Configuring a JSON Web Token to Secure Downloads of iOS and tvOS In-House Apps
This article explains how to configure a JSON Web Token (JWT) in Jamf Pro to secure downloads of iOS and tvOS in-house apps from an external distribution server. Once the JWT is configured, in-house apps can only be downloaded on managed devices and within the time period that you specify.
Jamf Pro 9.101.0 and later
- Log in to Jamf Pro.
- Click Settings.
- In the Global Management area, click PKI Certificates.
- Click the JSON Web Token Configuration tab.
- Click the New button to create a new JSON Web Token Configuration.
- In the Display Name field, enter a name for the token.
- In the Encryption Key area, do one of the following:
  a. Choose Paste or Type Encryption Key, then enter or paste the RSA private encryption key in the Paste the Encryption Key Below field.
  b. Choose Upload Encryption Key File, then click Choose File to upload a .pem file containing the RSA private encryption key.
- In the Token Expiry area, choose the time period during which in-house apps can be downloaded. After the specified time period, in-house apps can no longer be downloaded.
- Click Save.
When the JSS sends the device an install application command for an in-house app, a new JWT is generated and added to the download URL as a "token" query parameter.
Ensuring Validation with the External Distribution Server
The administrator of the external distribution server will need to perform further setup to ensure the external distribution server validates the request using the JWT "token" query parameter.
Note: Until the distribution point validates the requests, unsecured downloads of in-house apps are still possible.
Important Implementation Details
The JWT is generated using the RS256 algorithm and is signed with the RSA private key provided in the Configuration. The external distribution server verifies the signature with the corresponding RSA public key.
In addition, the JWT has the following claims:
- "sub" (subject) of "AppManifest"
- "iss" (issuer) of "JSS"
- "exp" (expiration) configurable in the JSON Web Token Configuration