Jamf Connect ZTNA Quick Start Guide
12 Mar 2024
Article Summary

Following the simple steps in this guide will allow you to set up Jamf Connect ZTNA on test devices. Once configured, you can expand the configuration to add more apps and capabilities as needed.

After completing this guide, you will:

  1. Link an identity provider for user authentication
  2. Configure an activation profile to enroll devices
  3. Set up your first ZTNA test app
  4. Activate one or more test endpoints
  5. Access the ZTNA test app from your test device

Prerequisites

Before we get started, make sure you can meet the following prerequisites:

  • Access to an Identity Provider (IdP) that is compatible with Jamf Security Cloud.
    • Don't have one? Follow "Option 2: Using a testing identity provider" when linking your identity provider.
  • Access to your organization's IdP portal or to someone that does.

Haven't Logged into Jamf Security Cloud / RADAR?

Check your email for a "Welcome to Jamf" message from no-reply@wandera.com that will guide you through setting up your Jamf account.

Don't have one? Contact your Jamf account rep for assistance.

Step 1: Link an Identity Provider

Jamf Connect ZTNA uses your existing Identity Provider to serve as your authoritative users database.

This allows you to centrally manage and secure user accounts while providing a streamlined and familiar login experience for end users.

You can learn more about IdP integration with the Jamf Security Cloud if desired.

For the purposes of this quick start guide, you can proceed using your production identity provider or a new testing identity provider.

Option 1: Using your production identity provider

You can easily enable Jamf Trust (the endpoint application for Jamf's ZTNA services) to activate using single sign-on via your identity provider. Adding Jamf Trust is just like adding other apps your organization uses for SSO today.

Admin versus End User SSO
End user SSO configuration is completely different from administrator SSO configuration for the Jamf Security Cloud admin portal. This guide is focused on the End User SSO configuration and experience.

Follow these steps based upon your Identity Provider:

Option 2: Using a testing identity provider

If you are not in a position to configure your production identity provider to support Jamf Trust yet, both Okta and Azure AD offer free accounts that may be used for lab testing purposes.

This is great if you want to kick the tires with Jamf Connect ZTNA, and it is easy to add and switch over to a production account later.

  1. Create a free Okta developer account or Azure AD lab account with credentials of your choosing.  No custom domain is required.
  2. Follow the guide above in the "production identity provider" section to configure your newly created test environment.

Step 2: Configure an Activation Profile

Now we are going to configure your Jamf Security Cloud account to allow users to activate within the Jamf Trust app via the "Sign in with Microsoft" or "Sign in with Okta" buttons.

An activation profile is used by the Jamf Security Cloud to enable users in your domain to activate Jamf Trust using the identity provider established in the previous step.

  1. Using your Jamf Security Cloud administrator credentials, navigate to Devices > Activation profiles in RADAR.
  2. Click Create Profile > Jamf Trust App.
  3. Specify a Name for the activation profile, such as "My Testing Activation Profile". Click Next.
  4. In the Capabilities and Routing section, under Service Capabilities select Zero Trust Network Access. Click Next.
    1. You may select other Service Capabilities based upon your licensing and testing, but be aware of the platforms that are supported with the selected combination when doing so.
  5. In the User Identification section, under User Identification select Authenticated by Identity Provider then select the Identity Provider configuration you defined in Step 1. Click Next.
  6. Modify Advanced Settings as desired, otherwise click Next.
  7. Confirm your settings then click Save and Create.
  8. Back on the Activation Profiles page, you should see your newly created activation profile. Click the Identity-based Provisioning tab above the table.
  9. If not already activated, enable the switch next to the activation profile you created, and be sure to define Everyone.

With this step finished, any user with valid credentials in the linked identity provider account will be able to activate Jamf Trust. We'll get to activating an endpoint with these credentials in Step 4.

The next step is to set up your first Connect ZTNA application.

Step 3: Publish a Sample SaaS Application

Next, we will configure a demo application that you can use to verify Jamf Connect ZTNA services are working properly.

This application simply shows the geo-location of the data center your device is using when routed through the Jamf ZTNA infrastructure.

  1. Navigate to Policies > Access > Access Policy in RADAR.
  2. Click New App Policy then under SaaS App, click Create policy.
  3. Select My IP on a Map and click Next in the lower-right of the window.
  4. Click Next on all subsequent screens to use default settings, then click Save and Create App to complete the policy definition.

Explore the power of Software Defined Routing! 🌎

On the Routing configuration step, select a region-specific Shared IP Pool to force traffic to egress to the Internet via a specific data center. The map will load to indicate the defined region.

If you subsequently change this configuration during the testing, be aware it takes up to 60 seconds for the new routing to take effect.

Nice! You have just configured your very first Jamf Connect ZTNA application and policy!

Finally, let's enroll a test device to try it out!

Step 4: Activate Jamf Trust on an Endpoint

Activate a device using credentials from your linked identity provider, then test that the new application policy works in a web browser.

  1. Download the Jamf Trust client to one (or more) of your test devices from the platform's app store or download link (iOS/iPadOS, Android, Windows 10/11, or macOS).
  2. Launch the Jamf Trust application and select Sign in with Microsoft or Sign in with Okta.
    1. If you are using another identity provider that is federated with Azure AD, select Sign in with Microsoft.
  3. Log in with credentials that are associated with the linked identity provider, which was authorized in a previous step.
  4. Follow all prompts to Enable Access until you see a screen confirming "You're all set".
  5. Open a web browser and navigate to https://map.wandera.com
  6. If you see a map, you're all set! The map shows the IP address and region resulting from the routing configuration you defined when setting up the app.

Are you seeing "Forbidden" instead?

Make sure the Jamf Trust app indicates "You're all set" and you are not running any other VPN or proxy software.

Still not working? Contact your Jamf account rep or Jamf support and we'll help.

Step 5: View Access Reports

Now that you have successfully routed traffic from your test device(s) to My IP on a Map, you can use Jamf Security Cloud's powerful reporting functions to see the details of your connections.

Navigate to Reports > Access and select the report you'd like to view.

  • Applications: Provides a view of connections by application access policy.
  • User Activity: Provides a breakdown of access by user to access policies.
  • Routing Analytics: Provides a (super cool) visualization of access between devices and applications.
  • Event Log: Provides connection-level logging for every access request, with filtering and visibility into  each and every 

What's Next?

Congratulations, you are on your way to becoming a Jamf Connect ZTNA pro!

With Jamf Trust configured and your first app running through the service, you can continue to take your experience to the next level. Here are a few ideas:
