When a device is unable to route traffic via Jamf Connect's Zero Trust Network Access secure tunnel for any reason, Jamf recommends that you allow the device to "fail open". This allows the device to continue to operate and keeps the user productive, albeit without security protections or policies for general internet traffic.
The tunnel may fail to work properly for many reasons, including restrictive firewalls or networks, or temporary service interruptions.
You may configure the device's networking to "fail close", which requires the device to always route traffic via Zero Trust Network Access. If the Jamf Security Cloud proxy cannot be reached, app and browser connections will be forced to fail.