Enable Enterprise Access for Vision Pro

The Apple Vision Pro is an exciting category of product, introducing the world to Spatial Computing.

Just like every other end user device, Vision Pro, running visionOS, needs secure access to organizational apps, data, and resources to be an effective tool at work.

This article will detail how you can use Jamf Connect’s Zero Trust Network Access (ZTNA), deployed via the Jamf Trust app from the App Store, to easily enable fast, seamless, and secure access to business resources without deploying any new hardware infrastructure. Though not a focus of this article, Jamf Protect may be deployed identically via Jamf Trust to enable mobile threat defense, network protection, and content filtering use cases simultaneously.

Mobile Device Management (MDM) for Vision Pro

🎉  Jamf Pro 11.3.1 and later supports Vision Pro devices running VisionOS 1.1 or later  🎉

To enable Vision Pro MDM management, Apple only allows for Account Driven User Enrollment or Device Enrollment methods. This requires Managed Apple IDs, and for the best user experience, Identity Provider (IdP) federation in Apple Business Manager (ABM).

You will need to configure your infrastructure to support Account Driven enrollments, and then Enable User Enrollment for Mobile Devices (specifically Vision Pro) in Jamf Pro.

For a complete list of supported MDM configurations, capabilities, and further Jamf Pro documentation, see Apple Vision Pro Management with Jamf Pro.

Solution Overview

Without managed enterprise network connectivity, a user may not be able to login to – or even connect to – work resources from a Vision Pro due to the organization’s network firewall or conditional access policies. This solution enables visionOS to connect to these resources via Jamf’s Security Cloud, which is possible through:

• Customer-dedicated Internet Egresses that present packets using a specific set of source IP addresses that are permitted to route packets through customer firewalls or through Identity Provider (IdP) conditional access policies

• Customer-dedicated Site-to-Site IPSec tunnels that provides secure routing of traffic from the Vision Pro to a customer’s existing data center or cloud network edges.

The high level end-to-end experience includes:

1. An administrator configures a Jamf Security Cloud tenant, including Identity Provider (IdP) integration, the definition of network egresses, and the definition of desired Access Policies.

2. The Vision Pro is enrolled in Jamf Pro using Account Driven Device Enrollment or Account Driven User Enrollment.

3. Jamf Pro installs the Jamf Trust app as a managed app via the App Store to the Vision Pro device upon enrollment (or the user download it from Self Service as desired).

4. The user activates Jamf Trust their IdP credentials, usually further secured with Multi-Factor Authentication (MFA).

5. Jamf Trust sets a device-wide or per-app VPN configuration – as defined in Jamf Pro – that routes traffic as defined by Access Policies to Jamf Security Cloud.

6. Enterprise network traffic generated from browsers or apps on the Vision Pro is encrypted then cryptographically validated on Jamf’s Global Cloud Edge.  The device’s context and user’s identity is evaluated against Access Policies to verify access to the requested resource.

7. If access is permitted, the traffic generated by the device is routed forward via:

   1. A dedicated IP Internet Egress gateway. This uses NAT to present the visionOS traffic to appear to originate from one of two highly availability public (global) IP addresses.

   2. A dedicated IPSec tunnel. This uses a Site-to-Site IPSec VPN route to land the visionOS packets directly on the destination network. NAT is used to present devices with a source IP belonging to a private subnet configured on the LAN/DMZ/VPC.

8. The customer edge infrastructure is configured to allow packets arriving from the Jamf Security Cloud:

   1. Identity Provider: Conditional Access or App Access polices are updated to permit logins from devices that are using either of the customer-assigned IP addresses.

   2. Firewall: Access Control Lists (ACLs) or similar security policies are configured to allow packets arriving over the IPSec tunnel to route to permitted destination subnets or IP addresses.

For a technical deep dive into how Jamf’s ZTNA routing architecture works to provide least-privilege, micro-tunnel based access to specific resources only – without exposing internal IPs or subnets to visionOS – see Network Engineer's Guide to Jamf Connect ZTNA.

End User Experience

Below is a video of the steps a Vision Pro user would step through to activate Jamf Trust and access company resources. Specifically, this video demonstrates how a user would:

1. Download and install Jamf Trust from the App Store on an unmanaged device.

   1. NOTE: Using Jamf Pro, this step would not be necessary!

2. Activate Jamf Trust with the organization's identity provider.

3. Install a device-wide VPN for ZTNA networking and DNS encryption.

4. Access an intranet website via Safari.

5. Block a test malicious or disallowed Internet destination.

Configuration Steps

Thanks to Jamf’s cloud-native ZTNA architecture, setting all of this up is really easy!

With the appropriate privileges and rights, a baseline configuration as defined below can be completed within an hour.

Pre-Requisties

To configure this solution, you will need the following:

• Apple Vision Pro!

  • Note: you can use an iOS, iPadOS, or macOS device to test configuration, for visionOS will work exactly the same.

• A Jamf Security Cloud tenant with Jamf Connect licensing

  • A Jamf Security Cloud administrator account with Global Administrator or Access Administrator rights.

  • If you don’t have a Jamf Security Cloud tenant or Jamf Connect licensing yet, contact your Jamf rep for a free trial by indicating that you would like to test Jamf Connect on a Vision Pro device.

    • Note: JNUC 2023 attendees were provided a free Jamf Security Cloud tenant. If you need help with access, please contact your Jamf representative.

• A supported Identity Provider (IdP): Okta, Microsoft Entra, or Google Workspace.

  • You will need an authorized admin that can add (OIDC) apps in your IdP’s configuration.

  • Note: If your IdP is federated with one of these three IdPs (eg. Ping, OneLogin), that will work as well!

• Networked edge infrastructure policy administration.

  • Depending on how you will be connecting to your infrastructure (IdP and/or Firewall integration), an admin with appropriate policy or infrastructure configuration privileges will need to allow traffic from Jamf Security Cloud.

Configure Jamf Security Cloud

Jamf Security Cloud Tenant Required

If you don’t have a Jamf Security Cloud tenant yet, contact your Jamf rep for a free trial by indicating that you would like to test Jamf Connect on a Vision Pro device.

Step 1: Configure Identity Provider Integration and an Activation Profile

1. Log into Jamf Security Cloud (RADAR) port with an account using your Jamf ID or other credentials.

2. Link your Identity Provider (IdP) to allow end users to activate the Jamf Trust app on their Vision Pro using their corporate credentials.

3. Create an Activation Profile that configures the Network access capability.

   1. You may optionally deploy the Security (Network threat protection and mobile threat defense) an/or Content controls (category content filtering) capabilities if you would like to deploy those as well.

   2. Select the Identity Provider you configured in the previous step, then complete the wizard configuration process.

4. Based upon your security requirements, you may enable (default) or disable Identity-based Provisioning.

   1. Enabled (default): This allows a Vision Pro user to download the Jamf Trust app from the App Store and select “Login with Okta/Microsoft/Google”. It eliminates the need to use an activation URL to activate the endpoint.

   2. Disabled: Users are required to possess an activation URL in addition to providing valid IdP credentials to activate the Jamf Trust app.

5. If Identity-based Provisioning is disabled, copy the Activation Profile URL to your device for use on Vision Pro test devices later.

Step 2: Configure Network Egresses

Depending upon the location and security model protecting the destination resource(s) you are trying to enable via this solution, define one or more of the below network egress configurations.

Tip

For simplicity, we recommend testing and validating with a source-based IP approach first if possible. This is simply because configuring an IPSec Site-to-Site tunnel is quite a bit more involved and will take more time to configure.

• For Source-based IP Policies (such as an IdP conditional access policy or edge firewall ACL exception), create a Dedicated Internet Gateway.

  • These are provisioned automatically within a few minutes. The High Availability (HA) set of IPs are available for immediate use once presented in the Jamf Security Cloud portal.

  • Configuration guidance for IdP-based access control based upon your IdP vendor will be provided in a later step in this document.

• For Site-to-Site IPSec tunneling to on-prem, data center, and/or private cloud resources, create a Custom IPSec Interconnect Gateway.

  • As required, configure one or more Custom DNS Zones to ensure visionOS can resolve internal IP addresses via Jamf Security Cloud.

Step 3: Configure Access Policies

With your network egress(es) configured, you are now ready to configure one or more Access Policies that will instruct the Vision Pro to route select enterprise traffic via the Jamf Connect tunnel.

DNS Traffic is Always Routed

Regardless of your Access Policy configuration, the visionOS DNS requests are routed and resolved via Jamf Security Cloud when the Jamf Trust VPN interface is enabled on the device. The user may simply disable the VPN to disable this behavior as desired.

For more details, see the Network Engineer's Guide to Jamf Connect ZTNA.

1. In the Jamf Security Cloud console, configure one or more Access Policies that define how and what traffic should be routed via the Jamf Security Cloud.

   1. For enabling Microsoft Office/365 logins for IdP-based authentication, be sure to select the Microsoft Authentication SaaS app template. Do the same for Okta and Google if they are your IdP and configure customized hostnames accordingly.

   2. Define policy details, such as group-based and risk-based (using Security Policies) access limits, as required for your use case and application.

   3. On the Routing tab, select the egress you created in the previous step.

2. You can monitor connections to your access policies using the Reports > Access page in Jamf Security Cloud.

Step 4: Permit Logins on your IdP from Jamf Security Cloud

The market's three leading IdPs support defining sign-on access policies that consider source IP address as a criteria for being able to login to a given IdP-protected application.

Using this criteria, you can use the dedicated IP addresses created in your Jamf Security Cloud tenant as a way to identify if an incoming login originated from an authorized Vision Pro device. An unauthorized Vision Pro device – one without Jamf Trust successfully activated – will not present a source IP belonging to the Jamf Security Cloud, and will therefore be blocked by the IdPs access policy.

Meeting MFA Requirements via Source-Based IPs

It is important to call out that only devices that have activated Jamf Trust through a successful authentication exchange with your organization’s Identity Provider may use these IP addresses. If Identity-based provisioning is disabled, you further require an additional knowledge factor in the form of a URL that is unique to your environment, and may be paused or revoked at any time.

Combined, you may have high assurance that only users that have strongly authenticated themselves on the target device – directly with the IdP – are able to utilize the Source IPs that have been allocated to your organization.

There is no way for any device to use these IPs without authenticating with your identity provider successfully.

Use the appropriate configuration guide based upon your organization’s Identity Provider:

• Okta: Restricting Login Access

• Azure AD / Entra: Restricting Login Access

• Google Workspace: Restricting Login Access

Step 5: Deploy Jamf Trust to Vision Pro devices

Steps for Managed Vision Pro Devices

The instructions below are applicable to unmanaged Vision Pro devices.

If using Jamf Pro to manage your Vision Pro devices, you can instead push and configure Jamf Trust from the App Store as a mobile app that is scoped to your Vision Pro devices. Be sure to deploy and scope the mobile configuration profiles and app configs provided from within your Jamf Security Cloud Activation Profile as well!

Doing so will require the user to simply open the Jamf Trust app and login as prompted: no shareable links or URLs required!

At this point, you are ready to enroll your Vision Pro test devices so that they may access the authorized resources you’ve configured in the steps above!

1. Either obtain the Jamf Trust app directly from App Store, or

2. Send the Activation Profile URL obtained from Step 1 to the user of the Vision Pro device.

   1. You may iMessage, email, or AirDrop the Activation Profile URL string to the Vision Pro.

3. Open the Activation Profile URL on the Vision Pro by opening the provided link using a look-and-pinch gesture.

4. Safari will open and will redirect visionOS to the App Store listing for Jamf Trust.

5. Install Jamf Trust then use the Open button in the App Store to launch Jamf Trust once it has installed on the device.

6. The activation process should start immediately, prompting for IdP credentials from the linked Identity Provider.

   1. If the process fails for some reason, quit the Jamf Trust app and re-invoke the Activation Profile URL. It will automatically re-open Jamf Trust and re-start the activation process.

   2. Note: The “Sign in with Google/Okta/Microsoft” button will not work if you disabled “Identity-based Provisioning” in Step 1.

7. Login to your IdP providing credentials and MFA challenge responses as configured by your IdP.

8. Upon successful authentication, you will be prompted to allow Notifications and install a VPN. Be sure to Allow both, providing your Vision Pro device passcode when prompted to install the VPN configuration.

Congratulations!

You have now fully provisioned your Apple Vision Pro with Jamf Security Cloud!

Now, you should be able to open any browser or native app and all traffic that is defined in your Access Policies will be routed via Jamf Security Cloud.

All access requests that match a policy will appear in Jamf Security Cloud > Reports > Access.

If you are having any problems connecting to your resources after completing the above steps, review the Validating and Testing Connectivity guide or contact your Jamf account team.

Troubleshooting

Having trouble activating Jamf Trust? Try these steps:

• Force Quit Jamf Trust by pressing and holding the Digital Crown and Camera physical buttons on top of the headset simultaneously. Once the “Force Quit” dialog appears, select Jamf Trust, then Force Quit. Try your activation again.

• If you receive an error indicating an enrollment error or authentication module error has occurred, restart Vision Pro to resolve. This appears to be an intermittent visionOS bug that inhibits an authentication session in a web view from occurring correctly.

• If you have previously enrolled and are having problems re-enrolling, open Safari an navigate to https://reset.wandera.com and select Jamf Trust as the app to reset.

If you are having any problems connecting to your resources after completing the above steps, review the Validating and Testing Connectivity guide or contact your Jamf account team.

Next Steps

With this configuration in place, you can also enroll and activate macOS, iOS, iPadOS, Android and Windows devices for additional testing.