provided match the ones in the third-party directory service software.
6. (Active Directory and ADmitMac only) To create an account for users to log into their computer when it is
connected to another network, select the Create mobile account at login checkbox.

Note: An account synchronization tool such as Jamf Connect, NoMAD Pro, or Apple’s Enterprise
Connect can be used to sync computers with the directory. For more information about Jamf
Connect, see the Jamf Connect Documentation.

7. Click Save.

Binding Computers to a Directory Service Using a Policy


You can bind computers to a directory service using a policy or a PreStage enrollment. For more information
about how to bind a computer to a directory service using a PreStage enrollment, see Automated Device
Enrollment for Computers.

Requirements
To bind computers to a directory service, you need a directory binding in Jamf Pro.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.
5. Select the Directory Bindings payload and click Configure.
6. Click Add for the directory service you want to bind to.
7. Use the Restart Options payload to configure settings for restarting computers.
8. Click the Scope tab and configure the scope of the policy.
9. (Optional) Click the Self Service tab and make the policy available in Self Service.
10. (Optional) Click the User Interaction tab and configure messaging and deferral options.
11. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

FileVault Encryption
You can enable FileVault encryption on computers in your environment using the built-in functionality in Jamf
Pro. FileVault is the native encryption capability built into Mac computers. Enabling it with Jamf Pro makes
computers require a user's credentials to complete the boot process, ensuring that data in your environment is
secure. Additionally, after a computer activates FileVault and escrows its recovery key with Jamf Pro, you can
use that key to reset user passwords and access macOS recovery.

Enabling FileVault with an MDM is a process Apple calls "deferred enablement", which consists of the
following steps when done with Jamf Pro:

1. Jamf Pro deploys FileVault settings to the computer.
2. macOS prompts the user to enter their credentials at either login or logout.
3. FileVault is activated, and, if using a personal recovery key, the key is escrowed with Jamf Pro.

You can enable FileVault using the following methods available in Jamf Pro:

Deploy a configuration profile with FileVault settings
With this method, the settings install immediately, prompting the end user to enable FileVault either at
login or logout. If configured to use a personal recovery key, the computer escrows the key with Jamf Pro
at the time of the next inventory update. Jamf recommends this method for most environments.

Deploy a disk encryption configuration with a policy
With this method, the settings install at the time the policy is configured to be run, prompting the end user
to enable FileVault either at login or logout. If configured to use a personal recovery key, the Jamf
management framework on the computer escrows the key with Jamf Pro immediately upon running the
policy. Jamf recommends this method for environments where advanced user experience customizations
or custom triggers are required.

Note: Choose only one method to enable FileVault. Using more than one method per target computer
can result in unexpected behaviors.

After FileVault has been activated on target computers, you can use Jamf Pro to view the recovery key and
issue a new one.

Related Content

• Intro to FileVault (Apple Platform Deployment Guide)

Preparation for FileVault Enablement


Preparing for FileVault enablement involves understanding the basics of how FileVault works with macOS user
accounts and deciding on a recovery key type to use in your environment. If you choose to use an institutional
recovery key, you will need to create and export it before deploying FileVault settings to target computers. If
you choose to use a personal recovery key (also known as an "individual recovery key"), each computer will
create its own unique key to be automatically escrowed by Jamf Pro during the enablement process.

When planning out a workflow to automate FileVault enablement, make sure to consider the following:

• Once a computer volume has completed the encryption process, it requires a FileVault enabled user to
complete the boot process and be decrypted.
• The first user account to authenticate to macOS after FileVault is enabled will become the first FileVault
enabled user for that computer.
• Only FileVault enabled user accounts can grant the FileVault enabled status to other user accounts.

Therefore, any provisioning workflow that creates a macOS user account to be used temporarily and then
deleted may run the risk of deleting the only FileVault enabled user account on the computer. If this happens,
the computer's encrypted disk cannot be unlocked either remotely or manually. Computers in this state must
be wiped and reprovisioned.

In addition, Jamf does not recommend using the Jamf Pro management account as the first FileVault enabled
user account on computers. In most cases, the end user's macOS account should be designated as the first
FileVault enabled user account instead.
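
The lockout risk described above can be checked before a provisioning workflow deletes its temporary account. The following shell functions are an added example, not part of the Jamf documentation or Jamf's code. They assume the "shortname,GeneratedUID" line format printed by the macOS fdesetup list command; the account names (provision, jdoe, jamfmgmt) and UUIDs are constructed sample values.

```shell
#!/bin/sh
# Added example, not Jamf code: decide whether a provisioning workflow may
# delete a local account without removing the last FileVault-enabled user.

# Constructed samples in the "shortname,GeneratedUID" format printed by
# `fdesetup list`; the account names and UUIDs are made up.
SAMPLE_ONLY_TEMP='provision,0B7E1C1A-0000-4000-8000-000000000001'
SAMPLE_TEMP_AND_USER='provision,0B7E1C1A-0000-4000-8000-000000000001
jdoe,0B7E1C1A-0000-4000-8000-000000000002'
SAMPLE_TEMP_AND_MGMT='provision,0B7E1C1A-0000-4000-8000-000000000001
jamfmgmt,0B7E1C1A-0000-4000-8000-000000000003'

# fv_users LIST
# Print the short name of every FileVault-enabled user, one per line.
# Blank lines and lines without a comma-separated UUID field are ignored.
fv_users() {
    printf '%s\n' "$1" | awk -F',' 'NF >= 2 && $1 != "" { print $1 }'
}

# deletion_verdict LIST ACCOUNT [MGMT_ACCOUNT]
# Prints one verdict for deleting ACCOUNT:
#   blocked  ACCOUNT is the only FileVault-enabled user; deleting it would
#            leave no account able to unlock the encrypted disk
#   warn     only MGMT_ACCOUNT would remain FileVault enabled
#   safe     ACCOUNT is not FileVault enabled (this includes an empty
#            list), or another non-management account remains enabled
#   usage    no ACCOUNT was given
deletion_verdict() {
    list=$1
    account=$2
    mgmt=${3:-}
    if [ -z "$account" ]; then
        echo usage
        return 0
    fi
    users=$(fv_users "$list")
    # Whole-line, fixed-string match so "jdoe" never matches "jdoe2".
    if ! printf '%s\n' "$users" | grep -qxF -- "$account"; then
        echo safe
        return 0
    fi
    # grep exits non-zero when nothing remains; that is an expected result.
    remaining=$(printf '%s\n' "$users" | grep -vxF -- "$account" || true)
    if [ -z "$remaining" ]; then
        echo blocked
    elif [ -n "$mgmt" ] && [ "$remaining" = "$mgmt" ]; then
        echo warn
    else
        echo safe
    fi
}

# Walk the constructed samples when the file is run directly.
for sample in "$SAMPLE_ONLY_TEMP" "$SAMPLE_TEMP_AND_USER" "$SAMPLE_TEMP_AND_MGMT"; do
    printf '%s-> %s\n' "$(fv_users "$sample" | tr '\n' ' ')" \
        "$(deletion_verdict "$sample" provision jamfmgmt)"
done
# On a Mac, as root: deletion_verdict "$(fdesetup list)" provision jamfmgmt
```

A verdict of blocked means the deletion step should be skipped until an end user's account has been FileVault enabled.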

Related Content

• FileVault Enablement with Jamf Connect

Recovery Key Types


Before enabling FileVault disk encryption, choose the type of recovery key that you want to use to recover
encrypted data. There are two types of recovery keys:

Personal (also known as "Individual")
Uses a unique alphanumeric recovery key for each computer. The personal recovery key is generated on
the computer and sent back to Jamf Pro for storage when the encryption takes place. Personal recovery
keys can function as a passphrase and unlock or decrypt the encrypted disk.

Institutional
Uses a shared recovery key containing a private and public key pair. If used, you must create the
recovery key with Keychain Access and upload only the public key to Jamf Pro for storage. Institutional
recovery keys can be used across multiple computers to unlock or decrypt the encrypted disk, so Jamf
recommends keeping the institutional recovery key in a highly secure location.

Warning: Institutional recovery keys present a greater inherent security concern because they
can be used for multiple computers. They also have more limited functionality on Macs with Apple
silicon, and Apple no longer recommends them for institutional management in general. For most
environments, Jamf recommends using personal recovery keys.

You can also choose to use both recovery keys (personal and institutional) together.

Related Content

• Manage FileVault with mobile device management (Apple Platform Deployment Guide)

Creating and Exporting an Institutional Recovery Key

Note: If you plan to use only a personal recovery key in your environment, you do not need to perform
this workflow.

To use an institutional recovery key, you must first create and export a recovery key using Keychain Access.

You can export the recovery key with or without the private key. Exporting with the private key allows you to
store it in Jamf Pro. If you export without the private key, you must store it in a secure location so you can
access it when needed.

Note: You cannot use an institutional recovery key with a private key to activate FileVault Disk
Encryption using a configuration profile in Jamf Pro. You must create and deploy the disk encryption
configuration using a policy in Jamf Pro.

Creating and Exporting an Institutional Recovery Key with the Private Key

Requirements
You need an administrator computer with macOS 10.11 or later to create and export an institutional
recovery key.

1. On an administrator computer, open Terminal and execute the following command:

sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain

2. When prompted, enter a password for the new keychain.
3. To unlock the keychain, open Terminal and execute the following command:

security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

4. Perform a backup of the keychain and save it in a secure location.
5. Open Keychain Access.
6. From the menu bar, choose Add Keychain from the File pop-up menu, and then add the
FileVaultMaster.keychain file located in /Library/Keychains/.
7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select All Items under the
Category heading.
8. Verify that a private key is associated with the certificate.

9. Select the certificate and the private key.
10. From the menu bar, choose Export Items from the File pop-up menu. Then save the items as a .p12 file.
The .p12 file is a bundle that contains both the Recovery Key and the private key.
11. Create and verify a password to secure the file, and then click OK.
You will be prompted to enter this password when uploading the recovery key to Jamf Pro.
12. Quit Keychain Access.
13. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access
encrypted data at a later time.
Without the keychain, you will not be able to decrypt the computer.

The Recovery Key and the private key are saved as a .p12 file in the location you specified.

Creating and Exporting an Institutional Recovery Key without the Private Key

Requirements
You need an administrator computer with macOS 10.11 or later to create and export an institutional
recovery key.

1. On an administrator computer, open Terminal and execute the following command:

sudo security create-filevaultmaster-keychain /Library/Keychains/FileVaultMaster.keychain

2. When prompted, enter a password for the new keychain.
3. A keychain (FileVaultMaster.keychain) is created in the following location:
/Library/Keychains/
4. Unlock the keychain by opening Terminal and executing the following command:

security unlock-keychain /Library/Keychains/FileVaultMaster.keychain

5. Open Keychain Access.
6. From the menu bar, choose "Add Keychain" from the File pop-up menu. Then, add the
FileVaultMaster.keychain file located in /Library/Keychains/.
7. Select FileVaultMaster under the Keychains heading in the sidebar, and then select "All Items" under the
Category heading.
8. Select the certificate.

Important: Do not select the private key associated with the certificate.

9. From the menu bar, choose "Export Items" from the File pop-up menu. Then, save the recovery key as
a .pem file or .cer file.
You will need to upload this file to Jamf Pro when creating the disk encryption configuration.
10. Quit Keychain Access.
11. Store the keychain (FileVaultMaster.keychain) in a secure location so you can use it to access encrypted
data at a later time.

The Recovery Key is saved as a .cer file or a .pem file in the location you specified.

FileVault Enablement
You can use Jamf Pro to enable FileVault on managed computers using either a configuration profile or a disk
encryption configuration and policy.

Note: Choose only one method to enable FileVault. Using more than one method per target computer
can result in unexpected behaviors.

Enabling FileVault Disk Encryption Using a Configuration Profile


You can activate FileVault disk encryption on managed computers using a configuration profile. Disk
encryption configuration will deploy at the next user logout.

Note: You cannot use an institutional recovery key with a private key to activate FileVault Disk
Encryption using a configuration profile in Jamf Pro. You must create and deploy the disk encryption
configuration using a policy in Jamf Pro.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings, which includes the distribution method.

Note: This configuration profile payload can only be applied at the Computer Level. Only payloads
and settings that apply to the selected level are displayed for the profile.

5. Use the Security & Privacy payload to configure FileVault settings.

Important: Configuration profiles configured with the Force Enable In Setup Assistant setting
enabled must be deployed as part of a PreStage enrollment in order to activate FileVault on
managed computers. In addition, target computers must have macOS 14.0 or later. If the Account
Settings payload in the PreStage enrollment is configured to create an additional local user
account, the Local User Account Type must be set to Administrator Account. For more information
on how to include a configuration profile in a PreStage Enrollment, see "Installing Configuration
Profiles during Automated Device Enrollment" in Automated Device Enrollment for Computers.

a. Click FileVault.

b. Use the toggle to include the Enable FileVault setting.
c. In the Event to prompt FileVault enablement setting, select At Logout.
d. Choose Personal recovery key, Institutional recovery key, or both.
e. If you are using an institutional key, select the certificate that contains the public key from the
institutional recovery keychain. You can use the Certificate payload to upload an institutional recovery key
to Jamf Pro.
f. Click Escrow Personal Recovery Key to enable the device to encrypt the personal recovery key with
the provided certificate and report it to Jamf Pro.
6. (Optional) Use the rest of the payloads to configure the settings you want to apply.
7. Click the Scope tab and configure the scope of the profile.
8. (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self
Service settings for the profile.
9. Click Save.

The FileVault settings are deployed immediately to computers in the scope. Volumes are encrypted after users
authenticate to macOS upon logging out.

Enabling FileVault Disk Encryption Using a Policy


Enabling FileVault disk encryption using a policy involves the following steps:

1. Creating a disk encryption configuration
2. Deploying the disk encryption configuration to target computers using a policy

Creating a Disk Encryption Configuration


Creating a disk encryption configuration in Jamf Pro is the first step to activating FileVault on computers using
a policy. Disk encryption configurations allow you to configure the type of recovery key to use for recovering
encrypted data, as well as the user for which to enable FileVault.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Computer management section, click Disk encryption configuration.
3. Click New.
4. Enter a name for the disk encryption configuration in the Display Name field.
5. Choose a type of recovery key from the Recovery Key Type pop-up menu.
If you chose "Institutional" or "Individual and Institutional" recovery key, click Upload Institutional
Recovery Key and upload the recovery key to Jamf Pro. The recovery key must be a .p12 or .cer file. If
you upload a .p12 file, you are prompted to enter the password that you created when exporting the key
from Keychain Access.
6. Choose "Current or Next User" or "Management Account" from the Enabled FileVault 2 User pop-up
menu.

Current or Next User
Makes the user that is logged in to the computer when the encryption takes place the enabled
FileVault user. If no user is logged in, the next user to log in becomes the enabled FileVault user.

Management Account
Makes the management account on the computer the enabled FileVault user.

Important:
◦ Computers with macOS 10.13.2 or later cannot use the management account as the
enabled FileVault user due to the lack of a secure token.
◦ Jamf does not recommend using the Jamf Pro management account as the first FileVault
enabled user account on computers. This way you can avoid any potential confusion with
randomized management account passwords.

7. Click Save.

The disk encryption settings are saved and ready to deploy to target computers using a policy.

Deploying a Disk Encryption Configuration Using a Policy


The event that activates FileVault depends on the enabled FileVault user specified in the disk encryption
configuration and whether the computer is Apple File System (APFS) enabled. If the enabled user is a
management account and the computer is APFS enabled, FileVault is activated on a computer at the next
login without needing to reboot. If the computer is HFS+ formatted with the "Management Account" enabled
user, FileVault is activated on a computer the next time the computer restarts. If the enabled user is "Current or
Next User", you can modify when FileVault is activated on a computer. Options include the following:

• The next time the computer restarts
• The next time the current user logs out
• The next login or after multiple user logins (ranging from two to six logins)

Note: If the restart is done using a built-in policy, FileVault will not be activated.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Policies in the sidebar.
3. Click New.
4. In the General payload, enter a display name for the policy (e.g., "FileVault Disk Encryption").
5. Select a trigger.
6. Choose "Ongoing" from the Execution Frequency pop-up menu.
7. Select the Disk Encryption payload and click Configure.

8. Choose "Apply Disk Encryption Configuration" from the Action pop-up menu.
9. Choose the disk encryption configuration from the Disk Encryption Configuration pop-up menu.
10. Choose an event from the Require FileVault 2 pop-up menu to specify when users must enable disk
encryption.
11. (Optional) If Management Account is selected as the enabled FileVault user in the disk encryption
configuration, do the following:
a. Select the Restart Options payload and configure restart settings for the computer.

Note: Select Restart from the appropriate pop-up menu to include a restart prompt. Select
Restart immediately to restart without prompting. The Restart option does not work if configured
to encrypt at logout.

b. You can select Perform authenticated restart on computers with FileVault 2 enabled to allow
computers with macOS 10.8.2 or later that are FileVault enabled to be restarted without requiring an
unlock the next time the computer starts. This affects future reboots, but does not apply to the setup of
the original encryption policy.
c. Click the User Interaction tab and customize the restart message displayed to users.
12. Click the Scope tab and configure the scope of the policy.
13. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and match the selected
trigger in the General payload.
Related Content

• Creating a Policy

FileVault Management
After FileVault has been activated on target computers and encryption has completed, you can use Jamf Pro to
view the recovery key and issue a new one.

Viewing the FileVault Recovery Key for a Computer


You can view the recovery key for a FileVault-encrypted computer and use it to unlock the computer's disk.

1. In Jamf Pro, navigate to the computer you want to view the recovery key for, and then click the Inventory
tab.
2. Select Disk Encryption in the list of categories, and then click Show Key.
If the recovery key is a personal recovery key (also known as an individual recovery key), it is displayed in
Jamf Pro. If the recovery key is an institutional recovery key, click Download to download it.

Note: Jamf Pro records each time a computer's recovery key is viewed in the computer's inventory
record under History > Audit Logs. Jamf recommends issuing a new key after the current one is
viewed and used.

Issuing a New FileVault Recovery Key


You can use a policy to issue a new FileVault recovery key to computers with macOS 10.14 or later that have
FileVault activated. This allows you to do the following:

• Replace a personal (also known as "individual") recovery key that has been reported as invalid and does
not match the recovery key stored in Jamf Pro.
• Update the recovery key on computers on a regular schedule, without needing to decrypt and then re-
encrypt the computers.

Requirements
To issue a new personal recovery key to a computer, the computer must have:

• FileVault activated
• One of the following two conditions met:
◦ An existing, valid personal recovery key that matches the key stored in Jamf Pro
◦ A FileVault enabled user account with a secure token

To issue a new institutional recovery key to a computer, the computer must have:

• FileVault enabled
• A FileVault enabled user account with a secure token

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click New.
4. In the General payload, enter a display name for the policy (e.g., "FileVault New Personal Recovery Key").
5. Select a trigger and execution frequency.
6. Select the Disk Encryption payload and click Configure.
7. Choose "Issue New Recovery Key" from the Action pop-up menu.
8. Choose the type of recovery key you want to issue from the Recovery Key Type pop-up menu:

Individual
A new personal (also known as "individual") recovery key is generated on each computer and then
submitted to Jamf Pro for storage.
Institutional
A new institutional recovery key is deployed to computers and stored in Jamf Pro.
Individual and Institutional
Issues both types of recovery keys to computers.

If you chose "Institutional" or "Individual and Institutional", choose the disk encryption configuration to use
to issue the new recovery key from the Disk Encryption Configuration for Institutional Key pop-up
menu.
9. Click the Scope tab and configure the scope of the policy.
10. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro, prompting FileVault
enabled users to enter their password to repair the encryption key.
Related Content

• Use secure token, bootstrap token, and volume ownership in deployments (Apple Platform Deployment
Guide)

Setting or Removing an EFI Password


To ensure the security of managed computers, you can use a policy to set or remove an Open Firmware/EFI
password.

Requirements
Target computers with an Intel processor.

Note: On Mac computers with Apple silicon, enable FileVault to require users to enter a password
on start up from macOS recovery or a different startup disk.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Policies in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the policy, including the trigger and execution
frequency.

5. Select the EFI Password payload and click Configure.


6. Do one of the following:
◦ To set an Open Firmware/EFI password, select Set Password, and then enter and verify the password.
◦ To remove an Open Firmware/EFI password, select Remove Password, and then enter and verify the
current password.
7. Use the Restart Options payload to configure settings for restarting computers.
8. Click the Scope tab and configure the scope of the policy.
9. (Optional) Click the Self Service tab and make the policy available in Self Service.
10. (Optional) Click the User Interaction tab and configure messaging and deferral options.
11. Click Save.

The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.

Related Content

• Policy Management

• Set a firmware password on your Mac (Apple)

Remote Administration
Jamf Remote Assist

Correction–Updated 28 November 2023

The Jamf Remote Assist macOS requirements have been corrected to list macOS 11 or later.

Jamf Remote Assist, available for both on-premise and cloud-hosted environments, allows you to securely
initiate a remote session to manage computers and help users troubleshoot issues. Using the Jamf Pro
interface, Jamf Remote Assist sessions allow you to connect to a computer even when the user is not
connected to the internal network.

Note: Jamf Remote Assist is not currently available for Jamf Premium Cloud Plus customers.

Jamf Remote Assist sessions allow administrators to do the following:

• Send commands in the Command pop-up menu:

◦ Open Settings—Opens System Settings on the user's computer


◦ Open Terminal—Opens the Terminal application on the user's computer
◦ Reboot—Reboots the user's computer
• Download applications and files
• View the user's computer display name and the screen share session duration

In addition, Jamf Remote Assist includes multi-monitor support and the ability to expand the screen share to
full screen.

Enabling Jamf Remote Assist


To start a Jamf Remote Assist session with an end user, Jamf Remote Assist must be enabled in Jamf Pro.

Requirements
• Cloud Services connection configured in Jamf Pro
• A Jamf Pro user account with administrator privileges

1. In Jamf Pro, click Settings in the sidebar.


2. In the Computer management section, click Security.
3. Click Edit.
4. Select the Jamf Remote Assist checkbox.
5. If your environment is hosted on-premise, use the Jamf Remote Assist Data Storage Location pop-up
menu to specify the location where Jamf Remote Assist cloud service will store data.
6. Click Save.

Starting a Jamf Remote Assist Session


Jamf Remote Assist sessions can be started as an attended or unattended session. If the user is logged in to
their computer, the remote session starts as an attended screen sharing session. The user is notified that a
screen sharing session is about to begin and that they can Accept or Decline. The Jamf Remote Assist
session cannot start if the user declines or ignores the prompt. The session opens in a new browser tab with a
spinning wait cursor shown. The admin is prompted for a set of local account credentials. If the user is not
logged in to their computer, the remote session starts as an unattended session. No action is needed from the
user.

Requirements
• Jamf Remote Assist enabled in Jamf Pro

• macOS 11 or later
• Web browser pop-ups are enabled
• End user computer must allow screenshots and screen recording

1. In Jamf Pro, click Computers in the sidebar.


2. Perform a simple or advanced computer search.
For more information, see Simple Computer Searches or Advanced Computer Searches in the Jamf Pro
Documentation.
3. Select the computer you want to start a remote session with.
If you performed a simple search for an item other than computers, you must click Expand next to an item
to view the computers related to that item.
4. Click the Management tab, and then click the Management Commands category.
5. Click Start Session under Remote Assist.

Note: A Jamf Remote Assist session will not start if the end user's computer is locked.

The Jamf Remote Assist session window opens in a new web browser tab. After the administrator ends the
Jamf Remote Assist session by closing the web browser, a summary window displays on the end user's screen
stating that the session is over and providing the session duration time.

TeamViewer
TeamViewer Integration
Integrating Jamf Pro with TeamViewer, a fast and secure all-in-one solution for gaining access to computers
and networks remotely, allows you to establish a remote screen-sharing connection between a Jamf Pro
administrator and an end user's computer. For information on establishing a remote administration session
using Jamf Pro and TeamViewer, see Screen Sharing Using TeamViewer.

Note: TeamViewer integration supports all three of TeamViewer's applications: TeamViewer,
TeamViewer Host, and TeamViewer QuickSupport.

For information about the network ports required for connections, see Ports used by TeamViewer from the
TeamViewer Knowledge Hub.

TeamViewer integration is site specific. This means Jamf Pro allows you to add one configuration per site. If
there are no sites in your environment, you can add a TeamViewer configuration in the full context of your Jamf
Pro instance.

Related Content

• How to Use TeamViewer (TeamViewer)

Adding a New TeamViewer Configuration

Requirements
• This integration is only for Jamf Pro hosted instances.
• TeamViewer account with administrative privileges
• A Jamf Pro user account with Remote Administration privileges
• A script token for Jamf Pro configured in TeamViewer
• To send Self Service notifications, you must configure them in the Interaction section of the Self Service
settings in Jamf Pro. For more information, see Jamf Self Service for macOS Notifications.

1. Log in to the TeamViewer Management Console with your management account and do one of the
following:
◦ To retrieve a script token, navigate to Edit profile > Apps. Your token must include the "Create, view,
and edit all sessions" session management privilege.
◦ To create a token, do the following:
a. In the top-right corner of the TeamViewer Management Console, open your profile settings.
b. Click Apps.
c. Click Create script token.
d. Add the name and description for the token.
e. From the Session management pop-up menu, choose Create, view and edit all sessions.
f. Click Save.

Note: To avoid potential issues with an inaccessible account, it is recommended to create the script
token using a general TeamViewer account (e.g., [email protected]). Do not link the
script token to a specific administrator.

2. In a separate web browser window, log in to Jamf Pro.

3. In Jamf Pro, click Settings in the sidebar.

4. In the Global section, click Remote administration.


5. Click New.
6. Follow the onscreen instructions to add a TeamViewer configuration. Consider the following:
◦ The configuration is site specific. If your environment includes sites and you are logged in as a Jamf Pro
Site full administrator, you must select a site for your configuration or add a configuration in the full
context of your Jamf Pro instance. For site administrators, the site is automatically assigned.
◦ The Maximum Session Time setting allows you to control the session duration. It defaults to 15 minutes
with a minimum value of 1 minute and a maximum value of 1440 minutes. It is recommended to use the
minimum value greater than 5 minutes. Meetings started during a session are not terminated when the
session times out.
7. Click Complete.

Saving the configuration triggers automatic connection verification. The verification process must succeed
before you can use the configuration.

Privacy Permissions Requirements for Remote Computers


To conduct a TeamViewer session, the TeamViewer application requires the following Privacy permissions on
a remote computer:

• Accessibility—This is required to run scripts and system commands.


• Full Disk Access—This is required for File Transfer and certain administrative settings for all users on a
computer.
• Screen Recording—This allows the session supporter to see the end user's screen.

End users with administrator privileges can grant the privacy permissions manually. However, Jamf
recommends deploying a Privacy Preferences Policy Control (PPPC) configuration profile to grant the
necessary privileges on behalf of the end users.

Note: Permissions granted by an administrator are granted to all users on the computer. For more
information, see Change Privacy preferences on Mac in Apple's macOS User Guide.

Uploading a .mobileconfig File to Grant Privacy Permissions for TeamViewer

To grant the necessary privacy permissions for TeamViewer, Jamf Pro administrators can choose to upload
one of the following mobile configuration files or manually create the necessary PPPC configuration profile. To
upload one of the mobileconfig files below, see Computer Configuration Profiles.

TeamViewer Unsigned.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>d0adae37-56d9-47d4-9907-920fa564b45c</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Jamf</string>
<key>PayloadIdentifier</key>
<string>d0adae37-56d9-47d4-9907-920fa564b45c</string>
<key>PayloadDisplayName</key>
<string>TeamViewer</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>E48F876C-0EE8-45D0-BBDA-6312D03484C4</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>Jamf</string>
<key>PayloadIdentifier</key>
<string>154416B2-3FA9-4CD8-9708-61FC5A1AF02C</string>
<key>PayloadDisplayName</key>
<string>TeamViewer</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>

<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>Services</key>
<dict>
<key>ScreenCapture</key>
<array>
<dict>
<key>Authorization</key>
<string>AllowStandardUserToSetSystemService</string>
<key>Identifier</key>
<string>com.teamviewer.TeamViewer</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewer" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
<key>Accessibility</key>
<array>
<dict>
<key>Identifier</key>
<string>com.teamviewer.TeamViewer</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewer" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
<key>SystemPolicyAllFiles</key>

<array>
<dict>
<key>Identifier</key>
<string>com.teamviewer.TeamViewer</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewer" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>

TeamViewer Host Unsigned.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>47FC645A-AF41-46A3-81D7-11D03C37D592</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Jamf</string>
<key>PayloadIdentifier</key>
<string>47FC645A-AF41-46A3-81D7-11D03C37D592</string>
<key>PayloadDisplayName</key>
<string>TeamViewer Host</string>
<key>PayloadDescription</key>

<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>5B08D6F0-2C2C-4473-8125-FB5BE08C69E3</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>
<string>Jamf</string>
<key>PayloadIdentifier</key>
<string>5B08D6F0-2C2C-4473-8125-FB5BE08C69E3</string>
<key>PayloadDisplayName</key>
<string>TeamViewer</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>Services</key>
<dict>
<key>ScreenCapture</key>
<array>
<dict>
<key>Authorization</key>
<string>AllowStandardUserToSetSystemService</string>
<key>Identifier</key>
<string>com.teamviewer.TeamViewerHost</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewerHost" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>

<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
<key>Accessibility</key>
<array>
<dict>
<key>Identifier</key>
<string>com.teamviewer.TeamViewerHost</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewerHost" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.teamviewer.TeamViewerHost</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewerHost" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>

</dict>
</dict>
</array>
</dict>
</plist>

TeamViewer QuickSupport Unsigned.mobileconfig

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1">
<dict>
<key>PayloadUUID</key>
<string>3F7A9A1D-1CA8-474C-A82F-AB3EB1C8C30E</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadOrganization</key>
<string>Jamf</string>
<key>PayloadIdentifier</key>
<string>3F7A9A1D-1CA8-474C-A82F-AB3EB1C8C30E</string>
<key>PayloadDisplayName</key>
<string>TeamViewer QuickSupport</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadUUID</key>
<string>0452EAAE-18FB-403F-B938-CBCFD0BF4BC1</string>
<key>PayloadType</key>
<string>com.apple.TCC.configuration-profile-policy</string>
<key>PayloadOrganization</key>

<string>Jamf</string>
<key>PayloadIdentifier</key>
<string>0452EAAE-18FB-403F-B938-CBCFD0BF4BC1</string>
<key>PayloadDisplayName</key>
<string>TeamViewer</string>
<key>PayloadDescription</key>
<string/>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadEnabled</key>
<true/>
<key>Services</key>
<dict>
<key>ScreenCapture</key>
<array>
<dict>
<key>Authorization</key>
<string>AllowStandardUserToSetSystemService</string>
<key>Identifier</key>
<string>com.teamviewer.TeamViewerQS</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
</dict>
</array>
<key>Accessibility</key>
<array>
<dict>
<key>Identifier</key>
<string>com.teamviewer.TeamViewerQS</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>

<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
<key>SystemPolicyAllFiles</key>
<array>
<dict>
<key>Identifier</key>
<string>com.teamviewer.TeamViewerQS</string>
<key>CodeRequirement</key>
<string>anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)</string>
<key>IdentifierType</key>
<string>bundleID</string>
<key>StaticCode</key>
<integer>0</integer>
<key>Allowed</key>
<integer>1</integer>
</dict>
</array>
</dict>
</dict>
</array>
</dict>
</plist>

Manually Creating a Configuration Profile to Grant Privacy Permissions for TeamViewer

1. In Jamf Pro, click Computers in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings.
5. Configure the Privacy Preferences Policy Control payload:
a. In the Identifier field, enter com.teamviewer.TeamViewerQS.
b. From the Identifier type pop-up menu, choose Bundle ID.

The procedure includes TeamViewer QuickSupport as the application for remote administration. Use
the following identifiers and code requirements for the respective TeamViewer applications:

TeamViewer QuickSupport
Identifier: com.teamviewer.TeamViewerQS

anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

TeamViewer Full normal/TeamViewer Full start as service


Identifier: com.teamviewer.TeamViewer

anchor apple generic and identifier "com.teamviewer.TeamViewer" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

TeamViewer Host
Identifier: com.teamviewer.TeamViewerHost

anchor apple generic and identifier "com.teamviewer.TeamViewerHost" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = H7UGFBUGV6)

c. In the App or Service table, add the following:


▪ Accessibility with the value Allow—This will grant the Accessibility permission.
▪ SystemPolicyAllFiles with the value Allow—This will grant the Full Disk Access permission.
▪ (Optional, computers with macOS 11 or later only) ScreenCapture with the value Allow Standard
Users to Allow Access—This will grant the Screen Recording permission. Users without
administrator privileges must decide if TeamViewer can share the screen.

Important: Attempting to deploy the configuration profile with the ScreenCapture setting to
computers with macOS 10.15.7 or earlier will cause the profile installation to fail.

6. Click the Scope tab and configure the scope of the profile.

7. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure
Self Service settings for the profile.
8. Click Save.

The profile is distributed to the deployment targets in the scope the next time they contact Jamf Pro.
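
The following is an added example, not part of the Jamf documentation: a Python check that parses a PPPC profile of the shape shown above, lists every TCC grant it makes, and reports any allowed entry whose code requirement does not name its identifier or pin the signing team. The sample profile is constructed, and `com.example.helper`, `audit_pppc` and the other function names are hypothetical.

```python
import plistlib
import re

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"

# Code requirement for TeamViewer QuickSupport, copied from this page.
QS_REQ = (
    'anchor apple generic and identifier "com.teamviewer.TeamViewerQS" and '
    "(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or "
    "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
    "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
    "certificate leaf[subject.OU] = H7UGFBUGV6)"
)


def _entry(identifier, requirement, **decision):
    """Build one Services entry in the shape used by the page's profiles."""
    return {"Identifier": identifier, "IdentifierType": "bundleID",
            "CodeRequirement": requirement, "StaticCode": 0, **decision}


# Constructed sample input. The QuickSupport entries mirror the page; the
# com.example.helper entry is hypothetical and deliberately under-specified.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadScope": "System",
    "PayloadContent": [{
        "PayloadType": TCC_PAYLOAD_TYPE,
        "Services": {
            "ScreenCapture": [_entry(
                "com.teamviewer.TeamViewerQS", QS_REQ,
                Authorization="AllowStandardUserToSetSystemService")],
            "Accessibility": [_entry(
                "com.teamviewer.TeamViewerQS", QS_REQ, Allowed=1)],
            "SystemPolicyAllFiles": [_entry(
                "com.example.helper", 'identifier "com.example.helper"',
                Allowed=1)],
        },
    }],
})


def authorization_of(entry):
    """Normalize the two ways an entry states its decision."""
    if "Authorization" in entry:
        return entry["Authorization"]
    return "Allow" if entry.get("Allowed") else "Deny"


def _names_identifier(requirement, identifier):
    pattern = r'identifier\s+"' + re.escape(identifier) + '"'
    return re.search(pattern, requirement) is not None


def _pins_team(requirement, team_id):
    pattern = (r'certificate leaf\[subject\.OU\]\s*=\s*"?'
               + re.escape(team_id) + r'"?(?![A-Za-z0-9])')
    return re.search(pattern, requirement) is not None


def audit_pppc(profile_bytes, expected_team_id):
    """Return the grants, weak-requirement findings and OS constraint of a profile."""
    profile = plistlib.loads(profile_bytes)
    grants, findings, requires_macos_11 = [], [], False
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD_TYPE:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                ident = entry.get("Identifier", "")
                req = entry.get("CodeRequirement", "")
                auth = authorization_of(entry)
                grants.append((service, ident, auth))
                if service == "ScreenCapture":
                    # Per the page, this setting fails to install on 10.15.7 or earlier.
                    requires_macos_11 = True
                if auth == "Deny":
                    continue
                where = f"{service}/{ident}"
                if not _names_identifier(req, ident):
                    findings.append(f"{where}: code requirement does not name the identifier")
                if not _pins_team(req, expected_team_id):
                    findings.append(f"{where}: code requirement is not pinned to team {expected_team_id}")
    return {"grants": grants, "findings": findings,
            "requires_macos_11": requires_macos_11}


if __name__ == "__main__":
    report = audit_pppc(SAMPLE_PROFILE, "H7UGFBUGV6")
    for service, ident, auth in report["grants"]:
        print(f"{service:22} {ident:30} {auth}")
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("Scope to macOS 11 or later only:", report["requires_macos_11"])
```

This is a textual check of the requirement string; it does not evaluate the requirement against a signed binary.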

Deploying the TeamViewer Application Using Jamf Pro


Jamf recommends the client Mac download the TeamViewer QuickSupport application during the remote
support session. This requires no prior software installation. However, you can pre-install either the
TeamViewer or TeamViewer Host application using the following procedure.

Note: TeamViewer applications installed on end user Mac computers do not require licensing. The
TeamViewer scripts avoid using Composer to repackage.

Requirements
• "Install TeamViewer.pkg" or "Install TeamViewerHost.pkg" installer
• "Install TeamViewer with Choices" script or "Install TeamViewer Host with Choices" script

1. Download the TeamViewer or TeamViewer Host from the TeamViewer for macOS page.
2. Open the DMG file.
3. Right-click the "Install TeamViewer.app" or "Install TeamViewer Host.app" and choose Show Package
Contents.
4. Open Contents > Resources. Upload the "Install TeamViewer.pkg" or "Install TeamViewerHost.pkg"
package to Jamf Pro > Settings > Computer Management > Packages.
5. Choose a desired script below and add the script to Jamf Pro > Settings > Computer Management >
Scripts.
◦ Install TeamViewer with Choices

#!/bin/zsh

# Report on the command that ran immediately before this call:
# print $1 on success; on failure print $2, clean up and abort.
function logmessage() {
    if [ $? = 0 ] ; then
        echo "$1"
    else
        echo "$2"
        echo "Aborting script"
        cleanup
        exit 1
    fi
}

# Remove the working directory and the cached installer from the Jamf Waiting Room.
function cleanup() {
    /bin/rm -Rf "$tempDirectory"
    logmessage "Removed temporary items." "Failed removing temporary items."
    /bin/rm -f "/Library/Application Support/JAMF/Waiting Room/Install TeamViewer.pkg" && /bin/rm -Rf "/Library/Application Support/JAMF/Waiting Room/Install TeamViewer.pkg.cache.xml"
    logmessage "Removed TeamViewer package and supporting files from Jamf Waiting Room." "Failed Removing TeamViewer package and supporting files from Jamf Waiting Room."
}

# Installer choices: select the privileged helper and the silent installer components.
choicesXML='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.teamviewer.teamviewerPriviledgedHelper</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.teamviewer.teamviewerSilentInstaller</string>
    </dict>
</array>
</plist>'

# create temporary working directory
workDirectory=$( /usr/bin/basename "$0" )
tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" )
logmessage "Created working directory '$tempDirectory'." "Failed to create working directory '$tempDirectory'."

# change directory to temporary working directory
cd "$tempDirectory"
logmessage "Changed directory to working directory '$tempDirectory'." "Failed to change directory to working directory '$tempDirectory'."

# write the installer choices to a file in the working directory
echo "$choicesXML" > "$tempDirectory/choices.xml"
logmessage "Created choices.xml file in '$tempDirectory'." "Failed to create choices.xml file in '$tempDirectory'."

# install the cached package with the selected choices
/usr/sbin/installer -pkg "/Library/Application Support/JAMF/Waiting Room/Install TeamViewer.pkg" -applyChoiceChangesXML "$tempDirectory/choices.xml" -target /
logmessage "Installed TeamViewer package with choices." "Failed to install TeamViewer package with choices."

cleanup

exit 0

◦ Install TeamViewer Host with Choices

#!/bin/zsh

# Report the result of the command that ran immediately before this call.
# $1: message on success. $2: message on failure, after which the script aborts.
function logmessage() {
    if [ $? = 0 ] ; then
        echo "$1"
    else
        echo "$2"
        echo "Aborting script"
        cleanup
        exit 1
    fi
}

# Remove the temporary directory and the cached package from the Jamf Waiting Room.
function cleanup() {
    /bin/rm -Rf "$tempDirectory"
    logmessage "Removed temporary items." "Failed removing temporary items."
    /bin/rm -f "/Library/Application Support/JAMF/Waiting Room/Install TeamViewerHost.pkg" && /bin/rm -Rf "/Library/Application Support/JAMF/Waiting Room/Install TeamViewerHost.pkg.cache.xml"
    logmessage "Removed TeamViewer Host package and supporting files from Jamf Waiting Room." "Failed Removing TeamViewer Host package and supporting files from Jamf Waiting Room."
}

# Installer choices to apply: select the privileged helper and the Host silent installer.
choicesXML='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.teamviewer.teamviewerPriviledgedHelper</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.teamviewer.teamviewerhostSilentInstaller</string>
    </dict>
</array>
</plist>'

# create temporary working directory
workDirectory=$( /usr/bin/basename "$0" )
tempDirectory=$( /usr/bin/mktemp -d "/private/tmp/$workDirectory.XXXXXX" )
logmessage "Created working directory '$tempDirectory'." "Failed to create working directory '$tempDirectory'."

# change directory to temporary working directory
cd "$tempDirectory"
logmessage "Changed directory to working directory '$tempDirectory'." "Failed to change directory to working directory '$tempDirectory'."

# write the choices file that installer reads
echo "$choicesXML" > "$tempDirectory/choices.xml"
logmessage "Created choices.xml file in '$tempDirectory'." "Failed to create choices.xml file in '$tempDirectory'."

# install the cached package with the choices applied
/usr/sbin/installer -pkg "/Library/Application Support/JAMF/Waiting Room/Install TeamViewerHost.pkg" -applyChoiceChangesXML "$tempDirectory/choices.xml" -target /
logmessage "Installed TeamViewerHost package with choices." "Failed to install TeamViewerHost package with choices."

cleanup

exit 0

6. Create a policy to install TeamViewer using the DMG from step 4 and the installer script. Ensure the
following:
◦ TeamViewer package is set to Cache, not Install.
◦ TeamViewer script priority is set to After.
For instructions on creating a policy, see Policy Management.

The policy will run on computers in the scope the next time they check in with Jamf Pro and meet the criteria in
the General payload.
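
The choices XML that both scripts write is a property list: an array of dictionaries, each setting one attribute of one installer choice. The following Python check is an added example, not part of the Jamf documentation; it validates that structure and compares the selected choice identifiers with an approved list before a script is uploaded to Jamf Pro. The function name, the approved list, and the set of accepted choiceAttribute values (selected, enabled, visible) are assumptions of this example.

```python
"""Audit an installer choice-changes XML before deployment (added example)."""
import plistlib
from xml.parsers.expat import ExpatError

REQUIRED_KEYS = {"attributeSetting", "choiceAttribute", "choiceIdentifier"}
# Assumption: the attribute names accepted for a choice.
VALID_ATTRIBUTES = {"selected", "enabled", "visible"}

# Copy of the choicesXML value from the "Install TeamViewer with Choices" script.
TEAMVIEWER_CHOICES = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.teamviewer.teamviewerPriviledgedHelper</string>
    </dict>
    <dict>
        <key>attributeSetting</key>
        <integer>1</integer>
        <key>choiceAttribute</key>
        <string>selected</string>
        <key>choiceIdentifier</key>
        <string>com.teamviewer.teamviewerSilentInstaller</string>
    </dict>
</array>
</plist>"""

# Hypothetical approved list: the choices this package is allowed to install.
APPROVED_CHOICES = {
    "com.teamviewer.teamviewerPriviledgedHelper",
    "com.teamviewer.teamviewerSilentInstaller",
}


def audit_choices(xml_bytes, approved):
    """Return (selected_identifiers, problems) for a choice-changes plist."""
    try:
        root = plistlib.loads(xml_bytes, fmt=plistlib.FMT_XML)
    except (ExpatError, ValueError) as exc:
        return set(), [f"not a valid XML plist: {exc}"]
    if not isinstance(root, list):
        return set(), ["top-level element must be an <array> of <dict> entries"]

    selected, problems, seen = set(), [], set()
    for index, entry in enumerate(root):
        if not isinstance(entry, dict):
            problems.append(f"entry {index}: expected <dict>")
            continue
        if set(entry) != REQUIRED_KEYS:
            problems.append(f"entry {index}: keys must be exactly {sorted(REQUIRED_KEYS)}")
            continue
        setting = entry["attributeSetting"]
        attribute = entry["choiceAttribute"]
        identifier = entry["choiceIdentifier"]
        # <true/> parses to bool, which is not the <integer> form the scripts use.
        if type(setting) is not int or setting not in (0, 1):
            problems.append(f"entry {index}: attributeSetting must be <integer> 0 or 1")
            continue
        if not isinstance(attribute, str) or attribute not in VALID_ATTRIBUTES:
            problems.append(f"entry {index}: unknown choiceAttribute {attribute!r}")
            continue
        if not isinstance(identifier, str) or not identifier:
            problems.append(f"entry {index}: choiceIdentifier must be a non-empty string")
            continue
        if (identifier, attribute) in seen:
            # Two entries for the same choice and attribute make the intent ambiguous.
            problems.append(f"entry {index}: duplicate {attribute} entry for {identifier}")
            continue
        seen.add((identifier, attribute))
        if attribute == "selected" and setting == 1:
            selected.add(identifier)

    for identifier in sorted(selected - approved):
        problems.append(f"unexpected choice selected: {identifier}")
    for identifier in sorted(approved - selected):
        problems.append(f"approved choice not selected: {identifier}")
    return selected, problems


if __name__ == "__main__":
    _, found = audit_choices(TEAMVIEWER_CHOICES, APPROVED_CHOICES)
    print("\n".join(found) or "choices XML matches the approved list")
```

For the TeamViewer Host script, pass its choices XML and an approved list containing com.teamviewer.teamviewerhostSilentInstaller instead.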

Screen Sharing Using TeamViewer


The TeamViewer screen sharing session is initialized from the computer inventory in Jamf Pro and an optional
Self Service invitation to join the session displays on the remote computer. After the session is started, you can
re-send the Self Service invitation. Alternatively, copy the session URL and send it to the end user via your
preferred communication method.

Note: For Self Service notifications to work, you must configure them in the Interaction section of the
Self Service settings in Jamf Pro. In addition, before the remote session is initialized, Self Service must
run on the remote computer at least once.

Joining a session from the remote computer is an end user workflow that uses TeamViewer QuickSupport as the
remote management tool, with the necessary Privacy permissions granted. To establish a connection using other
TeamViewer applications (e.g., TeamViewer Host), they must be installed on the end user computers. For
related information, see the macOS mass deployment documentation resources from TeamViewer.

Consider your TeamViewer subscription limitations when initializing a session.

Initiating and Closing a Remote Session

Requirements
A TeamViewer configuration must be added to Jamf Pro. For information, see TeamViewer Integration.

1. In Jamf Pro, click Computers in the sidebar.
2. Perform a simple or advanced computer search.
3. Click the computer you want to connect with for remote management.
4. Click the Management tab, and then click Remote Administration.
5. (Optional) Enter the reason for the session. It will be listed in the TeamViewer management console. If you
do not add the reason, it defaults to "Jamf Remote Administration".
6. Click Start Session. After the session is initialized, you can re-send a Self Service notification to join the
session. Alternatively, you can copy the session URL and send it to the end user via your preferred
communication method.
7. Click the administrator's remote session URL. This opens in a separate browser window. Follow the
onscreen instructions to join the session.
8. To manually close a session, click Close Session. It is recommended to close sessions to avoid issues
with your TeamViewer subscription quota.

Note: Sessions are automatically closed after the maximum session time set in the Remote
Administration configuration in Global Management. This does not influence ongoing meetings and they
remain open.

Note: Once the TeamViewer session starts, Jamf Pro will send a notification to the end user to connect
to the administrator's session. If the user does not receive the notification, click the Administrator URL at
the bottom of the Remote Administration page and click the browser button to launch the installed
TeamViewer Application.

Connecting to the Administrator's TeamViewer Session


The end user will receive a notification from Jamf Pro to connect to the administrator's session.

1. The user must click the notification received from Jamf Pro to open Self Service.
2. The user navigates to the Bookmarks list under the Home tab. The user locates the Remote Session
button and clicks Open.
3. The user downloads the Single-Use TeamViewer (QuickSupport) application.

4. The user double-clicks the TeamViewer QuickSupport application. (If the administrator has already
installed TeamViewer or TeamViewer Host, the user must click the browser button to launch the installed
TeamViewer application).
5. If necessary, the user must grant TeamViewer Screen Recording privileges and restart the application
when prompted.
6. The user must click Allow when prompted to join the remote access session.

License Management
Licensed software allows you to store and track licenses for the software in your environment so you can easily
access license and purchasing information and monitor license compliance.

For each software product that you want to track licenses for, you must create a licensed software record in
Jamf Pro. These records allow you to store information about the licenses owned and the software titles that
count toward each license (called “software definitions”).

Each time a computer submits inventory to Jamf Pro, the software on the computer is compared to the
software definitions in the licensed software records. If they match, the computer counts toward the number of
licenses in use.

After creating licensed software records, you can use Jamf Pro to evaluate and monitor license compliance,
view and report on the licenses in use, and view Application Usage information for the software you’re tracking
licenses for.

Licensed Software Records


For each software application you want to track licenses for, you must create a licensed software record in
Jamf Pro. These records allow you to store the number of licenses owned and the software titles that count
toward each license (called “software definitions”). They also allow you to store detailed license and
purchasing information in Jamf Pro and determine whether a license supersedes or is superseded by another
license in Jamf Pro.

Each time a computer submits inventory to Jamf Pro, the software titles on the computer are compared to the
software definitions in each record. If they match, the computer counts toward the number of licenses in use.

There are several ways to create a licensed software record in Jamf Pro. You can manually create the record,
use a licensed software template available in Jamf Pro, or upload a licensed software template. All licensed
software templates have predefined software definitions.

Software definitions can be based on one of two items: the name and version number of each application, font,
and plug-in, or the software identification (SWID) tags associated with each software title. For more information
on SWID tags and how they are useful for tracking licensed software with Jamf Pro, see the Software
Identification Tags and Tracking Licensed Software article.

General Requirements
To create a licensed software record based on SWID tags, the software you want to track must have a SWID
tag associated with it and the SWID tag must be in the Jamf Pro database.

Note: Jamf Pro collects SWID tags from a computer each time the computer submits inventory. SWID
tags are not listed in a computer’s inventory information in Jamf Pro, but they are stored in the Jamf Pro
database for use with licensed software.

To monitor license compliance on an ongoing basis, you can enable email notifications for a licensed software
record. This allows email notifications to be sent to Jamf Pro users when the number of licenses in use
exceeds the number of licenses owned. To enable email notifications, you need:

• An SMTP server set up in Jamf Pro (For more information, see SMTP Server Integration.)
• Email notifications enabled in Jamf Pro (For more information, see Email Notifications.)

Manually Creating a Licensed Software Record


1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click New.
4. Use the General pane to configure basic settings for the licensed software record.
To enable email notifications, select the Send email notification on violation checkbox.
5. Click the Licenses tab and add license and purchasing information:
a. Click Add.
b. Specify information about the license, including the license type and license count.
c. (Optional) Click the Purchasing Information tab and enter purchasing information.
d. (Optional) Click the Attachments tab and click Upload Attachment to upload an attachment.
e. Click Save.
f. Repeat steps a through e to add more license and purchasing information as needed.
6. Click the Software Definitions tab.
7. To specify software definitions based on applications, fonts, and plug-ins, do the following:
a. Choose “Applications, Fonts, and Plug-ins” from the Software Definitions pop-up menu.
b. Click Add for the item you want to add.
c. Specify a name, connector (“is” or “like”), and version number using the fields and pop-up menu
provided.

d. Click Save.
e. Repeat steps a through d to specify additional software definitions as needed.
The items you added are displayed in a list.
8. To specify software definitions based on SWID tags, do the following:
a. Choose "Software ID Tags" from the Software Definitions pop-up menu.
b. Browse for and choose a reg ID.
c. Add a SWID tag by clicking Add. Then browse for and choose the SWID tag you want to add.
d. Select the activation statuses you want to include in the software definitions.
9. Click Save.

Creating a Licensed Software Record From a Template


1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click New From Template.
4. Click the licensed software template you want to use.
5. Use the General pane to change or configure basic settings for the licensed software record.
To enable email notifications, select the Send email notification on violation checkbox.
6. Click the Licenses tab and add license and purchasing information:
a. Click Add.
b. Enter information about the license, including the license type and license count.
c. (Optional) Click the Purchasing Information tab and enter purchasing information.
d. (Optional) Click the Attachments tab and click Upload Attachment to upload an attachment.
e. Click Save.
f. Repeat steps a through e to add more license and purchasing information as needed.
7. To view or edit software definitions, click the Software Definitions tab and make changes as needed.
8. Click Save.

Uploading a Licensed Software Template


You can create a licensed software record by uploading a licensed software template.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click Upload and upload the licensed software template.
4. Use the General pane to change or configure basic settings for the licensed software record.
To enable email notifications, select the Send email notification on violation checkbox.
5. Click the Licenses tab and add license and purchasing information:
a. Click Add.

b. Enter information about the license, including the license type and license count.
c. (Optional) Click the Purchasing Information tab and enter purchasing information.
d. (Optional) Click the Attachments tab and click Upload Attachment to upload an attachment.
e. Click Save.
f. Repeat steps a through e to add more license and purchasing information as needed.
6. To view or edit software definitions, click the Software Definitions tab and make changes as needed.
7. Click Save.

Adding Licensed Software to the Jamf Pro Dashboard


Adding licensed software to the Jamf Pro Dashboard helps you monitor actively used and pending licenses.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click the licensed software title you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.
5. Click Dashboard in the sidebar.
6. Navigate to the Licenses area of the Jamf Pro Dashboard and find the widget for the licensed software
you added.
7. Click any item in the widget to view the details.

License Compliance
You can evaluate license compliance by viewing the licensed software records in Jamf Pro and comparing the
number of licenses in use to the number of licenses owned.

You can also monitor software compliance by allowing email notifications to be sent to Jamf Pro users each
time a license limit is exceeded. For more information, see Licensed Software Records.

Evaluating License Compliance


1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.

A list of licensed software records is displayed along with the number of licenses in use and the number of
licenses owned for each record.

Viewing License Usage Matches


If you are using licensed software records to track software licenses, you can view a list of computers with the
licenses in use (called "license usage matches").

1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click the licensed software record you want to view license usage matches for.
4. Click View Matches.

Note: This button is only displayed if the licenses associated with the record are in use on managed
computers.

A list of license usage matches is displayed.

You can export the data in the list of license usage matches to different file formats or perform actions on the
list of matches. For more information, see Computer Reports or Mass Actions for Computers.

Application Usage for Licensed Software


You can find out how frequently licensed software is being used by viewing the Application Usage logs for a
licensed software record. This allows you to view the amount of time that the software was open in the
foreground on computers.

Viewing Application Usage Logs for a Licensed Software Record


The Application Usage logs for a licensed software record allow you to view the amount of time that the
software was open in the foreground on computers.

Requirements
Computer Inventory Collection settings must be configured to collect Application Usage information. For
more information, see Computer Inventory Collection Settings.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click the licensed software record you want to view Application Usage logs for.
4. Click View Logs.

Note: This button is only displayed if the licenses associated with the record are in use on managed
computers.

Application Usage logs for the record are displayed.

Usage Management
Application Usage
Application Usage logs allow you to monitor how frequently applications are used on computers and track
usage behaviors. You can view the Application Usage logs for a computer or licensed software record.

Computers submit Application Usage information to Jamf Pro each time they submit inventory.

Related Content

• Log Flushing

General Requirements
To view Application Usage logs, the Computer Inventory Collection settings must be configured to collect
Application Usage information. For more information, see Computer Inventory Collection Settings.

Viewing Application Usage Logs for a Computer


The Application Usage logs for a computer consist of a pie chart that shows the amount of time each
application was in the foreground on the computer during a specified date range.

1. In Jamf Pro, click Computers in the sidebar.
2. Perform a simple or advanced computer search.
For more information, see Simple Computer Searches or Advanced Computer Searches.
3. Click the computer you want to view Application Usage logs for.
If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
4. Click the History tab.
Application Usage logs for the computer are displayed.
5. To view Application Usage logs for a different date range, specify the starting and ending dates using the
Date Range pop-up menus. Then click Update.

Viewing Application Usage Logs for a Licensed Software Record


The Application Usage logs for a licensed software record allow you to view the amount of time that the
software was open in the foreground on computers.

Requirements
Computer Inventory Collection settings must be configured to collect Application Usage information. For
more information, see Computer Inventory Collection Settings.

1. In Jamf Pro, click Computers in the sidebar.
2. Click Licensed Software in the sidebar.
3. Click the licensed software record you want to view Application Usage logs for.
4. Click View Logs.

Note: This button is only displayed if the licenses associated with the record are in use on managed
computers.

Application Usage logs for the record are displayed.

Computer Usage
Computer Usage logs allow you to monitor how frequently each computer is used and track usage behaviors.
The following information is included in Computer Usage logs:

• Startup dates/times
• Login dates/times
• Usernames used to log in and out of the computer

Related Content

• Log Flushing

Viewing Computer Usage Logs for a Computer

Requirements
To view Computer Usage logs, a startup script or login events must be configured to log Computer Usage
information. For more information, see Startup Script and Login Events.

1. In Jamf Pro, click Computers in the sidebar.
2. Perform a simple or advanced computer search.
For more information, see Simple Computer Searches or Advanced Computer Searches.
3. Click the computer you want to view Computer Usage logs for.
If you performed a simple search for an item other than computers, you must click Expand next to an
item to view the computers related to that item.
4. Click the History tab, and then click the Computer Usage Logs category.
Computer Usage logs for the computer are displayed.

Restricted Software
Restricted software allows you to prevent users or groups of users from accessing certain applications. For
instance, you might want to prevent all users from accessing a peer-to-peer file sharing application, restrict
everyone except the IT staff from accessing common administrative utilities, or restrict users from installing a
software beta version.

For each application that you want to restrict, you must create a restricted software record. This allows you to
specify the users to which the restriction applies and control what happens when the application is opened by
those users. For instance, you can kill the restricted process, delete the application, and even display a
message to the user.

If there is an SMTP server set up in Jamf Pro, you can enable email notifications for the restricted software
record. This allows email notifications to be sent to Jamf Pro users each time a violation occurs. For
information on setting up an SMTP server and enabling email notifications for Jamf Pro user accounts, see
SMTP Server Integration and Email Notifications.

Related Content

• Finding the Name of Processes When Configuring Restricted Software

Creating a Restricted Software Record


1. In Jamf Pro, click Computers in the sidebar.
2. Click Restricted Software in the sidebar.
3. Click New.
4. Enter a display name in the Display Name field.
5. In the Process Name field, enter the exact name of the file you want to restrict.

Note: It is recommended that you restrict the name of the application bundle when restricting a
process in an application bundle. For example: "Chess.app".

6. Configure the restricted software record using the fields and options on the pane. To enable email
notifications, select the Send email notification on violation checkbox.

Note: For most environments, Jamf recommends selecting the Kill Process checkbox to ensure the
process is terminated when it is found.

7. Click the Scope tab and configure the scope of the restricted software record.
8. Click Save.

The restriction is applied to computers in the scope the next time they check in with Jamf Pro. To remove a
restriction from computers, either remove the computers from the scope of the restricted software application
or delete it. For more information, see Jamf Pro Objects.

Unmanaging Computers
You can unmanage a computer to remove all components installed by Jamf Pro, stopping Jamf Pro's
communication and management capabilities for that computer. Unmanaging a computer does not remove the
inventory record from Jamf Pro.

Note: Jamf recommends fully unenrolling the computer that you want to unmanage. Unenrolling
removes the MDM profile and jamf binary from the computer, completely removing all traces of Jamf
Pro.

Requirements
Physical or remote access to the target computer

1. Access Terminal on the target computer, either locally or via SSH.
2. Remove all components installed by Jamf by executing the following command:
sudo jamf removeFramework

3. If you enrolled the computer with a non-removable MDM profile, then you must remove the MDM profile via
Jamf Pro by doing the following:
a. In Jamf Pro, click Computers.
b. Search for the target computer.
c. Click the Management tab.
d. Click Remove MDM Profile.
The MDM Profile is removed from the computer.

All components installed by Jamf are removed. Jamf Pro will no longer communicate with or perform
management tasks on the computer.

After unmanaging a computer, you can delete its inventory record from Jamf Pro. For more information, see
Deleting a Computer from Jamf Pro.

Wiping and Unmanaging Computers


The following workflow can be used to both wipe and unmanage a computer from Jamf Pro. The scope can be
set to target individual computers or a group of computers.

Wiping a computer removes the MDM profile, the jamf binary, and all other components installed by Jamf. This
also erases all other data from the computer and reinstalls macOS. This does not automatically delete
computer inventory records from Jamf Pro.

Requirements
A computer with Composer, running the same version of macOS as the target computers.

Note: Target computers must be running macOS 10.13 or later to use this workflow.

1. On a computer with Composer, download the latest macOS Installer compatible with the target computers.

Note: For more information on downloading a macOS installer, see: How to download macOS from
the Apple Support website.

2. To package the macOS Installer, do the following:
a. Open Composer and authenticate locally.
b. Drag the macOS Installer from the Applications folder to the sidebar in Composer. The installer
appears under the Packages heading.
c. In the toolbar, click Build as PKG.
d. Select a location to save the package, and then click Save.
3. Upload the package to your distribution point.
For more information on uploading packages, see Package Management.
4. In Jamf Pro, click Computers in the sidebar.
5. Click Policies in the sidebar.
6. Click New.
7. To configure the General payload, do the following:
a. Enter a name for the policy in the Display Name field.
b. Under Trigger, select a policy trigger (e.g., Recurring Check-in).
c. In the Execution Frequency pop-up menu, select an execution frequency (e.g., Once per computer).
8. To configure the Packages payload, do the following:
a. Click Packages in the sidebar.
b. Click Configure.
c. Locate the macOS Installer package created in step 2 and click Add.
9. To configure the Files and Processes payload, do the following:
a. Click Files and Processes in the sidebar.
b. Enter a command in the Execute Command field similar to the following:
"/Applications/Install macOS Ventura.app/Contents/Resources/startosinstall" --eraseinstall --newvolumename "Macintosh HD" --agreetolicense &

Note: You must replace the path to the startosinstall binary in the above command with the path
of the package source created in step 2.

10. Click the Scope tab, and then configure the target computers or computer groups.
11. Click Save.

The target computers are wiped and macOS is reinstalled when they meet the conditions specified by the
policy trigger.

Managing Mobile Devices


Inventory for Mobile Devices
Mobile Device Inventory Information
Jamf Pro stores detailed inventory information for each managed device. You can view and edit this
information in Jamf Pro. Basic inventory information—such as hardware, OS version, storage, and apps—is
generally available for all devices while the availability of other information depends on the device ownership
type, device type, and OS version.

Note: Extension attributes are displayed in mobile device inventory information in the category in which
they are configured to display.

Related Content

• Mobile Device Inventory Collection Settings


• Deleting a Mobile Device from Jamf Pro

Viewing and Editing Inventory Information


1. In Jamf Pro, click Devices in the sidebar.
2. Perform a simple or advanced mobile device search.
For more information, see Simple Mobile Device Searches or Advanced Mobile Device Searches.

Note: You can quickly search for all device records in Jamf Pro without entering a query by clicking
Search.

3. Click the device you want to view information for.
If you performed a simple search for an item other than mobile devices, you must click Expand next to
an item to view the mobile devices related to that item.
The device's inventory information is displayed.
4. To make changes to an editable inventory field, select the category that contains the information you want
to edit, click Edit, and make changes as needed.

If you are editing user and location information, the changes are applied in the Users tab. This specified
information is also applied in the inventory information for mobile devices and other computers that the
user is assigned to. For information on assigning a user to a computer or removing a user assignment, see
User Assignments.
5. (Optional) To populate computer purchasing information from Apple’s Global Service Exchange (GSX),
click Search to look up and populate information from GSX.

Note: The Search button is only displayed if you have a GSX connection set up in Jamf Pro.

6. Click Save.

Mobile Device Inventory and Criteria Reference


This section lists the inventory information you can view for a mobile device. These attributes can be used as
criteria for your smart mobile device groups and advanced mobile device searches. Attribute labels are the
same in inventory information and in criteria lists unless otherwise noted.

When viewing attributes listed in this section, consider the following:

• Attributes that are also reported via the declarative status channel are identified in this section. For more
information, see Declarative Device Management.
• Some attributes are editable.

The following categories of inventory information are only displayed if the Mobile Device Inventory Collection
settings are configured to collect them:

• Unmanaged apps
• User and location information from an external directory service, such as an LDAP server or Cloud Identity
Provider.

Note: This is only available if an external directory service is configured in Jamf Pro. User and
location data from Inventory Preload may also populate this category.

• iBeacon regions

General Category
The following table lists the General category inventory attributes that you can view for each device.

435
PDF Generated: 01/02/24
This PDF is current as of the date it was generated. For current information, visit learn.jamf.com
© Copyright 2002 - 2024 Jamf. All rights reserved.
Managing Mobile Devices

| Inventory Attribute/Criteria | Notes | Declarative Status Supported / Collected for BYOD User Enrollment |
| --- | --- | --- |
| Mobile Device Name | Editable for supervised devices only when Enforce Mobile Device Name is configured. When Enforce Mobile Device Name is configured, Jamf Pro enforces the name in one of two ways: • If the enforced device name differs from the device name in the most recent inventory record for the device, Jamf Pro sends an MDM command that renames the device. • If the end user changes the device name to something different than what Jamf Pro is set to enforce, the next time the device submits its inventory, Jamf Pro sends an MDM command to rename the device. | ✔ |
| Jamf Pro Mobile Device ID (Device ID criteria) | | ✔ |
| Jamf Pro Management ID | | ✔ |
| Asset Tag | | |
| Site | | ✔ |
| Last Inventory Update | | ✔ |
| iOS Version | For Apple TV devices with tvOS 10.2 or later, the tvOS version is displayed. | ✔ ✔ |
| iOS Rapid Security Response | Indicates whether Rapid Security Response updates are installed on devices with iOS 16.2 or iPadOS 16.2 or later. | ✔ |
| iOS Build | | ✔ ✔ |
| iOS Supplemental Build Version | Indicates build version of a Rapid Security Response update installed on devices with iOS 16.2 or iPadOS 16.2 or later. | ✔ |
| Software Update Device ID | | |
| IP Address | | ✔ |
| Managed | | ✔ |
| Supervised | | |
| Shared iPad | Displays whether Shared iPad has been enabled on supervised iPads. | |
| Diagnostics and Usage Reporting | Shared iPad only | |
| App Analytics | Shared iPad only | |
| Number of Users | Displays the number of user accounts cached on the device. Shared iPad only | |
| Storage Quota Size (Quota Size criteria) | Shared iPad only | |
| Temporary Session Only | Shared iPad only | |
| Temporary Session Timeout | | |
| User Session Timeout | | |
| Maximum Shared iPad Users Stored | Displays the maximum number of user accounts that can be stored with Shared iPad | |
| Device Ownership Type | | ✔ |
| Enrollment Method | | ✔ |
| Enrollment Session Token | Displays whether the Account-Driven User Enrollment authentication session has expired | ✔ |
| Last Enrollment | | ✔ |
| MDM Profile Expiration Date | | ✔ |
| Device Locator Service | Displays whether Find my iPhone/iPad has been enabled on the mobile device | |
| Do Not Disturb | | |
| iCloud Backup (Last Backup criteria) | | |
| Last iCloud Backup | | |
| Bluetooth Low Energy Capability | To detect Bluetooth Low Energy capability, the mobile device must have Jamf Self Service for iOS installed. If Self Service has never been launched on the device, this value will be reported as “Not Capable/Unknown”. | ✔ |
| Location Services For Self Service | Displays whether Location Services has been enabled on the mobile device for the Jamf Self Service app. To detect if Location Services has been enabled for Self Service, the device must have Jamf Self Service for iOS installed. If Self Service has never been launched on the device, or if Self Service has not been launched since the initial iBeacon region was added to Jamf Pro, this value will be reported as “Not Enabled/Unknown”. | ✔ |
| Logged in to the App Store | | |
| Exchange Device ID | | ✔ |
| Tethered Status | | ✔ |
| Time Zone | | |
| Declarative Device Management | | ✔ ✔ |
| AirPlay Password | Apple TV only | |
| Locales | Apple TV only | |
| Languages | Apple TV only | |

You can use the following general criteria in your smart groups and advanced searches:

• App Analytics Enabled
• Enrollment Method: Enrollment profile
• Enrollment Method: PreStage enrollment
• Enrollment Method: User-initiated - invitation
• Enrollment Method: User-initiated - no invitation
• MDM Profile Removal Allowed
• MDM Profile Renewal Needed - CA Renewed

Hardware Category
The Hardware category allows you to view the following information for a mobile device.

Note: Personally owned mobile devices enrolled using User Enrollment do not report any persistent
device identifiers, such as Serial Number, UDID, Wi-Fi MAC Address, or Bluetooth MAC Address.

| Inventory Attribute/Criteria | Collected for BYOD User Enrollment |
| --- | --- |
| Capacity | ✔ |
| Available Space | ✔ |
| Used Space | ✔ |
| Internal Capacity | |
| Internal Available Space | |
| Internal Used Space | |
| External Capacity | |
| External Available Space | |
| External Used Space | |
| Battery Level | ✔ |
| Serial Number | |
| UDID | |
| Wi-Fi MAC Address | |
| Bluetooth MAC Address | |
| Modem Firmware Version | |
| Model | ✔ |
| Model Identifier | ✔ |
| Model Number | ✔ |
| Manufacturer | |

User and Location Category


You can assign a user to a mobile device and populate user information from the Users tab. For more
information, see User Assignments.

Note: To assign a user to a device, the Jamf Pro user account must have the "Assign Users to Mobile
Devices" privilege.

The User and Location category allows you to view the following information for a mobile device.

| Inventory Attribute/Criteria | Notes | Collected for BYOD User Enrollment |
| --- | --- | --- |
| Username | | ✔ |
| Managed Apple ID | The Managed Apple ID only displays for devices enrolled using User Enrollment. | ✔ |
| Full Name | | |
| Email Address | | |
| Phone Number (User Phone Number criteria) | | |
| Position | | |
| Department | | |
| Building | | |
| Room | | |

Note: If the device is re-enrolled via a PreStage enrollment, there are settings that can affect the user
and location information for that computer. For more information, see Automated Device Enrollment.

Shared iPad Users Category


The Shared iPad Users category displays a list of the Managed Apple IDs of the users that logged in to the
iPad, along with each user's logged in status. This category is only displayed for institutionally owned iPads
that have Shared iPad enabled. For more information, see Automated Device Enrollment.

You can remove individual users or all users from the iPad. The status of user removal is displayed in the list of
pending management commands. For more information, see Viewing the Pending Management Commands
for a Mobile Device. Users must be logged out of the device to remove them. You can use the "Log Out User"
remote command to log out a currently logged in user. For more information about the Log Out User remote
command, see Remote Commands for Mobile Devices.

If a user is logged out of the device but has a pending sync, you can use a force remove option. This action
immediately removes the user from the device.

A timestamp of when the information was last refreshed is displayed above the list of users. You can refresh
this information by clicking the Refresh button next to the Last Status Check timestamp.

Purchasing Category
You can look up and populate purchasing information from Apple’s Global Service Exchange (GSX) if you
have a GSX connection set up in Jamf Pro. For more information, see GSX Connection. The Purchasing
category allows you to view the following information for a device:

• Purchased or Leased
• PO Number (PO criteria)
• PO Date
• Vendor
• Warranty Expiration
• AppleCare ID
• Lease Expiration
• Purchase Price
• Life Expectancy
• Purchasing Account
• Purchasing Contact

You can choose "Purchased or Leased" as criteria in your smart groups and advanced searches.

Extension Attributes Category


This category displays a list of custom data fields collected using extension attributes.

Note: Extension attributes are displayed in device inventory information in the category in which they
are configured to display.

Security Category
The following table lists the Security category inventory attributes you can view for a mobile device.

| Inventory Attribute/Criteria | Notes | Declarative Status Supported / Collected for BYOD User Enrollment |
| --- | --- | --- |
| Data Protection | | |
| Hardware Encryption | | ✔ |
| Passcode Status | | |
| Block Encryption Capability | | ✔ |
| File Encryption Capability | | ✔ |
| Passcode Compliance | | ✔ ✔ |
| Passcode Compliance with Config Profile | | |
| Activation Lock | | ✔ |
| Jailbreak Detected | To detect jailbreak status, the mobile device must have Jamf Self Service for iOS installed. Jamf Pro will receive an updated Jailbreak Detected value each time Self Service is launched. If Self Service has never been launched on the device, this value will be reported as “Not Reported”. | ✔ |
| Lost Mode (supervised only) (Lost Mode Enabled criteria) | You can play a sound on the device when Lost Mode is enabled by clicking the Play Sound button. | |
| Always enforce Lost Mode | | |
| Lost Mode Message | | |
| Lost Mode Phone Number | | |
| Lost Mode Footnote | | |
| Last Location Update | Displays the last time Global Positioning System (GPS) data was collected for the device when Lost Mode is enabled | |
| Approximate Location | Displays coordinates for the approximate location of the device when Lost Mode is enabled. To collect GPS data for a device, the device must have a network connection. | |
| Horizontal Accuracy | | |
| Vertical Accuracy | | |
| Altitude | | |
| Speed | | |
| Course | | |
| Timestamp | | |
| Personal Device Profile Status | Displays whether the most up-to-date profile has been installed on the mobile device. | ✔ |

You can use the following security criteria in your smart groups and advanced searches:

• Activation Lock Enabled
• Date Lost Mode Enabled
• Passcode Lock Grace Period Enforced (seconds)
• Compliance Status

Apps Category
The Apps category displays a list of apps installed on a device. This information is collected for personally
owned mobile devices (BYOD User Enrollment) as well as institutionally owned mobile devices.

Note: Jamf Pro only collects information on managed apps unless configured to collect information on
unmanaged apps as well. For more information, see Mobile Device Inventory Collection Settings.

You can use the following Apps criteria in your smart groups and advanced searches:

• App Identifier
• App Name
• App Short Version
• App Validation Status
• App Version
• Apps Installed Match the App Catalog Exactly
• Apps Not In the App Catalog Are Installed
• iTunes Store Account
• Jamf Parent Pairings

Note: You can use the App Short Version, App Validation Status, and App Version criteria in tandem
with the App Identifier and App Name criteria to include mobile devices based on more specific
information for an installed app.

Managed eBooks Category


The Managed eBooks category displays a list of managed books installed on a device. This information is not
collected for personally owned mobile devices (BYOD User Enrollment).

You can use the following Managed eBooks criteria in your smart groups and advanced searches:

• eBook Title
• eBook Version—You can use this in tandem with the eBook Title criteria to include mobile devices based on
a specific version of a book.

Network Category
The Network category allows you to view the following information for a mobile device:

• Home Carrier Network
• Current Carrier Network
• Carrier Settings Version
• Cellular Technology
• Phone Number (Device Phone Number criteria)
• IMEI
• MEID
• ICCID
• Current Mobile Country Code
• Current Mobile Network Code
• Home Mobile Country Code
• Home Mobile Network Code
• Voice Roaming
• Data Roaming Status
• Roaming Status
• Personal Hotspot Status

You can use the following Network criteria in your smart groups and advanced searches:

• Data Roaming Enabled
• Roaming

iBeacon Regions Category


The iBeacon Regions category displays a list of iBeacon regions that the mobile device is currently in.

Note: This category is only displayed if the Mobile Device Inventory Collection settings are configured
to monitor iBeacon regions. For more information, see Mobile Device Inventory Collection Settings.

Certificates Category
The Certificates category displays a list of certificates installed on a mobile device. This information is collected
for personally owned mobile devices (BYOD User Enrollment) as well as institutionally owned mobile devices.

You can use the following Apps criteria in your smart groups and advanced searches:

• Certificate Issuer
• Certificate Name
• Certificates Expiring

Profiles Category
This category includes information about the configuration profiles installed on a mobile device. Inventory
information for the Profiles category is collected by the ProfileList MDM command.

You can use the following profiles criteria in your smart groups and advanced searches:

• Profile Name
• Profile Identifier

Provisioning Profiles Category


The Provisioning Profiles category displays a list of provisioning profiles installed on the mobile device. This
information is collected for personally owned mobile devices (BYOD User Enrollment) as well as institutionally
owned mobile devices.

Attachments Category
You can upload and delete attachments to the inventory record using this category. To upload an attachment,
click Upload. To delete an attachment, click Delete.

Mobile Device Inventory Collection Settings


The Mobile Device Inventory Collection settings allow you to do the following:

• Configure the frequency at which inventory is collected from mobile devices.
• Collect unmanaged apps (does not apply to personally owned devices).
• Prevent Jamf Pro from collecting unmanaged certificates.
• Collect user and location from an LDAP directory service (only available if an LDAP server is set up in Jamf
Pro).
• Monitor iBeacon regions so that mobile devices with Jamf Self Service for iOS installed submit information
to Jamf Pro when they enter or exit a region.

By default, mobile devices submit inventory to Jamf Pro once every day.

Configuring the Mobile Device Inventory Collection Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click Inventory collection.
3. Click Edit.
4. Configure the settings on the pane.
5. Click Save.

Mobile Device Extension Attributes


Extension attributes allow you to collect extra inventory information. Extension attribute values are populated
by using an input type, which can be any of the following:

• Text field
• Pop-up menu
• LDAP attribute mapping

In Jamf Pro, you can create extension attributes manually. You can also create extension attributes
programmatically via the Jamf Pro API. For more information, see Extension Attributes in the Jamf Pro
Developer Portal.

Example:

• A pop-up menu can collect the role selected by a user in the Jamf Setup app.
• A text field input can collect the retire date of a mobile device.

Extension attributes can also be used as criteria in a smart group or as a variable in a configuration profile,
which allows you to administer dynamic management workflows and tasks based on the data collected with
extension attributes.

Note:

• Mobile device extension attributes do not apply to personally owned mobile devices.
• Depending on the input type and data type (string, integer, date (YYYY-MM-DD hh:mm:ss)),
extension attributes may add time and network traffic to the inventory collection process.

Extension Attribute Input Types


Extension attributes collect inventory data by using an input type. You can configure the following input types:

Text Fields

You can display a text field in inventory information. You can enter a value in the field anytime using Jamf
Pro.

Pop-up Menus

You can display a pop-up menu in inventory information. You can choose a value from the pop-up menu
anytime using Jamf Pro.

Directory Service Attribute Mapping

You can use a Directory Service attribute mapping to populate an extension attribute. Extension
attributes can be populated by multiple-value attributes from an LDAP server, such as "memberOf". The
multiple values can later be used when creating smart groups and advanced searches with the extension
attribute criteria and the "has" or "does not have" operators.

Keep the following limitations in mind when using Directory Service multiple-value extension attributes:

• When creating smart groups and advanced searches, the criteria value must accurately reflect the
value returned in inventory. To ensure you use the correct value, copy the extension attribute
inventory value, and paste it in the criteria value field.
• Multiple-value attribute mapping will not work with nested groups. Only the groups directly listed on
the User record will be displayed in the mapped LDAP extension attribute.
• For the extension attributes to work correctly, values returned from the LDAP server cannot contain
the sequence of repeating vertical-bar characters (ASCII code 124, HTML entity = &vert;).

Extension Attribute IDs and Variables


Creating a computer extension attribute generates a variable that can be used to populate configuration profile
settings. The variable is $EXTENSIONATTRIBUTE_#, where # is the extension attribute ID.

For information about using payload variables for configuration profiles, see Computer Configuration Profiles.

For extension attributes that use a text field, pop-up menu, or script input type, the ID number is found in the
extension attribute URL. In the example URL below, "id=2" indicates the extension attribute ID number:

Example: https://JAMF_PRO_URL.jamfcloud.com/computerExtensionAttributes.html?id=2&o=r

For extension attributes with the Directory Service attribute mapping input type, the ID number is displayed in
the Directory Service Attribute Variable field after you save the extension attribute.

Creating a Mobile Device Extension Attribute

Requirements
If you are creating an extension attribute with the “Directory Service Attribute Mapping” input type, you need
the following:

• An LDAP server set up in Jamf Pro (For more information, see LDAP Directory Service Integration.)
• The Mobile Device Inventory Collection settings configured to collect user and location information from
LDAP (For more information, see Mobile Device Inventory Collection Settings.)

1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click Extension attributes.
3. Click New.
4. Configure the following settings:
a. Name your extension attribute.
b. (Optional) Enter a description.
c. Choose the type of data being collected from the Data Type pop-up menu.
d. Choose a category in which to display the extension attribute in Jamf Pro from the Inventory Display
pop-up menu.
e. Choose an input type to populate your extension attribute from the Input Type pop-up menu.
5. Click Save.

Mobile Device Inventory Display Settings


The Mobile Device Inventory Display settings allow each Jamf Pro user to choose which attribute fields to
display in the results of a simple mobile device search.

Configuring the Mobile Device Inventory Display Settings


1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click Inventory display.
3. On each pane, select the checkbox for each attribute field you want to display.
4. Click Save.

Simple Mobile Device Searches


A simple mobile device search functions like a search engine, allowing you to quickly search the items in your
inventory for a general range of results.

The following table shows the items that you can search by and the attributes on which you can base each
search:

| Inventory Item | Searchable Attributes |
| --- | --- |
| Mobile devices | Mobile device name, Wi-Fi MAC address, Bluetooth MAC address, UDID, Serial number, Username, Full name, Email address, Phone number, Position, Department, Building, Room |
| Mobile device apps | Application name |

You can also create an advanced search using detailed search criteria. These types of searches give you
more control over your search. For more information, see Advanced Mobile Device Searches.

Related Content

• Mobile Device Inventory Display Settings

Search Syntax
This section explains the syntax to use for search functions. In general, searches are not case-sensitive.

Note: The default search preference is “Exact Match”. For most items, the option can be changed to
either “Starts with” or “Contains”. For more information about configuring account preferences, see Jamf
Pro User Accounts and Groups.

The following table explains the syntax you can use for search functions:

| Search Function | Usage | Example |
| --- | --- | --- |
| Return all Results | Use an asterisk (*) without any other characters or terms, or perform a blank search. | Perform a search for “*” or leave the search field empty to return all results. |
| Perform Wildcard Searches | Use an asterisk after a search term to return all results with attributes that begin with that term. | Perform a search for “key*” to return all results with names that begin with “key”. |
| | Use an asterisk before a search term to return all results with attributes that end with that term. | Perform a search for “*note” to return all results with names that end with “note”. |
| | Use an asterisk before and after a search term to return all results that include that term. | Perform a search for “*ABC*” to return all results that include “ABC”. |
| Include Multiple Search Terms | Use multiple search terms separated by a comma (,) to return all results that include those search terms. | Perform a search for “key*, *note” to return all results that begin with “key” and end with “note”. |
| Exclude a Search Term | Use a hyphen (-) before a search term to exclude results that include the term. | Perform a search for “ABC*, -*note” to return all results with names that begin with “ABC” except for those that end with “note”. |

Performing a Simple Mobile Device Search


1. In Jamf Pro, click Devices in the sidebar.
2. Click Search Inventory in the sidebar.
3. Choose an item from the Search pop-up menu.
4. Enter one or more search terms in the fields provided.
5. Press the Enter key.

The list of search results is displayed.

If you searched for an item other than mobile devices, you can view the devices associated with a result by
clicking Expand next to the result. You can also change the item on which the results are based by
choosing an item from the pop-up menu at the top of the page.

You can export the data in your search results to different file formats or perform actions on the results. For
more information, see Mobile Device Reports or Mass Actions for Mobile Devices.

Advanced Mobile Device Searches


Advanced mobile device searches allow you to use detailed search criteria to search for devices in Jamf Pro.
These types of searches give you more control over your search by allowing you to do the following:

• Generate specific search results.
• Specify which attribute fields to display in the search results.
• Save the search.

Criteria Operators
The following table lists operators and examples of how they might be used to qualify values:

| Operator | Definition | Example |
| --- | --- | --- |
| is | Matches the specified string exactly | The criteria "'Computer Name' is 'Test Computer 6'" includes computers with the name "Test Computer 6". By contrast, a computer with the name "Test Computer 7" is not included. |
| is not | Matches values that do not match the specified string exactly | The criteria "'Display Name' is not 'CEO iPad'" includes all devices except those with the exact display name "CEO iPad". By contrast, a device with the display name "CEO iPad Old" is not included. |
| like | Matches values that contain the specified string | The criteria "'Computer Name' like 'AP Science Mac'" includes computers with names such as "AP Science Mac 1", "AP Science Mac 2", and "AP Science Mac 3". |
| not like | Matches values that do not contain the specified string | The criteria "'Display Name' not like 'Staff'" includes devices with display names such as "Student A", "Student B", and "Smith Personal iPhone". |
| matches regex | Matches values that match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Computer Name' matches regex '^LAB-.*$'" includes computers with names such as "LAB-ART-101", "LAB-CS-101", and "LAB-CS-102". |
| does not match regex | Matches values that do not match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Display Name' does not match regex '^HS'" includes devices with display names such as "iPad HS loaner" and "11 HS iPad". |

And/Or Groupings
If you have multiple criteria, you can use "and/or" groupings to define the relationships between them and
create logic that includes the devices you want in your advanced search. The following groupings are available
when multiple criteria are used:

• and—Only devices that fulfill all related criteria will be included in membership.
• or—Devices that fulfill any of the related criteria will be included in membership.

If more complex logic is necessary to define the relationships between your criteria, you can use the
parenthesis pop-ups to group criteria together.

Creating an Advanced Mobile Device Search


1. In Jamf Pro, click Devices in the sidebar.
2. Click Search Inventory in the sidebar.
3. Click New.
4. Use the Search pane to configure basic settings for the search. To save the search, select the Save this
Search checkbox.
5. Click the Criteria tab and add criteria for the search:
a. Click Add.
b. Click Choose for the criteria you want to add.
Only your 30 most frequently used criteria are listed. To display additional criteria, click Show
Advanced Criteria.

Best Practice: To search for all personally owned devices enrolled in Jamf Pro, select Device
Ownership Type from the advanced criteria, and then choose one or more of the Personal
value options.

c. Choose an operator from the Operator pop-up menu.
d. Enter a value in the Value field or browse for a value by clicking Browse.
e. Repeat steps a through d to add criteria as needed.
6. Choose an operator from the And/Or pop-up menus to specify relationships between criteria.
7. To group criteria and join multiple operations, choose parentheses from the pop-up menus around the
criteria you want to group.
Operations in the search take place in the order they are listed (top to bottom).
8. Click the Display tab and select the attribute fields you want to display in your search results.
9. Click Save.
10. To view search results, click View.

The results of a saved search are updated each time mobile devices contact Jamf Pro and meet or fail to meet
the specified search criteria.

You can export the data in your search results to different file formats or perform actions on the results. For
more information, see Mobile Device Reports or Mobile Device Mass Actions.
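
The criteria operators, and/or groupings and parentheses described above can be modelled offline to check a search's logic before saving it. The following is an added example, not Jamf Pro code: the Criterion fields, the case-sensitive and re.search matching, and the device records with their "Yes"/"No" values are assumptions, and rows are combined strictly top to bottom as step 7 states.

```python
import re
from dataclasses import dataclass

# The six operators from the Criteria Operators table. Case-sensitive matching
# and re.search() semantics are assumptions of this model, not Jamf Pro's code.
OPERATORS = {
    "is": lambda actual, wanted: actual == wanted,
    "is not": lambda actual, wanted: actual != wanted,
    "like": lambda actual, wanted: wanted in actual,
    "not like": lambda actual, wanted: wanted not in actual,
    "matches regex": lambda actual, wanted: re.search(wanted, actual) is not None,
    "does not match regex": lambda actual, wanted: re.search(wanted, actual) is None,
}


@dataclass
class Criterion:
    """One row of the Criteria tab (field names here are hypothetical)."""
    attribute: str
    operator: str
    value: str
    join: str = "and"   # And/Or pop-up; ignored on the first row of a group
    opens: int = 0      # "(" chosen in front of the row
    closes: int = 0     # ")" chosen after the row


def _combine(acc, join, value):
    if acc is None:          # first operand at this nesting level
        return value
    if join == "and":
        return acc and value
    if join == "or":
        return acc or value
    raise ValueError(f"unknown grouping: {join!r}")


def evaluate(criteria, device):
    """Apply rows top to bottom; only parentheses change the grouping."""
    stack = [[None, None]]   # frames of [result so far, join back to parent]
    for row in criteria:
        if row.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {row.operator!r}")
        join = row.join
        for _ in range(row.opens):
            stack.append([None, join])
            join = None      # the row is the first operand inside the new group
        actual = str(device.get(row.attribute, ""))
        frame = stack[-1]
        frame[0] = _combine(frame[0], join, OPERATORS[row.operator](actual, row.value))
        for _ in range(row.closes):
            if len(stack) == 1:
                raise ValueError("closing parenthesis without an opening one")
            result, pending = stack.pop()
            stack[-1][0] = _combine(stack[-1][0], pending, result)
    if len(stack) != 1:
        raise ValueError("unclosed parenthesis")
    return bool(stack[0][0])


def search(criteria, devices):
    """Return the display names of the devices that satisfy the criteria."""
    return [d["Display Name"] for d in devices if evaluate(criteria, d)]


# Constructed inventory records. Attribute names come from the page; the
# "Yes"/"No" values are assumed. "Not Reported" is the value the Security table
# gives for devices on which Self Service has never been launched.
DEVICES = [
    {"Display Name": "Student A", "Supervised": "No", "Jailbreak Detected": "Yes"},
    {"Display Name": "Student B", "Supervised": "No", "Jailbreak Detected": "No"},
    {"Display Name": "CEO iPad", "Supervised": "Yes", "Jailbreak Detected": "Not Reported"},
    {"Display Name": "Smith Personal iPhone", "Supervised": "No",
     "Jailbreak Detected": "Not Reported"},
    {"Display Name": "LAB-CS-101", "Supervised": "Yes", "Jailbreak Detected": "No"},
]

# Intent: unsupervised devices whose jailbreak status is "Yes" or "Not Reported".
FLAT = [
    Criterion("Supervised", "is", "No"),
    Criterion("Jailbreak Detected", "is", "Yes", join="and"),
    Criterion("Jailbreak Detected", "is", "Not Reported", join="or"),
]
GROUPED = [
    Criterion("Supervised", "is", "No"),
    Criterion("Jailbreak Detected", "is", "Yes", join="and", opens=1),
    Criterion("Jailbreak Detected", "is", "Not Reported", join="or", closes=1),
]

if __name__ == "__main__":
    print("no parentheses:", search(FLAT, DEVICES))
    print("parenthesized: ", search(GROUPED, DEVICES))
```

Without parentheses the supervised "CEO iPad" with a "Not Reported" jailbreak status is pulled into the result; grouping the two jailbreak rows restricts the search to unsupervised devices.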

Mobile Device Reports


The data displayed in smart and static groups or mobile device search results can be downloaded from Jamf
Pro. You can also email reports for advanced mobile device searches.

The following file formats are available for downloading or email reporting:

• Comma-separated values file (.csv)


• Tab-Separated Values (.tsv)
• XML file

Note: Importing exported reports that contain long number strings in .csv format (e.g. IMEIs, serial
numbers) into Excel will cause the number strings to appear incorrectly.

You can organize the data by basing the report on any of the following inventory items:

• Mobile devices


• Device groups
• Apps
• Configuration profiles
• Certificates
• Provisioning profiles

The data is displayed in alphanumeric order by the selected inventory item.

Creating Reports for Smart and Static Groups or Simple Mobile Device Searches

Reports for smart and static groups or simple mobile device searches can be exported.

1. In Jamf Pro, click Devices in the sidebar.


2. Do one of the following:
◦ View mobile device group memberships. For more information, see Smart Groups or Static Groups.
◦ View simple mobile device search results. For more information, see Simple Mobile Device Searches.

Note: You can only create a report from a simple mobile device search if you searched by devices.

3. At the bottom of the list, click Export.


4. Follow the onscreen instructions to export the data. The report downloads immediately.

Creating Reports for Advanced Mobile Device Searches


You can download unsaved and saved advanced mobile device search reports. Advanced mobile device
search reports can also be emailed instantly or on a defined schedule.

Downloading an Advanced Mobile Device Search Report

1. In Jamf Pro, click Devices in the sidebar.


2. Do one of the following:
◦ Select the saved advanced mobile device search for which you want to create a report and view the
results.
◦ Click New, and then use the Criteria and Display panes to configure your search.
3. Click the Reports tab.
4. Select a file format for the report.
5. Select the inventory item on which to base the report results.
6. Click Download Report. The report downloads immediately.


Emailing an Advanced Mobile Device Search Report

Note: To email reports from newly created advanced searches, you must select Save this search and
complete the Display Name field in the Search pane.

Requirements
To email a saved advanced computer search report, an SMTP server must be set up in Jamf Pro.

For more information, see SMTP Server Integration.

1. In Jamf Pro, click Devices in the sidebar.


2. Do one of the following:
◦ Select the advanced mobile device search for which you want to create a report and view the results.
◦ Click New, and then use the Search, Criteria, and Display panes to configure your search.
3. Click the Reports tab.
4. Select a file format.
5. Select the inventory item on which to base the report results.
6. In the Email Reporting section, enter email addresses, a subject for the email, and the body text for the
email.
7. Click Send Email Report. The report is sent immediately.
8. To set up another email report, click the button and repeat the process.

Scheduling Email Reports for Saved Advanced Mobile Device Searches

You can email saved advanced mobile device search reports according to a schedule that you define.

Requirements
To email a saved advanced computer search report, an SMTP server must be set up in Jamf Pro.

For more information, see SMTP Server Integration.

1. In Jamf Pro, click Devices in the sidebar.


2. Select the advanced mobile device search for which you want to create a report, and view the results.
3. Click the Reports tab.
4. Select a file format for the report.


5. Select the inventory item on which to base the report results.


6. In the Email Reporting section, enter email addresses, a subject for the email, and the body text for the
email.
7. Click Schedule automatic email reports.
8. Set the frequency and interval at which you want the report to be emailed.
9. Click Save.

Reports will be emailed on the specified schedule.

To set up another email report, click the button and repeat the process.

Mass Actions for Mobile Devices


The following table explains the mass actions you can perform using Jamf Pro:

Mass Action: Edit the building or department
Description: Mass editing the building or department for mobile devices allows you to add the mobile devices to a building or department or change the building or department they belong to. This option is only displayed if there are one or more buildings or departments in Jamf Pro. For more information, see Buildings and Departments.

Mass Action: Edit the site
Description: Mass editing the site for mobile devices allows you to add the devices to a site or change the site they belong to. When mobile devices are added to a site, any users assigned to those mobile devices are also added to that site. This option is only displayed if there are one or more sites in Jamf Pro. For more information, see Sites.

Mass Action: Look up and populate purchasing information from Apple's Global Service Exchange (GSX)
Description: You can mass look up purchasing information from Apple’s Global Service Exchange (GSX) and populate the information in Jamf Pro if desired. This requires a GSX connection set up in Jamf Pro. For more information, see GSX Connection.
Note: GSX may not always return complete purchasing information. Only the information found in GSX is returned.

Mass Action: Send a mass email to users
Description: You can send a mass email to users associated with the mobile devices in Jamf Pro. The email is sent to the email address associated with each device. This requires an SMTP server set up in Jamf Pro. For more information, see SMTP Server Integration.

Mass Action: Send a mass notification to mobile devices with Jamf Self Service for iOS installed
Description: You can send a mass notification to mobile devices. This requires mobile devices with Jamf Self Service for iOS installed. For more information, see Jamf Self Service for iOS.

Mass Action: Delete the mobile devices from Jamf Pro
Description: You can mass delete mobile devices from Jamf Pro.

Mass Action: Send remote commands
Description: You can mass send remote commands to mobile devices from Jamf Pro. The remote commands available for a particular device vary depending on the device ownership type, device type, and OS version. For more information, see Remote Commands for Mobile Devices.

Mass Action: Cancel management commands
Description: You can mass cancel all pending or all failed management commands on mobile devices from Jamf Pro.

Mass Action: Remove restrictions set by Jamf Parent
Description: After enabling Jamf Parent to manage a group of student devices, you can remove app restrictions set by Jamf Parent on that group of devices. This option is only displayed if Jamf Parent is enabled on the devices in the search or group. To remove restrictions, you need a Jamf Pro user account with the "Remove restrictions set by Jamf Parent" privilege.

Mass Action: Remove Jamf Parent management capabilities
Description: After enabling Jamf Parent to manage a group of student devices, you can remove Jamf Parent management capabilities and student device restrictions set by Jamf Parent on that group of devices. If management capabilities are removed, parents must rescan the QR code in Self Service to add the student device back to Jamf Parent. To remove management capabilities, you need a Jamf Pro user account with the "Remove Jamf Parent management capabilities" privilege.

Mass Action: Remove restrictions set by Jamf Teacher
Description: After enabling Jamf Teacher to manage a group of student devices, you can remove restrictions set by Jamf Teacher on students' school-issued devices. This option is only displayed if Jamf Teacher is enabled in the Jamf Teacher settings. To remove Jamf Teacher restrictions on student devices, you need a Jamf Pro user account with the "Remove restrictions set by Jamf Teacher" privilege. For more information about how to enable Jamf Teacher, see Jamf Teacher Integration with Jamf Pro.

Performing Mass Actions for Mobile Devices


Mass actions can be performed on static or smart group membership lists or mobile device search results. If
you want to send the command to many devices, Jamf recommends sending the mass action to static or smart
group membership lists.

Important: Jamf recommends limiting actions for certain commands. For MDM profile renewal, a batch
of 100 or less is recommended. All other commands should be batched into groups of less than 1000.


1. Do one of the following:


a. View a smart or static computer group membership list. For more information, see Viewing Smart
Group Memberships or Viewing Static Group Memberships.
b. Perform a simple or advanced mobile device search. For more information, see Performing a Simple
Mobile Device Search or Creating an Advanced Mobile Device Search.

Note: You can only perform mass actions from a simple mobile device search if you searched
by devices.

2. At the bottom of the list, click Action.


3. Click the radio button for the mass action you want to perform.
4. Follow the onscreen instructions.

Mobile Device Management Information


Jamf Pro allows you to view management information for each mobile device, including group memberships,
Jamf Pro objects that have the mobile device in scope, and more. The following table lists what management
information you can view for a mobile device:

Category: Management Commands
Notes:
• To cancel a pending management command, click Cancel next to the command.
• If your environment uses the Healthcare Listener, "Healthcare Listener" is displayed as the value in the Username column for the remote command that is automatically sent to the mobile device. For more information about the Healthcare Listener, see Healthcare Listener.

Category: Configuration Profiles
Notes: If your environment uses Shared iPad, you can view a list of configuration profiles for a specific user on that device.

Category: Activation Lock Bypass
Notes:
• To display the Activation Lock bypass code on the screen, click Get Activation Lock Bypass Code.
• For information about what the Activation Lock bypass code can be used for, see the Leveraging Apple’s Activation Lock Feature with Jamf Pro article.

Category: Operating System
Notes: This category displays the results of OSUpdateStatus queries when a managed software update workflow is initiated using MDM command-based workflows in Jamf Pro. The information displayed can include:
• Product key value of a scheduled update
• The status of the update or completion percentage of the download
• The install action occurring
When the workflow is presumed complete, the update progress data is no longer displayed in this category. To view completed software updates, click the History tab, and then click Operating System History. For more information, see Mobile Device History Information.

Category: Apps
Notes: --

Category: eBooks
Notes: --

Category: Mobile Device Groups
Notes: --

Note: The management information available for a particular device varies depending on the device
ownership type, device type, and iOS version. For more information, see Managing Mobile Devices.

Viewing Management Information for a Mobile Device


1. In Jamf Pro, click Devices in the sidebar.
2. Perform a simple or advanced mobile device search.
3. Click the device you want to view management information for.

If you performed a simple search for an item other than mobile devices, you must click Expand next to
an item to view the devices related to that item.
4. Click the Management tab, and then click the category you want to view management information for.
A list of results is displayed.

Mobile Device History Information


Jamf Pro allows you to view history information for each mobile device, such as logs of deployment and
management actions. The following table lists what history information you can view for a mobile device:

Category: Management History
Notes: To cancel a pending management command, click Cancel next to the command.

Category: Audit Logs
Notes: If your environment uses the Healthcare Listener, "Healthcare Listener" is displayed as the value in the Username column for the remote command that is automatically sent to the mobile device. For more information, see Healthcare Listener.

Category: Operating System History
Notes: When the OSUpdateStatus query is presumed complete for managed software updates using MDM command-based workflows, this category displays the historical information for the updates.
Note: Updates are marked as "Installed" when the update workflow commands have completed, and the OS no longer reports an update in progress. Devices will display the installed OS version upon the next inventory update or declarative status report, depending on which event occurs sooner.

Category: User and Location History
Notes: A record of the current information is added to the list whenever changes are made to the User and Location category in the mobile device’s inventory information.

Category: Apps
Notes: To cancel a pending app installation, click Cancel next to the app.

Category: Managed eBooks
Notes: To cancel a pending installation, click Cancel next to the book. To cancel a failed installation, click Cancel next to the book.

Note: The management history available for a particular device varies depending on the device
ownership type, device type, and iOS version. For more information, see Managing Mobile Devices.

Related Content

• Log Flushing

Viewing History Information for a Mobile Device


1. In Jamf Pro, click Devices in the sidebar.
2. Perform a simple or advanced mobile device search.
3. Click the mobile device you want to view history for.

If you performed a simple search for an item other than mobile devices, you must click Expand next to
an item to view the mobile devices related to that item.
4. Click the History tab, and then click the category for the type of history information you want to view.

Deleting a Mobile Device from Jamf Pro


You can remove a mobile device from your inventory by deleting it from Jamf Pro.


Note: The components installed during enrollment are not removed from the mobile device when it is
deleted from Jamf Pro. It is recommended that you unmanage the device before deleting it.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Search Inventory in the sidebar.
3. Perform a simple or advanced mobile device search.
For more information, see Simple Mobile Device Searches or Advanced Mobile Device Searches.
4. Click the mobile device you want to delete.
If you performed a simple search for mobile device applications, you must click Expand next to an item
name to view the mobile devices related to that item.
5. Click Delete, and then click Delete again to confirm.

Related Content

• Mass Actions for Mobile Devices

Settings and Security Management for Mobile Devices

Mobile Device Configuration Profiles
Configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and
restrictions for devices, computers, and users.

You can use Jamf Pro to create a configuration profile or you can upload a configuration profile that was
created using third-party software, for example, Apple's Profile Manager or Apple Configurator.

Before creating a configuration profile, you should have basic knowledge of configuration profile payloads and
settings. For more information, see the following Apple documentation:

• Apple Platform Deployment


• Profile-Specific Payload Keys

Some configuration profile payloads and settings available in Jamf Pro may differ from their implementation in
Apple’s tools. For more information on these settings, see the Configuration Profile Payload Settings Specific
to Jamf Pro article.


When you create a mobile device configuration profile, you must specify the level at which to apply the profile—
device level or user level. Each level has a unique set of payloads and a few that are common to both.

Note: User-level profiles apply to iPads enabled as Shared iPad only.

There are two different ways to distribute a configuration profile to an iOS device—install it automatically
(requires no interaction from the user) or make it available in Jamf Self Service. For tvOS devices,
configuration profiles must be distributed by installing automatically. You can also specify the mobile devices
and users to which the profile should be applied (called “scope”).

Note: Removing a device from the scope of the profile also removes the settings applied by the profile
the next time the device checks in with Jamf Pro. For user-level profiles, you can remove the profile
from the iPad for each user by removing the device from the scope of the profile or deleting the profile
from Jamf Pro. Each user must log in to the iPad for the profile to be removed from the device for that
user.

A configuration profile will deploy containing both the iOS and tvOS selected options to all devices in scope.
Devices will ignore the options that do not pertain to their device type.

Note: Mobile device configuration profiles cannot be distributed to personally owned mobile devices
enrolled using a Personal Device Profile.

Related Content

• Mobile Device Management Information

User-Level Profiles for Shared iPad


You can apply mobile device configuration profiles at the user level for iPads enrolled with Jamf Pro with
Shared iPad enabled. This feature enhances Shared iPad workflows in your environment by enabling you to
distribute configuration profiles directly to a user that logs in to the iPad.

iPads must be enrolled with Jamf Pro and have Shared iPad enabled. You can use a Mobile Device PreStage
enrollment to enable Shared iPad during enrollment. For more information, see Automated Device Enrollment.


Note: Single Sign-On Extension payloads are available to apply at the user level as of Jamf Pro
10.24.1.

After the profile is installed on the iPad, you can view the Managed Apple ID for each user that the profile was
installed for. This information is available in the Profile category in the mobile device inventory information. For
more information, see Mobile Device Inventory and Criteria Reference.

Note: When you redistribute a user-level profile to a user that is currently logged in to their device, the
user must log out and log back in to the iPad to have the profile re-installed on their device. For profiles
that were created using Jamf Pro 10.24.1-10.25.0, you must edit and re-save the profile to redistribute it
to users.

Payload Variables for Configuration Profiles


You can use payload variables to populate configuration profile settings with attribute values stored in Jamf
Pro. This allows you to create payloads containing information about each device and user to which you are
distributing the profile. To use a payload variable, enter the $VARIABLE into any text field when creating a
configuration profile in Jamf Pro. When the profile is installed, the $VARIABLE is replaced with the value of the
corresponding attribute in Jamf Pro.

Note: Payload variables are case-sensitive.

Variable Inventory Information

$MANAGEMENTID Device management ID assigned by Jamf Pro

$DEVICENAME Mobile Device Name

$ASSET_TAG Asset Tag

$SITENAME Site Name

$SITEID Site ID

$SERIALNUMBER Serial Number

$UDID UDID

$USERNAME Username

$FULLNAME or $REALNAME Full Name

$EMAIL Email Address

$PHONE Phone Number

$ROOM Room

$POSITION Position

$DEPARTMENTNAME Department Name

$DEPARTMENTID Department ID

$BUILDINGNAME Building Name

$BUILDINGID Building ID

$MACADDRESS MAC Address

$JSSID Jamf Pro ID

$PROFILEJSSID Jamf Pro ID of the Configuration Profile

$EXTENSIONATTRIBUTE_# Extension Attribute ID Number

Note: The ID number is found in the extension attribute URL. In the example URL
below, "id=2" indicates the extension attribute ID number:

https://JAMF_PRO_URL.jamfcloud.com/mobileDeviceExtensionAttributes.html?id=2&o=r

For more information, see Mobile Device Extension Attributes.
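
Because payload variables are case-sensitive, a mistyped name can go unnoticed until a device shows the literal text. The check below is an added example, not Jamf or Apple code: it parses a configuration profile with Python's plistlib and flags any $TOKEN that is not one of the variable names in the table above, including names that differ only in case. The sample profile, its identifiers, and the function names are constructed for illustration, and treating every "$" followed by a word as an intended variable is an assumption of this example.

```python
import plistlib
import re

# Variable names from the payload variable table (case-sensitive).
DOCUMENTED = {
    "MANAGEMENTID", "DEVICENAME", "ASSET_TAG", "SITENAME", "SITEID",
    "SERIALNUMBER", "UDID", "USERNAME", "FULLNAME", "REALNAME", "EMAIL",
    "PHONE", "ROOM", "POSITION", "DEPARTMENTNAME", "DEPARTMENTID",
    "BUILDINGNAME", "BUILDINGID", "MACADDRESS", "JSSID", "PROFILEJSSID",
}
# $EXTENSIONATTRIBUTE_# carries the extension attribute ID number as its suffix.
EXT_ATTR = re.compile(r"EXTENSIONATTRIBUTE_\d+\Z")
# Assumption: any "$" followed by a word is meant to be a payload variable.
TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def iter_strings(node, path=""):
    """Yield (path, text) for every string value in a parsed profile."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")


def classify(name):
    """Return 'ok', 'wrong-case' or 'unknown' for a token name without '$'."""
    if name in DOCUMENTED or EXT_ATTR.match(name):
        return "ok"
    upper = name.upper()
    if upper in DOCUMENTED or EXT_ATTR.match(upper):
        return "wrong-case"
    return "unknown"


def lint_profile(data):
    """Parse .mobileconfig bytes and return [(path, token, verdict), ...]."""
    profile = plistlib.loads(data)
    findings = []
    for path, text in iter_strings(profile):
        for match in TOKEN.finditer(text):
            findings.append((path, "$" + match.group(1), classify(match.group(1))))
    return findings


# Constructed sample profile (not from Jamf Pro): one Exchange ActiveSync
# payload with a lower-case variable, plus a misspelled name in the title.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.constructed.profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Mail for $FULLNAME ($SERIAL)",
    "PayloadDescription": "Cost center $EXTENSIONATTRIBUTE_2",
    "PayloadContent": [
        {
            "PayloadType": "com.apple.eas.account",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.constructed.eas",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "Host": "mail.example.com",
            "EmailAddress": "$EMAIL",
            "UserName": "$username",
        },
    ],
})

if __name__ == "__main__":
    for path, token, verdict in lint_profile(SAMPLE_PROFILE):
        if verdict != "ok":
            print(f"{verdict:10} {token:12} at {path}")
```

A signed profile is CMS-wrapped, so it has to be unwrapped before plistlib can parse it.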

General Requirements
To install a configuration profile on a device, you need a push certificate in Jamf Pro. For more information, see
Push Certificates.

Creating a Mobile Device Configuration Profile in Jamf Pro


When creating and distributing mobile device configuration profiles directly in Jamf Pro, keep the following in
mind:


• In the summary view, only the included or configured settings are displayed in the Jamf Pro interface.
• Some enforced settings that do not change default values will not be visible on the device. For more
information on the default settings, see Profile-Specific Payload Keys from the Apple Developer website.
• You cannot apply profiles that require supervision to devices enrolled using User Enrollment. For more
information on the payloads that can be configured for devices enrolled using User Enrollment, see User
Enrollment MDM information in Apple Platform Deployment.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the profile, including the level at which to apply the
profile and the distribution method. If you chose to make the profile available in Jamf Self Service, choose
a Security setting.
Only payloads and settings that apply to the selected level are displayed for the profile.
5. Use the rest of the payloads to configure the settings.

Note: Some payloads and restrictions are only configurable for supervised devices. For more
information, see the MDM restrictions for supervised Apple devices in Apple Platform Deployment.

6. Click the Scope tab and configure the scope of the profile.
To distribute user-level profiles, ensure you add iPads to the scope that have Shared iPad enabled. This
allows the profile to be installed on the device for each potential user of that device. When each user logs
in, the profile is then installed on the device.

Note:
◦ If a user is logged in to an iPad prior to a profile being saved in Jamf Pro, the user must log out
and log back in to the iPad for the profile to be installed on the device.
◦ For limitations or exclusions to be based on LDAP users or LDAP user groups, the Username
field must be populated in the mobile device's inventory.

7. (Optional) If you chose to make the profile available in Self Service, click the Self Service tab to configure
Self Service settings for the profile.
8. Click Save.

The profile is distributed to deployment targets in the scope the next time they contact Jamf Pro.


Uploading a Configuration Profile


You can create a configuration profile by uploading a profile that was built using Apple's software, for example,
Profile Manager or Apple Configurator.

Note: Some payloads and settings configured with third-party software are not displayed in Jamf Pro.
Although you cannot view or edit these payloads, they are still applied to the deployment targets.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click Upload and upload the configuration profile (.mobileconfig).
4. Use the General payload to configure basic settings for the profile, including a distribution method. If you
chose to make the profile available in Jamf Self Service, choose a Security setting.
5. Use the rest of the payloads to configure or edit settings as needed.
6. Click the Scope tab and configure the scope of the profile.

Note: For limitations or exclusions to be based on LDAP users or LDAP user groups, the Username
field must be populated in the mobile device's inventory.

7. (Optional) If you chose to distribute the profile in Self Service, click the Self Service tab to configure Self
Service settings for the profile.
8. Click Save.

The profile is distributed to deployment targets in the scope the next time they contact Jamf Pro.

Downloading a Configuration Profile


If you want to view the contents of a configuration profile for troubleshooting purposes, you can download the
profile (.mobileconfig) from Jamf Pro.

1. In Jamf Pro, click Computers or Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click the configuration profile you want to download.
4. Click Download.

The profile downloads immediately.


Viewing the Status of a Configuration Profile


For each configuration profile, you can view the number of deployment targets with a status of Complete,
Remaining, or Failed for the profile installation.

Note: Depending on your system configuration, status data may not be available for profiles installed
using Jamf Pro 9.63 or earlier.

1. In Jamf Pro, click Computers or Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. To view a list of deployment targets with a status of Complete, Remaining, or Failed for the profile
installation, click the number displayed in the corresponding column. Then click Back in the top-left
corner of the pane.

Note: If a device becomes unmanaged after a profile is successfully distributed to it, the profile will
continue to be displayed in the Completed column.

4. To view logs for a configuration profile, click View in the corresponding row. For a different date range,
specify the starting and ending dates using the Date Range pop-up calendars.
5. Click Back in the top-left corner of the pane.

Adding a Mobile Device Configuration Profile to the Jamf Pro Dashboard

Adding a mobile device configuration profile to the Jamf Pro Dashboard helps you monitor its status and
progress.

If you have configured a restriction or system setting configuration profile, you can track its deployment
progress by adding it to the Jamf Pro Dashboard. This allows you to view all Completed, Pending, and Failed
statuses for the configuration profile.

1. In Jamf Pro, click Devices at the top of the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click the mobile device configuration profile you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.

5. Click Dashboard in the sidebar.


6. Navigate to the Mobile Device Configuration Profile Distribution Statuses area of the Jamf Pro
Dashboard and find the widget for the mobile device configuration profile you added.


7. Click any item in the widget to view the details.

Mobile devices that have been scoped to the profile have their progress tracked in both the pie chart and below
the chart by status category. Use this information to troubleshoot any mobile devices that have Failed or
Pending statuses by selecting the status hyperlinks and reviewing the mobile devices presented.

Best Practices for Mobile Device Configuration Profiles


In many environments, best practices for payload management include creating unique configuration profiles
to achieve separate goals. This approach reduces complexity in terms of configuring the scope of profiles and
identifying issues when troubleshooting.

For example, you may want to create one configuration profile for Restrictions, one for Wi-Fi, and one for VPN.
Each profile could contain one or multiple payloads—whatever combination of payloads and settings is needed
to accomplish the goal you're trying to achieve with the profile.

For more information on optimizing payload planning and management, see Plan your configuration profiles for
Apple devices in Apple Platform Deployment.

Configuring Wi-Fi for Mobile Devices


You can create a configuration profile to deploy Wi-Fi settings to iOS, iPadOS, and tvOS devices.

Note: These instructions are for environments that use a network with a personal security type
encryption, such as WPA2 Personal. If your environment requires an enterprise security type with an
802.1x RADIUS server, see the Implementing 802.1X Authentication Using Jamf Pro technical paper for
instructions instead.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. In the General payload, enter a name for the profile and configure other settings on the pane as needed.
5. Click the Wi-Fi payload.
6. Click Configure.
7. In the Service Set Identifier (SSID) field, enter your SSID.
8. Select the Auto Join checkbox.
9. In the Security Type menu, select the wireless network encryption to use when connecting.
10. Click the Scope tab, and then configure the target devices or device groups.
11. Click Save.


The profile is distributed to the devices in the scope.

Configuring Exchange ActiveSync for iOS and iPadOS Devices


You can create a configuration profile to configure Microsoft Exchange ActiveSync accounts on iOS and
iPadOS devices.

Requirements
• If you plan on routing traffic through a VPN, you must configure and add a VPN payload to the
configuration profile before adding the Exchange ActiveSync payload.
• If you plan on using certificate-based authentication, you must configure and add a Certificate payload
to the configuration profile before adding the Exchange ActiveSync payload.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the profile, including the level at which to apply the
profile and the distribution method.
5. Click the Exchange ActiveSync payload.
6. Click Configure.
7. Enter your Microsoft Exchange ActiveSync account name in the Account Name field.
8. Enter your Microsoft Exchange server URL in the Exchange ActiveSync Host field.

Example: outlook.office.365.com

9. (Optional) Select the Use SSL checkbox.


10. (Optional) Choose a VPN connection from the VPN Connection pop-up menu.

Note: Eligible VPN connections will appear in this pop-up menu. The VPN payload must be
configured in the configuration profile before adding the Exchange ActiveSync payload.

11. (Optional) Enter the domain for the account in the Domain field.
12. (Optional) Enter the user for the account in the User field.


Note: To prompt the user for their username and password on the device, you must leave both the
Domain and User fields blank.

13. Enter the email address for the account in the Email Address field.
14. (Optional) Select the Use OAuth for authentication checkbox.

Note: Keep the following in mind when using OAuth for authentication:
◦ If you select the Use OAuth for authentication checkbox, you will need to fill in both the OAuth
Sign In URL and the OAuth Token Request URL fields. You will not be required to enter the
password mentioned in step 15.
◦ The format for the OAuth Sign In URL is https://login.microsoftonline.com/tenant_ID/oauth2/v2.0/authorize.
◦ The format for the OAuth Token Request URL is https://login.microsoftonline.com/tenant_ID/oauth2/v2.0/token.
◦ You will need your Microsoft Entra tenant ID in order to accurately complete these fields. To find
your tenant ID, navigate to portal.azure.com > Microsoft Entra ID > Properties.

15. Enter the password for the account in both the Password and Verify Password fields.
16. (Optional) Select the Override Current Password checkbox if you want to replace the user's current
password with the password specified in the fields mentioned in step 15.
17. Choose the number of past days of mail to synchronize from the Past Days Of Mail to Sync pop-up
menu.
18. (Optional) Choose a credential for authenticating the ActiveSync account from the Authentication
Credential pop-up menu.

Note: If using certificate-based authentication, eligible certificates will appear in this pop-up menu.
The Certificate payload must be configured in the configuration profile before adding the
Exchange ActiveSync payload.

19. Configure the mail settings as necessary.


20. Configure the options under the Enable Services section.

Note: At least one service must be enabled.

21. Configure the options under the User Override section.


22. (Optional) Configure the Communication Service Rules section.


23. Click the Scope tab, and then configure the target devices or device groups.
24. Click Save.

The profile is distributed to the devices in the scope. After the profile is installed, the user is prompted for their
Exchange password. If you are using certificate-based authentication, the user will not be prompted for a
password.
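
To review what the Wi-Fi and Exchange ActiveSync procedures above produce, the following added example (not part of the Jamf documentation) audits an unsigned exported profile for the settings those steps control. The payload key names (SSID_STR, EncryptionType, OAuthSignInURL, and so on) are Apple's configuration profile keys rather than names from this page, and both profiles are constructed samples.

```python
import plistlib
import re

WIFI = "com.apple.wifi.managed"   # Apple payload type for Wi-Fi settings
EAS = "com.apple.eas.account"     # Apple payload type for Exchange ActiveSync
# URL shape this page gives for Microsoft Entra; tenant_ID is one path segment.
ENTRA_URL = r"https://login\.microsoftonline\.com/[^/]+/oauth2/v2\.0/{}"
# EncryptionType values that do not require WPA-class encryption.
WEAK_WIFI = {"None", "WEP", "Any"}


def make_profile(wifi, eas):
    """Serialize a minimal unsigned profile with one Wi-Fi and one EAS payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [dict(wifi, PayloadType=WIFI),
                           dict(eas, PayloadType=EAS)],
    })


# Constructed sample profiles (hypothetical values, not from the Jamf docs).
WEAK_PROFILE = make_profile(
    {"SSID_STR": "Example-Office", "AutoJoin": True,
     "EncryptionType": "WEP", "Password": "constructed-psk"},
    {"Host": "mail.example.com", "EmailAddress": "user@example.com",
     "SSL": False, "OAuth": True, "Password": "constructed-password",
     "OAuthSignInURL":
         "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize"},
)
HARDENED_PROFILE = make_profile(
    {"SSID_STR": "Example-Office", "AutoJoin": True,
     "EncryptionType": "WPA2", "Password": "constructed-psk"},
    {"Host": "mail.example.com", "EmailAddress": "user@example.com",
     "SSL": True, "OAuth": True,
     "OAuthSignInURL":
         "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/authorize",
     "OAuthTokenRequestURL":
         "https://login.microsoftonline.com/TENANT_ID/oauth2/v2.0/token"},
)


def audit_wifi(payload):
    """Return finding codes for one Wi-Fi payload."""
    findings = []
    enc = payload.get("EncryptionType")
    if enc is None or enc in WEAK_WIFI:
        findings.append("WIFI_WEAK_OR_UNPINNED_ENCRYPTION")
        if payload.get("AutoJoin"):
            findings.append("WIFI_AUTOJOIN_ON_WEAK_NETWORK")
    if payload.get("Password"):
        # A personal security type places the pre-shared key in the profile.
        findings.append("WIFI_PSK_STORED_IN_PROFILE")
    return findings


def audit_eas(payload):
    """Return finding codes for one Exchange ActiveSync payload."""
    findings = []
    if payload.get("SSL") is False:
        findings.append("EAS_SSL_DISABLED")
    if payload.get("OAuth"):
        # With OAuth selected, both URL fields must be filled in.
        for key, suffix in (("OAuthSignInURL", "authorize"),
                            ("OAuthTokenRequestURL", "token")):
            url = payload.get(key)
            if not url:
                findings.append(f"EAS_{key}_MISSING")
            elif not re.fullmatch(ENTRA_URL.format(suffix), url):
                findings.append(f"EAS_{key}_BAD_FORMAT")
        if payload.get("Password"):
            # The page notes that no password is required when OAuth is used.
            findings.append("EAS_PASSWORD_SET_WITH_OAUTH")
    elif payload.get("Password"):
        findings.append("EAS_PASSWORD_STORED_IN_PROFILE")
    return findings


AUDITORS = {WIFI: audit_wifi, EAS: audit_eas}


def audit_profile(raw):
    """Parse an unsigned .mobileconfig (plist bytes) and audit known payloads."""
    profile = plistlib.loads(raw)
    results = []
    for payload in profile.get("PayloadContent", []):
        auditor = AUDITORS.get(payload.get("PayloadType"))
        if auditor:
            results.extend((payload["PayloadType"], f) for f in auditor(payload))
    return results


if __name__ == "__main__":
    for name, raw in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        for payload_type, finding in audit_profile(raw):
            print(f"{name}: {payload_type}: {finding}")
```

On the hardened sample the only remaining finding is the pre-shared key, which a personal security type always places in the profile.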

Restricting Apps for Mobile Devices


You can use Jamf Pro to create a mobile device configuration profile that restricts end user access to certain
iOS, iPadOS, and tvOS apps.

Requirements
• Supervised mobile devices
• Supervised Apple TV devices

1. In Jamf Pro, click Devices in the sidebar.
2. Click Configuration Profiles in the sidebar.
3. Click New.
4. In the General payload, enter a name for the profile and configure other settings on the pane as needed.
5. Under the Restrictions payload, click Apps.
6. To allow usage of the App Store on managed iOS, iPadOS, and tvOS devices and control which apps are
allowed, do the following:

Note: You may want to restrict the App Store app from tvOS devices entirely to prevent end users
from installing apps.

a. Select iOS, tvOS, and Supervised in the filter.
b. Choose "Some apps not allowed" or "Only some apps allowed" from the App Usage pop-up menu.
c. Enter the name of the first app you want to restrict in the App Name field.
d. Click Add to add additional apps as needed.
e. Repeat steps c through d as needed.
7. (iOS only) To restrict users from manually installing apps that are signed with an Apple Enterprise
Developer certificate, do the following:
a. Under the Restrictions payload, click Functionality.
b. Select iOS in the filter.
c. Restrict the Trusting new enterprise app authors setting.


8. (Optional) (iOS only) To restrict users from accessing the App Store and only allow users to install or
update apps from MDM, do the following:
a. Under the Restrictions payload, click Apps.
b. Select iOS in the filter.
c. Restrict the Installing apps using Apple Configurator and iTunes setting.
9. Click the Scope tab, and then configure the target devices or device groups.

Note: If deploying restrictions for tvOS, depending on your organization's approach to setting up
smart groups, you may want to create a separate profile for the tvOS app restrictions.

10. Click Save.

The profile is distributed to the devices in the scope. If a device has two or more configuration profiles with
restrictions, it will accept the most restrictive settings.

Remote Commands for Mobile Devices


You can send a remote command to a single mobile device. Some commands can also be sent to multiple
devices at once using mass actions. For more information, see Mass Actions for Mobile Devices.

Note: The remote commands available for a particular device vary depending on the device ownership
type, device platform, device type, and OS version.

Sending Remote Commands to a Mobile Device


The remote commands available in Jamf Pro allow you to remotely perform tasks on a single mobile device.
For more information about mobile device remote commands, see Remote Commands for Mobile Devices in
the Jamf Pro Documentation.

1. In Jamf Pro, click Devices in the sidebar.


2. Perform a simple or advanced mobile device search.
3. Click the mobile device you want to send the remote command to.

If you performed a simple search for an item other than mobile devices, you must click Expand next to
an item to view the devices related to that item.
4. Click the Management tab, and then click the button for the remote command that you want to send.
Depending on the command selected, additional options may be available.

The remote command runs on the mobile device the next time the device contacts Jamf Pro.


After the command is sent, you can do the following on the History tab:

• To view the status of a remote command, use the Management history pane to view completed, pending, or
failed commands.
• To cancel a remote command, click Pending Commands. Find the command you want to cancel, and click
Cancel across from it.

Mobile Device Remote Commands Support Reference


The following table describes the remote commands that you can send from Jamf Pro. All commands can be
sent as mass actions unless otherwise noted. Commands that can only be sent as mass actions are indicated
with an asterisk (*).

| Remote Command | Requirements | BYOD User Enrollment Supported |
|---|---|---|
| Update Inventory | iOS; iPadOS; tvOS | ✔ |
| Lock Device | iOS; iPadOS | ✔ |
| Clear Passcode | iOS; iPadOS | -- |
| Clear Screen Time Passcode (Not available as mass action) | iOS (Supervised); iPadOS (Supervised) | ✔ |
| Update Passcode Lock Grace Period* | iPadOS (Shared iPad only) | -- |
| Unmanage Device | iOS; iPadOS; tvOS | ✔ |
| Wipe Device | iOS; iPadOS; tvOS | -- |
| Adjust Shared iPad Settings* | iPadOS (Shared iPad only) | -- |
| Restart Device | iOS (Supervised); iPadOS (Supervised); tvOS (Supervised) | -- |
| Send Blank Push (Not available as mass action) | iOS; iPadOS; tvOS | ✔ |
| Set Wallpaper | iOS (Supervised); iPadOS (Supervised) | -- |
| Enable/Disable Voice Roaming; Enable/Disable Data Roaming | iOS; iPadOS; Cellular capability | -- |
| Update OS Version* | iOS (Supervised); iPadOS (Supervised); tvOS (Supervised) | -- |
| Log Out User | iPadOS (Shared iPad only) | -- |
| Enable/Disable Lost Mode (Not available as mass action) | iOS (Supervised); iPadOS (Supervised) | -- |
| Update Device Location | iOS (Supervised); iPadOS (Supervised); Lost Mode enabled | -- |
| Enable/Disable Diagnostic and Usage Reporting*; Enable/Disable App Analytics* | iPadOS (Shared iPad only) | -- |
| Shut Down Device | iOS (Supervised); iPadOS (Shared iPad only) | -- |
| Enable/Disable Bluetooth | iOS (Supervised); iPadOS (Supervised) | -- |
| Set Activation Lock* | iOS (Supervised); iPadOS (Supervised); In Apple School Manager or Apple Business Manager | -- |
| Enable/Disable Personal Hotspot* | iOS; iPadOS | -- |
| Manage Jamf Parent | iOS (Supervised); iPadOS (Supervised) | -- |
| Remove restrictions set by Jamf Teacher | iOS (Supervised); iPadOS (Supervised) | -- |
| Refresh Cellular Plans* | iOS 14 or later; iPadOS 14 or later | -- |
| Renew MDM Profile | iOS; iPadOS; tvOS | ✔ |
| Set Time Zone | iOS 14 or later (Supervised); iPadOS 14 or later (Supervised); tvOS 14 or later (Supervised) | -- |
| Recommend Software Update Version | iOS 14.5 or later (Supervised); iPadOS 14.5 or later (Supervised) | -- |

Mobile Device Remote Command Options


Update Inventory

Prompts the mobile device to contact Jamf Pro and update its inventory

Lock Device

Locks the mobile device

If the mobile device has a passcode, the user must enter it to unlock the device.

(Optional) Displays a message on the mobile device when it locks. This message is only sent if the
mobile device has a passcode.

(Optional) Displays a phone number on the mobile device when it locks. The phone number is only
displayed if the mobile device has a passcode.

Clear Passcode

Removes the passcode from the mobile device

If a configuration profile with a Passcode payload is installed on the device, the user is prompted to
create a new passcode.


Clear Screen Time Passcode

Removes the Screen Time passcode from a device

Update Passcode Lock Grace Period

Sets the amount of time that a device's screen can be locked before requiring a passcode to unlock it

Unmanage Device

Stops communication between the mobile device and the Jamf Pro server, which means you can no
longer perform management tasks on the device

When you unmanage a device, the following items are removed from the device:

• MDM profile
• Device certificate
• Self Service
• Any configuration profiles that were distributed with Jamf Pro
• Any managed apps that were distributed with the Remove app when MDM profile is removed
checkbox selected

Note: Although an unmanaged device will no longer submit inventory, its inventory record remains
in Jamf Pro.

Wipe Device

Permanently erases all data on the device and deactivates the device.

Optionally, you can:

• Clear Activation Lock on the device


• Retain cellular data plans (iOS 11 or later; iPadOS)
• Suppress Proximity Setup on the device (iOS 11.3 or later; iPadOS)

Note: Wiping a device does not remove the device from Jamf Pro or change its inventory
information.

To restore the device to the original factory settings, you must manually reactivate the device.

A Return to Service option is also available in the Jamf Pro API. You can use returnToService to
instruct iOS or iPadOS devices to automatically reconnect to Wi-Fi and re-enroll with Jamf Pro after
erasure. For more information, see the Erase Device Command Options in the Jamf Pro API technical
article.

Adjust Shared iPad Settings

Configures Shared iPad settings. You can set the following:

• Temporary Session Only— You can enforce temporary sessions so users can log in only as guests
(iPadOS 14.5 or later). To allow typical user sessions, users must log in with their Managed Apple IDs.
• Temporary Session Timeout— You can specify the period of inactivity on a device before the
session is automatically closed.
• Storage space type— You can specify how storage is allocated on a device:
◦ Number of Users—The maximum number of users that can be stored with the iPad. You can
specify up to 99 users. This limits the number of user accounts that can be stored locally on the
iPad.
◦ Storage Quota Size—The maximum amount of storage (MB) allocated for each user on a device.
This overrides the maximum number of users. If devices are upgraded to iPadOS 13.4 or later, it is
recommended that the device is wiped before setting the storage quota size.

Note: Quota size is dependent on the device's storage capacity and must meet the following
limitations:
▪ Devices with a storage capacity of 64 GB or greater must have 2048 MB or greater
entered for storage space.
▪ Devices with a storage capacity of 32 GB or greater must have 1024 MB or greater
entered for storage space.

All users must be logged out and removed from the device before the storage space type can be set.

Restart Device

Restarts a device

(Optional) Clears the passcode on the device. If this option is chosen, the Clear Passcode command is
sent to the device before the device is restarted.

Send Blank Push

Sends a blank push notification, prompting the device to check in with Apple Push Notification service
(APNs) and the declarative status channel

Set Wallpaper

Sets an image as wallpaper for the Lock screen, Home screen, or both screens on a supervised device


For more information, see Setting Wallpaper on Mobile Devices.

Enable/Disable Voice Roaming

Enables/disables voice or data roaming on the device

Note: Disabling voice roaming automatically disables data roaming.

Update OS Version

• Target Version—You can choose to update the OS version to the latest version based on device
eligibility or you can update to a specific version.
For more information, see Updating iOS, iPadOS, and tvOS Using a Mass Action Command.
• iOS Install Action—You can choose to download the update for users to install, or to download and
install the update and restart devices after installation.
For more information, see Updating iOS, iPadOS, and tvOS Using a Mass Action Command.

Log Out User

Logs out the currently logged in user

Enable/Disable Lost Mode

Enables/disables Lost Mode on the device

Lost Mode locks a device, displays a custom message on the device's Lock Screen, and tracks its
location.

For more information, see Enabling Lost Mode.

Update Location

Updates the GPS coordinates collected for a mobile device in Lost Mode

Enable/Disable Diagnostic and Usage Reporting

Enables/disables the sending of diagnostic and usage data to Apple

Note: Disabling diagnostic and usage reporting automatically disables app analytics.


Enable/Disable App Analytics

Enables/disables the sending of app analytics data to Apple

Shut Down Device

Shuts down the device

(Optional) Clears the passcode on the device. If this option is chosen, the Clear Passcode command is
sent to the device before the device is shut down.

Enable/Disable Bluetooth

Enables/disables Bluetooth on the device

Set Activation Lock

Enables Activation Lock directly on a device

Allows a user to enable Activation Lock on the device

Note: If Activation Lock is enabled on the device when this command is sent, Jamf Pro
automatically clears the Activation Lock before allowing the user to re-enable it.

Disables and prevents Activation Lock

For more information, see the Leveraging Apple's Activation Lock Feature with Jamf Pro article.

Enable/Disable Personal Hotspot

Enables/disables the Personal Hotspot on the device

Manage Jamf Parent

Allows you to remove app restrictions set by Jamf Parent on students' school-issued devices or remove
Jamf Parent management capabilities. Removing Jamf Parent management capabilities prevents Jamf
Parent from managing the student device until the parent scans the QR code again. To remove Jamf
Parent restrictions on student devices, you need a Jamf Pro user account with the "Remove restrictions
set by Jamf Parent" privilege.

For more information, see Jamf Parent Integration with Jamf Pro.

Note: This remote command is available as the following separate mass actions:


• Remove restrictions set by Jamf Parent


• Remove Jamf Parent management capabilities

Remove restrictions set by Jamf Teacher

Allows you to remove restrictions set by Jamf Teacher on students' school-issued devices. This option is
only displayed if Jamf Teacher is enabled in the Jamf Teacher settings. To remove Jamf Teacher
restrictions on student devices, you need a Jamf Pro user account with the "Remove restrictions set by
Jamf Teacher" privilege.

For more information about how to enable Jamf Teacher, see Jamf Teacher Integration with Jamf Pro.

Refresh Cellular Plans

Refreshes a device’s cellular plan by querying a carrier URL for active eSIM cellular plan profiles

Note: The device and carrier must support eSIM. For more information, see Find wireless carriers
and worldwide service providers that offer eSIM service from Apple's support website.

Renew MDM Profile

Renews the MDM profile on the mobile device, along with the device identity certificate. The device
identity certificate has a default expiration period of two years.

Note: The Renew MDM Profile remote command is automatically issued when the built-in CA is
renewed. The MDM profile will be renewed during the next mobile device check-in. For more
information, see "Renewing the Built-in CA" in PKI Certificates.

Set Time Zone

Sets a time zone on a device

Recommend Software Update Version

Allows you to recommend a software version in the Software Update settings that users are allowed to
install. You can recommend the following:

• Latest major version only


• Latest minor version only
• Any available version


The default setting is to recommend any available version. If this is selected, updates for both the
latest major version and the latest minor version are displayed simultaneously, if available.

For more information about software updates, see About software updates for Apple devices in Apple
Platform Deployment.

Disclaimer:

The Wipe Institutional Data remote command is deprecated and only applies to legacy Personal
Device Profiles. User Enrollment is the Apple-preferred method for enrolling personally owned devices
in a Bring Your Own Device (BYOD) program.

Best Practices for Mobile Device Remote Commands

Enabling Lost Mode


Lost Mode can help you recover a lost or stolen mobile device with iOS or iPadOS. Lost Mode disables the
ability to use the device and allows you to display a custom message on its Lock Screen. Lost Mode also
reports the device's GPS coordinates from the point where it receives the Lost Mode command. Ongoing,
additional MDM commands can query the device's location.

For more information on using Lost Mode, see Lock and locate Apple devices in Apple Platform Deployment.

Requirements
Supervised mobile devices with iOS or iPadOS

1. In Jamf Pro, click Devices in the sidebar.


2. Click Search Inventory in the sidebar.
3. Perform a simple or advanced mobile device search.
For more information, see Simple Mobile Device Searches or Advanced Mobile Device Searches.
4. Click the device you want to put in Lost Mode.
5. Click the Management tab.
6. Click Enable/Disable Lost Mode.
7. Choose an option from the Displayed Information pop-up menu, and then enter the message and phone
number you want to display on the Lock Screen.


Note: If you provide a phone number to display on an iPhone's Lock Screen, calls can only be made
to that number. All other phone functionality is disabled.

8. (Optional) Select Always enforce Lost Mode.


If a lost device is erased and is successfully re-enrolled via a PreStage enrollment, Lost Mode will be
immediately re-enabled and new location coordinates will be obtained. Lost Mode will stop being
automatically re-enabled upon enrollment after a command is successfully sent by Jamf Pro to disable Lost
Mode.
9. (Optional) Select Lost Mode Sound to require the device to play a sound.
10. Click Enable Lost Mode.

The selected device will display your message and optional text.

GPS coordinates for the device's approximate location are displayed in the device's inventory information
(Inventory > Security). You can use the Update Location remote command to update the GPS coordinates
collected for a device in Lost Mode.

Important: If a mobile device has a passcode enabled, Apple's Data Protection feature may cause the
mobile device to lose network connectivity after 48 hours or a device restart, and the mobile device will
lose access to Wi-Fi passwords in the keychain. If the device is unable to receive the Disable Lost
Mode MDM command, you may need to erase the device before it becomes functional again. For more
information, see Data Protection overview in Apple Platform Security.

Setting Wallpaper on Mobile Devices


You can use Jamf Pro to set the wallpaper image on multiple mobile devices.

Note: If you want to set the wallpaper image on an individual device, use the Set Wallpaper remote
command.

Requirements
• Supervised mobile devices
• An image cropped to the proper size. You can find the display resolution for all iPad and iPhone models
on Apple's Tech Specs webpage.


1. In Jamf Pro, click Devices in the sidebar.
2. Click Smart Device Groups in the sidebar.
3. Select the target group.
4. Click the Automated Management tab.
5. Click Edit.
6. Select Set Wallpaper (supervised only).
7. Under Wallpaper Screens, select which screens the wallpaper should be set for.
8. Click Upload Wallpaper Image and upload the wallpaper image.
9. (Optional) Select Schedule Ongoing Commands to configure additional times for the wallpaper to be
sent to devices in the scope of the smart group.

Note: Setting the wallpaper is accomplished by sending an MDM command rather than deploying a
configuration profile. To prevent users from changing the wallpaper, deploy a configuration profile
with a Restrictions payload and enable the "Modifying wallpaper" restriction. Ongoing scheduling is
only recommended for environments where users are allowed to modify the wallpaper.

10. Click Save.

Jamf Pro sends a Set Wallpaper command the next time mobile devices in the smart group check in with Jamf
Pro.

Note: After a mobile device joins a smart group, the Set Wallpaper command is sent immediately. If a
mobile device is a member of multiple smart groups and each smart group has a Set Wallpaper
command, multiple Set Wallpaper commands will be sent to the device in the order the device joined the
smart groups.

Supervision
Supervision provides additional control over the configuration and restrictions of a computer or mobile device
that is owned by your organization. For example, you can control operating system features (e.g., AirDrop) and
manage applications (e.g., set up Single App Mode). With Apple Business Manager or Apple School Manager,
supervision can be enabled as part of the enrollment process with Jamf Pro.

For iOS, iPadOS, and tvOS devices, supervision can be enabled manually using Apple Configurator. A
computer with macOS 11 or later is considered supervised when it is enrolled with Jamf Pro. For more
information, see About Apple device supervision in Apple Platform Deployment.


Certain mobile device management (MDM) features (e.g., setting restrictions or sending management
commands) are available only for supervised computers and devices. For more information, see the following
topics in Apple Platform Deployment:

• Review MDM payloads for Apple devices


• MDM restrictions for supervised Apple devices
• MDM commands for Apple devices

Supervision Identities
If you supervise and deploy devices using Apple Configurator and Jamf Pro, you can use a supervision identity
to pair supervised devices with multiple Apple Configurator workstations that have the same supervision
identity. A supervision identity can be applied to a device by pairing the device with an Apple Configurator
workstation or by enrolling the device with Jamf Pro using a PreStage enrollment configured with an
Automated Device Enrollment (formerly DEP) instance that has a supervision identity.

Supervision identity certificate (.p12) files can be created with Jamf Pro or Apple Configurator. You can
store a file in Jamf Pro for use with other Apple Configurator workstations or add it to an Automated Device
Enrollment instance to associate it with devices that enroll with a PreStage enrollment.

Note: To ensure devices are paired securely with each Apple Configurator workstation, the
workstations you are using must have matching supervision identities. If the wrong identity is applied to
a device, the device must be wiped, re-supervised, and re-enrolled to change the identity.

For more information about supervision identities, see the Apple Configurator User Guide.

Creating or Uploading a Supervision Identity


You can create or upload a supervision identity in Jamf Pro for use with Apple Configurator.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click Apple Configurator enrollment.
3. Click the Supervision Identities tab, and then click Edit.
4. Do one of the following:
◦ Click New to create a new supervision identity.
◦ Click Upload and then click Upload Supervision Identity to upload the supervision identity (.p12).
5. Configure the supervision identity using the fields on the pane.
6. Click Save.


Downloading a Supervision Identity


You can download a supervision identity from Jamf Pro and add it to the Apple Configurator workstations that
you want your devices with the same supervision identity to trust.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click Apple Configurator enrollment.
3. Click the Supervision Identities tab.
4. Click View next to the supervision identity you want to download.
5. Click Download.

Importing a Supervision Identity to Apple Configurator


You can import a supervision identity to Apple Configurator using a supervision identity (.p12) file from Jamf
Pro or another Apple Configurator instance.

1. Double-click the supervision identity (.p12) file.
2. When prompted, select the System keychain from the Keychain menu and click the Add button.
3. Enter the local administrator password.
4. Enter the password for the .p12 identity certificate.
5. Import the identity to Apple Configurator.
a. In Apple Configurator, navigate to Apple Configurator > Settings > Organizations.
b. Click to add a new organization.
c. Do one of the following:
▪ Sign in with a Managed Apple ID from an Apple School Manager or Apple Business Manager
account with Device Enrollment Manager privileges assigned to it.
▪ Click Skip and manually enter information about your organization.
d. Select Choose an existing supervision identity, and then click Next.
e. Choose your identity from the Keychain.
f. Click Done, then enter your administrator password.
6. Repeat steps 1–5 on other Apple Configurator workstations.

Adding a Supervision Identity to an Automated Device Enrollment Instance

When you add a supervision identity to an Automated Device Enrollment (formerly DEP) instance, that identity
is applied to all devices enrolled using a PreStage enrollment that is configured with the Automated Device
Enrollment instance.


Note: Devices that are already enrolled with Jamf Pro and associated with an Automated Device
Enrollment instance must be re-enrolled to associate with the supervision identity for that Automated
Device Enrollment instance.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Automated Device Enrollment.
3. Click the Automated Device Enrollment instance you want to add a supervision identity to.
4. Click Edit.
5. Select the supervision identity you want to add from the Supervision Identity for Use with Apple
Configurator pop-up menu.
6. Click Save.

Supervising Mobile Devices with Apple Configurator


Supervision allows you to control additional functions on a device using Jamf Pro. This feature is intended for
institutionally owned mobile devices. If you have devices that are not eligible for inclusion in Apple Business
Manager or Apple School Manager, you can supervise them via Apple Configurator, a free app in the Mac App
Store.

Best Practice: Supervising Devices via Automated Device Enrollment


Best practice workflows cover common scenarios; however, the following recommendations may not
apply in your environment.
The best way to use supervision is to enroll devices via Apple Business Manager or Apple School
Manager. Any devices that are enrolled with Jamf Pro via Automated Device Enrollment through Apple
Business Manager or Apple School Manager are supervised over the air. Contact your local Apple
Business Team to determine if your existing institutionally owned devices can be added to an Apple
deployment account. If your Apple Business Team cannot determine if your existing institutionally
owned devices can be added, Jamf recommends using Apple Configurator for iPhone to add iPhone
and iPad devices to Apple Business Manager.

Important: Any time you enable supervision on a mobile device, the device is wiped.

Requirements
Download Apple Configurator.


1. Connect your mobile device to a computer and open the latest version of Apple Configurator.
2. Choose "Prepare" from the Actions pop-up menu at the top of your screen.
3. Choose "Manual Configuration" from the Prepare with pop-up menu.

4. Select the Supervise devices checkbox, and then click Next.


5. Choose "Do not enroll in Automated Device Enrollment" from the Server pop-up menu, and then click
Next.
6. Enter organization information to display details about the institution that owns this device, and then click
Next.
7. Unless you have previously worked with supervision identities, select the Generate a new supervision
identity checkbox to complete this process, and then click Next.
8. Select the steps you want presented to the user in the Setup Assistant, and then click Prepare.


The mobile device is wiped and reboots as a supervised device.

You can now use user-initiated enrollment to enroll the device with Jamf Pro and take advantage of the
additional features that require supervision. For more information, see Device Enrollment.

Unmanaging Mobile Devices


Unmanaging mobile devices in Jamf Pro removes the MDM profile from the devices. This stops all
communication between the devices and Jamf Pro, ending all management capabilities.

Note: If you want to unmanage an individual device, use the Unmanage Device remote command. For
more information, see Sending Remote Commands to a Mobile Device.


If you want to erase devices, use the Wipe Device remote command instead. For more information, see
Remote Commands for Mobile Devices.

1. In Jamf Pro, navigate to the target device group by clicking either Smart Device Groups or Static Device
Groups in the sidebar, and then select the target group.
For more information, see Group Management.
2. Click View at the bottom of the page.
3. Click Action.
4. Select Send Remote Commands.
5. Click Next.
6. Select Unmanage Institutionally Owned Device.
A warning message and text field will appear.
7. Confirm that you want to unmanage the devices by typing the number of devices in the text field.
8. Click Next.

A confirmation message will be displayed.

Unmanaging devices does not remove their inventory records from Jamf Pro. For instructions on removing
unmanaged devices from inventory, see Deleting a Mobile Device from Jamf Pro.


Managing Users
About User Management
User management with Jamf Pro allows you to distribute the following items to users:

• Mac App Store apps


• In-house apps
• App Store apps
• In-house books
• Book Store books
• iOS configuration profiles
• macOS configuration profiles
• Policies

Inventory for Users


User Inventory Information
Jamf Pro stores detailed inventory information for each user. You can view and edit this information from Jamf
Pro.

Viewing and Editing Inventory Information


1. In Jamf Pro, click Users in the sidebar.
2. Perform a simple or advanced user search.
For more information, see Simple User Searches or Advanced User Searches.

Note: You can quickly search for all users in Jamf Pro without entering a query by clicking Search.

3. Click the user you want to view information for.


The user's inventory information is displayed.


4. To make changes to an editable inventory field, select the category that contains the information you want
to edit, click Edit, and make changes as needed.
5. Click Save.

Changes to a user’s site are only applied in the Users tab. All other changes to a user’s inventory information
are applied in the Users tab and also in the inventory information for computers and mobile devices that the
user is assigned to.

Note: Removing a user from a site removes the user assignment from all computers and mobile
devices that belong to that site.

User Inventory and Criteria Reference


This section lists the inventory attributes you can view for a user. These attributes can be used as criteria for
your smart user groups and advanced user searches. Attribute labels are the same in inventory information
and in criteria lists unless otherwise noted. Some attributes are editable.

General Category
The General category allows you to view the following information for a user:

• User Image

Note:
◦ Shared iPad only
◦ Displays only when user images are enabled and the requirements for enabling Apple Education
Support are met
◦ You can edit the URL for the user image by selecting the Custom Image URL checkbox. This
allows you to overwrite the existing distribution point URL for a single user image.

• Username
• Full Name
• Email Address
• Phone Number
• Position
• Extension Attributes
• Site


Extension attributes are also displayed in the General category of user inventory information.

For more information about enabling user images as a part of Apple Education Support, see Apple Education
Support Settings.

Roster Category
The Roster category of inventory attributes only displays if your environment is integrated with Apple School
Manager. The following table lists the inventory attributes you can view for a user:

| Field | Notes |
|---|---|
| Last Sync | |
| Status | |
| User Number | |
| Full Name from Roster | |
| First Name | |
| Middle Name | |
| Last Name | |
| Managed Apple ID | |
| Managed Apple ID uses federated authentication | This field displays whether or not a user's Managed Apple ID uses federated authentication. This enables Microsoft Entra ID credentials to be leveraged as the user's Managed Apple ID. For more information about federated authentication, see Intro to federated authentication with Apple School Manager from the Apple School Manager User Guide. |
| Grade | |
| Password Policy | The following options are available for the Password Policy: 4-Digit; 6-Digit; Standard (8 or more numbers and letters). Shared iPad only. |

Mobile Devices Category


The Mobile Devices category displays a list of mobile devices that the user is assigned to.


Computers Category
The Computers category displays a list of computers that the user is assigned to.

eBooks Category
The eBooks category displays a list of books distributed to the user.

Volume Assignments Category


The Volume Assignments category displays a list of content assigned to the user via volume assignments.

You can use the following volume assignments criteria in your smart groups and advanced searches:

• Content Name
• Content Type
• VPP Account
• VPP Invitation Status

VPP Codes Category


The VPP Codes category displays a list of VPP codes redeemed by the user.

User Assignments
Jamf Pro allows you to assign LDAP users to computers and mobile devices. Assigning a user to a device in
Jamf Pro creates a user assignment that can be added as a target user to the scope of remote management
tasks. For example, if you assign the user "samantha.johnson" to a device, you can then add that user to the
scope of a configuration profile. All devices assigned to "samantha.johnson" install the profile. Assigning a user
to a device also allows the user to receive email or SMS messages on the device to which they are assigned.

There are two ways to assign a user to a computer or mobile device:

• Manually (Requires the device to be enrolled with Jamf Pro)


• During user-initiated enrollment (LDAP users only)

In addition, Jamf Pro allows you to remove user assignments.

This section explains how to manually assign a user to a device, and how to remove a user assignment.


Manually Assigning a User to a Computer or Mobile Device

Requirements
To assign a user to a mobile device, you need a Jamf Pro user account with the "Assign Users to Mobile
Devices" privilege.

To assign an LDAP user to a device, you need an LDAP server set up in Jamf Pro. For more information,
see LDAP Directory Service Integration.

1. In Jamf Pro, click Computers or Devices in the sidebar.


2. Perform a simple or advanced search.
For more information on computer searches, see Simple Computer Searches or Advanced Computer
Searches.
For more information on mobile device searches, see Simple Mobile Device Searches or Advanced Mobile
Device Searches.
3. Click the computer or mobile device you want to assign a user to.
4. Select the User and Location category and click Edit.
5. Do one of the following:
◦ To assign an existing user, enter the user’s partial or full username in the Username field and click the
Search button. Click Choose across from the user you want to assign, and then click Save.
The Full Name, Email Address, Phone Number, and Position fields are populated automatically.
◦ To assign and create a new user, enter information about the user and click Save.

Removing a User Assignment from a Computer or Mobile Device


1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Perform a simple or advanced search.
For more information on computer searches, see Simple Computer Searches or Advanced Computer
Searches.
For more information on mobile device searches, see Simple Mobile Device Searches or Advanced Mobile
Device Searches.
3. Click the computer or mobile device you want to remove a user assignment from.
4. Select the User and Location category and click Edit.
5. Remove the username from the Username field and click Save.
The information in the Full Name, Email Address, Phone Number, and Position fields is removed
automatically.


User Extension Attributes


Extension attributes allow you to collect extra inventory information. Extension attribute values are populated
by using an input type, which can be any of the following:

• Text field
• Pop-up menu

In Jamf Pro, you can create extension attributes manually. They are displayed in the General category of user
inventory information.

Note: Depending on the input type and data type (string, integer, date), extension attributes may add
time and network traffic to the inventory collection process.

Extension Attribute Input Types


Extension attributes collect inventory data by using an input type. You can configure the following input types:

Text Fields

You can display a text field in inventory information. You can enter a value in the field anytime using Jamf
Pro.

Pop-up Menus

You can display a pop-up menu in inventory information. You can choose a value from the pop-up menu
anytime using Jamf Pro.

Creating a User Extension Attribute


1. In Jamf Pro, click Settings in the sidebar.
2. In the User management section, click Extension attributes.
3. Click New.
4. Configure the following settings:
a. Name your extension attribute.
b. (Optional) Enter a description.
c. Choose the type of data being collected from the Data Type pop-up menu.
d. Choose an input type to populate your extension attribute from the Input Type pop-up menu.
5. Click Save.


Simple User Searches


A simple user search functions like a search engine, allowing you to quickly search the users in your inventory
for a general range of results.

You can base searches on any of the following attributes:

• Username
• Full name
• Email address

Search Syntax
This section explains the syntax to use for search functions. In general, searches are not case-sensitive.

Note: The default search preference is “Exact Match”. For most items, the option can be changed to
either “Starts with” or “Contains”. For more information about configuring account preferences, see Jamf
Pro User Accounts and Groups.

The following table explains the syntax you can use for search functions:

| Search Function | Usage | Example |
|---|---|---|
| Return all Results | Use an asterisk (*) without any other characters or terms, or perform a blank search. | Perform a search for “*” or leave the search field empty to return all results. |
| Perform Wildcard Searches | Use an asterisk after a search term to return all results with attributes that begin with that term. | Perform a search for “key*” to return all results with names that begin with “key”. |
| | Use an asterisk before a search term to return all results with attributes that end with that term. | Perform a search for “*note” to return all results with names that end with “note”. |
| | Use an asterisk before and after a search term to return all results that include that term. | Perform a search for “*ABC*” to return all results that include “ABC”. |
| Include Multiple Search Terms | Use multiple search terms separated by a comma (,) to return all results that include those search terms. | Perform a search for “key*, *note” to return all results that begin with “key” and end with “note”. |
| Exclude a Search Term | Use a hyphen (-) before a search term to exclude results that include the term. | Perform a search for “ABC*, -*note” to return all results with names that begin with “ABC” except for those that end with “note”. |

Performing a Simple User Search


1. In Jamf Pro, click Users in the sidebar.
2. Click Search Users in the sidebar.
3. Enter one or more search terms in the field provided.
4. Press the Enter key.

The list of search results is displayed.

You can export the data in your search results to different file formats or perform actions on the results. For
more information, see User Reports or Mass Actions for Users.

Advanced User Searches


Advanced user searches allow you to use detailed search criteria to search for users in Jamf Pro. These types
of searches give you more control over your search by allowing you to do the following:

• Generate specific search results.


• Specify which attribute fields to display in the search results.
• Save the search.

Criteria Operators
The following table lists operators and examples of how they might be used to qualify values:

| Operator | Definition | Example |
|---|---|---|
| is | Matches the specified string exactly | The criteria "'Computer Name' is 'Test Computer 6'" includes computers with the name "Test Computer 6". By contrast, a computer with the name "Test Computer 7" is not included. |
| is not | Matches values that do not match the specified string exactly | The criteria "'Display Name' is not 'CEO iPad'" includes all devices except those with the exact display name "CEO iPad". By contrast, a device with the display name "'CEO iPad Old'" is not included. |
| like | Matches values that contain the specified string | The criteria "'Computer Name' like 'AP Science Mac'" includes computers with names such as "AP Science Mac 1", "AP Science Mac 2", and "AP Science Mac 3". |
| not like | Matches values that do not contain the specified string | The criteria "'Display Name' not like 'Staff'" includes devices with display names such as "Student A", "Student B", and "Smith Personal iPhone". |
| matches regex | Matches values that match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Computer Name' matches regex '^LAB-.*$s'" includes computers with names such as "LAB-ART-101", "LAB-CS-101", and "LAB-CS-102". |
| does not match regex | Matches values that do not match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Display Name' does not match regex '^HS'" includes devices with display names such as "iPad HS loaner" and "11 HS iPad". |

And/Or Groupings
If you have multiple criteria, you can use "and/or" groupings to define the relationships between them and
create logic that includes the devices you want in your advanced search. The following groupings are available
when multiple criteria are used:

• and—Only devices that fulfill all related criteria will be included in membership.
• or—Devices that fulfill any of the related criteria will be included in membership.

If more complex logic is necessary to define the relationships between your criteria, you can use the
parenthesis pop-ups to group criteria together.

Creating an Advanced User Search


1. In Jamf Pro, click Users in the sidebar.
2. Click Search Users in the sidebar.
3. Click New.
4. Use the Search pane to configure basic settings for the search.


To save the search, select the Save this Search checkbox.


5. Click the Criteria tab and add criteria for the search:
a. Click Add.
b. Click Choose for the criteria you want to add.
c. Choose an operator from the Operator pop-up menu.
d. Enter a value in the Value field or browse for a value by clicking Browse.
e. Repeat steps a through d to add criteria as needed.
6. Choose an operator from the And/Or pop-up menus to specify the relationships between criteria.
7. To group criteria and join multiple operations, choose parentheses from the pop-up menus around the
criteria you want to group.

Operations in the search take place in the order they are listed (top to bottom).
8. Click the Display tab and select the attribute fields you want to display in your search results.

Note: Some criteria cannot be viewed in advanced search results in Jamf Pro. These criteria can be
selected for export from the Export Only pane.

9. Click Save.
10. To view the search results, click View.

The results of a saved search are updated each time user information is modified and users meet or fail to
meet the specified search criteria.

You can export the data in your search results to different file formats or perform actions on the results. For
more information, see User Reports or Mass Actions for Users.

User Reports
The data displayed in smart or static group membership lists or user search results can be exported from Jamf
Pro to the following file formats:


• Comma-separated values file (.csv)


• Tab delimited text file (.txt)
• XML file

Creating User Reports


1. In Jamf Pro, click Users in the sidebar.
2. Do one of the following:
◦ View user group memberships. For more information, see Smart Groups or Static Groups.
◦ View simple or advanced user search results. For more information, see Simple User Searches or
Advanced User Searches.
3. At the bottom of the list, click Export.
4. Follow the onscreen instructions to export the data.

The report downloads immediately.

Mass Actions for Users


Mass actions allow you to perform potentially tedious tasks for multiple users at the same time. You can use
Jamf Pro to perform the following mass actions:

• Add users to a site.


• Delete users from Jamf Pro.

Mass actions can be performed on static or smart group membership lists or user search results.

Adding Multiple Users to a Site


You can use Jamf Pro to add multiple users to a site from static or smart group membership lists or user
search results. When you add multiple users to a site, those users retain previous site memberships.

You can only add multiple users to a site if there are one or more sites in Jamf Pro.

1. In Jamf Pro, click Users in the sidebar.


2. Do one of the following:
◦ View user group memberships. (For more information, see Smart Groups or Static Groups.)
◦ View simple or advanced user search results. (For more information, see Simple User Searches or
Advanced User Searches.)
3. At the bottom of the list, click Action.
4. Select Add Users to a Site.


5. Follow the onscreen instructions to add users to a site.

Mass Deleting Users


You can mass delete users from Jamf Pro.

If you have site access only and you mass delete users that belong to the site, the users are deleted from the
full Jamf Pro (not just the site).

A user cannot be deleted from Jamf Pro if there are dependencies for the user. For example, a user cannot be
deleted if the user is assigned to a mobile device.

1. In Jamf Pro, click Users in the sidebar.


2. Do one of the following:
◦ View user group memberships. (For more information, see Smart Groups or Static Groups.)
◦ View simple or advanced user search results. (For more information, see Simple User Searches or
Advanced User Searches.)
3. At the bottom of the list, click Action.
4. Select Delete Users.
A list of dependencies is displayed if you cannot delete users. The number of users is displayed next to the
dependency.
5. Follow the onscreen instructions to delete users.

Manually Adding a User to Jamf Pro


You can manually add a user to Jamf Pro.

1. In Jamf Pro, click Users in the sidebar.


2. Click Search Users in the sidebar.
3. Leave the search field blank and press the Enter key.
4. Click New.
5. Enter information about the user.
6. Click Save.

Deleting a User from Jamf Pro


You can remove a user from your inventory by deleting it from Jamf Pro.

1. In Jamf Pro, click Users in the sidebar.


2. Click Search Users in the sidebar.


3. Perform a search for the user you want to delete.
For more information, see Simple User Searches.
4. Click the user.
5. Click Delete, and then click Delete again to confirm.


Group Management
You can create groups in Jamf Pro to organize computers, mobile devices, or users that share similar
attributes. You can use these groups as a basis for performing advanced searches and configuring the scope
of remote management tasks, such as adding them to Classes for use with Apple's Classroom app or
performing mass actions.

You can create smart groups and static groups for computers, mobile devices, or users. Smart groups are
based on criteria and have dynamic memberships. Static groups have fixed memberships that you manually
assign.

Smart Groups
Jamf Pro allows you to create smart groups for managed computers, mobile devices, or users. You can create
smart groups based on one or more inventory attributes.

To avoid issues, smart group criteria should be well-defined and avoid using circular recalculations where two
smart groups rely on the membership of the other. We recommend you use smart groups for scoping,
deployment, and actionable items. For information gathering, queries, and reports, use the advanced search
feature.

For more information about inventory attributes that you can base smart groups on, see the following sections:

• Computer Inventory and Criteria Reference


• Mobile Device Inventory and Criteria Reference
• User Inventory and Criteria Reference

After creating a smart group, you can view its memberships.

Related Content

• Computer Reports
• Mass Actions for Computers
• Mobile Device Reports
• Mass Actions for Mobile Devices

Criteria Operators
The following table lists operators and examples of how they might be used to qualify values:


| Operator | Definition | Example |
|---|---|---|
| is | Matches the specified string exactly | The criteria "'Computer Name' is 'Test Computer 6'" includes computers with the name "Test Computer 6". By contrast, a computer with the name "Test Computer 7" is not included. |
| is not | Matches values that do not match the specified string exactly | The criteria "'Display Name' is not 'CEO iPad'" includes all devices except those with the exact display name "CEO iPad". By contrast, a device with the display name "'CEO iPad Old'" is not included. |
| like | Matches values that contain the specified string | The criteria "'Computer Name' like 'AP Science Mac'" includes computers with names such as "AP Science Mac 1", "AP Science Mac 2", and "AP Science Mac 3". |
| not like | Matches values that do not contain the specified string | The criteria "'Display Name' not like 'Staff'" includes devices with display names such as "Student A", "Student B", and "Smith Personal iPhone". |
| matches regex | Matches values that match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Computer Name' matches regex '^LAB-.*$s'" includes computers with names such as "LAB-ART-101", "LAB-CS-101", and "LAB-CS-102". |
| does not match regex | Matches values that do not match the specified regular expression (regex). For more information on regex, see the Using Regex with Smart Groups and Advanced Searches article. | The criteria "'Display Name' does not match regex '^HS'" includes devices with display names such as "iPad HS loaner" and "11 HS iPad". |

And/Or Groupings
If you have multiple criteria, you can use "and/or" groupings to define the relationships between them and
create logic that includes the devices you want in your advanced search. The following groupings are available
when multiple criteria are used:

• and—Only devices that fulfill all related criteria will be included in membership.
• or—Devices that fulfill any of the related criteria will be included in membership.

If more complex logic is necessary to define the relationships between your criteria, you can use the
parenthesis pop-ups to group criteria together.


Creating a Smart Group

Requirements
To enable the Send email notification on membership change setting, email notifications must be
enabled in Jamf Pro. For more information, see the following:

• SMTP Server Integration


• Email Notifications

1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.


2. Click Smart Computer Groups, Smart Device Groups, or Smart User Groups.
3. Click New.
4. Enter a display name for the group.
5. To enable email notifications, select the Send email notification on membership change checkbox.
6. Click the Criteria tab and add criteria to the group:
a. Click Add.
b. Click Choose for the criteria you want to add.

Note: Only your 30 most frequently used criteria are listed. To display additional criteria, click
Show Advanced Criteria.

c. Choose an operator from the Operator pop-up menu.


d. Enter a value in the Value field or browse for a value by clicking Browse.
e. Repeat steps a through d to add criteria as needed.

Note: Creating a smart group with no criteria will cause all managed computers, mobile devices,
or users to be included in the group's membership.

7. Choose an operator from the And/Or pop-up menus to specify the relationship between criteria.
8. To group criteria and join multiple operations, choose parentheses from the pop-up menus around the
criteria you want to group.


9. (Optional) If you are creating a smart device group, you can configure the group to send remote commands
to mobile devices when the devices become members of that group. For example, the Set Wallpaper
remote command can be configured to automatically set the wallpaper on devices when they become
members of the smart group. Click the Automated Management tab and configure remote commands to
send to devices that are members of the group.
10. Click Save.
11. (Optional) Click View to view a list of group memberships.

Operations in the group take place in the order they are listed (top to bottom).

Group memberships are updated each time the following happens:

• Computers submit inventory to Jamf Pro and meet or fail to meet the specified criteria.

Note: Some inventory attributes are updated when computers check in rather than when they submit
inventory (e.g., Last Check-in). Smart groups containing criteria based on these attributes update
memberships each time computers check in.

• Mobile devices contact Jamf Pro and meet or fail to meet the specified criteria.
• User information is edited.
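
Because a smart group can serve as a scope and can send Automated Management remote commands on membership change, the criteria operators and And/Or groupings described above are worth dry-running against exported names before the group is saved. The following Python is an added example, not Jamf code. Its assumptions: the sample names are constructed, Python's re engine and case-sensitive comparison stand in for Jamf Pro's matcher, "top to bottom" is modelled as a left-to-right fold, and parentheses are not modelled.

```python
import re

# Constructed sample display names; not taken from a real Jamf Pro inventory.
SAMPLE_NAMES = [
    "LAB-ART-101", "LAB-CS-101", "COLLAB-LAB-7",
    "Staff iPad 1", "Student A", "CEO iPad",
]


def _regex_hit(pattern, value):
    # Assumption: Python's re engine stands in for Jamf Pro's regex matcher.
    return re.search(pattern, value) is not None


# Operator semantics as the Criteria Operators table defines them.
# Assumption: comparisons are case-sensitive.
OPERATORS = {
    "is": lambda value, term: value == term,
    "is not": lambda value, term: value != term,
    "like": lambda value, term: term in value,
    "not like": lambda value, term: term not in value,
    "matches regex": lambda value, term: _regex_hit(term, value),
    "does not match regex": lambda value, term: not _regex_hit(term, value),
}


def validate(criteria):
    """Reject unknown operators, bad joins and regexes that do not compile."""
    for index, (join, operator, term) in enumerate(criteria):
        if operator not in OPERATORS:
            raise ValueError(f"criterion {index}: unknown operator {operator!r}")
        if index > 0 and join not in ("and", "or"):
            raise ValueError(f"criterion {index}: join must be 'and' or 'or'")
        if operator.endswith("regex"):
            try:
                re.compile(term)
            except re.error as exc:
                raise ValueError(f"criterion {index}: bad regex: {exc}") from exc


def preview_membership(criteria, names):
    """Return the names the criteria would select, in input order."""
    validate(criteria)
    if not criteria:
        # Per the note in "Creating a Smart Group": no criteria means everyone.
        return list(names)
    members = []
    for name in names:
        selected = None
        # Assumption: "top to bottom" is modelled as a left-to-right fold.
        for join, operator, term in criteria:
            hit = OPERATORS[operator](name, term)
            if selected is None:
                selected = hit          # the first criterion has no join
            elif join == "and":
                selected = selected and hit
            else:
                selected = selected or hit
        if selected:
            members.append(name)
    return members


def scope_warnings(criteria, names, max_fraction=0.5):
    """List reasons to review the criteria before using the group as a scope."""
    warnings = []
    members = preview_membership(criteria, names)
    if not criteria:
        warnings.append("no criteria: every record becomes a member")
    for index, (_, operator, term) in enumerate(criteria):
        alone = [n for n in names if OPERATORS[operator](n, term)]
        if not alone:
            warnings.append(f"criterion {index} ({operator} {term!r}) selects nothing")
        elif len(alone) == len(names):
            warnings.append(f"criterion {index} ({operator} {term!r}) selects everything")
    if names and len(members) / len(names) > max_fraction:
        warnings.append(f"{len(members)} of {len(names)} records are in scope")
    return warnings


if __name__ == "__main__":
    checks = {
        "anchored regex": [(None, "matches regex", "^LAB-.*$")],
        "contains": [(None, "like", "LAB-")],
        "as printed in the table": [(None, "matches regex", "^LAB-.*$s")],
        "iPad but not Staff": [(None, "like", "iPad"), ("and", "not like", "Staff")],
        "empty": [],
    }
    for label, criteria in checks.items():
        print(label, preview_membership(criteria, SAMPLE_NAMES),
              scope_warnings(criteria, SAMPLE_NAMES))
```

On the constructed names, "like 'LAB-'" also selects "COLLAB-LAB-7" while the anchored regex does not, and the pattern as printed in the table, with an "s" after "$", selects nothing under Python's re.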

Viewing Smart Group Memberships


1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Smart Computer Groups, Smart Device Groups, or Smart User Groups.
3. Click the smart group you want to view memberships for.
4. Click View.

A list of group memberships is displayed.


Viewing Smart Group Dependencies


You can view dependency reports for smart groups to identify where you are using smart groups in Jamf Pro.
This can help you decide how to best use and organize the smart groups in your environment.

1. In Jamf Pro, click Computers or Devices in the sidebar.


2. Click Smart Computer Groups, Smart Device Groups, or Smart User Groups.
3. Click the smart group you want to view dependencies for.
4. Click the Reports tab.

A table is displayed listing any dependencies of the smart group.

Adding a Smart Group to the Jamf Pro Dashboard


Adding a smart group to the Jamf Pro Dashboard helps you monitor computer, mobile device, or user count
based on the criteria selected.

1. In Jamf Pro, click Computers , Devices , or Users in the sidebar.


2. Click Smart Computer Groups, Smart Device Groups, or Smart User Groups.
3. Click the smart group that you want to add to the Jamf Pro Dashboard.
4. Select the Show in Jamf Pro Dashboard checkbox.

5. Click Dashboard in the sidebar.


6. Navigate to the Smart Computer Groups, Smart Mobile Device Groups, or Smart User Groups area
of the Jamf Pro Dashboard and find the widget for the smart group you added.
7. Click any item in the widget to view the details.

Static Groups
Static groups give you a way to organize computers, mobile devices, or users by assigning them to a group.
These groups have fixed memberships that must be changed manually.

After creating a static computer group, you can view its memberships.

Related Content

• Computer Reports
• Mass Actions for Computers
• Mobile Device Reports
• Mass Actions for Mobile Devices


Creating a Static Group


1. In Jamf Pro, click Computers , Devices , or Users in the sidebar.
2. Click Static Computer Groups, Static Device Groups, or Static User Groups.
3. Click New.
4. Configure basic settings for the group.
5. Click the Assignments tab and select the checkbox for each computer, device, or user you want to add.
6. Click Save .

7. (Optional) Click View to view a list of group memberships.

Computers become members of the group the next time they check in with Jamf Pro.

Mobile devices become members of the group the next time they contact Jamf Pro.

Viewing Static Group Memberships


1. In Jamf Pro, click Computers , Devices , or Users in the sidebar.
2. Click Static Computer Groups, Static Device Groups, or Static User Groups.
3. Click the static group you want to view memberships for.

4. Click View .

A list of group memberships is displayed.


Managing Apple OS Updates


macOS Updates
Apple releases a new operating system for computers annually and several minor macOS updates throughout
the year. Jamf recommends you upgrade or update to the latest macOS version to reduce security
vulnerabilities, support greater user efficiency and productivity with new features, and use new computer
management capabilities.

Jamf Pro supports many methods to deploy software upgrades and updates for macOS. For detailed
instructions on using these methods, see the Deploying macOS Upgrades and Updates with Jamf Pro
technical paper.

(Beta) Updating macOS Using Managed Software Updates
You can use the (Beta) managed software updates feature to update the OS of computers belonging to smart
or static group membership lists, eliminating the need for inventory searches and reducing the number of
screens required for deploying OS updates.

Important: This feature is in beta, so you may notice inconsistent or unexpected behavior.

Requirements
Target computers with macOS 11 or later, supervised or enrolled via a PreStage enrollment in Jamf Pro

Note: To have the update for computers with Apple silicon (i.e., M1 chip) installed automatically
without user interaction, a Bootstrap Token for target computers must be escrowed with Jamf Pro.
macOS will automatically request the Bootstrap Token from Jamf Pro to authorize updates that were
scheduled to install.

1. In Jamf Pro, click Computers in the sidebar.


2. Click Software Updates in the sidebar.


3. Click Use new experience.

Warning: Enabling the (Beta) managed software updates feature will cancel any in-flight updates.
In-flight updates include any update commands that have been deployed from Jamf Pro. You can
re-deploy these updates with the (Beta) managed software updates feature. When the new feature
is enabled, mass action update commands are disabled.

4. Click Computer Group.


A list of smart computer groups and static computer groups is displayed.
5. Select a single group or multiple groups and click Update selected.
6. Select one of the following for Install Action:
◦ To download the update on computers for users to install themselves, select Download only.
◦ To download and install the update on computers automatically, select Download and install.
◦ To download and install the update on computers, but allow users to defer the installation of the update,
select Download, install, and allow deferral.
◦ To download the update and schedule a specific date and time for the update to install automatically via
declarative device management, select Download and schedule to install (Available for Jamf Cloud-
hosted environments only).

Note: Keep the following in mind about using Download and schedule to install:
▪ Download and schedule to install requires computers with macOS 14.
▪ Scheduling via declarative device management is not supported in Jamf Premium Cloud Plus.
▪ A declaration is sent to the computer immediately after clicking Apply. The installation of the
update is enforced at the date and time set in Jamf Pro. When the update completes, the
computer proactively reports to Jamf Pro.
▪ For more information about declarative device management, see: Declarative Device
Management.

◦ To download and install the update on computers automatically and force restart the computer, select
Download, install, and restart.

Warning: Download, install, and restart can cause data loss because the computer will restart
without warning when the command completes.

7. Select one of the following for Target Version:


◦ To download the update for the latest macOS version based on each device's eligibility, select Latest
version based on device eligibility.
◦ To download the latest major macOS version, select Latest major version.
◦ To download the latest minor macOS version, select Latest minor version.
◦ To download the update for a specific macOS version, select Specific version and select the version
from the pop-up menu.
8. Click Apply.

The requested update is sent to the selected groups. A message appears indicating if the requested updates
are successful. To view the status of a deployed update, click the Management tab in a device inventory
record.

iOS, iPadOS, and tvOS Updates


With Jamf Pro, you can update iOS, iPadOS, and tvOS or defer the availability of updates for supervised
mobile devices.

For more information about the software update process, see About software updates for Apple devices in
Apple Platform Deployment.

(Beta) Updating iOS, iPadOS, and tvOS Using Managed Software Updates
You can use the (Beta) managed software updates feature to update the OS of mobile devices belonging to
smart or static group membership lists, eliminating the need for inventory searches and reducing the number of
screens required for deploying OS updates.

Important: This feature is in beta, so you may notice inconsistent or unexpected behavior.

Requirements
Target devices with iOS 14 or later, iPadOS 14 or later, or tvOS 14 or later, supervised or enrolled via a
PreStage enrollment in Jamf Pro


Note: Devices in Single App Mode may not receive update commands. Consider deploying any iOS,
iPadOS, or tvOS updates before placing a device in Single App Mode. Devices already in Single App
Mode may need to be taken out of this mode to receive the update.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Software Updates in the sidebar.
3. Click Use new experience.

Warning: Enabling the (Beta) managed software updates feature will cancel any in-flight updates.
In-flight updates include any update commands that have been deployed from Jamf Pro. You can
re-deploy these updates with the (Beta) managed software updates feature. When the new feature
is enabled, mass action update commands are disabled.

4. Click Mobile Device Group.


A list of smart device groups and static device groups is displayed.
5. Select a single group or multiple groups and click Update selected.
6. Select one of the following for Install Action:
◦ To download the update on devices for users to install themselves, select Download only.
◦ To download and install the update on devices automatically, select Download and install.
◦ To download the update and schedule a specific date and time for the update to install automatically via
declarative device management, select Download and schedule to install (Available for Jamf Cloud-
hosted environments only).

Note: Keep the following in mind about using Download and schedule to install:
▪ Download and schedule to install requires mobile devices with iOS 17 or later, or iPadOS
17 or later. tvOS is not supported.
▪ Scheduling via declarative device management is not supported in Jamf Premium Cloud Plus.
▪ A declaration is sent to the device immediately after clicking Apply. The installation of the
update is enforced at the date and time set in Jamf Pro. When the update completes, the
device proactively reports to Jamf Pro.
▪ For more information about Declarative Device Management, see: Declarative Device
Management.


Important: Due to Apple's MDM framework, the Download, install, and restart and Download,
install, and allow deferral commands will only function on computers. These commands are not
supported on mobile devices. For mobile devices, Download and install will automatically install
the update and restart the device.

7. Select one of the following for Target Version:


◦ To download the update for the latest iOS, iPadOS, or tvOS version based on each device's eligibility,
select Latest version based on device eligibility.
◦ To download the latest major iOS, iPadOS, or tvOS version, select Latest major version.
◦ To download the latest minor iOS, iPadOS, or tvOS version, select Latest minor version.
◦ To download the update for a specific iOS, iPadOS, or tvOS version, select Specific version and select
the version from the pop-up menu.
8. Click Apply.

The requested update is sent to the selected groups. A message appears indicating if the requested updates
are successful. To view the status of a deployed update, click the Management tab in a device inventory
record.

Updating iOS, iPadOS, and tvOS Using a Mass Action Command
To update iOS, iPadOS, and tvOS devices using the mass action workflow, you need to identify target devices.
You can do this using one of the following methods:

• Simple search
• Advanced search
• Static group
• Smart group

Best Practice: Using a Smart Group to Identify Target Devices


Best practice workflows cover common scenarios; however, the following recommendations may not
apply in your environment.
Create a smart mobile device group similar to the following to find and target supervised devices:


For more information on creating smart device groups, see Smart Groups.

Requirements
• Target devices with iOS 14 or later, iPadOS 14 or later, or tvOS 14 or later, supervised or enrolled via
PreStage enrollment in Jamf Pro.
• A valid push certificate in Jamf Pro

Note: Devices in Single App Mode may not receive update commands. Consider deploying any iOS,
iPadOS, or tvOS updates before placing a device in Single App Mode. Devices already in Single App
Mode may need to be taken out of this mode to receive the update.

Considerations for devices with a passcode enabled:

• If a device has a passcode enabled, you can optionally clear the passcode by sending a mass action
before attempting the update.

Important: For security reasons, Jamf does not recommend clearing passcodes. For example,
clearing a passcode from an iOS device with a mass action command will disable security
functions such as Face ID and Touch ID, and will remove passcode-secured items from Apple
Wallet. This allows anyone with physical access to the device to use it. If a configuration profile
with a passcode requirement was set, the next person to use the device is prompted to set a new
passcode. Consider how this may impact your organization before using this option. For more
information about Apple's security capabilities, see Apple Platform Security.

• If a device is locked with a passcode, the update will download but remain uninstalled until the user
acknowledges the update. The user is prompted to enter their passcode to install the update or defer for
an overnight installation. The user can defer the prompt up to three times before they are required to
schedule the update.

For more information on updating devices with a passcode enabled, see Managing iOS and iPadOS
software updates and upgrades in Apple Platform Deployment.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Search Inventory, Smart Groups, or Static Groups.
3. Click the name of an advanced mobile device search, smart device group, or static device group.
4. Click View.
5. Click Action.
6. Select Send Remote Commands.
7. Click Next.
8. Select Update OS Versions on supervised devices.
9. If updating iOS devices or iPadOS devices, ensure the Update iOS Version (iOS 9 - 10.2, enrolled via a
PreStage enrollment; and/or iOS 10.3 or later) checkbox is selected.
10. Select one of the following for Target Version:
◦ To download the update for the latest iOS version, select Latest version based on device eligibility.
◦ To download the update for a specific iOS version, select Specific version and select the version from
the pop-up menu.
11. Select one of the following for iOS Install Action:
◦ To download the update on devices for users to install themselves, select Download the update for
users to install.
◦ To download and install the update on devices automatically, select Download and install the
update, and restart devices after installation.
12. If updating Apple TV devices, ensure the Update tvOS Version (tvOS 12 or later) checkbox is selected,
and then select a Target Version.
13. To send the remote command, click Next.
14. Click Done.

The operating system on the devices is updated.


Deferring Availability of iOS, iPadOS, and tvOS Updates with a Configuration Profile
You can create a configuration profile with a Restrictions payload to defer the availability of iOS, iPadOS, and
tvOS updates up to 90 days from the date released by Apple. During the deferral, the new version of the
operating system will not appear as available on user devices. After the set period, the new operating system
version will become available, and users can update their operating system.

Note: Updates installed via remote commands are not deferred by this restriction.

Requirements
Supervision is required.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the profile.
5. In the Restrictions payload, click Functionality.
6. In the filter, select iOS or tvOS and Supervised.
7. Enable the Defer software update setting and choose the number of deferral days.
8. Click the Scope tab and configure the scope of the configuration profile.

Best Practice: To narrow the restriction to a specific group of supervised devices that are not using
the current iOS, iPadOS, or tvOS version, select Mobile Device Groups and click Add next to the
smart device group you created.

9. Click Done.
10. Click Save to deploy the configuration profile.

Viewing OS Update Information


If you use MDM command-based workflows in Jamf Pro to upgrade or update the operating system for
computers and mobile devices, you can monitor the progress of the workflow in the Management and
History tabs of computer and mobile device inventory records. This information is useful for Jamf Pro
administrators who want to inspect the progress and history of individual managed updates.

Requirements
Managed computers or mobile devices that are Supervised or enrolled via a PreStage enrollment

1. In Jamf Pro, click Computers or Devices in the sidebar.


2. Click Search Inventory in the sidebar.
3. Choose "Computer" or "Mobile Devices" from the Search pop-up menu.
4. Enter one or more search terms and press the Enter key or click Search to find all computers or mobile
devices.
5. Click the computer or device you want to view management information for.
6. To view the operating system update, click the Management tab, and then click the Operating System
category.
For more information about the Operating System category, see Computer Management Information or
Mobile Device Management Information.

7. To view the operating system history, click the History tab, and then click the Operating System History
category.


For more information about the Operating System History category, see Computer History Information or
Mobile Device History Information.


Content Distribution
Content Distribution Methods using Jamf Pro
To install apps and books on devices, Jamf Pro includes two distribution methods:

• Make Available in Jamf Self Service—Users open Self Service and choose to install available apps and
books. You can choose whether or not to make the content managed, when possible.
• Install Automatically/Prompt Users to Install—Apps and books are installed automatically, or users are
prompted to install them first. This method automatically makes a mobile device app or book managed, when
possible. Automatic installation of apps and books only occurs if the following device conditions are met:

Apps
◦ The device is supervised.
◦ A license for the app is assigned to the device or the associated user for the device.
◦ If the app is distributed via user-assigned managed distribution, the user is signed
into the App Store on the device and registered with volume purchasing.

Books
◦ The device is supervised.
◦ The user is signed in to the App Store on the device and registered with volume
purchasing, and a license for the book is assigned to the user.
◦ The Book Store is not disabled on the device.
◦ The device is not configured to require an Apple ID password for all purchases.
If managed book requirements are not met, the book is made available in Self Service
for users to install as a fallback option.

Note: If a user is in the scope of a book and the managed book requirements are
met, the book is installed automatically on all mobile devices assigned to the
user in Jamf Pro. On other mobile devices that do not meet managed book
requirements or computers assigned to the same user, the book is made
available in Self Service.

Related Content

• Items Available to Users in Jamf Self Service for macOS


Managed Content in Jamf Pro


Managing content using Jamf Pro allows you to have more control over the distribution and removal of apps
and books, as well as the backup of data and options for updating the content.

Managed Apps
The following two factors determine whether an app can be managed by Jamf Pro:

• The app must be free or purchased in volume. For more information about volume purchasing, see the
following Apple documentation:
◦ Apple School Manager User Guide
◦ Apple Business Manager User Guide
• The mobile device must have an MDM profile that supports managed apps.

The following table compares distribution settings for unmanaged versus managed apps:

                                              Unmanaged apps   Managed apps

Distribution Methods
  Make available in Jamf Self Service               ✔               ✔
  Prompt users to install                                           ✔

Removal Options
  Remove from Jamf Self Service                     ✔               ✔
  Remove from mobile devices                                        ✔
  Remove when MDM profile is removed                                ✔

Backup of App Data
  Prevent backup of app data                                        ✔

App Update Options
  Schedule automatic app updates                    ✔               ✔
  Force an app update                                               ✔

App Validation Options (in-house apps only)
  Schedule automatic app validation                                 ✔
  Force app validation                                              ✔

Managed App Configuration


Managed app configuration is a set of key-value pairs used to configure iOS applications. You can use
managed app configuration to configure and customize Jamf-managed apps for your organization.

You can use Jamf Pro to configure a managed app before distributing it to mobile devices.

For more information or to generate a managed app configuration, see the AppConfig Generator utility from
Jamf.

Managed App Configuration Variables


You can use $VARIABLES to populate settings in a managed app with attribute values stored in Jamf Pro. This
allows you to customize managed app settings on a per user or mobile device basis.

When the app is installed on a mobile device, the $VARIABLE is replaced with the value of the corresponding
attribute in Jamf Pro.

Note: An $EXTENSIONATTRIBUTE_<#> variable is generated each time you create a mobile device
extension attribute. For more information, see Mobile Device Extension Attributes.

Variable                    Mobile Device Information

$DEVICENAME                 Mobile Device Name
$SERIALNUMBER               Serial Number
$UDID                       UDID
$USERNAME                   Username
$FULLNAME or $REALNAME      Full Name
$EMAIL                      Email Address
$PHONE                      Phone Number
$ROOM                       Room
$POSITION                   Position
$MACADDRESS                 MAC Address
$JSSID                      Jamf Pro ID
$APPJSSID                   Jamf Pro ID of the App
$SITEID                     Site ID
$SITENAME                   Site Name
$BUILDINGNAME               Building Name
$BUILDINGID                 Building ID
$DEPARTMENTID               Department ID
$DEPARTMENTNAME             Department Name
$JPS_URL                    Jamf Pro URL
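
The following added example (not part of the Jamf documentation and not Jamf code) reviews a managed app configuration before it is distributed: it lists every $VARIABLE the configuration references, flags names that are not in the table above (for example, a misspelled variable), and marks the ones that hand personal data or device identifiers to the app. It assumes the configuration is written as a property-list `<dict>`; the sample configuration, the sensitivity grouping, and all function names are constructed for this illustration.

```python
import plistlib
import re

# Variables from the table above; $EXTENSIONATTRIBUTE_<#> is matched by pattern.
KNOWN = {
    "DEVICENAME", "SERIALNUMBER", "UDID", "USERNAME", "FULLNAME", "REALNAME",
    "EMAIL", "PHONE", "ROOM", "POSITION", "MACADDRESS", "JSSID", "APPJSSID",
    "SITEID", "SITENAME", "BUILDINGNAME", "BUILDINGID", "DEPARTMENTID",
    "DEPARTMENTNAME", "JPS_URL",
}
# Assumption: this grouping by sensitivity is the example's own, not Jamf's.
PERSONAL_DATA = {"USERNAME", "FULLNAME", "REALNAME", "EMAIL", "PHONE"}
DEVICE_IDENTIFIERS = {"SERIALNUMBER", "UDID", "MACADDRESS"}

EXTENSION_ATTRIBUTE = re.compile(r"EXTENSIONATTRIBUTE_\d+")
# Assumption: a variable is "$" followed by a run of letters, digits or "_".
TOKEN = re.compile(r"\$([A-Za-z0-9_]+)")


def load_app_config(fragment):
    """Parse a configuration given as a bare <dict> or as a full plist."""
    text = fragment.strip()
    if not text.startswith(("<?xml", "<plist")):
        text = '<plist version="1.0">' + text + "</plist>"
    return plistlib.loads(text.encode("utf-8"))


def iter_strings(node, path=""):
    """Yield (key path, string value) for every string in nested dicts/arrays."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def classify(name):
    """Return the review category for one variable name (without the '$')."""
    if name in PERSONAL_DATA:
        return "personal-data"
    if name in DEVICE_IDENTIFIERS:
        return "device-identifier"
    if name in KNOWN:
        return "known"
    if EXTENSION_ATTRIBUTE.fullmatch(name):
        return "extension-attribute"
    return "unknown"


def audit_app_config(fragment):
    """Return a list of (key path, variable name, category) in document order."""
    findings = []
    for path, text in iter_strings(load_app_config(fragment)):
        for name in TOKEN.findall(text):
            findings.append((path, name, classify(name)))
    return findings


# Constructed sample configuration; "$FULNAME" is a deliberate misspelling.
SAMPLE_CONFIG = """
<dict>
  <key>serverURL</key><string>https://portal.example.com</string>
  <key>deviceSerial</key><string>$SERIALNUMBER</string>
  <key>userEmail</key><string>$EMAIL</string>
  <key>assetTag</key><string>$EXTENSIONATTRIBUTE_12</string>
  <key>displayName</key><string>$FULNAME</string>
  <key>accounts</key>
  <array>
    <dict><key>login</key><string>$USERNAME@example.com</string></dict>
  </array>
</dict>
"""

if __name__ == "__main__":
    for path, name, category in audit_app_config(SAMPLE_CONFIG):
        print(f"{category:20} ${name:24} {path}")
```

Entries reported as "unknown" are worth correcting before deployment, and "personal-data" entries show which user attributes the app will receive.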

Converting an Unmanaged App to Managed


You can convert an app from an unmanaged state to a managed state after the app is installed on a mobile
device. Conversion occurs differently depending on the supervision state and enrollment method for the
device:

• On supervised devices, management conversion occurs silently.


• On unsupervised devices, users are prompted to allow management. If the user declines to manage the app
on their device, they are prompted to manage the app each time the device checks in with Jamf Pro until
management is accepted.
• Management conversion of apps on devices enrolled via User Enrollment is not supported.

Requirements
Supervised or unsupervised devices enrolled via Automated Device Enrollment or Device Enrollment

1. In Jamf Pro, click Devices in the sidebar.


2. Click Mobile Device Apps in the sidebar.
3. Click the app you want to convert from unmanaged to managed.


4. Click Edit .
5. On the General pane, select Make App Managed when possible.
6. Select Make app managed if currently installed as unmanaged.
7. Click the Scope tab and ensure devices enrolled via User Enrollment are not in the scope's target or are
configured as an exclusion.
8. Click Save .

Apps are converted from an unmanaged to a managed state on devices in the scope.

Setting Up Per-App Networking for Mobile Devices


Per-App Networking allows you to secure network traffic on mobile devices by configuring VPN, DNS proxies,
and web content filters at the app-level for mobile devices.

Per-App Networking is configurable for all managed devices and enrollment types (Automated Device
Enrollment, Device Enrollment, and User Enrollment).

Keep the following limitations in mind:

• You can have multiple DNS Proxies, but you cannot mix system-wide and Per-App DNS proxies.
• You can have up to seven Per-App Content Filters and one system-wide filter.

Requirements
• Apps must be managed on mobile devices.
• To configure DNS proxies and web content filters, you need mobile devices with iOS 16 or later.

1. In Jamf Pro, click Devices in the sidebar.


2. Click Configuration Profiles in the sidebar.
3. Click New.
4. Configure any of the following payloads to configure network traffic settings.
◦ VPN
◦ DNS proxy
◦ Content Filter
5. For each payload you configure, select the Enable per-app networking checkbox.
This allows you to select the configuration from the app's distribution settings in Jamf Pro.
6. Configure any other payloads, including the General payload.
7. Click Save .
8. Click Mobile Device Apps in the sidebar.


9. Select or add the app you want to configure Per-App Networking for.
10. Click Edit .
11. On the General pane, use the Per-App Networking settings to choose available network traffic
configurations for the app.

Note: Each Per-App Networking setting only displays if a mobile device configuration profile with a
VPN, DNS proxy, or Content Filter payload exists in Jamf Pro and the Enable per-app networking
checkbox is selected in the payload.

12. Click Save .

Per-App Networking is enabled for the app and distributed to devices in the scope of the app.

To configure Per-App Networking for additional apps, select or add the apps in Jamf Pro and choose available
Per-App Networking settings.

Related Content

• Per-App VPN (Jamf Security Cloud)


• AppLayerVPN MDM payload settings for Apple devices (Apple)
• DNS Proxy MDM payload settings for Apple devices (Apple)
• Web Content Filter MDM payload settings for Apple devices (Apple)
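
The limitations listed above can be checked before profiles are scoped. The following added example (not part of the Jamf documentation and not Jamf code) reads the unsigned configuration profiles intended for one device and reports when they exceed seven Per-App content filters, include more than one system-wide filter, or mix system-wide and Per-App DNS proxies. The payload types and the `ContentFilterUUID` / `DNSProxyUUID` keys are assumptions taken from Apple's MDM payload reference; the profiles, function names, and problem codes are constructed for this illustration.

```python
import plistlib

# Assumption: payload types and per-app keys as named in Apple's MDM payload
# reference; a payload carrying the UUID key is treated as a Per-App payload.
CONTENT_FILTER = "com.apple.webcontent-filter"
DNS_PROXY = "com.apple.dnsProxy.managed"
MAX_PER_APP_FILTERS = 7      # limit stated in the section above
MAX_SYSTEM_WIDE_FILTERS = 1  # limit stated in the section above


def make_profile(name, payloads):
    """Build a constructed, unsigned .mobileconfig body for the sample data."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": name,
        "PayloadContent": payloads,
    })


def check_per_app_networking(profiles):
    """Check all profiles scoped to one device against the documented limits.

    profiles: iterable of raw, unsigned .mobileconfig bytes.
    Returns a list of (problem code, detail) tuples; empty means no conflict.
    """
    seen = {"filter_app": [], "filter_system": [], "dns_app": [], "dns_system": []}
    for raw in profiles:
        profile = plistlib.loads(raw)
        name = profile.get("PayloadDisplayName", "<unnamed>")
        for payload in profile.get("PayloadContent", []):
            payload_type = payload.get("PayloadType")
            if payload_type == CONTENT_FILTER:
                per_app = bool(payload.get("ContentFilterUUID"))
                seen["filter_app" if per_app else "filter_system"].append(name)
            elif payload_type == DNS_PROXY:
                per_app = bool(payload.get("DNSProxyUUID"))
                seen["dns_app" if per_app else "dns_system"].append(name)

    problems = []
    if len(seen["filter_app"]) > MAX_PER_APP_FILTERS:
        problems.append(("too-many-per-app-filters",
                         f"{len(seen['filter_app'])} Per-App content filters, "
                         f"limit is {MAX_PER_APP_FILTERS}"))
    if len(seen["filter_system"]) > MAX_SYSTEM_WIDE_FILTERS:
        problems.append(("too-many-system-wide-filters",
                         f"{len(seen['filter_system'])} system-wide filters in: "
                         + ", ".join(sorted(set(seen["filter_system"])))))
    if seen["dns_app"] and seen["dns_system"]:
        problems.append(("mixed-dns-proxies",
                         "Per-App proxies in "
                         + ", ".join(sorted(set(seen["dns_app"])))
                         + "; system-wide proxies in "
                         + ", ".join(sorted(set(seen["dns_system"])))))
    return problems


# Constructed sample: eight Per-App filters plus a mix of DNS proxy kinds.
SAMPLE_PROFILES = [
    make_profile("App filters", [
        {"PayloadType": CONTENT_FILTER, "ContentFilterUUID": f"filter-{n}"}
        for n in range(8)
    ]),
    make_profile("DNS per-app", [
        {"PayloadType": DNS_PROXY, "DNSProxyUUID": "dns-1"},
    ]),
    make_profile("DNS global", [
        {"PayloadType": DNS_PROXY},
    ]),
]

if __name__ == "__main__":
    for code, detail in check_per_app_networking(SAMPLE_PROFILES):
        print(f"{code}: {detail}")
```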

Managed Books
The following books can be managed:

• In-house books
• Books available in the Book Store that are free or purchased in volume and assigned to the user via
managed distribution
For more information, see User-Assigned Managed Distribution.

When managed book requirements are met, the book is installed on iOS devices and users can view it with
Apple Books. If you try to make an app managed but these requirements are not met, the app behaves as
unmanaged.

The following table provides more detail about managed books:


                                                       Unmanaged Books     Managed Books
                                                       (iOS and macOS)     (iOS only)

Distribution Methods
  Make available in Jamf Self Service                        ✔                  ✔
  Install automatically/prompt users to install                                 ✔

Removal Options
  Remove from Jamf Self Service                              ✔                  ✔
  Remove in-house books from mobile devices                                     ✔
  Remove from computers
  Remove in-house books when MDM profile is removed                             ✔

Volume Content
Managed distribution with Jamf Pro allows you to fully control your organization's apps and books. Jamf Pro
can be used to automatically update apps in Jamf Pro and on devices on a schedule, and force app updates at
any time.

Two managed distribution workflows exist for content purchased in volume:

Device-assigned managed distribution

Content is assigned and distributed directly to managed devices. Apple IDs are not required, and you do
not need to register users with volume purchasing or create volume assignments. Device-assigned
content does not appear in the user's own App Store purchase history and cannot be updated by users.

Distributing content to devices is recommended for devices enrolled via Automated Device Enrollment or
Device Enrollment. For more information, see Device-Assigned Managed Distribution.

User-assigned managed distribution


Content is distributed to the managed device, but the content license is assigned directly to the user
using a Managed or personal Apple ID. This requires registering users with volume purchasing and
assigning content licenses to users before you distribute content.


Distributing content to users is recommended for personally owned devices that are enrolled via User
Enrollment. For more information, see User-Assigned Managed Distribution.

Device-Assigned Managed Distribution


Device-assigned managed distribution assigns apps directly to managed devices using Jamf Pro. This method
is recommended for institutionally owned devices enrolled via Automated Device Enrollment or Device
Enrollment.

Apps you purchase in Apple Business Manager or Apple School Manager sync with Jamf Pro. You can then
configure the app's distribution settings, including choosing the volume location that purchased the app, and
add devices to the app scope. For more information, see Apps Purchased in Volume.

Keep the following in mind about device-assigned managed distribution:

• Apps assigned directly to a device do not require the use of Apple IDs.
• Books cannot be assigned directly to devices and require user-assigned managed distribution.
• Users with multiple managed devices require multiple licenses.
• If you have apps that were distributed with user-based volume assignments and the apps are device-
assignable, you can move to device-based managed distribution for the apps. For more information, see the
Moving from User- to Device-based Volume Purchasing Assignments article.

For more information about purchasing apps and books in volume, see the following from Apple Platform
Deployment.

• Intro to content distribution for Apple devices
• Content distribution methods for Apple devices

User-Assigned Managed Distribution


User-assigned managed distribution distributes content to devices but uses Apple IDs to assign content
licenses directly to users. This method is required for personally owned devices enrolled via User Enrollment,
which do not report a serial number to Jamf Pro.

To assign content to users, you register Apple IDs with volume purchasing, and then create volume
assignments to associate content licenses with users. You can then configure the app's distribution settings
and add the users' devices to the app scope.

Registering users with volume purchasing differs depending on whether personal Apple IDs or Managed Apple
IDs are used. For more information, see Volume Assignments for Users.

Keep the following in mind about user-assigned managed distribution:

• User-assigned managed distribution is the only way to distribute Apple Books. Assigning books to devices
is not supported.
• Users with multiple managed devices do not need multiple app licenses.

For more information about purchasing apps and books in volume, see the following from Apple Platform
Deployment.

• Intro to content distribution for Apple devices
• Content distribution methods for Apple devices

Volume Purchasing Registration for Users


To assign volume content to users, you must register the users with volume purchasing. This involves setting
up automatic registration for users with Managed Apple IDs, and sending registration invitations to users with
personal Apple IDs.

Four distribution methods are supported:

Automatically register only users with Managed Apple IDs and skip invitation

Users in the scope of the invitation who have Managed Apple IDs are automatically registered with
volume purchasing without any invitation or prompt. Users in the scope of the invitation without Managed
Apple IDs are not invited or registered with volume purchasing.

Send the invitation via email

An invitation URL is sent via email. If LDAP authentication is required, users are prompted to log in with
their LDAP directory account credentials or a Jamf Pro user account.

Prompt the user to accept the invitation

A notification that invites users to register displays on devices. Users only need to accept the invitation on
one device, even if the invitation displays on multiple devices. On computers, users can also access the
invitation in Self Service by clicking the Notifications icon in the Self Service toolbar.

Make the invitation available in Self Service only

The user can access the invitation in Self Service by clicking the Notifications icon on computers or
tapping VPP Invitations on mobile devices. The user only needs to accept the invitation on one device,
even if the invitation is shown on multiple devices.

Automatically Registering Managed Apple IDs with Volume Purchasing

Users with Managed Apple IDs can be automatically registered with volume purchasing without any end user
interaction.

Requirements
The Automatically register with volume purchasing if users have Managed Apple IDs checkbox
must be selected for the volume location used to invite and assign content to users with Managed Apple
IDs. For more information, see Volume Purchasing Integration.

1. In Jamf Pro, click Users in the sidebar.
2. Click Smart User Groups in the sidebar.
3. Click New.
4. In the General pane, enter a Display Name, such as Managed Apple IDs.
5. In the Criteria pane, add the following device criteria that includes all Managed Apple IDs in the smart
group:

6. Click Save.
7. In Jamf Pro, click Users in the sidebar.
8. Click Invitations.
9. In the General pane, enter a Display Name, such as Invitation for Managed Apple IDs.
10. Choose "Automatically register only users with Managed Apple IDs and skip invitation" from the
Distribution Method pop-up menu.
11. In the Scope pane, add your smart group that contains Managed Apple IDs as a target for the invitation.
12. Click Save.

Users with Managed Apple IDs are automatically registered with volume purchasing in Jamf Pro.

Inviting Apple IDs to Register with Volume Purchasing


If users do not have Managed Apple IDs, you must manually invite the users to register their personal Apple
IDs with volume purchasing.

Keep the following in mind when configuring invitations:

• Users are connected to the App Store and prompted to enter their Apple ID to complete the registration
process.
• Invitations made available in Self Service are accessible on any device assigned to a user.
• If a user receives more than one invitation, they must accept each invitation individually.
• When users attempt to install apps and books before registering with volume purchasing, they are prompted
to accept the invitation before the app or book installs.

Requirements
• A volume location integrated with Jamf Pro

For more information, see Volume Purchasing Integration.


• One or both invitation distribution methods enabled:
◦ A push certificate in Jamf Pro to send an invite via a notification
For more information, see Push Certificates.
◦ An SMTP server in Jamf Pro for email invitations. If you also require users to authenticate with an
LDAP directory account, you need an LDAP server set up in Jamf Pro.
For more information, see SMTP Server Integration and LDAP Directory Service Integration.

1. In Jamf Pro, click Users in the sidebar.
2. Click Invitations.
3. Click New.
4. Use the General pane to configure basic settings for the invitation, including the location and the method to
use for sending the invitation.

Note: The invitation is automatically added to the site that the location belongs to.

5. Click the Scope tab and configure the scope of the invitation.

Note: If the site of the location is changed at any point, users that do not belong to that location's
site are removed from the scope of the invitation.

6. Click Save.

An invitation is immediately sent to the users you specified. You can view the status of the invitation in the list
of invitations.

To view invitation usage, select the invitation and then click Usage.

To resend an invitation that has not been accepted by users, select the invitation and click Resend.

Redoing User Registration for an Unintended Apple ID


You can redo the registration for a user who registered using an unintended Apple ID. This process temporarily
revokes the apps assigned to the user and then reassigns the apps after the user accepts the new invitation.
Depending on your environment, this process may take a while.

Note: Books assigned to the user remain associated with the unintended Apple ID.

1. In Jamf Pro, click Users in the sidebar.
2. Perform a simple or advanced user search. For more information, see Simple User Searches or
Advanced User Searches.
3. Click the user you want to redo the volume purchasing registration for.
4. Click Redo, and then click Volume Purchasing again.

A new invitation is immediately sent to the user.

Volume Assignments for Users


Jamf Pro allows you to assign App Store apps and books purchased in volume to users for user-assigned
managed distribution. After apps are assigned to users, you can also use Jamf Pro to revoke them from users.
Books cannot be revoked.

Volume assignments require you to choose a location in Jamf Pro. All content purchased for managed
distribution using that location is automatically available. You can then specify the content that you want to
assign, and the users you want to assign it to (called "scope").

Note: Jamf Pro also supports device-based managed distribution, which allows you to distribute App
Store apps directly to computers and mobile devices. For device-based distribution, user assignments
are not required. For more information, see Device-Assigned Managed Distribution.

For more information on purchasing and distributing apps and books in volume, see the following Apple
documentation:

• Apple School Manager User Guide
• Apple Business Manager User Guide

Related Content

• Apps Purchased in Volume
• Books Purchased in Volume

Creating a Volume Assignment


Create a volume assignment that assigns content to users.

Requirements
• A volume location must be set up in Jamf Pro.
For more information, see Volume Purchasing Integration.
• Users must be registered with volume purchasing to assign the content purchased in volume to them.
For more information, see Volume Purchasing Registration for Users.

1. In Jamf Pro, click Users in the sidebar.
2. Click Volume Assignments in the sidebar.
3. Click New.
4. Use the General payload to configure basic settings for the volume assignment, including the location.

Note: The assignment is automatically added to the site that the location belongs to.

5. Use the Apps and eBooks payloads to select the checkbox for each app and book you want to assign.
6. Click the Scope tab and configure the scope of the assignment.

Note: If the site of the location is changed at any point, users that do not belong to that location's site
are removed from the scope of the invitation.

Best Practice: To assign volume content to personally owned devices that have a Managed Apple
ID, use a smart group that contains devices with Managed Apple IDs and add it to the scope of your
volume assignment.

7. Click Save.

Revoking Apps from Users


To revoke specific apps from all users in the scope of a volume assignment, you remove the apps from the
volume assignment.

To revoke all the apps in a volume assignment from specific users, you remove the users from the scope.

1. In Jamf Pro, click Users in the sidebar.
2. Click Volume Assignments in the sidebar.
3. Click the volume assignment you want to revoke.
4. Select the Apps payload and remove apps from the assignment as needed.
5. Click the Scope tab and remove users from the scope as needed.
For more information, see Scope.

6. Click Save.

If the Notify users when an app is no longer assigned to them checkbox is selected for the location, a
notification is sent to users.

Revoking All Apps from Users


For each location, you can revoke all apps that have been assigned to users.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Volume purchasing.
3. Click the location for which you want to revoke all apps.
4. Click Revoke All, and then click OK to confirm.

If the Notify users when an app is no longer assigned to them checkbox is selected for the location, a
notification is sent to users.

Viewing Content Associated with a Volume Assignment


For each volume assignment, you can view the apps or books in the App Catalog or eBook Catalog in Jamf
Pro. This allows you to modify the scope of the content to redistribute it.

1. In Jamf Pro, click Users in the sidebar.
2. Click Volume Assignments in the sidebar.
3. Click a volume assignment to view the content.
4. Select the Apps or eBooks payload.
A list of content is displayed.

5. If the app or book has been added to the App Catalog or eBook Catalog in Jamf Pro, click the link next to
the app or book to view the content.

The content is displayed in the App Catalog or eBook Catalog, and you can modify the scope to redistribute
the content.

Adding Content Associated with a Volume Assignment


For each volume assignment, you can add the assigned apps and books to the App Catalog or eBook Catalog
in Jamf Pro.

1. In Jamf Pro, click Users in the sidebar.
2. Click Volume Assignments in the sidebar.
3. Click the volume assignment for the content you want to add to the App Catalog or eBook Catalog.
4. Select the Apps or eBooks payload.
A list of content is displayed.
5. If the app or book has not been added to the App Catalog or eBook Catalog in Jamf Pro, click the button
next to the app or book to add it.

The content is displayed in the App Catalog or eBook Catalog, and you can add the content to the catalog for
distribution.

Viewing the Users that Volume Purchasing Content is Assigned To


For each volume assignment, you can view the users that content purchased in volume is assigned to.

1. In Jamf Pro, click Users in the sidebar.
2. Click Volume Assignments in the sidebar.
3. Click the volume assignment for which you want to view the users that the content is assigned to.
4. Select the Apps or eBooks payload.
A list of content is displayed.
For each app or book, you can view the number of users that the content is assigned to in the In Use
column.
5. To view the users that the content is assigned to, click the number displayed in the In Use column.

VPP Codes
Jamf Pro allows you to distribute App Store apps and books purchased in volume to computers and mobile
devices by distributing redeemable VPP codes. When you distribute App Store apps and books, and associate
VPP codes with the app or book, you can track VPP code redemption.

To distribute an app or book to computers or mobile devices using VPP codes, you need an Excel spreadsheet
(.xls) that contains VPP codes for the app or book.

For more information on purchasing apps and books in volume, see the following Apple documentation:

• Apple School Manager User Guide
• Apple Business Manager User Guide

Note: As an alternative to VPP code distribution, Jamf Pro also supports device-assigned managed
distribution for computers and mobile devices and user-assigned managed distribution for users. For
more information, see Device-Assigned Managed Distribution and User-Assigned Managed Distribution.

For information on distributing App Store apps using redeemable VPP codes, see Apps Purchased in Volume.

For information on distributing books to computers or mobile devices using redeemable VPP codes, see Books
Purchased in Volume.

Apps Purchased in Volume


Jamf Pro allows you to distribute App Store apps and apps purchased in volume (including custom apps and
apps offered as a Universal Purchase) to computers, mobile devices, and users. After an app is distributed,
you can use Jamf Pro to manage future updates.

Jamf Pro provides two app distribution methods:

• Install the app automatically/prompt users to install the app
• Make the app available in Self Service

You can distribute App Store apps and apps purchased in volume using managed distribution. For more
information, see Device-Assigned Managed Distribution.

Alternatively, Jamf Pro supports distributing App Store apps and apps purchased in volume using redeemable
VPP codes. For more information, see VPP Codes.

App Store apps for computers that are distributed with user-based assignments or with VPP codes are not
managed by Jamf Pro. Users can update apps using the App Store or uninstall apps from their computers.

Apps are enabled by default when added to Jamf Pro, which allows you to edit the app details and assign
licenses. When an app is disabled, the app's subsequent installations are stopped, it is removed from Self
Service, and you can no longer edit the app details. Disabled apps are not removed from devices that already
installed the app.

Warning: If app information from Apple is unavailable, Jamf Pro displays the following warning
banner: "Complete information about this app is currently unavailable, or the app may be
unavailable from the App Store." To ensure app deployment succeeds for
apps that are in the App Store but missing information from Apple, Jamf Pro does not automatically
disable apps. If this banner displays, verify the following about the impacted app:

1. Confirm that the app is still available in the App Store.
2. If the app is no longer in the App Store, manually disable the app.

General Requirements
The requirements for distributing an App Store app or an app purchased in volume vary for computers and
mobile devices.

Computer Requirements

• To allow users to install App Store apps from Self Service via MDM or to allow App Store apps to be
installed automatically, you need the following:
◦ A push certificate in Jamf Pro (For information, see Push Certificates.)
◦ The Enable certificate-based authentication and Enable Push Notifications settings configured in
Jamf Pro (For information, see Security Settings.)
◦ Computers that are bound to a directory service or local user accounts that have been MDM-enabled
(For information, see Directory Bindings and MDM-Enabled Local User Accounts.)

Note: Local user accounts are automatically MDM-enabled the first time an App Store app is
installed automatically or via Self Service, or when a user-level configuration profile is installed via
Self Service. With PreStage enrollment, the first local user account that is created is made
MDM-enabled.

• Apps assigned to computers or users via managed distribution (For more information, see Device-Assigned
Managed Distribution and User-Assigned Managed Distribution.)
• To allow users to install apps from the App Store (linked from Self Service), you need the following:
◦ Computers that are bound to a directory service or local user accounts that have been MDM-enabled
(For information, see Directory Bindings and MDM-Enabled Local User Accounts.)
◦ Users may be prompted to enter an Apple ID

• Per-App VPN connections are only applied to computers with macOS 11 or later. (For more information
about how to create a computer configuration profile with a Per-App VPN connection, see Computer
Configuration Profiles.)

Mobile Device Requirements

• To install an App Store app, an app purchased in volume, or an update, users may be prompted to enter an
Apple ID.
• Apps assigned to mobile devices or users via managed distribution (For more information, see Device-
Assigned Managed Distribution and User-Assigned Managed Distribution.)
• Per-App Networking configurations require an existing mobile device configuration profile with a VPN, DNS
Proxy, or Content Filter payload configured. For more information, see Setting Up Per-App Networking for
Mobile Devices.

Distributing an App Store App or App Purchased in Volume


To distribute an app, add the app to Jamf Pro and then configure app settings and scope to distribute it to
target devices or users.

1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Click Mac Apps or Mobile Device Apps in the sidebar.
3. Click New.
4. (Mobile devices only) Select App Store app or apps purchased in volume and click Next.
5. Do one of the following:
◦ To add an app by browsing the App Store or apps purchased in volume, enter the name of the app,
choose an App Store country or region and click Next. Then click Add for the app you want to add.
◦ To add an app by uploading a VPP code spreadsheet, click Choose File and upload the Excel
spreadsheet (.xls) that contains VPP codes for the app.
◦ To add an app by manually entering information about it, click Enter Manually.
6. Use the General pane to configure settings for the app, including the distribution method.
If you are distributing the app to mobile devices, you can choose whether to make the app managed.
You can also enable automatic app updates.

Note: You can require a mobile device to have a tethered network connection to download the app.
A tethered network connection requires a computer with macOS 10.12.4 or later. The computer must be
connected to the Internet via Ethernet and have Wi-Fi turned off. Portable computers must be
plugged in to a power source because the tethered caching service prevents computers from going
to sleep. Select the Require tethered network connection for app installation checkbox. This
checkbox is only displayed if "Install Automatically/Prompt Users to Install" is chosen in the
Distribution Method pop-up menu. App updates will not require tethering; this setting is for initial
installations of an app only.

7. Click the Scope tab and configure the scope of the app.
For more information, see Scope.
8. (Optional) Click the Self Service tab and configure the way the app is displayed in Self Service.
You can customize the text displayed in the description for the app in Self Service by using Markdown in
the Description field. For information about Markdown, see the Using Markdown to Format Text article.

Note: The Self Service tab is only displayed if "Make Available in Self Service" is chosen in the
Distribution Method pop-up menu.

9. (Optional) If you want to distribute the app directly to computers or mobile devices via managed
distribution, do the following:
a. Click the Managed Distribution tab, and then click the Device Assignments tab.
b. (Computers only) Select the Assign Volume Content checkbox.
c. (Mobile devices only) Select the Assign Content Purchased in Volume checkbox.
d. Choose the location that has purchased the app.
10. (Optional) If you want to associate VPP codes with the app and have not already uploaded a VPP code
spreadsheet, do the following:
a. Click the Managed Distribution tab, and then click the VPP Codes tab.
b. Upload the Excel spreadsheet (.xls) that contains VPP codes for the app.
11. (Optional) (Mobile devices only) Click the App Configuration tab and configure app preferences.

Note: The App Configuration tab is only displayed if the Make App Managed when possible
checkbox is selected. For more information or to generate a managed app configuration, see the
AppConfig Generator utility from Jamf.

12. Click Save.

Removing an App Store App or an App Purchased in Volume


You can use Jamf Pro to remove an app from a computer or mobile device.

To remove an app from a computer or mobile device, remove the targets from the scope of the app. For
more information, see Scope.

On computers, removing targets from the scope of the app revokes the app license (if applicable) but does not
remove the app from the computer. To completely remove the app from the computer, the app must be
manually dragged to the Trash on the target computer.

On mobile devices, the app is removed the next time the device contacts Jamf Pro.

App Store App Updates


You can configure updates for App Store apps and apps purchased in volume (including custom apps and
apps offered as a Universal Purchase) in Jamf Pro. Updates can be configured for individual apps or for all
apps.

The following update settings are available:

• Schedule automatic app updates—Schedule automatic app updates for App Store apps and apps
purchased in volume. This automatically updates app descriptions, icons, and versions in Jamf Pro. This
update happens once a day during the configured time.
• Automatically force apps to update—Automatically force App Store apps and apps purchased in volume
to update on devices. This update happens automatically every time a device checks in with Jamf Pro. You
can also automatically update apps installed via Jamf Self Service if you made apps available in Self
Service for users to install.
• Manually force apps to update—Manually force all App Store apps and apps purchased in volume to
update immediately on devices if there are updates available in Jamf Pro. For mobile device apps, this
update applies to managed apps only. For more information, see Managed Content in Jamf Pro.

Updating an Individual App Store App


You can configure updates for an individual App Store app or app purchased in volume in Jamf Pro.

1. In Jamf Pro, click Computers or Devices in the sidebar.
2. Click Mac Apps or Mobile Device Apps.
3. Click Edit.
4. Do one of the following:

Schedule Jamf Pro to automatically check the App Store for app updates
Automatically update the app description, icon, and version.
◦ Choose a country or region to use when syncing apps with the App Store from the App Store
Country or Region pop-up menu.
◦ Set the time of day to sync apps with the App Store with the App Store Sync Time pop-up
menus.

Note: Jamf Cloud syncs based on Coordinated Universal Time (UTC), but times displayed
reflect the user's time zone preferences.

Automatically Force App Updates
Automatically force App Store apps and apps purchased in volume to update on computers and
mobile devices when they become available in Jamf Pro.

Force Update
Manually force App Store apps and apps purchased in volume to immediately update on computers
and mobile devices if there are updates available in Jamf Pro.

5. Click Save.

App Store app updates are distributed based on the selected update setting.

Configuring Update Settings for All App Store Apps


You can configure update settings for all App Store apps or apps purchased in volume in Jamf Pro.

1. In Jamf Pro, click Settings in the sidebar.
2. (Computers only) In the Computer management section, click App updates.
3. (Mobile devices only) In the Device Management section, click App maintenance. Ensure you are
on the App Updates pane.
4. Click Edit.
5. Select one of the following:

Schedule Jamf Pro to automatically check the App Store for app updates
Automatically update the app description, icon, and version.
◦ Choose a country or region to use when syncing apps with the App Store from the App Store
Country or Region pop-up menu.
◦ Set the time of day to sync apps with the App Store with the App Store Sync Time pop-up
menus.

Note: Jamf Cloud syncs based on Coordinated Universal Time (UTC), but times displayed
reflect the user's time zone preferences.

Automatically Force App Updates
If you made apps available in Self Service for users to install, select Automatically update apps
installed via Self Service to update the apps installed on computers without requiring end user
intervention.

Force Update
Manually force App Store apps and apps purchased in volume to immediately update on computers
and mobile devices if there are updates available in Jamf Pro.

6. Click Save.

App Store app updates are distributed based on the selected update setting.

Books Purchased in Volume


Jamf Pro allows you to distribute books that are available in the Book Store to computers, mobile devices, and
users. Jamf Pro provides two distribution methods for Book Store books:

• Install the book automatically/prompt users to install the book (iOS only)
• Make the book available in Self Service.

After a book is installed, users can view it using the Books app.

Note: Books available in the Book Store cannot be distributed to personally owned mobile devices.

When you distribute a book available in the Book Store, you add it to Jamf Pro and configure settings for the
book. Then, you specify the computers, mobile devices, and users that should receive it (called “scope”).

Note: Removing a target from the scope of a book does not revoke the book license from the user it
was assigned to and does not remove the book from any device it was installed on.

Books are enabled by default when added to Jamf Pro. This means you can edit the book details and assign
licenses, and the book will be displayed in Self Service or installed on computers and mobile devices based on
the selected distribution method.

A book will be automatically disabled in Jamf Pro if it is a managed distribution item that has been removed
from the Book Store. You will not be able to assign licenses, and the installation commands will not be sent.
The book will not be displayed in Self Service. An automatically disabled managed distribution item will not be
removed from computers or mobile devices that already have this item installed.

For more information on purchasing books in volume, see the following Apple documentation:

• Apple School Manager User Guide
• Apple Business Manager User Guide

Distributing a Book Purchased in Volume

Requirements
Devices must have users assigned to them before distributing eBooks to the devices. For more information,
see User Assignments.

1. Send an invitation to the devices you want to receive eBooks.
For more information, see Inviting Apple IDs to Register with Volume Purchasing.
2. Accept the invitation on the devices you sent the invitation to.

Note: If the devices have Managed Apple IDs and have Automatically register with volume
purchasing if users have Managed Apple IDs checked in the invite, no acceptance is required.

3. Create a volume assignment for the eBook scoped to the same users who were invited in step 1. For more
information, see Volume Assignments for Users.
4. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
5. Click eBooks in the sidebar.
6. Click New.
7. Select eBook available in the iBooks Store and click Next.
8. Do one of the following:
◦ Click the Automatically Populate Purchased Content checkbox.
◦ To add the book by browsing the Book Store, enter the name of the book, choose a Book Store country
and click Next. Then click Add for the book you want to add.
◦ To add the book by uploading a VPP code spreadsheet, click Choose File and upload the Excel
spreadsheet (.xls) that contains VPP codes for the book.
◦ To add the book by manually entering information about it, click Enter Manually.

Note: iBooks files (.ibooks) may need to be added manually.

9. Use the General pane to configure settings for the book, including the display name and distribution
method.


You can disable a book by deselecting the Enable checkbox.
This stops the book's subsequent installations and prevents it from displaying in Self Service. You cannot
edit book details if it is disabled.
10. Click the Scope tab and configure the scope of the book.
For more information, see Scope.

Note: When deploying books purchased in volume, the scope target must consist of the user or
users that have been invited to receive eBooks in step 1 and those users must have accepted the
invitation before they will receive it. Removing a user from the scope of a book purchased in volume
will not remove the book from the user's device, nor will it return the purchased license. Once a user
has been scoped a license for a book, they retain that license forever.

11. (Optional) Click the Self Service tab and configure the way the book is displayed in Self Service.
You can customize the text displayed in the description for the app in Self Service by using Markdown in
the Description field. For information about Markdown, see the Using Markdown to Format Text article.

12. Click Save.

For books set to the “Install Automatically” distribution method, books are installed the next time mobile
devices in the scope check in with Jamf Pro. Users can view installed books with the Books app.

For books set to the “Make Available in Self Service” distribution method and books that cannot be installed
automatically, books are available in Self Service for users to install the next time Self Service is launched.

Simple Volume Content Searches


A simple volume purchasing content search functions like a search engine, allowing you to quickly search the
apps and books in Jamf Pro for a general range of results.

Volume purchasing content searches are based on the name of the app or book you are searching for and
display the following information:

• Content Name—Name of the app or book
• Location—Volume purchasing location used to purchase the content
• Content Type—Type of content
• Total Content—Total content that has been purchased with the volume purchasing location
• In Use—Number of apps or books assigned to computers, mobile devices, or users
• Volume Assignments—Number of volume assignments that the content is associated with


As an alternative, you can create an advanced volume content search that uses detailed search criteria.
Advanced volume content searches can be saved for later use. For more information, see Advanced Volume
Content Searches.

Related Content

• Volume Content Reports
• Volume Assignments for Users
• Device-Assigned Managed Distribution

Search Syntax
This section explains the syntax to use for search functions. In general, searches are not case-sensitive.

Note: The default search preference is “Exact Match”. For most items, the option can be changed to
either “Starts with” or “Contains”. For more information about configuring account preferences, see Jamf
Pro User Accounts and Groups.

The following table explains the syntax you can use for search functions:

| Search Function | Usage | Example |
|---|---|---|
| Return all Results | Use an asterisk (*) without any other characters or terms, or perform a blank search. | Perform a search for “*” or leave the search field empty to return all results. |
| Perform Wildcard Searches | Use an asterisk after a search term to return all results with attributes that begin with that term. | Perform a search for “key*” to return all results with names that begin with “key”. |
| | Use an asterisk before a search term to return all results with attributes that end with that term. | Perform a search for “*note” to return all results with names that end with “note”. |
| | Use an asterisk before and after a search term to return all results that include that term. | Perform a search for “*ABC*” to return all results that include “ABC”. |
| Include Multiple Search Terms | Use multiple search terms separated by a comma (,) to return all results that include those search terms. | Perform a search for “key*, *note” to return all results that begin with “key” and end with “note”. |
| Exclude a Search Term | Use a hyphen (-) before a search term to exclude results that include the term. | Perform a search for “ABC*, -*note” to return all results with names that begin with “ABC” except for those that end with “note”. |

Performing a Simple Volume Purchasing Content Search


1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Search Volume Content in the sidebar.
3. Enter one or more search terms in the field provided.
4. Press the Enter key.

The list of search results is displayed.

Viewing Where Content is Assigned


You can view the computers, mobile devices, or users that content is assigned to.

1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Search Volume Content in the sidebar.
3. Enter one or more search terms in the field provided.
4. Press the Enter key.
A list of content is displayed.
5. To view where the content is assigned, click the number displayed in the In Use column.

Computers that have the content assigned to them are listed on the Computers pane.

Mobile devices that have the content assigned to them are listed on the Mobile Devices pane.

Users that have the content assigned to them are listed on the Users pane.

Viewing the Volume Assignments that Content is Associated With


You can view the volume assignments that content is associated with.

1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Search Volume Content in the sidebar.
3. Enter one or more search terms in the field provided.
4. Press the Enter key.


A list of content is displayed.
5. To view the volume assignments that the content is assigned to, click the number displayed in the Volume
Assignments column.

Advanced Volume Content Searches


Advanced volume purchasing content searches allow you to use detailed search criteria to search apps and
books in Jamf Pro. These types of searches give you more control over your search by allowing you to do the
following:

• Generate specific search results.
• Specify which attribute fields to display in the search results.
• Save the search.

As an alternative, you can quickly search volume content for a general range of results. For more information,
see Simple Volume Content Searches.

Creating an Advanced Volume Purchasing Content Search


1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Search Volume Content in the sidebar.
3. Click New.
4. Use the Search pane to configure basic settings for the search.
To save the search, select the Save this Search checkbox.
5. Click the Criteria tab and add criteria for the search:
a. Click Add.
b. Click Choose for the criteria you want to add.
c. Choose an operator from the Operator pop-up menu.
d. Enter a value in the Value field or browse for a value by clicking Browse.
e. Repeat steps a through d to add criteria as needed.
6. Choose an operator from the And/Or pop-up menus to specify the relationships between criteria.
7. To group criteria and join multiple operations, choose parentheses from the pop-up menus around the
criteria you want to group.


8. Click the Display tab and select the attribute fields you want to display in your search results.
9. Click Save.

Operations in the search take place in the order they are listed (top to bottom).

The results of a saved search are updated each time content is modified and meets or fails to meet the
specified search criteria.

To view the search results, click View. You can export the data in your search results to different file
formats. For more information, see Volume Content Reports.

Volume Content Reports


The data displayed in volume purchasing content search results can be exported from Jamf Pro to the
following file formats:

• Comma-separated values file (.csv)
• Tab delimited text file (.txt)
• XML file

Creating Volume Purchasing Content Reports


1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Search Volume Content in the sidebar.
3. View simple or advanced volume purchasing content search results.
For more information, see Simple Volume Content Searches and Advanced Volume Content Searches.
4. At the bottom of the list, click Export.
5. Follow the onscreen instructions to export the data.


The report downloads immediately.

In-House Content
In-house apps are enterprise apps developed through the Apple Developer Enterprise Program and books that
are not available in the Book Store. Jamf Pro allows you to distribute in-house apps and books directly to
computers, mobile devices, and users. You can also configure settings for the content, such as the following:

• Hosting location
• Distribution method
• Whether to make the content managed
• Which devices and users should receive the content (called "scope").

Hosting Locations
When distributing in-house content, consider where the content will be hosted. There are three hosting
locations that you can use:

• Distribution points—This hosting location is only available if your principal distribution point is the cloud
distribution point. To use this hosting location, you upload the content to the principal distribution point when
configuring settings for the content in Jamf Pro.

Note: Content cannot be replicated to file share distribution points.

• Web server—This hosting location is always available, regardless of what type of distribution point the
principal is. To use this hosting location, the content must be hosted on a web server before you distribute it.
Then, when you distribute the content, you specify the URL where it is hosted. If your principal distribution
point is a file share distribution point, it is recommended that you host large apps or books on a web
server. Jamf Pro also allows you to configure a JSON Web Token (JWT) to control the distribution of iOS
and tvOS in-house apps from a web server. In-house apps downloaded from the Jamf Pro database are
automatically secured with JWT. For more information, see JSON Web Token for Securing In-House
Content.
• jamfsoftware database (in-house apps only)—If your principal distribution point is a file share
distribution point, you can use Jamf Pro to upload the app and host it in the jamfsoftware database.


JSON Web Token for Securing In-House Content


You can configure a JSON Web Token (JWT) in Jamf Pro to secure downloads of packages, in-house apps,
and in-house books hosted on a web server. After the JWT is configured, packages, in-house apps, and books
can only be downloaded on managed computers and mobile devices and within the time period you specify.

Note: Packages, in-house apps, and books must be hosted on the same web server that is configured
for JWT authentication.

The JWT is generated using the RS256 algorithm, is signed with the RSA private key provided in the
configuration, and has the following claims:

• "sub" (subject) of "AppManifest"
• "iss" (issuer) of "JSS"
• "exp" (expiration) configurable in the JSON Web Token Configuration settings

After configuring the JWT, the administrator of the web server must perform further setup to ensure the server
validates the request using the JWT "token" query parameter.

Important: Until the web server validates the requests, unsecured downloads of in-house apps and
books may still be possible.

Configuring a JSON Web Token


1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click PKI certificates.
3. Click the JSON Web Token Configuration tab.
4. Click New.
5. Enter a display name for the token.
6. Select one of the following encryption key options:
a. Choose Paste or Type Encryption Key, then enter the RSA private encryption key in the Paste the
Encryption Key Below field.
b. Choose Upload Encryption Key File, then click Choose File to upload a .pem file containing the
RSA private encryption key.


Note: The OpenSSL binary can be used to generate the RSA private key. To generate an RSA
private key using OpenSSL from the service hosting packages or apps, open Terminal and
execute the command: openssl genrsa -out key.pem 2048

7. From the Token Expiry pop-up menu, select a time period during which in-house apps and books can be
downloaded. After the specified time period, in-house apps and books can no longer be downloaded.
8. Click Save.

When Jamf Pro sends the device a command to install an in-house app or ebook, a new JWT is generated and
added to the download URL as a "token" query parameter. For example, the download URL
https://example.com/download/example_app.ipa would look similar to the following with the JWT added:

https://example.com/download/example_app.ipa?token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJBcHBNYW5pZmVzdCIsImlzcyI6IkpTUyIsImV4cCI6MTUwMzMyNDMxNH0.SeoxBY0EaCf4KV3UOyDMmu.
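
One way a web server could perform the validation of the "token" query parameter described above, as an added Go example (not Jamf's code and not part of the original documentation): it pins RS256, verifies the signature with the public half of the configured RSA key, then checks the "sub", "iss" and "exp" claims. The function names, the demo key and the demo token that stands in for Jamf Pro are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// claims holds the three claims the page lists for the download token.
type claims struct {
	Sub string `json:"sub"`
	Iss string `json:"iss"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// ValidateToken verifies an RS256 token with the public half of the RSA key
// configured in Jamf Pro, then checks sub, iss and exp (now is Unix seconds).
func ValidateToken(token string, pub *rsa.PublicKey, now int64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("token is not header.payload.signature")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	payload, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return errors.New("token segments are not unpadded base64url")
	}
	// Pin the algorithm: the token must not be able to select "none" or HMAC.
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return errors.New("alg is not RS256")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return errors.New("signature does not verify")
	}
	// Claims are read only after the signature has verified.
	var c claims
	if json.Unmarshal(payload, &c) != nil {
		return errors.New("payload is not a JSON claims object")
	}
	if c.Sub != "AppManifest" || c.Iss != "JSS" {
		return errors.New("unexpected sub or iss")
	}
	if c.Exp == 0 || now >= c.Exp {
		return errors.New("exp missing or in the past")
	}
	return nil
}

// RequireToken wraps the download handler and refuses any request whose
// "token" query parameter fails validation.
func RequireToken(pub *rsa.PublicKey, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ValidateToken(r.URL.Query().Get("token"), pub, time.Now().Unix()) != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// demoKey and signDemoToken are constructed stand-ins for the key pair and
// for Jamf Pro's token issuance; they exist only to exercise the validator.
func demoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func signDemoToken(priv *rsa.PrivateKey, alg, sub, iss string, exp int64) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	body, _ := json.Marshal(claims{Sub: sub, Iss: iss, Exp: exp})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv, now := demoKey(), time.Now().Unix()
	good := signDemoToken(priv, "RS256", "AppManifest", "JSS", now+300)
	fmt.Println("valid token:  ", ValidateToken(good, &priv.PublicKey, now))
	fmt.Println("after expiry: ", ValidateToken(good, &priv.PublicKey, now+301))
	fmt.Println("no token:     ", ValidateToken("", &priv.PublicKey, now))
}
```

Only the public key needs to be present on the web server; the private key is the one pasted or uploaded in the JSON Web Token Configuration settings.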

Provisioning Profiles for In-House Apps


Provisioning profiles (.mobileprovision) authorize the use of in-house apps. For an in-house app to work,
the provisioning profile that authorizes it must be installed on mobile devices.

If the provisioning profile that authorizes an in-house app is not bundled in the app archive (.ipa) file, you
must upload the profile to Jamf Pro before distributing the app.

If a provisioning profile expires, you can edit the provisioning profile record in Jamf Pro and replace the existing
profile with the new version to allow continued use of the app.

Deleting a provisioning profile from Jamf Pro removes it from mobile devices that have it installed.

Uploading a Provisioning Profile


1. In Jamf Pro, click Devices in the sidebar.
2. Click Provisioning Profiles in the sidebar.
3. Click Upload and upload the provisioning profile.
4. Enter a display name for the profile.
5. Click Save.


Downloading a Provisioning Profile


If you no longer have access to the original (.mobileprovision) file for a provisioning profile in Jamf Pro,
you can download it from Jamf Pro.

1. In Jamf Pro, click Devices in the sidebar.
2. Click Provisioning Profiles in the sidebar.
3. Click the provisioning profile you want to download.
4. Click Download.

The profile is downloaded immediately.

In-House Apps
In-house apps are enterprise apps developed through the Apple Developer Enterprise Program. Jamf Pro
allows you to distribute in-house apps to users, iOS devices, iPadOS devices, and Apple TV devices with tvOS
10.2 or later. After an app has been distributed, you can also use Jamf Pro to update or remove the app from
mobile devices.

Jamf Pro provides two distribution methods for in-house apps:

• Install the app automatically/prompt users to install the app
• Make the app available in Self Service

For more information on the Apple Developer Enterprise Program or to register, see the Apple Developer
Enterprise Program from the Apple Developer website.

When you distribute an in-house app, you configure settings for the app, such as the hosting location,
distribution method, whether to make the app managed, and which users and devices should receive it (called
"scope").

Managed in-house apps that have been distributed to mobile devices can be validated using the app validation
settings. For more information, see In-House App Maintenance Settings.

Related Content

• Hosting In-House Books and Apps on a Tomcat Instance


Distributing an In-House App

Requirements
• A bundle identifier for the app (located in the PLIST file for the app)
• An archived app file (.ipa) or the URL where the app is hosted on a web server

Note: If you are hosting the app from a web server, the MIME type for the archived app file must
be application/octet-stream.

1. In Jamf Pro, click Devices in the sidebar.
2. Click Mobile Device Apps in the sidebar.
3. Click New.
4. Select In-house app and click Next.
5. Use the General pane to configure settings for the app, including the distribution method and hosting
location.
If you choose "Distribution Points" or "jamfsoftware database" from the Hosting Location pop-up menu,
be sure to upload the archived app file.

Note: You can require a mobile device to have a tethered network connection to download the app.
A tethered network connection requires a computer with macOS 10.12.4 or later that is
connected to the Internet via Ethernet and has Wi-Fi turned off. Portable computers must be
plugged in to a power source because the tethered caching service prevents computers from going
to sleep. Select the Require tethered network connection for app installation checkbox. This
checkbox is only displayed if "Install Automatically/Prompt Users to Install" is chosen in the
Distribution Method pop-up menu. App updates will not require tethering; this setting is for initial
installations of an app only.

6. Click the Scope tab and configure the scope of the app.
For more information, see Scope.
7. (Optional) (iOS and iPadOS only) Click the Self Service tab and configure the way the app is displayed in
Self Service.
You can customize the text displayed in the description for the app in Self Service by using Markdown in
the Description field. For information about Markdown, see the Using Markdown to Format Text article.


Note: The Self Service tab is only displayed if "Make Available in Self Service" is chosen in the
Distribution Method pop-up menu.

8. (Optional) Click the App Configuration tab and configure the preferences as needed.

Note: The App Configuration tab is only displayed if the Make App Managed when possible
checkbox is selected. For more information or to generate a managed app configuration, see the
AppConfig Generator utility from Jamf.

9. Click Save.

The app is distributed the next time mobile devices in the scope check in with Jamf Pro. If users were added as
targets to the scope, the app is distributed to the devices those users are assigned to the next time the devices
check in with Jamf Pro.

Distributing an In-House App Update


1. In Jamf Pro, click Devices in the sidebar.
2. Click Mobile Device Apps in the sidebar.
3. Click the app you want to update.
4. Do one of the following:
◦ To distribute an update for an in-house app that is hosted on a web server, upload the new archived app
file to the web server and update the app URL.
◦ To distribute an update for an in-house app that is hosted on distribution points or in the jamfsoftware
database, upload the new archived app file using Jamf Pro.
5. Enter the new version number for the app.

Important: Do not change the bundle identifier. Jamf Pro uses the existing bundle identifier to
distribute the update.

6. Click Save.

The update is distributed the next time mobile devices in the scope contact Jamf Pro.


In-House App Maintenance Settings


You can use the App Maintenance settings in Jamf Pro to perform the following maintenance for in-house
apps:

• Automatic Updates—You can enable Jamf Pro to automatically update all in-house apps that are installed
on mobile devices for the apps that were made available in Jamf Self Service for iOS. This allows you to
update the apps without user interaction.
• App Validation—App validation is the process of ensuring that the provisioning profile associated with an
in-house app is still authorizing the use of the app. You can automatically validate all managed in-house
apps on mobile devices by customizing how frequently Jamf Pro performs app validation. You can also
manually force all devices to check in with Apple to validate installed in-house apps. This is useful if you
know that devices may be offline for an extended period of time and you want to validate apps before the
device is offline. The validation status for a managed in-house app on a mobile device is collected each time
inventory information for the device is reported to Jamf Pro, and is displayed in the inventory information for
that device. If an app cannot be validated, the validation status is reported as "not validated", and the app
will not open until a successful validation occurs. For information about the situations in which an app may
be reported as "not validated", see the Cannot Validate a Managed In-House App article.

Enabling Automatic App Updates


1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click App maintenance.
3. Click the In-House Apps tab.
4. Click Edit.
5. Select Automatically update apps installed via Self Service.
6. Click Save.

Configuring App Validation


1. In Jamf Pro, click Settings in the sidebar.
2. In the Device management section, click App maintenance.
3. Click the In-House Apps tab.
4. Click Edit.
5. To enable automatic app validation, do the following:
a. Select Automatically validate all managed in-house apps.
b. Specify how often Jamf Pro attempts to validate apps using the Validation Frequency pop-up menu.
You can choose to validate apps every week, every two weeks, every four weeks, or every eight
weeks. The default validation frequency is "every week".


6. To force app validation, click Force Validation.
7. Click Save.

In-House Books
In-house books are books that are not available in the Book Store. Jamf Pro allows you to distribute in-house
books to computers, mobile devices, and users. Jamf Pro provides two distribution methods for in-house
books:

• Install the book automatically/prompt users to install the book (iOS only)
• Make the book available in Self Service

After a book is installed, users can view it using the Books app.

When you distribute an in-house book, you configure settings for the book. Then, you specify the computers,
mobile devices, and users that should receive it (called “scope”).

Related Content

• Hosting In-House Books and Apps on a Tomcat Instance

Distributing an In-House Book

Requirements
To distribute an in-house book, the book must be one of the following types of files:

• ePub file (.epub)
• iBooks file (.ibooks)
• PDF

Note: In-house books cannot be distributed to personally owned mobile devices.

1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click eBooks in the sidebar.
3. Click New.
4. Select In-house eBook and click Next.
5. Use the General pane to configure settings for the book, including the display name and distribution
method.


Note: If you choose "Make Available in Self Service" as the distribution method, the Make eBook
managed when possible checkbox is selected by default. However, in-house books distributed to
computers cannot be managed. For more information, see Managed Content in Jamf Pro.

If your principal distribution point is the cloud distribution point and you choose "Distribution Points" from
the Hosting Location pop-up menu, be sure to upload the book file. For more information about hosting
locations, see In-House Content.
6. Click the Scope tab and configure the scope of the book.
For more information, see Scope.
7. (Optional) Click the Self Service tab and configure the way the book is displayed in Self Service.
You can customize the text displayed in the description for the app in Self Service by using Markdown in
the Description field. For information about Markdown, see the Using Markdown to Format Text article.

Note: The Self Service tab is only displayed if "Make Available in Self Service" is chosen in the
Distribution Method pop-up menu.

8. Click Save.

For books set to the “Install Automatically” distribution method, books are installed the next time mobile
devices in the scope check in with Jamf Pro. Users can view installed books with the Books app.

For books set to the “Make Available in Self Service” distribution method and books that cannot be installed
automatically, books are available in Self Service for users to install the next time Self Service is launched.

Removing a Managed In-House Book from Mobile Devices


To remove a managed in-house book from one or more devices, you remove the mobile device or devices
from the scope.

1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click eBooks in the sidebar.
3. Click the book you want to remove.
4. Click the Scope tab and remove mobile devices from the scope as needed.
For more information, see Scope.

5. Click Save.

The book is removed the next time the mobile devices check in with Jamf Pro.


Classroom Management
Apple Education Support Settings
The Apple Education Support settings in Jamf Pro allow you to do the following:

• Enable support for Shared iPad and Apple's Classroom app—You can allow computers and iPads to
be added to Classes in Jamf Pro for use with Apple's Classroom app. In addition, this setting allows iPads to
be added to Classes in Jamf Pro as Shared iPad for use with Apple's Classroom app.
• Enable user images—Enabling user images allows an image or student photo to be displayed in the
Classroom app and on the login screen for Shared iPads. The user image is also displayed in the inventory
information for each user.
• Integrate with Apple School Manager—Integrating Jamf Pro with Apple School Manager allows you to
import students, teachers, and classes from Apple School Manager. This automatically creates new users
and classes in Jamf Pro for use with Apple's Classroom app.

General Requirements
Support for Apple’s Classroom app applies to the following devices:

• Supervised iPads with iOS 9.3 or later
• Teacher computers with macOS 10.14 or later
• Student computers with macOS 10.14.4 or later

Note: When assigning a student or teacher to a computer in Jamf Pro, you must ensure that the
username in Jamf Pro matches the username of the MDM-enabled user on the computer. For more
information about enabling MDM for users, see MDM-Enabled Local User Accounts. In addition, see the
Managing User Approved MDM with Jamf Pro article.

In addition, support for Shared iPad for use with Apple's Classroom app applies to supervised iPads with iOS
9.3 or later.

To enable user images, you need the following:

• Images hosted on a distribution point with an enabled web server. It is recommended that you disable
directory index browsing for your distribution point to ensure that the image files on the server are secure.


Note: It is recommended that the user images are in PNG format and are 256x256 pixels.

• A CA certificate (.pem) downloaded from Jamf Pro is needed to establish a secure connection between the
Jamf Pro server and the distribution point so that the user images are populated for each user in Jamf Pro.
For more information about CA certificates, see PKI Certificates.

In addition, you need a valid push certificate in Jamf Pro. For more information, see Push Certificates.

Shared iPad and Apple's Classroom App Support


When you enable the Apple Education Support settings, Jamf Pro generates an EDU profile that is installed on
an iPad or computer when the device is added to a Class in Jamf Pro for use with Apple's Classroom app. The
EDU profile configures the device with user and class information. For information about enabling Shared iPad
during enrollment, see Automated Device Enrollment.

For more information about Shared iPad, see Shared iPad in Apple device deployments in Apple's Education
Deployment Guide.

Supporting Shared iPad and Apple's Classroom App

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Apple education support.
3. Click Edit.
4. Select the Enable Apple Education Support checkbox.
5. Click Save.

Jamf Pro generates an EDU Profile that is installed on devices when they are added to a Class in Jamf Pro.

iPads that are enrolled with Jamf Pro using a PreStage enrollment that has Shared iPad enabled are enabled
as Shared iPad for use with Apple's Classroom app when they are added to a Class in Jamf Pro.

User Images for Education


You can enable user images as a part of Apple Education Support. When you enable user images, you allow
an image or student photo to be displayed in the Classroom app and on the login screen for Shared iPads. The
user image is also displayed in the inventory information for each user.

User images must be hosted on a distribution point with an enabled web server. The URL for that distribution
point must be specified in Jamf Pro when you enable user images.


When setting up the distribution point URL, it is recommended that you use a variable in the URL and name
the image files so that they function with the variable you choose. For example, if the distribution point URL is
https://www.mycompany.com/$USERNAME.png, the username in Jamf Pro for each user will be inserted into
the URL in place of the $USERNAME variable. If you name each image file using the username in Jamf Pro for
each user, the correct image will be displayed for each user.

You can use the following variables in the distribution point URL for user images:

• $USERNAME
• $FULLNAME
• $REALNAME
• $EMAIL
• $PHONE
• $POSITION
• $EXTENSIONATTRIBUTE_<#>
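A pre-flight check for the URL template described above, added here as an example and not part of Jamf's documentation or tooling: it substitutes each user's values into the template and reports users with a missing value, users whose value contains characters that alter a URL path, and users who would resolve to the same image URL. The host name, the user records, and the plain-substitution model are constructed assumptions; the page does not say how Jamf Pro encodes special characters, so such values are only flagged for review.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Variables the page lists for the user image URL.
NAMED_VARS = {"USERNAME", "FULLNAME", "REALNAME", "EMAIL", "PHONE", "POSITION"}
# $EXTENSIONATTRIBUTE_<#> is tried first so its numeric suffix is kept.
TOKEN = re.compile(r"\$(EXTENSIONATTRIBUTE_\d+|[A-Z]+)")
# Characters that change the meaning of a URL path or would need encoding.
RISKY = re.compile(r"[/\\?#%\s]|\.\.")


def expand(template, user):
    """Substitute one user's values into the template.

    Returns (url, problems); problems is empty when the URL is usable as-is.
    """
    problems = []

    def substitute(match):
        name = match.group(1)
        if name not in NAMED_VARS and not name.startswith("EXTENSIONATTRIBUTE_"):
            problems.append(f"unknown variable ${name}")
            return match.group(0)
        value = user.get(name) or ""
        if not value:
            problems.append(f"no value for ${name}")
        elif RISKY.search(value):
            problems.append(f"${name} value {value!r} needs review")
        return value

    return TOKEN.sub(substitute, template), problems


def audit(template, users):
    """Check every user against the template and report what would break."""
    by_url = defaultdict(list)
    problems = {}
    for user in users:
        url, found = expand(template, user)
        if found:
            problems[user["USERNAME"]] = found
        else:
            by_url[url].append(user["USERNAME"])
    return {
        # The image host is expected to serve over TLS (added check).
        "https": urlsplit(template).scheme == "https",
        "problems": problems,
        # Two users sharing one URL would be shown the same image.
        "collisions": {u: n for u, n in by_url.items() if len(n) > 1},
        # File names the web server must actually host.
        "expected_files": sorted(urlsplit(u).path.rsplit("/", 1)[-1] for u in by_url),
    }


# Constructed sample data: host, usernames and attribute values are invented.
TEMPLATE = "https://images.example.com/users/$EXTENSIONATTRIBUTE_1.png"
USERS = [
    {"USERNAME": "jdoe", "EXTENSIONATTRIBUTE_1": "1001"},
    {"USERNAME": "asmith", "EXTENSIONATTRIBUTE_1": "1001"},   # duplicate value
    {"USERNAME": "bnguyen", "EXTENSIONATTRIBUTE_1": ""},      # missing value
    {"USERNAME": "cchan", "EXTENSIONATTRIBUTE_1": "10/02"},   # adds a path segment
    {"USERNAME": "dlee", "EXTENSIONATTRIBUTE_1": "1003"},
]

if __name__ == "__main__":
    for key, value in audit(TEMPLATE, USERS).items():
        print(key, value)
```

Run it against an export of your own users before enabling user images, then compare `expected_files` with the directory listing on the distribution point.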

Note: Once you have specified a distribution point URL for user images, you can choose to specify a
custom URL for a single user's image from the inventory information for a user. The custom URL
overrides the specified distribution point URL. For more information about specifying a custom URL, see
User Inventory and Criteria Reference.

For step-by-step instructions on preparing to use user images, see the Integrating with Apple School Manager
to Support Apple's Education Features Using Jamf Pro technical paper.

Enabling User Images

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Apple education support.
3. Click Edit.
4. If you have not enabled Apple Education Support, select the Enable Apple Education Support
checkbox.
5. Select the Enable User Images checkbox.
6. Enter a distribution point URL for user images.

Important: Editing the distribution point URL for user images causes existing EDU profiles to be
redistributed. This can increase network traffic.

7. If you have not already downloaded the CA certificate (.pem), click Download to download the certificate,
and then save the certificate in the appropriate location dictated by your web server vendor.
8. (Optional) If your web server uses a self-signed certificate or a certificate signed by an internal CA, you
must upload an additional certificate (.p12 or .pem) from your web server to the Jamf Pro server to
establish trust between the Jamf Pro server and the web server hosting the user images.
9. Click Save.
10. (Optional) Use the Test button to ensure that the user images on your distribution point are accessible.

Due to caching, user images may not appear immediately on devices. You may need to restart the device or
the Classroom app in order for user images to appear.

Apple School Manager Integration


The Apple Education Support settings allow you to integrate Jamf Pro with Apple School Manager. Integrating
with Apple School Manager allows you to do the following:

• Specify a class naming format. This is applied to all classes imported from Apple School Manager.
• Specify a class description format. This is applied to all classes imported from Apple School Manager. The
description is displayed in Apple's Classroom app.
• Sync Jamf Pro with Apple School Manager to automatically update user and class information in Jamf Pro
at a scheduled time. You can also force Jamf Pro to sync immediately with Apple School Manager.
• Choose user criteria for matching imported users from Apple School Manager with existing users in Jamf
Pro. Imported user information is appended to the Roster category of user inventory information for the
existing user in Jamf Pro.
• Automatically create new users in Jamf Pro by importing users from Apple School Manager.
• Automatically create classes in Jamf Pro by importing classes from Apple School Manager.

Note: It is recommended that you only use one Apple School Manager account to integrate with Jamf
Pro. Using more than one account makes it difficult to isolate the account causing the issues when
troubleshooting.

Integrating Jamf Pro with Apple School Manager creates one instance of Apple School Manager in Jamf Pro.
To integrate with Apple School Manager, you need to associate an Automated Device Enrollment (formerly
DEP) instance with the Apple School Manager instance. You can associate one Automated Device
Enrollment instance with one Apple School Manager instance.

Class Naming and Description Format


When you integrate with Apple School Manager, you choose variables in Jamf Pro that match values for class
information in Apple School Manager. Jamf Pro allows you to specify variables that apply to a class name and
class description when the class is imported from Apple School Manager to Jamf Pro. You can specify
variables for the following settings:

• Class Naming Format—When a class is imported, the variables are applied to the display name of the
class in the order you select. For example, if you select "Course Name" and "Class Source ID", the class is
imported to Jamf Pro with a name like "Biology12345". The default values for the class naming format are
"Course Name" and "Class Source ID".
• Class Description Format—When a class is imported, the variables are applied to the description of the
class in the order you select. For example, if you select "Location" and "Instructor", the class is imported to
Jamf Pro with a description like "EauClaireSamanthaJohnson". This setting overwrites existing class
descriptions the next time Jamf Pro syncs with Apple School Manager for classes that have already been
imported.

The following table displays the available variables in Jamf Pro and the values for class information that the
variables match in Apple School Manager. The same variables are available for the class naming format and
the class description format:

| Variable in Jamf Pro | Class Information in Apple School Manager | Notes |
|---|---|---|
| Location Name | Role/Location | |
| Class ID | Class ID | |
| Class Source ID | Course ID | |
| Course Name | Course Name | "Course Name" must contain a value prior to importing the class to Jamf Pro. |
| Class Name | Class Name | |
| Course Number | Course Number | |
| Class Room | Room | |
| Class Site | N/A | Value is populated based on the site the class is imported to in Jamf Pro. |
| Instructor Name | N/A | Value is populated based on "Last Name" for the teacher that is imported with the class. If there is no value for "Last Name", this value is populated with the value for "Full Name". If there are multiple teachers in a class, the "Instructor Name" value is populated with the teacher name that comes first alphabetically by last name. |
| Instructor Grade | N/A | Value is populated based on "Grade" for the teacher that is imported with the class. If there are multiple teachers in a class, the "Instructor Grade" value is populated with the teacher name that comes first alphabetically by last name. |
| Class Number | Class Number | |
| Custom | N/A | In addition to variables, you can apply a custom field to the class naming format to separate variables or enter custom text. For example, if you select "Course Name", "Custom Text", and "Class Source ID", and enter a hyphen (-) in the Custom Text field, the class is imported to Jamf Pro with a name like "Biology-12345". |

Note: If a value is not available in Apple School Manager for the variable selected in Jamf Pro, a blank
value is displayed in Jamf Pro for that selected variable in the class name.

Apple School Manager Sync Time


You can configure how frequently Jamf Pro syncs information from Apple School Manager. Configuring a sync
time allows user and class information to be updated automatically if there is updated information available in
Apple School Manager. You can choose to sync never, daily, once a week, every other week, or once a month.
The default sync time is "Never". In addition, you can force Jamf Pro to sync immediately with Apple School
Manager. For more information, see Forcing an Apple School Manager Sync.

Information is only synced from Apple School Manager to Jamf Pro, not from Jamf Pro to Apple School
Manager.

When the configured sync time is reached or you have forced an Apple School Manager sync, inventory
information in the Roster category is updated for the imported users and users associated with an imported
class. Class information, such as the display name, is also updated. If you modify the class naming format after
a class has been imported, the class name is updated and the class naming format is re-applied to the classes
that have been imported.

If a student or teacher is added to a class in Apple School Manager after a class has been imported, the user is
imported to Jamf Pro and matched with existing users during a sync based on the criteria for matching
imported users from Apple School Manager. If there is no match, the imported user is added to Jamf Pro as a
new user in the Users tab.

If you have not yet imported users or classes from Apple School Manager when the configured sync time is
reached, information is synced at the time configured and stored in the Jamf Pro database for the class or user
until they are imported.

Note: Jamf Pro performs one sync at a time.

Matching Criteria for Importing Users from Apple School Manager


When you integrate Jamf Pro with Apple School Manager, you choose Jamf Pro user criteria to match with
Apple School Manager user criteria. Users that are imported to Jamf Pro are matched to existing users in Jamf
Pro based on the selected user criteria.

The following table displays the criteria you can use to match imported users from Apple School Manager to
existing users in Jamf Pro:

Jamf Pro User Criteria Apple School Manager User Criteria

Email (Jamf Pro server) Email

Email (Jamf Pro server) Managed Apple ID

Username (Jamf Pro server) Source System Identifier

Source System Identifier Username

User Extension Attributes

Managed Apple ID (Jamf Pro server) Managed Apple ID

The default criteria matches "Email (Jamf Pro)" with "Managed Apple ID" from Apple School Manager and an
operator of "equals".
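A dry run of the default match described above ("Email" in Jamf Pro equals "Managed Apple ID" in Apple School Manager), added here as an example and not taken from Jamf's documentation or code: it shows which imported users would match exactly one existing user, which would match several, and which would be created as new users. The field names and records are constructed, and exact string comparison is an assumed reading of "equals"; values that differ only in case or surrounding whitespace are reported separately because the page does not say how Jamf Pro treats them.

```python
from collections import defaultdict


def _norm(value):
    """Fold case and surrounding whitespace; used only to spot near matches."""
    return (value or "").strip().casefold()


def reconcile(jamf_users, asm_users, jamf_field="email", asm_field="managed_apple_id"):
    """Classify each Apple School Manager user against existing Jamf Pro users.

    matched   - exactly one existing user has the same value
    ambiguous - several existing users share the value; roster data could be
                appended to the wrong account
    near      - no exact match, but a value differs only by case or whitespace
    new       - no candidate; the import would create a new user
    """
    exact, folded = defaultdict(list), defaultdict(list)
    for user in jamf_users:
        value = user.get(jamf_field) or ""
        if value:
            exact[value].append(user["username"])
            folded[_norm(value)].append(user["username"])

    result = {"matched": {}, "ambiguous": {}, "near": {}, "new": []}
    for person in asm_users:
        ident = person["source_system_identifier"]
        value = person.get(asm_field) or ""
        hits = exact.get(value, []) if value else []
        near = folded.get(_norm(value), []) if value else []
        if len(hits) == 1:
            result["matched"][ident] = hits[0]
        elif len(hits) > 1:
            result["ambiguous"][ident] = sorted(hits)
        elif near:
            result["near"][ident] = sorted(near)
        else:
            result["new"].append(ident)
    return result


# Constructed sample exports; field names are hypothetical.
JAMF_USERS = [
    {"username": "jdoe", "email": "jdoe@school.example"},
    {"username": "jdoe-old", "email": "jdoe@school.example"},   # stale duplicate
    {"username": "asmith", "email": "ASmith@school.example"},   # case differs
    {"username": "bnguyen", "email": "bnguyen@school.example"},
]
ASM_USERS = [
    {"source_system_identifier": "S-1001", "managed_apple_id": "jdoe@school.example"},
    {"source_system_identifier": "S-1002", "managed_apple_id": "asmith@school.example"},
    {"source_system_identifier": "S-1003", "managed_apple_id": "bnguyen@school.example"},
    {"source_system_identifier": "S-1004", "managed_apple_id": "cchan@school.example"},
]

if __name__ == "__main__":
    for bucket, entries in reconcile(JAMF_USERS, ASM_USERS).items():
        print(bucket, entries)
```

Resolve the "ambiguous" and "near" entries in Jamf Pro before importing, so that a Managed Apple ID is not attached to the wrong user record.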

Configuring an Instance of Apple School Manager

Requirements
To integrate with Apple School Manager, you need to integrate Jamf Pro with Automated Device
Enrollment. For more information, see Automated Device Enrollment Integration.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Apple education support.
3. Click Edit.
4. Click the Apple School Manager tab.
5. Select the Enable Apple School Manager Integration checkbox.
6. Click Add.
If you have not integrated Jamf Pro with Automated Device Enrollment (formerly DEP), click the
Automated Device Enrollment settings link.
7. Enter a display name for the Apple School Manager instance.
8. Choose an Automated Device Enrollment instance from the Automated Device Enrollment Instance
pop-up menu.
9. Use the Class Naming Format options to select a variable to apply to the name of a class when importing
the class from Apple School Manager. To add more variables, click Add and select "Variable" or "Custom
Text".
To remove a variable, click the "X" next to the variable field.

10. (Optional) Use the Class Description Format options to select a variable to apply to the description of a
class when importing the class from Apple School Manager. To add more variables, click Add and select
"Variable" or "Custom Text".
To remove a variable, click the "X" next to the variable field.
11. (Optional) To select a time that Jamf Pro should sync with Apple School Manager, choose a time interval
from the Apple School Manager Sync Time pop-up menu, and then configure the days and time to sync.
The time zone that is displayed is the time zone that is configured in System Settings (macOS 13 or later)
or System Preferences (macOS 12 or earlier).

Note: It is recommended that you choose to sync with Apple School Manager at a time other than
when you choose to flush logs or back up your database.

12. Choose criteria to use for matching imported users from Apple School Manager with existing users in Jamf
Pro using the Matching Criteria for Importing Users options:
a. Select Jamf Pro or Apple School Manager user criteria from the User Criteria pop-up menu on the left.
b. Choose an operator from the Operator pop-up menu.
c. Select Jamf Pro or Apple School Manager user criteria from the User Criteria pop-up menu on the
right.

13. Click Save.

When you import users or classes, the variables selected for the Class Naming Format are applied to the class
display name, and the user information from Apple School Manager is matched to existing user information in
Jamf Pro based on the selected criteria.

Jamf Pro updates user and class information from Apple School Manager at the time configured.

Forcing an Apple School Manager Sync


You can force Jamf Pro to sync immediately with Apple School Manager. This allows you to update user and
class information in Jamf Pro when needed. For more information about syncing Jamf Pro with Apple School
Manager, see Apple School Manager Sync Time.

Note: Forcing Jamf Pro to sync with Apple School Manager can add significant network traffic in Jamf
Pro. It is recommended that you force sync at a time other than when you choose to flush logs or back
up your database.

1. In Jamf Pro, click Settings in the sidebar.
2. In the Global section, click Apple education support.
3. In the list of Apple School Manager instances, click the Force Sync button next to the instance that you
want to manually sync Jamf Pro with.

Jamf Pro immediately syncs information from Apple School Manager.

If you force Jamf Pro to sync with more than one instance of Apple School Manager, Jamf Pro performs one
sync at a time.

Note:

• Deleting an Apple School Manager instance removes the information in the Roster category of user
inventory information that is imported from Apple School Manager. This disables Shared iPad for
users.
• Deleting an Apple School Manager instance does not remove the users or classes that have been
imported from Apple School Manager.

Classes
Jamf Pro allows you to create classes for use with Apple’s Classroom app and Jamf Teacher. When you create
a class in Jamf Pro, you use a payload-based interface to configure settings to apply to teacher and student
computers and iPads. These settings are then applied to the devices in a class for use with Apple’s Classroom
app and Jamf Teacher.

In addition, you can use an assistant in Jamf Pro to import classes created in Apple School Manager and
configure them to be used with Apple's Classroom app and Jamf Teacher. When you import a class to Jamf
Pro, you also import the users associated with the class.

Class Payloads
The payloads you choose to configure for the class depend on whether your environment uses Shared iPad. The
following table explains the payloads you can configure in Classes:

| Payload | Description |
|---|---|
| General | This payload allows you to enter a display name and description for a class. |
| Students | This payload allows you to add students to a class. |
| Student User Groups | This payload allows you to add student user groups to a class. |
| Teachers | This payload allows you to add teachers to a class. |
| Teacher User Groups | This payload allows you to add teacher user groups to a class. |
| Mobile Device Groups | This payload allows you to add mobile device groups to a class. |
| App Usage Restrictions | This payload allows you to restrict which apps are available to a student. Shared iPad only. |
| Home Screen Layout | This payload allows you to configure the layout of the Dock and the pages on the student iPad. Shared iPad only. |

Apple's Classroom App Class Configuration


When creating a class for Apple's Classroom app, you can configure settings for the following environments:

• Environment with Shared iPad—In this environment, you add a student user group that contains students
with Managed Apple IDs to a class. You also add a mobile device group that contains Shared iPad devices.
You assign the teacher to an iPad or computer in Jamf Pro, and then add the teacher to the class (either as
an individual user or as a user group). In addition, you can include app usage restrictions and Home screen
layout settings to customize the student experience on the iPad.
• Environment without Shared iPad—In this environment, you assign each student to an iPad in Jamf Pro.
Then, you add the students (either as individual users or as a user group) to a class. You assign the teacher
to an iPad or computer in Jamf Pro, and then add the teacher to the class (either as an individual user or as
a user group).
• Environment with computers—In this environment, you assign a student to a computer in Jamf Pro. Then,
you add the students to a class (either as individual users or as a user group). You assign the teacher to an
iPad or computer in Jamf Pro, and then add the teacher to the class (either as an individual user or as a
user group).

Note: When assigning a student or teacher to a computer in Jamf Pro, you must ensure that the
username in Jamf Pro matches the username of the MDM-enabled user on the computer.

When you create a class for use with Apple's Classroom app, Jamf Pro automatically installs an associated
EDU profile on the teacher and student devices. This profile allows student and teacher devices to
communicate. It also ensures that students can log in to a Shared iPad device if Shared iPad has been
enabled on the iPad.

Classes Imported from Apple School Manager


You can automatically create classes in Jamf Pro by importing classes from Apple School Manager. When you
integrate with Apple School Manager, you configure a class naming format by choosing variables that are
applied to the display name for all imported classes. In addition, the Students payload and Teachers payload
for imported classes are automatically populated with the information imported from Apple School Manager.

An assistant in Jamf Pro guides you through the process of importing classes from Apple School Manager. It
allows you to choose the class you want to import from a list of classes in Apple School Manager. When you
import a class, you also import the users associated with the class. This automatically creates new users in
Jamf Pro and appends inventory information to existing users. For information about users imported from
Apple School Manager, see Importing Users to Jamf Pro from Apple School Manager.

Note: If a user is added to a class in Apple School Manager after the class has been imported, the user
is imported to Jamf Pro and matched with existing users at the configured sync time based on the
criteria for matching imported users from Apple School Manager. If there is no match, the imported user
is added to Jamf Pro as a new user in the Users tab.

After a class is imported, class information is updated automatically based on the Apple School Manager Sync
Time.

For more information about class naming, matching criteria for importing users, and Sync Time, see Apple
School Manager Integration.

General Requirements
If you are creating a class to work with Apple's Classroom app and Jamf Teacher, you need the following:

• Apple Education Support enabled in Jamf Pro. (For more information, see Apple Education Support
Settings.)
• Teacher assigned to an iPad or computer in Jamf Pro. If using student computers in a class, the student
must be assigned to the computer. (For more information, see User Assignments.)

Note: When assigning a student or teacher to a computer in Jamf Pro, you must ensure that the
username in Jamf Pro matches the username of the MDM-enabled user on the computer. For more
information about enabling MDM for users, see the following:
◦ MDM-Enabled Local User Accounts
◦ Managing User Approved MDM with Jamf Pro

In addition, you must ensure that teacher and student devices meet the minimum device requirements for use
with Apple’s Classroom app. For more information about device requirements, see Classroom requirements in
Apple's Classroom User Guide.

To import class information from Apple School Manager, you need the following:

• Jamf Pro integrated with Apple School Manager (For more information, see Apple School Manager
Integration.)
• A Jamf Pro user account with the "Users" and "Classes" privileges

Configuring a Class
1. In Jamf Pro, click Computers, Devices, or Users in the sidebar.
2. Click Classes.
3. To create a new class, click New and do the following:
a. Use the General payload to enter a display name and description for the class.
If you specify a Class Description Format when integrating with Apple School Manager, the Description
field is not editable.

Note: The description for the class is not synced from Jamf Pro to Apple School Manager.

b. Add students to the class using the Students payload or the Student User Groups payload.
c. Add teachers to the class using the Teachers payload or the Teacher User Groups payload.
4. To import class information from Apple School Manager, click Import and do the following:
a. Follow the onscreen instructions to import class information.

Note: If you are importing a large number of classes (e.g., 10,000), a progress bar is displayed
in the assistant during the import process. You can click Done and perform other management
tasks while the import takes place.

If you import users from Apple School Manager that match current users in Jamf Pro, you can choose
to match the imported user with the current user, or create a new user in Jamf Pro with the information
imported from Apple School Manager.
b. Click Done.
Class information is imported to Jamf Pro, and user information is applied in the Users tab.
If you have site access only, classes are imported to your site only.
c. Click the class you imported, and then click Edit to add devices and optional Shared iPad payloads to
the class.
5. Add computers or mobile devices to the class by doing the following:
◦ Add mobile device groups to the class using the Mobile Device Groups payload.
◦ Add computers to the class by adding students that are assigned to computers.
6. (Optional) If your environment uses Shared iPad, do the following:
a. Use the Restrictions payload to restrict which apps are available to users on Shared iPad.
b. Use the Home Screen Layout payload to configure the layout of the Dock and the pages on the iPad.
7. Click Save.

Note:

• If you change the site of a class, devices in the class are removed from the class. Users that are not
already added to the new site are also removed from the class.
• Deleting a class also deletes the EDU profile from devices in the class.

Student Setup
To allow students to log in on Shared iPad, you need to ensure that the student's Managed Apple ID is entered
in the Roster category of user inventory information. To do this, you can create new users or edit existing users
in the Users tab.

The following information can be specified in the Roster category of user inventory information:

• Full Name from Roster—This is the name that you created for the student in Apple School Manager.
• Managed Apple ID—This information is required to use Shared iPad.
• Password Requirement—This requires students to set their passcode to the specified number of passcode
characters and is required to use Shared iPad. You can choose to require a four-digit numeric code, a six-
digit numeric code, or a complex code. Choosing "complex" allows students to set an alpha-numeric
passcode.

After you enter Roster information for students in user inventory information, you can create a user group that
contains students with Managed Apple IDs in your environment. This allows you to add a smart or static user
group when you create a class in Jamf Pro for use with Apple's Classroom app.

Importing Users to Jamf Pro from Apple School Manager


You can import users to Jamf Pro from Apple School Manager. This allows you to automatically create new
users in Jamf Pro from the users in Apple School Manager or append information to existing users in Jamf Pro.

When you import users from Apple School Manager, the following fields are populated in the Roster category
of the user's inventory information:

• Last Sync
• Status
• User Number
• Full name from Roster
• First Name
• Middle Name
• Last Name
• Managed Apple ID
• Grade
• Password Policy

An assistant in Jamf Pro guides you through the process of importing all users or a subset of users from Apple
School Manager. If you choose to import a subset of users, you need to choose the criteria and values for the
users you want to import. For example, you could import the students from an "Addition & Subtraction" course
or an "Algebra" course only.

You can select from the following options when importing users from Apple School Manager:

• Match to an existing user in Jamf Pro—Imported users are matched to existing users in Jamf Pro based
on the criteria selected when integrating Jamf Pro with Apple School Manager. Jamf Pro displays potential
existing users in Jamf Pro that match the specified criteria. When you select an existing user in Jamf Pro to
match the imported user to, information is populated in the Roster category of the user's inventory
information. If this information existed prior to matching the imported user with the existing user, the
information is updated.
• Create a new user in Jamf Pro—If you choose to create a new user, the imported user is automatically
added to Jamf Pro in the Users tab and inventory information is entered in the Roster category of the user's
inventory information.

Note: The number of users you can import and match varies depending on your environment. Importing
a large number of users at once may affect performance. You may need to perform more than one
import to import all users to Jamf Pro from Apple School Manager.

After users are imported, if an Apple School Manager Sync Time is configured for the Apple School Manager
instance, user information is updated automatically based on the scheduled frequency and time.

Importing Users from Apple School Manager

Requirements
To import users to Jamf Pro from Apple School Manager, you need the following:

• Jamf Pro integrated with Apple School Manager (For more information, see Apple School Manager
Integration.)
• A Jamf Pro user account with the "Users" privilege

1. In Jamf Pro, click Users in the sidebar.
2. Click Search Users in the sidebar.
3. Leave the search field blank and press the Enter key.
4. Click Import.

Note: If you choose to import a subset of users, choose the criteria, operator, and values to use to
define the subset of users to import. When importing a subset of users based on multiple criteria,
choose "or" from the And/Or pop-up menus if the criteria are the same.

5. Follow the onscreen instructions to import users.

Note: If you are importing a large number of users (e.g., 10,000), a progress bar is displayed in the
assistant during the import process. You can click Done and perform other management tasks while the
import takes place.

User information is imported to Jamf Pro and applied in the Users tab.

If you have site access only, users are imported to your site only.

Copyright and Trademarks


© 2002-2023 Jamf. All rights reserved.

Jamf has made all efforts to ensure that this guide is accurate.

Jamf
100 Washington Ave S Suite 1100
Minneapolis, MN 55401-2155
(612) 605-6625

Under the copyright laws, this publication may not be copied, in whole or in part, without the written consent of
Jamf.

The CASPER SUITE, COMPOSER®, the COMPOSER Logo®, Jamf, the Jamf Logo, JAMF SOFTWARE®,
the JAMF SOFTWARE Logo®, RECON®, and the RECON Logo® are registered or common law trademarks
of JAMF SOFTWARE, LLC in the U.S. and other countries.

ADmitMac is a registered trademark of Thursby Software Systems, Inc.

Adobe, Adobe AIR, Adobe Bridge, Adobe Premier Pro, Acrobat, After Effects, Creative Suite, Dreamweaver,
Fireworks, Flash Player, Illustrator, InDesign, Lightroom, Photoshop, Prelude, Shockwave, and all references
to Adobe software are either registered trademarks or trademarks of Adobe Systems Incorporated in the
United States and/or other countries.

Amazon, Amazon CloudFront, Amazon RDS, Amazon S3, and Amazon Web Services are trademarks of
Amazon.com, Inc. or its affiliates in the United States and/or other countries.

Apple, the Apple logo, Apple Remote Desktop, Apple TV, AirPlay, Finder, FileVault, FireWire, iBeacon, iBooks,
iPad, iPhone, iPod touch, iTunes, Keychain, Mac, MacBook, MacBook Pro, MacBook Air, macOS, OS X, and
Safari are trademarks of Apple Inc., registered in the United States and other countries. AppleCare, App Store,
iBooks Store, iCloud, and iTunes Store are service marks of Apple Inc., registered in the United States and
other countries.

Centrify is a registered trademark of Centrify Corporation in the United States and/or other countries.

Chrome and Google are trademarks or registered trademarks of Google Inc.

Cisco and IOS are trademarks or registered trademarks of Cisco in the United States and other countries.

Intel and McAfee Endpoint Protection are either registered trademarks or trademarks of the Intel Corporation in
the United States and other countries.

Likewise is a trademark of Likewise Software.

Linux is a registered trademark of Linus Torvalds in the United States and other countries.

Microsoft, Microsoft Edge, Microsoft Intune, Active Directory, Azure, Excel, OneNote, Outlook, PowerPoint,
Silverlight, Windows, Windows Server, and all references to Microsoft software are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Mozilla and Firefox are registered trademarks of the Mozilla Foundation.

NetIQ is a trademark or registered trademark of NetIQ Corporation in the United States.

Java, MySQL, and all references to Oracle software are either registered trademarks or trademarks of Oracle
and/or its affiliates. Other names may be trademarks of their respective owners.

The Skype name, associated trademarks and logos, and the "S" logo are trademarks of Skype or related
entities.

Sophos is a trademark or registered trademark of Sophos Ltd.

TeamViewer is a trademark of TeamViewer Germany GmbH.

Tomcat is a trademark of the Apache Software Foundation.

Ubuntu is a registered trademark of Canonical Ltd.

All other product and service names mentioned herein are either registered trademarks or trademarks of their
respective companies.
