Skip to main content
Jamf Nation, hosted by Jamf, is a knowledgeable community of Apple-focused admins and Jamf users. If you like what you see, join us in person at the ninth annual Jamf Nation User Conference (JNUC) this October for three days of learning, laughter and IT love.

Configuring a JSON Web Token to Secure Downloads of iOS and tvOS In-House Apps


This article explains how to configure a JSON Web Token (JWT) in Jamf Pro to secure downloads of iOS and tvOS in-house apps from an external distribution server. Once the JWT is configured, in-house apps can only be downloaded on managed devices and within the time period that you specify.

Products Affected

Jamf Pro 9.101.0 and later


  1. Log in to Jamf Pro.
  2. Click Settings.
  3. In the Global Management area, click PKI Certificates.
  4. Click the JSON Web Token Configuration tab.
  5. Click the New button to create a new JSON Web Token Configuration.
  6. In the Display Name field, enter a name for the token.
  7. In the Encryption Key area, do one of the following: a. Choose Paste or Type Encryption Key, then enter or paste the RSA private encryption key in the Paste the Encryption Key Below field. b. Choose Upload Encryption Key File, then click Choose File to upload a .pem file containing the RSA private encryption key.
  8. In the Token Expiry area, choose the time period during which in-house apps can be downloaded. After the specified time period, in-house apps can no longer be downloaded.
  9. Click Save.

Additional Information

URL Differences

When the JSS sends the device an install application command for an in-house app, a new JWT is generated and added to the download URL as a "token" query parameter.

For example,


Ensuring Validation with the External Distribution Server

The administrator of the external distribution server will need to perform further setup to ensure the external distribution server validates the request using the JWT "token" query parameter.

Note: Until the distribution point validates the requests, unsecured downloads of in-house apps are still possible.

Important Implementation Details

The JWT is generated using the RS256 algorithm, and is signed with the RSA private key provided in the Configuration.

In addition, the JWT has the following claims:

  • "sub" (subject) of "AppManifest"
  • "iss" (issuer) of "JSS"
  • "exp" (expiration) configurable in the JSON Web Token Configuration
Like Comment