In network environments where a "split-brain" DNS is present—that is, where hostnames belonging to a specific domain can only be resolved by (internal) private DNS name servers—it is often necessary to bypass those domains from the web protection configuration. Otherwise, those private/internal hostname lookups will be sent to Jamf, where a public resolution will be attempted and will fail in most cases.
This is very common where VPNs are used or for situations where a device should only be able to resolve and connect to specific services when directly connected to the organization's local network (for example via Wi-Fi or Ethernet).
Unlike the alternative of disabling web protection on endpoints in this scenario, it may be desirable to keep web protection active to protect the device from network threats, but to bypass (that is, ignore) specific organization-owned domains.
To do this, define EvaluateConnection rules in the On Demand rules section of the DNS Settings profile. The DNS Settings profile ships from Jamf Security Cloud with some of these rules already configured, so you can add your own entries to the existing EvaluateConnection dictionary.
Assuming you want all DNS lookups destined for .company.com and .company.lcl to always bypass the web protection service, thereby using whatever DNS resolver has been set on the device for its current network connection, you would modify the On Demand rules as follows:

<array>
    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <key>DomainAction</key>
                <string>NeverConnect</string>
                <key>Domains</key>
                <array>
                    <string>*.company.com</string>
                    <string>*.company.lcl</string>
                    <string>*.jamf.com</string>
                    <string>*.jamfcloud.com</string>
                    <string>*.push.apple.com</string>
                    <string>identity.apple.com</string>
                    <string>iprofiles.apple.com</string>
                    <string>setup.icloud.com</string>
                    <string>vpp.itunes.apple.com</string>
                    <string>deviceservices-external.apple.com</string>
                </array>
            </dict>
        </array>
    </dict>
    <dict>
        <key>Action</key>
        <string>Connect</string>
    </dict>
</array>

The service bypasses *.jamf.com and *.jamfcloud.com along with specific Apple services to preserve service continuity in the event of a major web protection outage: because MDM and push traffic never depends on the web protection service, the service can be temporarily removed from endpoints while the outage lasts.
If you are not using Jamf Cloud, Jamf recommends adding the hostname (for example, mdm.company.com) used by your macOS devices to communicate with your MDM server to the list of EvaluateConnection hosts.
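As an added example (not Jamf's own tooling), the following Python script uses plistlib to append organization-owned domains, including the MDM hostname, to the existing NeverConnect list of an exported DNS Settings profile, refuses to touch a profile whose trailing Connect rule is missing, and approximates which hostnames the rule would bypass. The sample profile is constructed, and the matching rule (a leading `*.` covers any subdomain, a bare hostname matches exactly) is an assumption rather than a statement of Apple's exact semantics.

```python
import plistlib

# Constructed sample: a minimal DNS Settings payload carrying the shipped
# EvaluateConnection rule (hypothetical, not Jamf's real default profile).
SAMPLE_PROFILE = plistlib.dumps({"OnDemandRules": [
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"DomainAction": "NeverConnect",
         "Domains": ["*.jamf.com", "*.push.apple.com"]}]},
    {"Action": "Connect"},
]})

def never_connect_domains(rules):
    """Return the Domains list of the existing NeverConnect entry, or raise."""
    for rule in rules:
        if rule.get("Action") == "EvaluateConnection":
            for params in rule.get("ActionParameters", []):
                if params.get("DomainAction") == "NeverConnect":
                    return params.setdefault("Domains", [])
    raise ValueError("profile has no EvaluateConnection/NeverConnect rule")

def add_bypass_domains(profile_bytes, new_domains):
    """Append organization-owned domains (no duplicates) and re-serialise."""
    profile = plistlib.loads(profile_bytes)
    rules = profile["OnDemandRules"]
    # The trailing Connect rule sends every other lookup to the service;
    # refuse to edit a profile where it is missing or not last.
    if not rules or rules[-1].get("Action") != "Connect":
        raise ValueError("last On Demand rule must be Action=Connect")
    domains = never_connect_domains(rules)
    for domain in new_domains:
        if domain not in domains:
            domains.append(domain)
    return plistlib.dumps(profile)

def bypassed_domains(profile_bytes):
    """Audit helper: the domains a profile currently excludes from the service."""
    return list(never_connect_domains(plistlib.loads(profile_bytes)["OnDemandRules"]))

def is_bypassed(hostname, domains):
    """Assumed matching: '*.x' covers any subdomain of x; a bare name is exact."""
    host = hostname.lower().rstrip(".")
    for pattern in (d.lower() for d in domains):
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # '*.company.com' -> '.company.com'
                return True
        elif host == pattern:
            return True
    return False
```

Run `bypassed_domains` against a profile exported from Jamf Security Cloud to confirm which internal names are excluded before deploying a change.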