Releases: zentralopensource/zentral
v2025.10
What's new?
Managed DDM asset for ACME & SCEP certificates
A new MDM artifact type is available: Certificate Asset. With this artifact, Zentral can manage the DDM declarations and credentials required to distribute a device or user certificate via DDM. It leverages the ACME and SCEP issuers, with their different integration backends (SCEP static challenge, Microsoft & Okta dynamic SCEP challenge, …). This can be used in every DDM configuration that references a com.apple.asset.credential.acme or com.apple.asset.credential.scep asset. You can for example combine this artifact with a Configuration artifact to put a com.apple.configuration.security.identity on the devices.
Our official Terraform provider has been updated to support this new artifact type. You can find in the docs a configuration example for an Okta device certificate, with dynamic SCEP challenges and device & user information variables.
Dynamic auto admin passwords
Before this release, Zentral could only set a global password for the automatically created admin accounts during ADE. With this release, a password is automatically generated for each device. It is encrypted and stored in the device record. An API endpoint is available to retrieve this password. An audit event is generated every time the password is decrypted in the GUI or the API, with the usual Zentral event metadata (user agent, service account or user, IP, time, …). An MDM command can also be automatically scheduled with a configurable delay to set a new password.
Other notable changes
Enrolled device & user records now keep track of the last IP used by the MDM daemon & agent. The last IP is included in the API responses. The MDM managed users have also been added to the enrolled device responses.
The ADE skip keys and DDM declaration definitions have been updated with the latest release of the apple/device-management repository.
Bug fixes, upgrade
Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.
v2025.9
MDM ACME certificates
ACME for MDM with SCEP fallback
The MDM device certificate issuance was completely refactored for this release. MDM enrollments now support not only SCEP issuers, but also ACME issuers. If an enrollment has both of them configured, Zentral will pick ACME for compatible devices, with a hardware bound key (iOS, T2, and Apple Silicon devices), and an attestation (iOS and Apple Silicon devices). For this to work, you need a compatible CA, like the one included in our SaaS product Zentral Cloud, where devices can get a hardware bound MDM ACME identity with the attestation Serial Number and UDID info attached to the certificate. Modules can be easily added to support other CAs.
One time challenges, with extra checks
In our cloud, Zentral also sends the expected CSR information to the CA. It gets a one time challenge in return that is used as ClientIdentifier in the ACME payload or Challenge in the SCEP payload. The CA can then verify the device request and reject it if it contains unexpected information.
The certificate issuers are modular in Zentral. We support one time challenges for Zentral Cloud, Microsoft NDES and the Okta Device Attestation. If you need Zentral to support a different product, or if you are a CA vendor with a different workflow, do not hesitate to contact us!
Other changes
- API endpoint to send custom MDM commands to a device
- Tag filters for the MDM enrolled devices API endpoint
- Osquery configuration packs "excluded tags" for better scoping
- Santa "is voting rule" filter in the rule list views
Bug fixes, upgrade
Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.
v2025.8.1
v2025.8
Why releases, what changed?
We have decided to bring much needed visibility to the development of Zentral. The recommendation so far has been to always deploy the main branch (= stable branch) and to read the CHANGELOG.md file to find out about the new features and the breaking changes. That has led us to the current state of things where our customers see that they are running v2022.2-944-ged013fc5 which is 944 😅 commits after release v2022.2…
We are changing this today. We will release more often, and summarize the changes in the release notes published on GitHub (we will keep the more detailed list of changes in the CHANGELOG.md file). We will keep the same format YYYY.MM. In case a bug is found and a fix has to be released quickly, we will use patch releases YYYY.MM.P. For example, 2025.8.1 would be a patch release for 2025.8. The recommendation for running Zentral stays about the same: always use the latest tagged version (latest patch release or if no patch release is available, latest minor release).
Summary of the changes since … v2022.2
There is a good reason to tag releases more often: It will be easier to write about the new features, fixes and breaking changes. Obviously, a lot has happened since v2022.2. About 950 commits! Here is our attempt at summarizing the main changes. For future releases, we will be able to go into more detail. Remember that the reference is the CHANGELOG.md file.
MDM
The MDM has seen a lot of development since 2022. DDM is fully supported. Some functionalities like rolling software updates can be automatically managed by Zentral. You can also send custom payloads, which make it easy to test the new Apple MDM features.
Santa
2024 saw the release of our voting system that enables end-users to request exceptions when running in allowlist mode. We have also improved the admin console workflows. Administrators can use usage aggregates to easily build their allowlists.
We will continue our efforts (10 years in November) to support all the Santa features that can be supported by third party sync servers. Last month, we released the support for the new and really powerful CEL rules for example.
Munki
Munki is a very important part of our vision for a macOS client. Zentral can leverage it to run script based compliance checks. You can now import an mSCP benchmark via Terraform and see the metrics in Prometheus!
We have also improved the distribution of packages and client resources with the support of multiple Munki repositories that can be configured via API.
Core
Zentral is an event driven solution. We are consolidating all the events generated when a piece of configuration is changed with the Audit Events.
The probes and their associated actions can be configured via API too. That enables our SaaS customers to filter their events and trigger webhooks or Slack notifications.
The event stores can also be configured via API. SaaS customers can now also ship their Santa events to their Splunk instances.
IdP integration plays an important role for device management. We have updated our integrations to support SCIM for real-time synchronization of group memberships.
GitOps
All of the above is configurable via our official Terraform provider. The first release was in July 2022. We have since added a lot of resources and the APIs to support them. Most of the day-to-day tasks are covered. You can use it to distribute MDM configuration profiles, Munki apps, update Santa rules, Osquery packs. You can also rotate your Splunk token, start a new event shipper, … all from your config-as-code repository and CI/CD system.
Breaking Changes
Please refer to the CHANGELOG.md file for a detailed list of the breaking changes. If you have a custom deployment of Zentral, please make sure to migrate to Redis or Valkey for the cache. Memcached is not supported anymore. The other breaking changes are the migration of the probes, actions and stores from the base.json configuration file into the database, with APIs for their management. You need to plan carefully for this upgrade. Please contact us on the macadmins Slack channel, and we will help you migrate without loss of functionality.
v2022.2 - New License
🎤 Announcement
This is the first release of Zentral under the new licensing scheme. After nearly 7 years, we have decided to concentrate our business on Zentral as a product. Most of the code stays under the Apache license but some modules, like the SAML authentication or the Splunk event store are licensed under a new source available license and require a subscription when used in production.
Do not hesitate to contact us if you need more information!
🥁 Some highlights
- GitHub workflow to build and push three flavours of the Docker container to Docker Hub.
- Sumo Logic event store module.
- Extra API endpoints for the new verified Terraform provider.
- Automated MDM payload renewals.
- Flexible SCEP configuration for the MDM payloads.
- Separated OpenSearch and Elasticsearch store modules for higher compatibility.
- Upgrade to python3.10 bullseye docker base images.
See the CHANGELOG for more details and breaking changes.
v2022.1
🥁 Long overdue new release
It is time to cut a release, after so many new features have been implemented. Here are some of the highlights:
- Osquery and inventory based compliance checks, with Prometheus metrics
- Munki / Monolith metrics and sharding for package installs
- Santa team ID rules
- Event routing keys for the event stores
- Secrets engines to encrypt secrets in PostgreSQL
See the CHANGELOG for a more complete list.
🎤 Announcement
This is probably the last fully open source release of Zentral (if no patch release is necessary). After nearly 7 years, we have decided to concentrate our business on Zentral as a product. To support this new orientation, we are going to change the license scheme in the coming weeks. Most of the code is going to stay under the Apache license, but some modules, like the SAML authentication, or the Splunk event store are going to be licensed under a new source available license, and will require a subscription when used in production. Do not hesitate to contact us if you need more information!
v2021.1
🚀 Santa module overhaul
The Santa module has been completely overhauled.
Breaking changes
Rules are not managed in the Probes anymore. They are managed under each Configuration in the Santa Setup.
If you upgrade from a previous Zentral release, please, make a backup! The existing rules in the Santa probes will be automatically migrated to each existing Zentral Santa Configuration. You need to carefully review them afterwards.
You can read more about it in the updated documentation.
v0.8.0-beta.0
🚀 Santa module overhaul
The Santa module has been completely overhauled.
Breaking changes
Rules are not managed in the Probes anymore. They are managed under each Configuration in the Santa Setup.
If you upgrade from a previous Zentral release, please, make a backup! The existing rules in the Santa probes will be automatically migrated to each existing Zentral Santa Configuration. You need to carefully review them afterwards.
You can read more about it in the updated documentation – Sorry, still a work in progress.
Main new features:
- Implementation of the Bundle info/events part of the Santa sync
- ALLOWLIST_COMPILER rules
- API endpoint to apply sets of rules to one or many Santa configurations
- API endpoint to ingest the santactl fileinfo JSON output to populate the sha256 and apps in Zentral
v0.7.0-beta.0
Main things
- Realms for SSO (LDAP / OpenID Connect / SAML)
- MDM / DEP authentication using the realms, and auto user setup
Smaller thing
- Santa EnableBadSignatureProtection
Fixes
- Santa enrollment packages
v0.6.0-beta.1
Small things
- Link from incident to Kibana linked events
- Better enrollment package download buttons
Fixes
- Timestamp in Azure Log Analytics
- probe payload filters
- osquery release choices