Configuring ZTNA for Google Chrome Local Network Access

Jamf Connect Documentation

Google Chrome 142 introduced a security feature called Local Network Access (LNA), which restricts how web pages can connect to local network addresses. Because Jamf Zero Trust Network Access (ZTNA) routes traffic through an IP address range that Chrome classifies as local, Chrome 142 and later might display a permission prompt or silently block connections to ZTNA-protected resources. Affected scenarios include SaaS applications loading content from ZTNA-covered hosts, web apps using iframes or WebSocket connections through the ZTNA tunnel, and browser-based login flows that time out without an error.

To avoid service disruption, deploy the LocalNetworkAccessIpAddressSpaceOverrides policy using Google Chrome 146 or later. This policy instructs Chrome to treat specific IP address ranges as public, preventing LNA prompts and connection failures. Use a Custom Settings payload in Jamf Pro to deploy this policy to managed Mac computers.

Requirements
  • Jamf Pro 11.0.0 or later

  • Managed Mac computers with Jamf Connect ZTNA

  • Google Chrome 146 or later

  • Jamf Security Cloud configuration profile scoped to the target devices

  1. In Jamf Pro, click Computers in the sidebar.
  2. Click Configuration Profiles in the sidebar.
  3. Click New.
  4. Enter a name for the profile in the General payload.
  5. From the payloads menu, click Application & Custom Settings > Upload.
  6. Click + Add.
  7. In the Preference Domain field, enter: com.google.Chrome
  8. In the Property List field, paste the following PLIST content:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
      "http://www.apple.com/DTDs/PropertyLists-1.0.dtd">
    <plist version="1.0">
      <dict>
        <key>LocalNetworkAccessIpAddressSpaceOverrides</key>
        <array>
          <string>[fd53:1c5a::]/32=public</string>
          <string>10.240.0.0/14=public</string>
          <string>240.0.0.0/14=public</string>
        </array>
      </dict>
    </plist>
  9. From the Scope tab, add the target computers or smart groups.
  10. Click Save.

Chrome applies the LocalNetworkAccessIpAddressSpaceOverrides policy to the specified IP address ranges. ZTNA-protected resources load without LNA prompts or connection failures.

To verify that Chrome applied the policy, navigate to chrome://policy in Google Chrome and confirm that the LocalNetworkAccessIpAddressSpaceOverrides policy is listed with Status: OK and that the value includes [fd53:1c5a::]/32=public.
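
Because every override exempts its range from LNA, it helps to lint the property list before pasting it into Jamf Pro. The following check is an added example, not Jamf or Google code; the function names and the rule that only the three ranges shown above and the `public` value are accepted are assumptions drawn from this page's profile.

```python
import ipaddress
import plistlib

POLICY_KEY = "LocalNetworkAccessIpAddressSpaceOverrides"
# The three overrides from the profile on this page.
EXPECTED = ("[fd53:1c5a::]/32=public", "10.240.0.0/14=public", "240.0.0.0/14=public")

def parse_override(entry):
    """Split 'CIDR=space' into (ip_network, space); raise ValueError if malformed."""
    if not isinstance(entry, str):
        raise ValueError("entry is not a string")
    cidr, sep, space = entry.partition("=")
    if not sep:
        raise ValueError("missing '=<address space>' suffix")
    # IPv6 prefixes are bracketed in the profile: [addr]/len
    bare = cidr.replace("[", "").replace("]", "")
    # strict=True rejects prefixes with host bits set, e.g. 10.240.0.1/14
    return ipaddress.ip_network(bare, strict=True), space

def lint_profile(plist_bytes):
    """Return a list of problems found in a com.google.Chrome payload."""
    entries = plistlib.loads(plist_bytes).get(POLICY_KEY)
    if not isinstance(entries, list):
        return [f"{POLICY_KEY} is missing or not an array"]
    expected = {parse_override(e)[0] for e in EXPECTED}
    problems, seen = [], set()
    for entry in entries:
        try:
            net, space = parse_override(entry)
        except ValueError as exc:
            problems.append(f"{entry!r}: {exc}")
            continue
        if space != "public":
            problems.append(f"{entry!r}: this profile expects '=public'")
        if net not in expected:
            problems.append(f"{entry!r}: not one of the page's ranges; it would also be exempt from LNA")
        seen.add(net)
    problems += [f"missing override for {n}" for n in sorted(expected - seen, key=str)]
    return problems

if __name__ == "__main__":
    # Constructed payload: one range widened to 10.0.0.0/8, one entry without '=public'.
    draft = plistlib.dumps({POLICY_KEY: ["[fd53:1c5a::]/32=public",
                                         "10.0.0.0/8=public", "240.0.0.0/14"]})
    for problem in lint_profile(draft):
        print("WARN", problem)
```

An empty result means the payload contains exactly the three overrides from the procedure; any warning should be resolved before the profile is scoped to devices.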