Implementation Roadmap
- Updated on 09 Mar 2023
Realizing the Trusted Access solution completely is not something you turn on overnight. Depending on your organization's size and complexity, designing, planning, and implementing these changes can take considerable time and effort.
You can, however, follow the phased approach suggested below to improve your data security and support hybrid working one step at a time.
Phase 1: Establish Ubiquitous Device Management and Strong User Identity
The Trusted Access journey begins by enrolling as many company-owned and personally-owned devices as possible into the appropriate form of device management. This is the foundation that lets you distinguish your organization's sanctioned devices from every other device in the world.
In the first phase, your organization must also adopt a cloud-based identity provider (even if it is federated with an on-premises identity authority or directory service) with Multi-factor Authentication (MFA) enforced.
- Deploy device-wide management for your company-owned macOS devices via Jamf Pro.
- Deploy user enrollment via Jamf Pro for your iOS/iPadOS personally owned devices.
- Deploy Android Enterprise for your Google Android fleet.
- Deploy Windows devices using Windows Modern Device Management.
- Have a production-deployed identity provider with MFA enabled globally, configured as the identity provider for onboarding within Jamf Pro and ideally within your other MDM tools as well.
- Have deployed essential endpoint security policies such as:
  - Passcode enforcement
  - Disk encryption
  - Firewall enforcement
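As an added example (not from this page and not Jamf's own code), the following Jamf Pro extension-attribute-style shell script checks the three Phase 1 baseline policies on a Mac: disk encryption via FileVault, the application firewall, and a screen-lock requirement as a stand-in for passcode enforcement. It assumes the output formats of `fdesetup status`, `socketfilterfw --getglobalstate` and `sysadminctl -screenLock status` shown in the comments; the sample outputs used when the script is not run on macOS are constructed.

```shell
#!/bin/sh
# Added example, not part of the Jamf page: a Jamf Pro extension-attribute
# style baseline check for the Phase 1 macOS policies (disk encryption,
# firewall, passcode/screen lock). Parsing is separated from collection so
# the verdict logic can run offline against constructed command output.
# Assumed output formats (not taken from the page):
#   fdesetup status                  -> "FileVault is On." / "FileVault is Off."
#   socketfilterfw --getglobalstate  -> "Firewall is enabled. (State = 1)"
#   sysadminctl -screenLock status   -> "screenLock delay is immediate" / "screenLock is off"

# Returns 0 (true) when fdesetup reports FileVault enabled.
filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the application firewall is on (State 1) or blocking all
# incoming connections (State 2); State 0 means it is off.
firewall_on() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a screen-lock delay is configured; "screenLock is off" fails.
screenlock_on() {
    case "$1" in
        *"screenLock is off"*) return 1 ;;
        *"screenLock delay"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combine the checks into one string Jamf Pro can key smart groups on:
# "Compliant" or "NonCompliant:<comma-separated failing controls>".
baseline_verdict() {
    missing=""
    filevault_on "$1"  || missing="${missing}FileVault,"
    firewall_on "$2"   || missing="${missing}Firewall,"
    screenlock_on "$3" || missing="${missing}ScreenLock,"
    if [ -z "$missing" ]; then
        echo "Compliant"
    else
        echo "NonCompliant:${missing%,}"
    fi
}

if [ "$(uname)" = "Darwin" ]; then
    # Real collection on a Mac using the standard macOS tool locations.
    fv_out=$(/usr/bin/fdesetup status 2>/dev/null)
    fw_out=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)
    sl_out=$(/usr/sbin/sysadminctl -screenLock status 2>&1)
else
    # Constructed sample output so the script demonstrates itself elsewhere.
    fv_out="FileVault is Off."
    fw_out="Firewall is enabled. (State = 1)"
    sl_out="screenLock is off"
fi
# Jamf Pro reads the extension attribute value from the <result> tags.
echo "<result>$(baseline_verdict "$fv_out" "$fw_out" "$sl_out")</result>"
```

Saved as a script-type extension attribute, this yields a per-device value that a smart group can match on (for example, values beginning with `NonCompliant:`) to scope remediation policies or to feed the compliance baseline that later phases rely on.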
Phase 2: Deploy Endpoint Security, Identity, and Private Access
Once your organization's devices are managed, the next phase ensures that your endpoints are protected from threats, compliant with policy, and adequately monitored for risk. Jamf Private Access is deployed to provide basic risk-based access control to applications, and this phase is also where you bring cloud identity to your macOS devices with Jamf Connect.
- Deploy Jamf Protect, including Network Threat Prevention, for all macOS devices.
- Deploy Jamf Trust device-wide for all company-owned macOS, iOS/iPadOS, Android, and Windows devices.
- On BYO devices, deploy Jamf Trust as a managed app on User Enrolled iOS/iPadOS and Android Enterprise Work Profile devices.
- Configure appropriate security policies, SIEM/XDR logging, and compliance baselines in Jamf Protect and Jamf Security Cloud.
- Deploy a suitable endpoint protection tool (e.g. Microsoft Defender) to your company-owned Windows devices.
- Deploy Jamf Connect to your macOS devices and integrate it with your identity provider.
- Deploy private IPsec interconnects between the Jamf Security Cloud and your private cloud and on-premises infrastructure.
- Configure a combination of explicit and "wildcard" Access Policies in Jamf Connect, enabling an "easy" VPN replacement without inhibiting existing workflows.
- Define risk-based access controls for sensitive apps made available through Jamf Connect.
Phase 3: Implement Advanced ZTNA and Conditional Access
With devices fully managed and security baselines established, the next step is to enable more granular and secure access to company resources.
- Remove or reduce the "wildcard" scope of Jamf Connect policies, replacing them with more well-defined app-level policies.
- Configure partner conditional access integrations to enable more granular access controls for macOS devices that are connecting to cloud-based resources.
- Close all inbound ports from the open internet to applications on your firewalls (e.g. static NATs, port forwarding) and publish those apps through Jamf Connect instead.
- Remove or restrict "internal routing" that lets devices communicate freely with each other across networks and offices without any brokered access controls, and use Jamf Connect for those connections instead.
Phase 4: Secure Organizational Data to Trusted Users and Devices Only
The final phase of Trusted Access builds on all of the work in the previous phases to allow access to sensitive data resources only from sanctioned devices and users, preventing use of those resources from any other device.
- Learn about and plan for App and Infrastructure Cloaking in your environment.
- Restrict Access for Anonymous Devices on applications that both need protection from attack and serve as a "carrot" for employees to stay compliant. Typical apps include:
  - Email Communications (Exchange, Gmail)
  - Chat Communications (Slack / Teams)
  - File Sharing (Box / Dropbox)
  - Source code and software development management systems (GitHub, JIRA)
  - HR and Payroll data systems (Workday, Gusto, ADP)
  - ERP/CRM systems (SAP, Salesforce)