Configuring Jamf Connect's Zero Trust Network Access capabilities via Per-App VPN allows you to manage network traffic at the app level rather than the device level. Common use cases include:
You are migrating from another VPN where Per-App VPN was the standard and desired behavior.
You only want specific apps to use the VPN, to separate work data from personal data for security purposes.
You do not want a device-wide VPN for privacy or transparency reasons (for example, on BYOD devices or in privacy-centric organizations).
You do not use Jamf Protect's content filtering or endpoint and network protection capabilities, and only intend to enable zero trust access on managed devices.
When Zero Trust Network Access is deployed, keep the following in mind:
Per-App VPN is only available on managed iOS, iPadOS, and macOS devices.
Only the source applications and Safari domains you specify are subject to Jamf Protect's services. Any device-wide capability, such as endpoint and network protection or internet content filtering and usage controls, requires a separate configuration on the device, for example a Global HTTP Proxy or DNS profile.
All traffic from a specified source application routes from the device to Jamf Security Cloud through a Zero Trust Network Access micro-tunnel. You must define access policies for every destination (hostname) each app uses. Unclassified traffic, that is, traffic not attributed to any access policy, is dropped for security reasons. Because the tunnel captures everything the app sends, this includes destinations that are easy to overlook, such as identity providers, CDNs, and telemetry endpoints; if those are not covered by an access policy, the app fails in ways that look like a network outage.
Whenever an administrator changes the Per-App VPN configuration, the user must open the Jamf Trust app for the new configuration to take effect.
Jamf Security Cloud WireGuard VPN supports Apple's Per-App VPN secure networking mode.
On Apple platforms, Per-App VPN requires that the MDM server configure and manage the apps and Safari domains that are to use the Jamf Security Cloud VPN.
This is done by deploying a Per-App VPN configuration profile from your organization's MDM server to target devices. This profile contains:
Information targeting the Jamf Trust app as the provider of the Per-App VPN connection
A mapping of the apps (by their UEM server-issued identifiers), if any, that are to use the Per-App VPN
A list of Safari domains, if any, that are to use the Per-App VPN
How this profile is created and managed differs between UEM vendors' admin consoles, but the resulting configuration profile that drives Per-App VPN behavior is the same.
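The following is an added example, not Jamf's or Apple's code, that builds the Per-App VPN profile described above with Python's standard plistlib and checks the one thing that most often goes wrong: the VPNUUID in the VPN payload must match the VPNUUID attribute on each managed-app install command, or the app never routes through the tunnel. The Apple payload keys (com.apple.vpn.managed, ProviderType, VPNUUID, OnDemandMatchAppEnabled, SafariDomains, InstallApplication Attributes.VPNUUID) are public MDM schema keys; the provider bundle identifier, hostnames, org prefix and app identifiers are placeholder assumptions, so take the real values from your UEM console.

```python
"""Build and sanity-check a Per-App VPN configuration profile plus the
managed-app install commands that map apps onto it. Added example; all
identifiers and hostnames below are constructed placeholders."""
import plistlib
import uuid

PROVIDER_BUNDLE_ID = "com.jamf.trust"   # assumption: confirm Jamf Trust's bundle ID in your UEM
ORG_PREFIX = "com.example.mdm"          # constructed identifier prefix
VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def build_per_app_vpn_profile(vpn_uuid: str, safari_domains: list[str],
                              remote_address: str = "ztna.example.com") -> dict:
    """Top-level profile dict with one VPN payload configured for Per-App mode."""
    vpn_payload = {
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.vpn.{vpn_uuid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Per-App VPN (Jamf Trust)",
        "UserDefinedName": "Jamf Trust Per-App VPN",
        # A third-party packet-tunnel provider app, not the built-in IKEv2/IPsec client.
        "VPNType": "VPN",
        "VPNSubType": PROVIDER_BUNDLE_ID,
        "ProviderType": "packet-tunnel",
        "ProviderBundleIdentifier": PROVIDER_BUNDLE_ID,
        # VPNUUID is the link: apps installed with the same VPNUUID route through this VPN.
        "VPNUUID": vpn_uuid,
        # Per-App mode: the tunnel starts automatically, and only for mapped apps/domains.
        "OnDemandMatchAppEnabled": True,
        "SafariDomains": list(safari_domains),
        "VPN": {
            "RemoteAddress": remote_address,
            # Required by the payload schema; the provider app performs its own auth.
            "AuthenticationMethod": "Password",
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Per-App VPN",
        "PayloadContent": [vpn_payload],
    }


def install_application_command(bundle_id: str, vpn_uuid: str) -> dict:
    """Managed-app install command; Attributes.VPNUUID is the UEM-issued mapping."""
    return {
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "InstallApplication",
            "Identifier": bundle_id,
            "ManagementFlags": 1,          # remove the app when the MDM profile is removed
            "Attributes": {"VPNUUID": vpn_uuid},
        },
    }


def check_per_app_vpn(profile: dict, install_commands: list[dict]) -> list[str]:
    """Return consistency problems; an empty list means apps, domains and
    the VPN payload together describe a working Per-App VPN setup."""
    problems = []
    vpn_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if len(vpn_payloads) != 1:
        return [f"expected exactly one VPN payload, found {len(vpn_payloads)}"]
    p = vpn_payloads[0]
    if p.get("ProviderType") != "packet-tunnel":
        problems.append("ProviderType must be packet-tunnel for an app-provided tunnel")
    if not p.get("OnDemandMatchAppEnabled"):
        problems.append("OnDemandMatchAppEnabled is false: mapped apps will not start the tunnel")
    vpn_uuid = p.get("VPNUUID")
    if not vpn_uuid:
        problems.append("VPNUUID missing: no app can be mapped to this VPN")
    mapped = 0
    for c in install_commands:
        if c["Command"].get("Attributes", {}).get("VPNUUID") == vpn_uuid:
            mapped += 1
        else:
            problems.append(f"{c['Command']['Identifier']}: VPNUUID does not match the VPN payload")
    if mapped == 0 and not p.get("SafariDomains"):
        problems.append("nothing mapped: no managed apps and no Safari domains use this VPN")
    return problems


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize to the XML plist a UEM pushes to the device."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def from_mobileconfig(data: bytes) -> dict:
    """Parse a .mobileconfig back into a dict (for verifying what was pushed)."""
    return plistlib.loads(data)
```

Run check_per_app_vpn against the profile and the install commands before pushing either; a mismatched VPNUUID produces no error on the device, the app simply stays outside the tunnel.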
After the profile is pushed to end user devices, Jamf Trust "adopts" the UEM-delivered Per-App VPN configuration when the user activates the app, instead of creating a device-wide VPN configuration. This preserves the app and Safari domain definitions configured by the administrator and effectively places the app in Per-App VPN mode on the device.
From then on, the Per-App VPN activates only for traffic from the defined apps and Safari domains, with no user action required to enable or disable the VPN.
The Zero Trust Network Access policy engine still applies to this traffic. Although app and Safari domain traffic traverses the Per-App VPN to Jamf Security Cloud, it must still satisfy the access and security requirements defined in Access Policies before it is routed to enterprise destinations.