Many popular cloud services provide "business" and "personal" accounts. While you may use Google Workspace or Microsoft 365 as your organization's productivity platform of choice, a user may have their own "personal" account on that same cloud platform.
This means that if you allow Google or Microsoft logins from an organization-managed endpoint, you are implicitly allowing login using both "business" and "personal" credentials.
SaaS tenancy control enables you to only allow login to admin-defined tenants within these types of cloud services on managed devices.
The native Jamf Security Cloud does not perform TLS decryption, which is required to provide SaaS tenancy controls.
As a result, customers will need to deploy their own proxy infrastructure that is used in coordination with Jamf Security Cloud to achieve this service.
The below network diagram depicts the packet flow.
Note that this configuration is optimized for Network Relay-based deployments, where all device traffic for these specific login domains is automatically routed to your SaaS tenancy enforcement infrastructure from the moment the device is enrolled into management. It may also be configured to be tamper resistant.
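Why the proxy has to decrypt TLS, as an added example (not Jamf's code and not the code of the open source proxy): it assumes enforcement uses the tenant-restriction request headers that Google and Microsoft document, which travel inside the encrypted HTTP request. The function name `enforce_tenancy`, the `POLICY` structure and the tenant values are constructed for illustration.

```python
# Added illustration: tenant-restriction header injection at a TLS-decrypting proxy.
# Header names are the ones Google and Microsoft document for tenant restriction;
# the policy values are constructed placeholders, not real tenants.

GOOGLE_HEADER = "X-GoogApps-Allowed-Domains"
MS_TENANTS_HEADER = "Restrict-Access-To-Tenants"
MS_CONTEXT_HEADER = "Restrict-Access-Context"
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}

POLICY = {  # hypothetical admin-defined tenants
    "google_domains": ["example.com"],
    "ms_tenants": ["example.onmicrosoft.com"],
    "ms_context": "00000000-0000-0000-0000-000000000000",
}


def _strip(headers, names):
    """Drop headers case-insensitively so a client cannot pre-set its own policy."""
    lowered = {n.lower() for n in names}
    return {k: v for k, v in headers.items() if k.lower() not in lowered}


def enforce_tenancy(host, headers, policy=POLICY):
    """Return a copy of the decrypted request headers with tenant restrictions applied."""
    host = host.lower().split(":")[0].rstrip(".")  # ignore port and trailing dot
    out = _strip(headers, [GOOGLE_HEADER, MS_TENANTS_HEADER, MS_CONTEXT_HEADER])
    # Suffix match on ".google.com" so look-alikes such as evilgoogle.com do not match.
    if host == "google.com" or host.endswith(".google.com"):
        out[GOOGLE_HEADER] = ",".join(policy["google_domains"])
    elif host in MS_LOGIN_HOSTS:
        out[MS_TENANTS_HEADER] = ",".join(policy["ms_tenants"])
        out[MS_CONTEXT_HEADER] = policy["ms_context"]
    return out


if __name__ == "__main__":
    # Constructed request: the client tries to supply its own allow-list.
    sample = {"Accept": "*/*", "x-googapps-allowed-domains": "gmail.com"}
    print(enforce_tenancy("accounts.google.com", sample))
    print(enforce_tenancy("login.microsoftonline.com:443", {"Accept": "*/*"}))
```

Without decryption the proxy sees only the destination host name, so it could block or allow the login domain as a whole but not distinguish one tenant from another.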
Configuration
For the open source SaaS tenancy proxy infrastructure, which is easily deployable via AWS CloudFormation, see our SaaS Tenancy Jamf Concepts page.