Jamf Connect ZTNA Quick Start Guide
- Updated on 10 Sep 2024
Following the simple steps in this guide will allow you to set up Jamf Connect ZTNA on test devices. Once configured, you can expand the configuration to add more apps and capabilities as needed.
After completing this guide, you will:
- Link an identity provider for user authentication
- Configure an activation profile to enroll devices
- Set up your first ZTNA test app
- Activate one or more test endpoints
- Access the ZTNA test app from your test device
Prerequisites
Before we get started, make sure you can meet the following prerequisites:
- A working administrator login for a Jamf Security Cloud RADAR account that has been licensed with Jamf Connect.
Check your email for a "Welcome to Jamf" message from no-reply@wandera.com that will guide you through setting up your Jamf account.
Don't have one? Contact your Jamf account rep for assistance.
- Access to an Identity Provider (IdP) that is compatible with Jamf Security Cloud.
- Don't have one? Follow "Option 2: Using a testing identity provider" when linking your identity provider.
- Access to your organization's IdP portal or to someone that does.
Step 1: Link your Identity Provider
Jamf Connect ZTNA uses your existing Identity Provider as your authoritative user database.
This allows you to centrally manage and secure user accounts while providing a streamlined and familiar login experience for end users.
You can learn more about IdP integration with the Jamf Security Cloud if desired.
For the purposes of this quick start guide, you can proceed using your production identity provider or a new testing identity provider.
Option 1: Using your production identity provider
You can easily enable Jamf Trust (the endpoint application for Jamf's ZTNA services) to activate using single sign-on via your identity provider. Adding Jamf Trust is just like adding other apps your organization uses for SSO today.
Follow these steps based upon your Identity Provider:
- Okta
- Microsoft Entra ID (formerly Azure AD)
- Google Workspace
- Other Identity Providers
- Follow these simple steps to verify compatibility.
Option 2: Using a testing identity provider
If you are not in a position to configure your production identity provider to support Jamf Trust yet, both Okta and Azure AD offer free accounts that may be used for lab testing purposes.
This is great if you want to kick the tires with Jamf Connect ZTNA, and it is easy to add and switch over to a production account later.
- Create a free Okta developer account or Azure AD lab account with credentials of your choosing. No custom domain is required.
- Follow the guide above in the "production identity provider" section to configure your newly created test environment.
Step 2: Configure an Activation Profile
Now we are going to configure your Jamf Security Cloud account to allow users to activate within the Jamf Trust app via the "Sign in with Microsoft" or "Sign in with Okta" buttons.
An activation profile is used by the Jamf Security Cloud to enable users in your domain to activate Jamf Trust using the identity provider established in the previous step.
- Using your Jamf Security Cloud administrator credentials, navigate to Devices > Activation profiles in RADAR.
- Click Create Profile > Jamf Trust App.
- Specify a Name for the activation profile, such as "My Testing Activation Profile". Click Next.
- In the Capabilities and Routing section, under Service Capabilities select Zero Trust Network Access. Click Next.
- You may select other Service Capabilities based upon your licensing and testing, but be aware of the platforms that are supported with the selected combination when doing so.
- In the User Identification section, under User Identification select Authenticated by Identity Provider then select the Identity Provider configuration you defined in Step 1. Click Next.
- Modify Advanced Settings as desired, otherwise click Next.
- Confirm your settings then click Save and Create.
- Back on the Activation Profiles page, you should see your newly created activation profile. Click the Identity-based Provisioning tab above the table.
- If not already enabled, turn on the switch next to the activation profile you created, and be sure to define Everyone.
With this step finished, any user with valid credentials in the linked identity provider account will be able to activate Jamf Trust. We'll get to activating an endpoint with these credentials in Step 4.
The next step is to set up your first Connect ZTNA application.
Step 3: Publish a Sample SaaS Application
Next, we will configure a demo application that you can use to verify Jamf Connect ZTNA services are working properly.
This application simply shows the geo-location of the data center your device is using when routed through the Jamf ZTNA infrastructure.
- Navigate to Policies > Access > Access Policy in RADAR.
- Click New App Policy then under SaaS App, click Create policy.
- Select My IP on a Map and click Next in the lower-right of the window.
- Click Next on all subsequent screens to use default settings, then click Save and Create App to complete the policy definition.
On the Routing configuration step, select a region-specific Shared IP Pool to force traffic to egress to the Internet via a specific data center. The map will load to indicate the defined region.
If you subsequently change this configuration during the testing, be aware it takes up to 60 seconds for the new routing to take effect.
Nice! You have just configured your very first Jamf Connect ZTNA application and policy!
Finally, let's enroll a test device to try it out!
Step 4: Activate Jamf Trust on an Endpoint
Next, activate a device using credentials from your linked identity provider, then verify in a web browser that the new application policy works.
- Download the client to one (or more) of your test devices from the sources below:
Download links are available for iOS/iPadOS, Android, Windows 10/11, and macOS.
- Launch the Jamf Trust application and select Sign in with Microsoft or Sign in with Okta.
- If you are using another identity provider that is federated with Azure AD, select Sign in with Microsoft.
- Log in with credentials that are associated with the linked identity provider, which was authorized in a previous step.
- Follow all prompts to Enable Access until you see a screen confirming "You're all set".
- Open a web browser and navigate to https://map.wandera.com
- If you see a map, you're all set! This is the IP address and region based upon your routing configuration defined when setting up the app.
Make sure the Jamf Trust app indicates "You're all set" and you are not running any other VPN or proxy software.
Still not working? Contact your Jamf account rep or Jamf support and we'll help.
Step 5: View Access Reports
Now that you have successfully routed traffic from your test device(s) to My IP on a Map, you can use Jamf Security Cloud's powerful reporting functions to see the details of your connections.
Navigate to Reports > Access and select the report you'd like to view.
- Applications: Provides a view of connections by application access policy.
- User Activity: Provides a breakdown of access by user to access policies.
- Routing Analytics: Provides a (super cool) visualization of access between devices and applications.
- Event Log: Provides connection-level logging for every access request, with filtering and visibility into each and every
What's Next?
Congratulations, you are on your way to becoming a Jamf Connect ZTNA pro!
With the Jamf Trust configured and your first app running through the service, you can continue to take your experience to the next level. Here are a few ideas:
- Integrate with your private infrastructure.
- Add more SaaS apps in Access Policies to experience just how seamlessly Jamf handles all traffic types.
- Try the Jamf Trust app and experience on another device platform.
- Get a few colleagues to join the fun by having them download and activate the Jamf Trust app on their devices.
- Deploy the Jamf Trust app and other configuration profiles via your MDM to experience just how streamlined the experience can get.
- Learn how to configure your infrastructure to allow access to trusted devices while blocking access for anonymous devices.
- Really geek out and learn exactly how Jamf Connect ZTNA operates under the hood.