- Create an Activation Profile that activates the Network access service capability.
Note: Per-App VPN mode inherently disables the device-wide Content controls and Network security capabilities. If you still need these services, you must deploy a second device-wide traffic vectoring profile. Contact Jamf Support for assistance.
- Configure Identity-based Provisioning or download the iOS/iPadOS App Configuration from the Managed Deployment section of the newly created Activation Profile.
- Deploy the Jamf Trust app (and managed app configuration as required) to target devices.
Best Practice: Jamf recommends that you deploy Jamf Trust via Apple's volume purchasing and deploy the enterprise single sign-on profile, where supported.
- The Per-App VPN profile is automatically detected and "adopted" during the device activation process.
Note: The user is not required to enter their PIN code to install the VPN during this process. The VPN has already been pre-authorized via the UEM solution.
- Upon successful activation, verify that the Per-App VPN in still exists and contains an updated server address (replacing open.wandera.app).
- Open an app that has been authorized to use the Per-App VPN—or open Safari and connect to a specified Safari Domain—and observe that the VPN icon shows briefly and the connection succeeds.
Zero Trust Network Access is configured and deployed on your devices in Per-App VPN mode. Users will notice the VPN icon appear in their device's status bar when they request a resource that uses the Per-App VPN. Otherwise, the VPN icon will not appear.
The Zero Trust Network Access VPN will now be limited to just the defined applications and Safari domains, as configured in your UEM solution.
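The verification step above (the server address no longer being open.wandera.app, and the VPN being scoped to the intended Safari domains) can also be checked offline against an exported profile. The following is an added example, not Jamf's code: it assumes the profile is available as an unsigned plist, and the sample profile, gateway hostname and domain in it are constructed.

```python
import plistlib

PLACEHOLDER_HOST = "open.wandera.app"             # pre-activation address named on this page
APPLAYER_TYPE = "com.apple.vpn.managed.applayer"  # Apple's Per-App VPN payload type

def audit_per_app_vpn(profile_bytes):
    """Return one finding dict per Per-App VPN payload in a configuration profile."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != APPLAYER_TYPE:
            continue  # ignore Wi-Fi, certificate and other payload types
        # RemoteAddress sits in the "VPN" dict for plug-in VPN types, "IKEv2" for IKEv2.
        server = ""
        for section in ("VPN", "IKEv2"):
            server = payload.get(section, {}).get("RemoteAddress", "") or server
        host = server.strip().lower().rstrip(".")
        findings.append({
            "name": payload.get("UserDefinedName", "<unnamed>"),
            "server": server,
            # Activated means a server is set and it is not the placeholder host.
            "activated": bool(host) and host != PLACEHOLDER_HOST,
            "safari_domains": list(payload.get("SafariDomains", [])),
        })
    return findings

def sample_profile(server):
    """Build a constructed profile for demonstration; all values are made up."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example"},
            {"PayloadType": APPLAYER_TYPE,
             "UserDefinedName": "ZTNA Per-App VPN",
             "VPNUUID": "00000000-0000-0000-0000-000000000000",
             "VPN": {"RemoteAddress": server},
             "SafariDomains": ["intranet.example.com"]},
        ],
    })

if __name__ == "__main__":
    for server in (PLACEHOLDER_HOST, "gateway.example.net"):
        for f in audit_per_app_vpn(sample_profile(server)):
            state = "activated" if f["activated"] else "NOT activated"
            print(f'{f["name"]}: server={f["server"]!r} -> {state}; '
                  f'Safari domains={f["safari_domains"]}')
```

A signed profile is CMS-wrapped and must be unwrapped before `plistlib` can read it.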