Releases: zentralopensource/zentral

v2026.2

25 Feb 13:25
@np5 np5
4ca1e31

What's new?

OIDC API token issuer

It is now possible to exchange an OIDC ID token for a short-lived Zentral API token. This can be used to authenticate from GitHub workflows or GitLab pipelines for example. No need to store (and rotate) a Zentral API token in your repository configuration anymore. Just add an OIDC API token issuer to the Zentral service account.

HTTP action CEL transformation

We have added an optional CEL transformation to our HTTP event action (webhook). The event data can now be transformed (filtered, pruned, reshaped, …) before being posted to an API endpoint. This should remove the need for a custom AWS Lambda or GCP Cloud Function in most cases.

Device Lock PIN

The latest MDM device lock PIN is now encrypted and stored in the device record. It is automatically cleared once the device contacts the MDM after being unlocked. There is a special permission that is required to reveal the PIN. An event is generated each time the PIN is revealed, with metadata about the user or service account that authenticated to reveal the PIN.

Other notable changes

The copy-to-clipboard functionality for secrets (FileVault PRK, Recovery Lock, …) has been reworked and standardized.

The MDM can now distribute provisioning profiles. The provisioning profile artifacts have also been added to our official Terraform Provider for Zentral.

The machine tag name length limit has been removed.

The API for enrolled devices has been updated. The email or short name of the principal MDM device user can now be used to filter the results. Each enrolled device object in the responses also includes realm user information if the last enrollment session was authenticated.

Bug fixes, upgrade

The missing Windows 11 versions have been added to the inventory.

The MDM API endpoints for the artifacts are paginated now. You need to update your integrations and use the latest version of the Terraform provider.

The legacy inventory clients for Filewave, Sal & Watchman have been removed.

Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.

v2026.1

26 Jan 12:42
@np5 np5
c5e7ce5

What's new?

API tokens

The Zentral API tokens have a new format. They have a fixed prefix: ztlu_ for the user tokens or ztls_ for the service account tokens. They also have a checksum. This makes them easier to detect in a CI/CD pipeline. This is based on the work that GitHub has done with their own tokens.

The older tokens are still valid. We will support them until v2026.5.

We have also added an optional name and expiry to the tokens. You can now create short-lived tokens that are easy to identify in the admin console. In our SaaS, expired tokens are pruned after two weeks.
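A fixed prefix is what makes these tokens findable by a secret scanner. The sketch below is an added example, not code from the Zentral project: it scans CI configuration or log text for the two prefixes and reports redacted findings. The token body alphabet and minimum length are assumptions (the release notes do not specify them), and the checksum is not verified because its algorithm is not described here.

```python
import re
from typing import List, NamedTuple

# Prefixes come from the release notes. The body alphabet and the minimum
# length are ASSUMPTIONS made for this example.
PREFIX_KIND = {"ztlu_": "user", "ztls_": "service_account"}
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])(ztl[us]_)([A-Za-z0-9]{20,})")


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str       # "user" or "service_account"
    redacted: str   # safe to print in a CI log


def redact(match: re.Match) -> str:
    """Keep the prefix and four body characters so the token can be located
    in the admin console without leaking the secret."""
    prefix, body = match.group(1), match.group(2)
    return f"{prefix}{body[:4]}***"


def scan_text(path: str, text: str) -> List[Finding]:
    """Return one finding per prefixed token candidate, with line numbers.
    Legacy tokens have no prefix and are not detected by this check."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            findings.append(
                Finding(path, line_no, PREFIX_KIND[m.group(1)], redact(m))
            )
    return findings


def mask_text(text: str) -> str:
    """Replace every token candidate with its redacted form."""
    return TOKEN_RE.sub(redact, text)


# Constructed sample input; the token values are made up.
SAMPLE = """\
steps:
  - run: terraform apply
    env:
      ZTL_API_TOKEN: ztls_0123456789abcdefABCDEF0123456789
  - run: echo "too short to be a token: ztlu_abc"
  - run: export TOKEN=ztlu_ZYXWVUTSRQPONMLKJIHG987654
"""

if __name__ == "__main__":
    for f in scan_text("ci.yml", SAMPLE):
        print(f"{f.path}:{f.line_no}: {f.kind} token {f.redacted}")
```

Run as a pre-commit hook or CI step, a non-empty result from `scan_text` should fail the job and trigger revocation of the reported token.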

S3 Parquet event store

Zentral can now ship the events to an S3 bucket in Parquet files. This is a standard system that makes it easy to integrate Zentral with other enterprise solutions like Snowflake, AWS Glue, … This is available to all deployments, SaaS or not.

MDM API / Terraform

We have added the required API endpoints to manage even more MDM resources. You can now configure the ADE/DEP deployments and their custom web views with the official Zentral Terraform provider.

Google Workspace authentication

We have added the direct service account authentication to our Google Workspace module. Customers with GCP deployments can use this to authenticate for the groups to tags sync. SaaS or on-prem users can still use the 3-way OAuth authentication.

Other notable changes

The ABM/ASM device sync has been updated to better track devices that are moved between MDM servers.

We are continuing our work on the Audit Events. Audit Events are emitted when a resource is created, updated or deleted in Zentral. They contain information about the logged in user, the timestamp, the user agent and a summary of the changes.

Bug fixes, upgrade

Better ABM/ASM sync when using multiple MDM servers in ABM/ASM for complex workflows, with locks to avoid concurrent updates in bigger deployments.

The mass-tagging API SET operation errors have been fixed.

Configuration Profiles reported without PayloadUUID can now be saved in the inventory.

MDM artifact detail pages are much faster now, especially when they have multiple versions distributed to >10000 devices.

Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.

v2025.12

11 Dec 16:13
@np5 np5
6c89b42

What's new?

Native Google Workspace integration

This is the first release of our Google Workspace integration. You can now automatically tag devices in Zentral based on Google Workspace group memberships - without the need for a 3rd party sync service.

For example, you can map the hr@acme.org group to the departement:hr tag in Zentral. These tags can be used across all of our modules (Munki, MDM, Osquery, Santa) to scope configuration items like Configuration Profiles, Apps, Osquery compliance checks, Santa rules…

We have also updated our official Terraform provider to support those group → tags mappings, so that you can also integrate them alongside your MDM, Munki, Osquery & Santa resources in your GitOps CI/CD pipeline.

We have more plans for this module and will start work on inventory collection for Chromebook devices now.

ClickHouse as main event store (beta)

We have improved the ClickHouse event store to bring it on par with the OpenSearch / Elasticsearch integration. ClickHouse is a powerful analytical database and allows us to pre-aggregate resource-hungry queries. We can display useful stats directly in the Zentral UI, without having to redirect the users to a 3rd party system.

We will be migrating our SaaS tenants from OpenSearch to ClickHouse shortly.

Other notable changes

We are continuing our work on the Audit Events. Audit Events are emitted when a resource is created, updated or deleted in Zentral. They contain information about the logged in user, the timestamp, the user agent and a summary of the changes. Audit Event coverage of the Munki/Monolith modules is now greatly increased, with extra Audit Events for the Manifests, Sub-Manifests, and Sub-Manifest PkgInfo.

The FileVault encryption status is now integrated in our unified inventory model and inventory exports. No need to create a custom compliance check anymore.

Finally, we have upgraded the project to the 5.2 LTS release of the Django framework.

Bug fixes, upgrade

The APNS database queries to determine which device or user to notify next have been optimized.

Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.

v2025.11

11 Nov 14:10
@np5 np5
d571aa1

What's new?

Major rework of the store apps installation

New API endpoints for the Apps & Books location assets and for the Store App MDM artifacts are available. The Store App artifacts can now be managed with the official Zentral Terraform Provider.

Better on-the-fly and on-demand license assignments for the store apps.

License assignments for com.apple.configuration.app.managed DDM configurations are now also managed by Zentral.

Support for DigiCert - Trust Lifecycle Manager

DigiCert - Trust Lifecycle Manager can now be used as SCEP issuer in Zentral. Zentral will automatically manage the seats and enrollment codes (the enrollment codes are used as one-time SCEP challenges). The configuration of the SCEP issuer is manageable with the Terraform provider.

Other notable changes

The network interfaces are included in the full inventory exports.

The distribution of the configuration profiles via DDM is available as a blueprint option.

Audit trail events are generated for User & API Token operations.

The result time for the Osquery inventory query is preserved as last seen information in the inventory.

New contributors

We would like to welcome two new contributors: @daniel-zentral & @Sefux. Thanks for your help with this release!

Bug fixes, upgrade

The 500 errors for the API are now returned as JSON.

Zentral was returning a 204 HTTP status code for the DDM status channel updates. The MDM daemon expects a 200 response. This has been fixed, and more status channel updates are collected now.

Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.

v2025.10

02 Oct 08:53
@np5 np5
5726dc2

What's new?

Managed DDM asset for ACME & SCEP certificates

A new MDM artifact type is available: Certificate Asset. With this artifact, Zentral can manage the DDM declarations and credentials required to distribute a device or user certificate via DDM. It leverages the ACME and SCEP issuers, with their different integration backends (SCEP static challenge, Microsoft & Okta dynamic SCEP challenge, …). This can be used in every DDM configuration that references a com.apple.asset.credential.acme or com.apple.asset.credential.scep asset. You can for example combine this artifact with a Configuration artifact to put a com.apple.configuration.security.identity on the devices.

Our official Terraform provider has been updated to support this new artifact type. You can find in the docs a configuration example for an Okta device certificate, with dynamic SCEP challenges and device & user information variables.

Dynamic auto admin passwords

Before this release, Zentral could only set a global password for the automatically created admin accounts during ADE. With this release, a password is automatically generated for each device. It is encrypted and stored in the device record. An API endpoint is available to retrieve this password. An audit event is generated every time the password is decrypted in the GUI or the API, with the usual Zentral event metadata (user agent, service account or user, IP, time, …). An MDM command can also be automatically scheduled with a configurable delay to set a new password.

Other notable changes

Enrolled device & user records now keep track of the last IP used by the MDM daemon & agent. The last IP is included in the API responses. The MDM managed users have also been added to the enrolled device responses.

The ADE skip keys and DDM declaration definitions have been updated with the latest release of the apple/device-management repository.

Bug fixes, upgrade

Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.

v2025.9

12 Sep 13:40
@np5 np5
f809677

MDM ACME certificates

ACME for MDM with SCEP fallback

The MDM device certificate issuance was completely refactored for this release. MDM enrollments now support not only SCEP issuers, but also ACME issuers. If an enrollment has both of them configured, Zentral will pick ACME for compatible devices, with a hardware bound key (iOS, T2, and Apple Silicon devices), and an attestation (iOS and Apple Silicon devices). For this to work, you need a compatible CA, like the one included in our SaaS product Zentral Cloud, where devices can get a hardware bound MDM ACME identity with the attestation Serial Number and UDID info attached to the certificate. Modules can be easily added to support other CAs.

One time challenges, with extra checks

In our cloud, Zentral also sends the expected CSR information to the CA. It gets a one-time challenge in return that is used as ClientIdentifier in the ACME payload or Challenge in the SCEP payload. The CA can then verify the device request and reject it if it contains unexpected information.

The certificate issuers are modular in Zentral. We support one time challenges for Zentral Cloud, Microsoft NDES and the Okta Device Attestation. If you need Zentral to support a different product, or if you are a CA vendor with a different workflow, do not hesitate to contact us!

Other changes

  • API endpoint to send custom MDM commands to a device
  • Tag filters for the MDM enrolled devices API endpoint
  • Osquery configuration packs "excluded tags" for better scoping
  • Santa "is voting rule" filter in the rule list views

Bug fixes, upgrade

Before you upgrade, do not forget to read the CHANGELOG and verify the backward incompatibilities. If you encounter any problem during the upgrade, contact us via email or in the #Zentral macadmins Slack channel.

v2025.8.1

12 Aug 12:26
@np5 np5
082ae9c

This is a patch release to address a performance issue with the MDM blueprint detail view.

v2025.8

05 Aug 10:00
@np5 np5
68edf93

Why releases, what changed?

We have decided to bring much needed visibility to the development of Zentral. The recommendation so far has been to always deploy the main branch (= stable branch) and to read the CHANGELOG.md file to find out about the new features and the breaking changes. That has led us to the current state of things where our customers see that they are running v2022.2-944-ged013fc5 which is 944 😅 commits after release v2022.2…

We are changing this today. We will release more often, and summarize the changes in the release notes published on GitHub (we will keep the more detailed list of changes in the CHANGELOG.md file). We will keep the same format YYYY.MM. In case a bug is found and a fix has to be released quickly, we will use patch releases YYYY.MM.P. For example, 2025.8.1 would be a patch release for 2025.8. The recommendation for running Zentral stays about the same: always use the latest tagged version (latest patch release or if no patch release is available, latest minor release).

Summary of the changes since … v2022.2

There is a good reason to tag releases more often: It will be easier to write about the new features, fixes and breaking changes. Obviously, a lot has happened since v2022.2. About 950 commits! Here is our attempt at summarizing the main changes. For future releases, we will be able to go into more detail. Remember that the reference is the CHANGELOG.md file.

MDM

The MDM has seen a lot of development since 2022. DDM is fully supported. Some functionalities like rolling software updates can be automatically managed by Zentral. You can also send custom payloads, which make it easy to test the new Apple MDM features.

Santa

2024 saw the release of our voting system that enables end-users to request exceptions when running in allowlist mode. We have also improved the admin console workflows. Administrators can use usage aggregates to easily build their allowlists.
We will continue our efforts (10 years in November) to support all the Santa features that can be supported by third party sync servers. Last month, we released the support for the new and really powerful CEL rules for example.

Munki

Munki is a very important part of our vision for a macOS client. Zentral can leverage it to run script based compliance checks. You can now import an mSCP benchmark via Terraform and see the metrics in Prometheus!
We have also improved the distribution of packages and client resources with the support of multiple Munki repositories that can be configured via API.

Core

Zentral is an event driven solution. We are consolidating all the events generated when a piece of configuration is changed with the Audit Events.
The probes and their associated actions can be configured via API too. That enables our SaaS customers to filter their events and trigger webhooks or Slack notifications.
The event stores can also be configured via API. SaaS customers can now also ship their Santa events to their Splunk instances.
IdP integration plays an important role for device management. We have updated our integrations to support SCIM for real-time synchronization of group memberships.

GitOps

All of the above is configurable via our official Terraform provider. The first release was in July 2022. We have since added a lot of resources and the APIs to support them. Most of the day-to-day tasks are covered. You can use it to distribute MDM configuration profiles, Munki apps, update Santa rules, Osquery packs. You can also rotate your Splunk token, start a new event shipper, … all from your config-as-code repository and CI/CD system.

Breaking Changes

Please refer to the CHANGELOG.md file for a detailed list of the breaking changes. If you have a custom deployment of Zentral, please make sure to migrate to Redis or Valkey for the cache. Memcached is not supported anymore. The other breaking changes are the migration of the probes, actions and stores from the base.json configuration file into the database, with APIs for their management. You need to plan carefully for this upgrade. Please contact us on the macadmins Slack channel, and we will help you migrate without loss of functionality.

v2022.2 - New License

13 Aug 09:17
@np5 np5
0080767

🎤 Announcement

This is the first release of Zentral under the new licensing scheme. After nearly 7 years, we have decided to concentrate our business on Zentral as a product. Most of the code stays under the Apache license, but some modules, like the SAML authentication or the Splunk event store, are licensed under a new source available license and require a subscription when used in production.

Do not hesitate to contact us if you need more information!

🥁 Some highlights

  • GitHub workflow to build and push three flavours of the Docker container to Docker Hub.
  • Sumo Logic event store module.
  • Extra API endpoints for the new verified terraform provider.
  • Automated MDM payload renewals.
  • Flexible SCEP configuration for the MDM payloads.
  • Separated OpenSearch and Elasticsearch store modules for higher compatibility.
  • Upgrade to python3.10 bullseye docker base images.

See the CHANGELOG for more details and breaking changes.

v2022.1

16 May 14:46
@np5 np5
1b98a58

🥁 Long overdue new release

It is time to cut a release, after so many new features have been implemented. Here are some of the highlights:

  • Osquery and inventory based compliance checks, with Prometheus metrics
  • Munki / Monolith metrics and sharding for package installs
  • Santa team ID rules
  • Event routing keys for the event stores
  • Secrets engines to encrypt secrets in PostgreSQL

See the CHANGELOG for a more complete list.

🎤 Announcement

This is probably the last fully open source release of Zentral (if no patch release is necessary). After nearly 7 years, we have decided to concentrate our business on Zentral as a product. To support this new orientation, we are going to change the license scheme in the coming weeks. Most of the code is going to stay under the Apache license, but some modules, like the SAML authentication or the Splunk event store, are going to be licensed under a new source available license, and will require a subscription when used in production. Do not hesitate to contact us if you need more information!