Date: April 6, 2026

Highlights

  • Better performance when removing/cleaning systems from the Admin Console
  • Admin-Initiated Device Log Collection
  • Force Certificate Renewal
  • Display Directory Password Expiration
  • Periodic User Information Updates
  • Enrollment Security Improvements
  • Bug Fixes

Enhancements

New Heartbeat Architecture

  • The Mac Authenticator has moved to a new, more responsive heartbeat system. A lightweight heartbeat is now called at sign-in and every 5 minutes to keep device state current, while a deeper device evaluation runs once per hour. Configuration data is now delivered directly in the heartbeat response, and device unenrollment is handled in real time when the server signals it.

Admin-Initiated Device Log Collection

  • Administrators can now request device logs directly from the Admin Console without requiring any action from the end user. When a log request is received during a heartbeat check-in, the Mac Authenticator will automatically collect and upload logs in the background. Each log request is processed only once to prevent duplicate uploads.

Force Certificate Renewal

  • The Mac Authenticator can now automatically renew a user’s smart card certificate when instructed to do so by the platform. When a forced renewal is triggered, the existing certificate is replaced with a new one and the old certificate is removed. If the renewal fails, the existing certificate is preserved and the Mac Authenticator will retry once per hour until successful. The renewed certificate is fully compatible with Kerberos and CBA SSO authentication.

Display Directory Password Expiration

  • The TruU status bar menu now displays the user’s directory password expiration date, making it easy to know when a password change is needed before it causes a sign-in interruption. The text reads “Directory password expires on” and turns red if the password has already expired. This feature is controlled by a configuration key and is hidden when expiration information is unavailable.

Periodic User Information Updates

  • The Mac Authenticator now periodically refreshes the enrolled user’s information from the platform once every 12 hours. If the user’s display name has changed, it is updated within the app. If the user’s UPN has changed, a new smart card certificate is automatically requested to keep authentication working seamlessly.

Enrollment Security Improvements

  • The enrollment process has been updated to use the latest enrollment endpoints, tying enrollment to the specific device and preventing unauthorized enrollment attempts outside of the TruU software. The enrollment abort flow has also been updated to properly notify the platform when enrollment is cancelled or fails.

Bug Fixes

  • Fixed an issue where the app could hang or feel unresponsive at launch. App startup and deferred operations have been refactored for a smoother experience.
  • Fixed an issue where a black screen appeared for several seconds after tapping “Get Started” during enrollment. A loading indicator is now shown while the app prepares.
  • Fixed an issue where the “Welcome to TruU” screen flickered briefly between the enrollment loader and the “Create Your PIN” page.
  • Fixed an issue where tapping “Cancel” on the TruU Token window during enrollment still allowed enrollment to complete unexpectedly.
  • Fixed an issue where SSO would time out and leave the user stuck on a web sign-in spinner.
  • Fixed an issue where PIN authentication could fail on the first attempt, requiring the user to enter the same PIN a second time to succeed.
  • Fixed an issue where changing the PIN multiple times in quick succession could result in the account being unenrolled.
  • Fixed an issue where the new PIN did not work for login or uninstall after a PIN change, while the old PIN was still accepted.
  • Fixed an issue where the “Different from current PIN” requirement indicator activated while typing in the current PIN field, before the user had entered anything in the new PIN field.
  • Fixed an issue where the Change PIN screen displayed “Incorrect Length” instead of showing the required PIN length.
  • Fixed an issue where a false “Enrollment Finalization Failed” error was shown during smartcard pairing even though enrollment completed successfully.
  • Fixed an issue where enrollment was lost after upgrading to a newer build.
  • Fixed an issue where the ADE flow could show “Profile successfully set up” with no way to continue, requiring a hard reboot.
  • Fixed an issue where a user’s password was written to the logs during ADE enrollment.
  • Fixed an issue where clean uninstallation did not complete correctly after upgrading or when the system was in a bad configuration state.
  • Fixed an issue where leftover keychain data from a previous enrollment could prevent a new enrollment from succeeding. The old data is now detected and cleaned up automatically at the start of enrollment.
  • Fixed an issue where the TruU menu icon would start blinking and the app would enter a broken state after cancelling enrollment multiple times.
  • Fixed an issue where XPC calls between the Mac Authenticator and the background daemon timed out, causing enrollment and diagnostics to fail.
  • Fixed an issue where the SmartCard token could become unpaired after a PIN change, causing the lock screen to prompt for a password instead of a PIN. A stability-first debounce approach now prevents unnecessary restarts of system components.
  • Fixed an issue where Kerberos tickets were being re-issued with a new cache ID after expiry instead of being renewed within the same cache.
  • Fixed an issue where Kerberos was not generating any tickets on macOS Sequoia (macOS 15) in recent builds.
  • Fixed an issue where the OAuth token stopped refreshing after a few hours or when Kerberos tickets were being generated.
  • Fixed an issue where the certificate renewal status in the menu remained stuck on “Renewing certificate…” even after a failure. It now shows “Renewal failed. Tap to retry.”
  • Fixed an issue where the “Renew Certificate” option remained visible in the TruU menu after a certificate had already been renewed successfully.
  • Fixed an issue where the Mac Authenticator still showed a device as enrolled after the user was deleted from the Admin Console.
  • Fixed an issue where the “Enable Certificate PIN” window could become stuck during enrollment, requiring a machine restart to dismiss.
  • Fixed an issue where the Kerberos Status section in System Diagnostics showed duplicate and redundant error messages.
  • Fixed an issue where System Diagnostics showed Touch ID as “Enabled” even when the user had not enabled it within TruU.
  • Fixed an issue where the Diagnostics view showed OAuth token dates of “1 Jan 1970” when no user was enrolled.
  • Fixed an issue where Domain Status and JAMF Connect showed incorrect status indicators in the Diagnostics view.
  • Fixed an issue where the Report Issue feedback text area did not auto-focus on macOS 26.
  • Fixed an issue where the Smartcard Agent PIN dialog did not auto-focus, requiring the user to click the field manually before typing.
  • Fixed an issue where the USER_ENROLLMENT_END event was being triggered twice in the event log.
  • Fixed an issue where failed events were being retried too aggressively. Retry logic now backs off appropriately on network errors and retries at most once per hour when the server is unreachable.
  • Fixed an issue where the FQDN was not being persisted correctly due to a data type mismatch.
  • Fixed an issue where a “Failed PIN” event was incorrectly fired alongside a successful “Change PIN” event.
  • Fixed an issue where NitroSSO did not work after a fresh install and enrollment.
  • Fixed an issue where logging caused excessive disk writes. The legacy log persistence layer has been removed and log uploads from both the agent menu and the login screen now route through a single unified service.
  • Fixed an issue where macOS 26.1 beta caused a black screen at the login window after FileVault authentication.
  • Fixed an issue where pressing Cmd+Q could unexpectedly quit the Mac Authenticator. This keyboard shortcut is now ignored.
  • Fixed missing translations for “Touch ID” in Malay and Traditional Chinese.
  • Fixed an issue where SmartCard identity pairing could be lost after changing a PIN, causing an unexpected “TruU Token” pairing prompt to appear. Pairing is now correctly preserved across PIN changes.
  • Fixed a memory leak that caused the Mac Authenticator to consume excessive memory over time, destabilizing the system and requiring users to manually kill the process.
  • Fixed an issue where a user could successfully re-enroll on a device that had been unenrolled by an administrator, without a de-registration event appearing in the Admin Console.
  • Fixed an issue where the “Enable Certificate Trust” window did not appear for certain users after ADE enrollment, while working correctly for others.
  • Fixed an issue where SSO did not work after completing enrollment via the ADE flow.
  • Fixed an issue where the certificate trust flow would get stuck in a loop, continuing to display “Certificate trust not yet enabled” even after the user had completed the steps to enable it.
  • Fixed an issue where, when updating macOS 26.4, the Mac Authenticator was unable to access the user’s keychain and could not authenticate to the TruU cloud or when making requests for Kerberos tickets.