The Apple Vision Pro is an exciting category of product, introducing the world to Spatial Computing.
Just like every other end user device, Vision Pro, running visionOS, needs secure access to organizational apps, data, and resources to be an effective tool at work.
This article will detail how you can use Jamf Connect’s Zero Trust Network Access (ZTNA), deployed via the Jamf Trust app from the App Store, to easily enable fast, seamless, and secure access to business resources without deploying any new hardware infrastructure. While not covered by this article, the Vision Pro also supports Jamf’s mobile threat defense, content filtering, anti-phishing, and network threat protection capabilities seamlessly on the device through one simple MDM-based deployment.
Mobile Device Management (MDM) for Vision Pro
Vision Pros may be deployed in two ways:
Apple Business Manager Automatic Device Enrollment (recommended): Like other Apple devices, company-owned Vision Pros are registered in Apple Business Manager and are enrolled into MDM during the device’s Setup Assistant process upon first-boot. If a device is not already in Apple Business Manager, Vision Pros may be added to ABM using Apple Configurator. See Automated Device Enrollment Integration for setup details.
Account Driven User/Device Enrollments: In this method, an already setup Vision Pro is enrolled into MDM using the organization’s Managed Apple Accounts. This is useful and required for Vision Pro devices that are not registered in Apple Business Manager. For setup, see Prepare for Account-Driven Enrollment with Managed Apple Accounts and Service Discovery
This article assumes your Vision Pros are managed by MDM.
For unmanaged use cases, please contact your Jamf technical representative or partner.
Solution Overview
Without managed enterprise network connectivity, a user may not be able to connect to – or even login to – work resources from a Vision Pro due to the organization’s network firewall or conditional access policies and tooling. This solution enables visionOS to connect to these resources via Jamf’s Security Cloud in a way that is compatible with existing Conditional Access policies.
This solution provides:
A zero-touch deployed, always-on, hardware-bound and native traffic vectoring mechanism to transmit sensitive data from the endpoint to an organization’s IdP and workloads.
A highly available policy-based global traffic routing network that provides fast connectivity from any network anywhere in the world.
Dedicated private global IP address Internet egress (source IPs) as well as private IPSec Site-to-Site tunnel connectivity to private resources.
The high level end-to-end experience includes:
An administrator configures a Network Relay deployment configuration, defines one or more network egresses (Internet IPs or IPSec Tunnels), and the definition of Access Policies.
The Vision Pro is enrolled in Jamf Pro using either of the methods called out above.
The Relay configuration is automatically deployed and activated on the device. Device Attestation is performed with Apple’s servers and the device’s tenancy in Jamf Pro is cryptographically verified. No user interaction or login is required.
Enterprise network traffic generated from browsers or apps on the Vision Pro is encrypted then cryptographically validated on Jamf’s Global Cloud Edge. The device’s context and user’s identity is evaluated against Access Policies to verify access to the requested resource.
If access is permitted, the traffic generated by the device is routed forward via:
A dedicated IP Internet Egress gateway. This uses NAT to present the visionOS traffic as originating from one of two highly available public (global) IP addresses.
A dedicated IPSec tunnel. This uses a Site-to-Site IPSec VPN route to land the visionOS packets directly on the destination network. NAT is used to present devices with a source IP belonging to a private subnet configured on the LAN/DMZ/VPC.
The customer edge infrastructure is configured to allow packets arriving from the Jamf Security Cloud:
Identity Provider: Conditional Access or App Access policies are updated to permit logins from devices that are using either of the customer-assigned IP addresses. See below for specific configuration recommendations for this to work with existing Jamf Device Compliance Policies.
Firewall: Access Control Lists (ACLs) or similar security policies are configured to allow packets arriving over the IPSec tunnel to route to permitted destination subnets or IP addresses.
Enabling Vision Pro enterprise resource access using Jamf’s enterprise Network Relay service.
For a technical deep dive into how Jamf’s ZTNA routing architecture works to provide least-privilege, micro-tunnel based access to specific resources only – without exposing internal IPs or subnets to visionOS – see Network Engineer's Guide to Jamf Connect ZTNA.
“My IP on a Map” Sample App Configuration Steps
Thanks to Jamf’s cloud-native and integrated platform, setting all of this up is really easy! We’ll first configure a sample SaaS application that is used to demonstrate end-to-end functionality of a Relay on your managed Vision Pro device.
With the appropriate access privileges and rights, this configuration can be completed within an hour.
Pre-Requisites
To configure this solution, you will need the following:
Apple Vision Pro
Note: you can use an iOS, iPadOS, or macOS device to test the configuration, as visionOS will work exactly the same.
Vision Pro enrolled into Jamf Pro or Intune
These steps are specific to Jamf, but may be applied to Intune for deployment as well.
Access to Jamf Pro and Jamf Security Cloud portals
A Jamf Pro administrator account with the ability to create an API client credential that can manage Mobile Devices, and Mobile Device Smart Groups.
A Jamf Security Cloud administrator account with Global Administrator or Access Administrator rights.
If you don’t have a Jamf Security Cloud environment, contact your Jamf representative or partner.
Networked edge infrastructure policy administration.
Depending on how you will be connecting to your infrastructure (IdP and/or Firewall integration), an admin with appropriate policy or infrastructure configuration privileges will need to allow traffic from Jamf Security Cloud.
Note: You can fully configure device routing without this, but your access and capabilities will be inherently limited until these steps are completed.
Configure Jamf Pro
Step 1: Create a Vision Pro Smart Group in Jamf Pro
Creating this smart group will simplify scoping and assignment throughout this guide. If you have already created a Smart Group that you would like to use for your devices, you may use that instead.
Log into Jamf Pro using your Jamf Account SSO or other credentials.
Navigate to Devices and select Smart Device Groups.
Click the + New button to create a new smart group.
Provide an appropriate Display Name, we’d recommend “Vision Pro Devices”. Provide a description as desired.
Select the Criteria tab at the top of the screen, then click + Add.
Locate Model and click Choose in the same row.
Set Operator to “is”.
Select the “…” button next to the field for Value. Locate Apple Vision Pro then select Choose.
Click Save to create the Smart Group.
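The smart group above is built in the Jamf Pro console, but the same definition can be created with the API client credential listed in the pre-requisites. The following script is an added example and is not code from the article or from Jamf; it assumes the Jamf Pro OAuth token endpoint (/api/oauth/token) and the Classic API mobile device group endpoint (/JSSResource/mobiledevicegroups/id/0), and that the criterion is named "Model" in the API as it is in the UI. Verify those against the API documentation for your Jamf Pro version before running it against a production tenant; the network calls only run when you supply real credentials.

```python
"""Create a 'Vision Pro Devices' smart mobile device group in Jamf Pro via the API.

Added example, not Jamf's own code. Endpoint paths and the "Model" criterion
name are assumptions to confirm against your Jamf Pro API documentation.
"""
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def smart_group_xml(name: str, model: str = "Apple Vision Pro") -> str:
    """Build the Classic API body for a smart group whose single criterion is Model is <model>."""
    root = ET.Element("mobile_device_group")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "is_smart").text = "true"
    criterion = ET.SubElement(ET.SubElement(root, "criteria"), "criterion")
    ET.SubElement(criterion, "name").text = "Model"        # same criterion as the UI's "Model" row
    ET.SubElement(criterion, "priority").text = "0"
    ET.SubElement(criterion, "and_or").text = "and"
    ET.SubElement(criterion, "search_type").text = "is"    # the "is" operator
    ET.SubElement(criterion, "value").text = model
    return ET.tostring(root, encoding="unicode")


def _post(url: str, body: bytes, headers: dict) -> str:
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def get_bearer_token(base_url: str, client_id: str, client_secret: str) -> str:
    """Exchange an API client credential for a short-lived bearer token (assumed endpoint)."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_secret": client_secret,
    }).encode()
    raw = _post(f"{base_url}/api/oauth/token", form,
                {"Content-Type": "application/x-www-form-urlencoded"})
    return json.loads(raw)["access_token"]


def create_smart_group(base_url: str, token: str, body_xml: str) -> int:
    """POST the group definition; Jamf Pro answers with the new group's id (assumed endpoint)."""
    raw = _post(f"{base_url}/JSSResource/mobiledevicegroups/id/0", body_xml.encode(),
                {"Authorization": f"Bearer {token}",
                 "Content-Type": "application/xml",
                 "Accept": "application/xml"})
    return int(ET.fromstring(raw).findtext("id"))


if __name__ == "__main__":
    # Offline by default: print the body so it can be reviewed before anything is created.
    print(smart_group_xml("Vision Pro Devices"))
    # To create the group for real, fill in the placeholders below (constructed, not real values):
    # token = get_bearer_token("https://PLACEHOLDER.jamfcloud.com", "CLIENT_ID", "CLIENT_SECRET")
    # print(create_smart_group("https://PLACEHOLDER.jamfcloud.com", token, smart_group_xml("Vision Pro Devices")))
```

Keeping the body builder separate from the HTTP calls lets you diff the generated XML against what the console produced, and lets the API client be scoped to the smart-group privileges only.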
Configure and Deploy a Network Relay Configuration
In this section, we configure the Jamf platform to setup and deploy a Network Relay configuration to managed Vision Pro devices.
Step 1: Configure UEM Connect in Jamf Security Cloud
This step links Jamf Security Cloud with Jamf Pro to aid with deployment and ongoing validation of device enrollment, ensuring only managed devices with appropriate risk levels may use the Network Relay service.
Log into Jamf Security Cloud using your Jamf Account SSO or other credentials.
Navigate to Integrations and select UEM Connect.
Follow the steps in Configuring UEM Connect for Jamf Pro and verify the setup reports a successful connection.
It is strongly recommended to complete the webhook configuration to ensure a seamless user experience immediately following new device enrollments.
Step 2: Configure a Network Relay Activation Profile
Navigate to Devices > Activation Profiles. Select the Create profile button.
Select the Network access capability, then click Next.
You may optionally deploy the Security (Network threat protection and mobile threat defense) and/or Content controls (category content filtering) capabilities; however, those require the added step of deploying the Jamf Trust app, which is not in scope of this document.
When prompted for Authentication, select Managed device attestation, then click Next.
If you require always-on connectivity that the user cannot disable, select Locked-down.
Provide a Name for the activation profile for easy reference. We’d suggest “Vision Pro Network Relay”.
Define a Group to add the devices to that activate using this profile. We’d suggest “Vision Pro Devices” unless you have an alternative device group policy already. You can always change this later. Click Next.
Review the configuration then select Save and Create.
Step 3: Deploy the Activation Profile to Vision Pro Devices
This step requires that UEM Connect was configured successfully.
On the screen that appears, make sure the Jamf Pro and iOS/iPadOS/tvOS/visionOS buttons are selected. Expand Configuration profiles.
Under UEM actions, select the UEM group pull down menu and select the Vision Pro smart group you created in Pro in a previous step.
Note: if your group doesn’t appear when clicked, begin typing the name of the smart group, and it should appear.
If you skip this step, you’ll need to manually scope the mobile configuration profile that is pushed to Pro to a smart group.
When ready, click Deploy to Jamf Pro. This will deploy the Relay configuration to all devices matching the defined Smart Group’s criteria.
Note: At this point, no access policies have been defined so while the Relay configuration will be pushed to the device, no traffic will be routed using it. We’ll configure that next.
Configure a Sample Access Policy
In this section, we configure routing and policies to send select enterprise traffic from the Vision Pro to an example SaaS destination, validating that routing is working properly on your Vision Pro.
This guide uses a “Shared Internet Gateway” for simplicity purposes to get Vision Pro Relay-based routing up and running.
For production use, it is strongly recommended to configure and use a Dedicated Internet Gateway or Dedicated IPSec gateway based upon your connectivity and security requirements. Navigate to Integrations > Access gateways in Jamf Security Cloud to configure private gateways, which then may be easily used instead of a Shared Gateway as configured in this guide.
Step 1: Configure the My IP on a Map Access Policy
In Jamf Security Cloud, navigate to Policies > Access policy and click Create policy.
Select Predefined App, choose My IP on a Map from the available applications, then click Next.
Optionally define a Category, then click Next.
The sample hostnames for the My IP on a Map application are already defined. Click Next to proceed.
Optionally select the device groups that should have access to this app, which must include the Vision Pro device group you may have defined earlier (if All is not selected).
Enable Access requires device to be managed then click Next.
To simplify testing, we recommend leaving risk validation disabled at this point. Once deployment is validated and risk-based validation is well understood, it is a great feature to enable!
On the Application traffic routing screen, be sure that Encrypt and route via ZTNA: is selected, then select Nearest Data Center.
For this specific My IP on a Map test app, we recommend not using a custom access gateway.
Leaving other configurations at their default settings, click Next.
Review the configuration then click Save and create app.
Step 2: Redeploy the Network Relay Access Policy
Navigate to Devices > Activation Profiles and select the activation profile you defined earlier.
Expand Configuration profiles then click Deploy to Jamf Pro.
Step 3: Confirm Relay Routing on the Device
On the Vision Pro, open Safari.
Navigate to map.wandera.com
If you see an IP address and a map, congratulations! Your relay configuration is working correctly.
If you see “Forbidden”, re-check the above steps and make sure the Relay configuration is deployed to your device in the Settings visionOS app under VPN & Relays.
Microsoft Conditional Access: Using a Relay for Device Compliance
Microsoft Conditional Access policies are an important foundation of modern Zero Trust architecture. By leveraging Microsoft’s Conditional Access Policies with Jamf’s Microsoft Device Compliance integration, Entra administrators may restrict login to SSO apps to only devices that are managed by Jamf.
However, the Device Compliance Integration comes with two challenges on the Vision Pro:
At the current time, Microsoft Authenticator does not support Device Compliance on Vision Pro. This means a properly MDM-managed Vision Pro is unable to access critical apps when it should be allowed to do so.
Setting up Device Compliance – even once Authenticator supports it on visionOS – requires specific user steps to mark the device as compliant in Entra. This adds user experience on-boarding friction, and failure to follow these steps prevents a user from accessing critical apps on their device.
Using Jamf’s Relay service in combination with Microsoft Conditional Access policies, both of these challenges are eliminated. Instead of relying on marking the device as “Compliant” in Entra, that bit is left unset and a device’s compliance state is established via Jamf’s advanced Relay architecture instead.
How it Works
A managed device is deployed a mobile configuration profile with Network Relay and ACME payloads.
Using Managed Device Attestation, the ACME certificate is issued to the device after the hardware is validated by Apple’s attestation servers. The private key for the certificate is locked in the device’s Secure Enclave and can never be viewed or shared.
A mutual-TLS QUIC/HTTP3 (MASQUE) Relay tunnel is used to encapsulate all Microsoft Entra authentication traffic leaving the device. This tunnel obfuscates all Entra traffic, protects it from Adversary in the Middle TLS attacks, and leverages QRC where supported.
Jamf’s relay service terminates the inbound MASQUE tunnel, verifying the integrity of the device’s identifier via the client TLS certificate while also verifying the device is enrolled into the customer’s linked Jamf Pro tenant and satisfies other compliance and access policies. The Entra traffic is not decrypted or otherwise modified in this process!
Assuming all of those checks are passed, the Entra traffic is egressed to the Internet using tenant-dedicated, globally highly available IP addresses. In other words, only genuine Apple devices that are actively enrolled and compliant in the customer’s linked Jamf Pro environment are able to use these dedicated Internet IP addresses.
These IP addresses are configured as Named Locations in Microsoft Conditional Access configuration.
These named locations are used to bypass the typical Jamf Device Compliance policy used for non-Vision Pro Jamf-managed devices. The same Named Locations are used for a new Conditional Access policy that permits access from devices originating from the Named Location (IPs) without requiring Device Compliance.
The net effect is the same: instead of sending the device compliance bit to Entra to determine Conditional Access policy, the compliance check happens on the Jamf platform. Only managed and compliant devices will ever be able to use the trusted IP / Named Location. This approach also adds significant user experience improvements (no specific end user setup steps required) while greatly enhancing security by encapsulating and protecting Entra traffic over any trusted or untrusted network the device finds itself on.
Configuring Entra Conditional Access Policies to Support Vision Pro
Pre-Requisites
You have successfully configured and deployed the My IP on a Map sample SaaS app.
You – or a colleague you can work with – have access to configure Microsoft Conditional Access Policies.
Step 1: Create a Dedicated Internet Egress Gateway
In this step, you will create a pair of dedicated global (public) IP addresses that will be uniquely available to your organization and no one else.
In Jamf Security Cloud, navigate to Integrations > Access gateways.
Next to Dedicated internet gateway select Create Gateway.
Provide a Name for the gateway and define an Egress region of your choice.
Note: you can create multiple dedicated internet gateways and then “group” them. This enables the nearest egress gateway to be used for a user that may be connecting to a Jamf point-of-presence in that region. This configuration is out of the scope of this document, contact Jamf Support if additional assistance is required.
Once created, take note of the two Public IPs that are returned. These will be used in the Named Locations configuration in Microsoft Entra.
Step 2: Create a Microsoft Entra Access Policy using the Dedicated IP Gateway
In Jamf Security Cloud, navigate to Policies > Access Policies, then click Create Policy.
Select Predefined App, then select Microsoft Authentication from the list of apps that appear.
Note: It is not required to configure other Microsoft apps as shown in the access policies for Conditional Access controls to work.
Optionally define a Category, then click Next.
The hostnames for Microsoft Entra are already defined. Unless you are using a very specialized Entra configuration, click Next to proceed.
Optionally select the device groups that should have access to this app, which must include the Vision Pro device group you may have defined earlier (if All is not selected).
Enable Access requires device to be managed then click Next.
To simplify testing, we recommend leaving risk validation disabled at this point. Once deployment is validated and risk-based validation is well understood, it is a great feature to enable!
On the Application traffic routing screen, be sure that Encrypt and route via ZTNA: is selected, then select the Dedicated Internet Gateway you created in the previous step.
Leaving other configurations at their default settings, click Next.
Review the configuration then click Save and create app.
Step 3: Re-Deploy Relay Configuration and Validate on the Device
In Jamf Security Cloud, navigate to Devices > Activation Profiles and select the activation profile you defined earlier.
Expand Configuration profiles then click Deploy to Jamf Pro.
On the Vision Pro, open the Settings app and navigate to VPNs & Relays. Select the “i” option next to the Network Relay and verify you see login.microsoftonline.com in the list of hostnames.
Step 4: Create a Named Location in Microsoft Entra
Using an appropriately authorized Microsoft Entra credential, login to Microsoft Entra.
In the left-hand navigation under Entra ID, navigate to Conditional Access.
Under Manage, select Named locations.
Click + IP ranges location.
Define a Name, we’d suggest Jamf Relay-Compliant Devices, and check the Mark as trusted location checkbox.
Click the + button to add each IP address that you copied earlier from the Dedicated Internet Egress configuration in Jamf Security Cloud.
Be sure to append /32 to the end of each IP address that is entered.
When done click Create to create the Named Location.
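The same Named Location can be created through Microsoft Graph, which makes the /32 requirement easy to enforce programmatically. The script below is an added example and is not part of the article; it assumes the Graph v1.0 namedLocations endpoint and the ipNamedLocation / iPv4CidrRange object types, and the two egress addresses are constructed TEST-NET placeholders standing in for the Public IPs returned by your Dedicated Internet Gateway.

```python
"""Build (and optionally submit) an Entra IP Named Location for the Jamf dedicated egress IPs.

Added example, not Jamf's or Microsoft's code. Graph endpoint and @odata.type
values are assumptions to confirm against the Microsoft Graph documentation.
"""
import ipaddress
import json
import urllib.request

# Constructed placeholders (RFC 5737 TEST-NET), not real Jamf egress addresses.
EGRESS_IPS = ["203.0.113.10", "198.51.100.20"]


def host_cidr(ip_text: str) -> str:
    """Return the single-host CIDR (/32 or /128) for one egress IP; reject anything wider.

    The dedicated gateway hands back individual addresses, so a range here is a
    copy/paste mistake that would trust far more than the two Jamf egress IPs.
    """
    network = ipaddress.ip_network(ip_text.strip(), strict=True)  # raises on host bits with a short prefix
    if network.num_addresses != 1:
        raise ValueError(f"{ip_text}: dedicated egress gateways are single hosts, not ranges")
    return str(network)


def build_named_location(display_name: str, egress_ips: list, trusted: bool = True) -> dict:
    """Graph payload for POST /identity/conditionalAccess/namedLocations (assumed shape)."""
    ranges = []
    for ip in egress_ips:
        cidr = host_cidr(ip)
        kind = "iPv6CidrRange" if ":" in cidr else "iPv4CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}", "cidrAddress": cidr})
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": trusted,          # "Mark as trusted location"
        "ipRanges": ranges,
    }


def submit_named_location(payload: dict, bearer_token: str) -> dict:
    """Create the location in Entra; needs Policy.ReadWrite.ConditionalAccess (assumed endpoint)."""
    req = urllib.request.Request(
        "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Offline by default: review the JSON before granting it trusted status in the tenant.
    print(json.dumps(build_named_location("Jamf Relay-Compliant Devices", EGRESS_IPS), indent=2))
```

The strict parse is the important part: pasting "203.0.113.0/24" instead of the two hosts would make every address in that block a trusted location, so the builder refuses it rather than silently widening the trust boundary.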
Step 5: Exclude the Jamf Named Location from Device Compliance Conditional Access Policies
To avoid access lockouts or other end user impacts, be sure to follow these steps very carefully!
This step modifies existing Conditional Access policies to exclude devices whose traffic originates from your tenant’s dedicated Jamf IPs from being subject to conditional access policies that require device compliance to be set by Jamf (which is currently not supported by Microsoft). In the next step, we’ll add a new policy to allow those devices to have access to these resources.
There will be no impact to non-Vision Pro devices, and no unauthorized devices will gain access by following these steps.
In Entra > Conditional Access, navigate to Policies.
For each Conditional Access policy that requires device compliance but should be usable by a Vision Pro, do the following:
Click the Policy name to open it.
Under Assignments, select Network.
If not already configured, set Configure to Yes.
If not specifically configured before, be sure that Any network location under the Include tab is selected.
Select the Exclude tab, and choose the Selected networks and locations option.
Under Select, define the Named Location you created in the previous step.
Click Save when
At this point, there will be no net impact to any device’s ability to access resources via Conditional Access. Effective policy is exactly the same as before.
Step 6: Create a Vision Pro Conditional Access Policy
In this step, we’ll create the policy that will allow Vision Pro devices – with their traffic egressing via your tenant’s dedicated Jamf IPs – to access the apps and resources they are authorized to use.
In Entra > Conditional Access, navigate to Policies.
Click + New Policy.
Provide a Name, we’d suggest Vision Pro Conditional Access.
Select Users then select All users.
You can define more narrow users here, but since this policy will only apply to devices enrolled into Jamf Pro with the Relay profile deployed, this is usually not required.
Select Target resources then specify the resources/apps that users on Vision Pro devices should have access to.
Select Network then set Configure to Yes. Select Selected networks and locations, then select the Jamf Dedicated IPs Named Location you created earlier.
Under Conditions, optionally define User/Sign-in/Insider risk as appropriate. Leave other settings Not configured.
Under Access controls > Grant, be sure Require device to be marked as compliant is NOT checked. It is highly recommended to configure either Require multifactor authentication or Require authentication strength settings to leverage Microsoft Authenticator and Optic ID capabilities.
Unless there is a specific reason to do so, leave all settings unchecked in the Session settings of the policy.
Verify your settings, then set Enable policy to On. Click Create.
Step 7: Verify Conditional Access Policies with What If Tester
In this step, we are going to validate that all necessary conditional access policies have been adjusted for a Vision Pro to login to a given Entra app.
In Entra > Conditional Access, navigate to Policies.
Choose the What if button at the top of the screen.
Under User, define a sample user that matches the Vision Pro Conditional Access policy that was just created.
Under target resource, select an app/resource that matches the Vision Pro Conditional Access policy that was just created.
Under device platform, select iOS.
Under Client app, select Modern apps and desktop clients - modern authentication clients.
Under IP address, specify one of the Public IPs that were created for the Named Location in a previous step.
Under country, select a country that is near the IP address defined.
This is a required step for the What if simulator.
Click the What if button.
In the resulting policies, you should only see the Vision Pro Conditional Access policy created before. If you see other policies:
If the policy indicates it requires device compliance, edit that policy and add the Jamf Named Location as a Network exception per Step 5 above.
If the policy does not require device compliance, it does not need to be modified, but the Vision Pro and its user will be subject to whatever additional policies are defined there.
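Steps 5 through 7 are easier to reason about as a small policy evaluation: a compliance policy that excludes the Jamf Named Location, a Vision Pro policy that includes only that location, and a What If style check for a request from a relay IP versus one from anywhere else. The following model is an added example written for this article, not Entra's evaluation engine or Jamf code; the policy names, user, app and IP addresses are constructed, and the network condition is simplified to include/exclude named locations only (no platform, client app or risk conditions).

```python
"""Minimal What-If style evaluator for the Named Location + compliance policy pattern.

Added example, not Microsoft's or Jamf's code. Simplified model: user scope,
target resource and the Network include/exclude condition only.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed TEST-NET addresses standing in for the two dedicated Jamf egress IPs.
LOCATIONS: Dict[str, List[str]] = {
    "Jamf Relay-Compliant Devices": ["203.0.113.10/32", "198.51.100.20/32"],
}


@dataclass
class Policy:
    name: str
    grant: Set[str]                              # e.g. {"compliantDevice"} or {"mfa"}
    users: Optional[Set[str]] = None             # None means "All users"
    resources: Optional[Set[str]] = None         # None means all target resources
    include_locations: Optional[List[str]] = None  # None means "Any network location"
    exclude_locations: List[str] = field(default_factory=list)
    enabled: bool = True


@dataclass
class Request:
    user: str
    resource: str
    ip: str


def ip_in_location(ip: str, cidrs: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def policy_applies(policy: Policy, req: Request, locations: Dict[str, List[str]]) -> bool:
    """Mirror the Assignments tab: users, target resources, then Network include/exclude."""
    if not policy.enabled:
        return False
    if policy.users is not None and req.user not in policy.users:
        return False
    if policy.resources is not None and req.resource not in policy.resources:
        return False
    if policy.include_locations is not None and not any(
        ip_in_location(req.ip, locations[name]) for name in policy.include_locations
    ):
        return False
    if any(ip_in_location(req.ip, locations[name]) for name in policy.exclude_locations):
        return False  # Step 5: the Jamf location is excluded from the compliance policy
    return True


def what_if(policies: List[Policy], req: Request, locations: Dict[str, List[str]]) -> Tuple[List[str], Set[str]]:
    """Return the policy names that apply and the union of their grant controls."""
    applied = [p for p in policies if policy_applies(p, req, locations)]
    controls: Set[str] = set()
    for p in applied:
        controls |= p.grant
    return [p.name for p in applied], controls


# Before Step 5: the compliance policy covers every network location.
POLICIES_BEFORE = [
    Policy("Require compliant device (Jamf)", grant={"compliantDevice"}),
]

# After Steps 5 and 6: the Jamf location is carved out, and a Vision Pro policy covers it with MFA.
POLICIES_AFTER = [
    Policy("Require compliant device (Jamf)", grant={"compliantDevice"},
           exclude_locations=["Jamf Relay-Compliant Devices"]),
    Policy("Vision Pro Conditional Access", grant={"mfa"},
           include_locations=["Jamf Relay-Compliant Devices"]),
]

if __name__ == "__main__":
    relay = Request("ana@example.com", "Microsoft Teams", "203.0.113.10")   # via the Jamf relay
    laptop = Request("ana@example.com", "Microsoft Teams", "192.0.2.50")    # any other network
    for label, req in (("relay", relay), ("laptop", laptop)):
        print(label, "before:", what_if(POLICIES_BEFORE, req, LOCATIONS))
        print(label, "after: ", what_if(POLICIES_AFTER, req, LOCATIONS))
```

Running it shows the two properties the article relies on: a request from any non-relay address hits exactly the same policy before and after the change (Step 5 has no net impact), and a request from a relay IP is governed only by the Vision Pro policy, so compliance is effectively decided by which devices Jamf lets onto those addresses. If the "after" result for a relay IP lists a second policy, that is the case described in the last two bullets above.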
Step 8: Login to Business App on the Vision Pro
With the above configuration in place, you are now ready to login to Microsoft resources on your Vision Pro!
(Optional but recommended) On the Vision Pro, login using a Company account in the Microsoft Authenticator visionOS app.
Note: It is highly recommended to configure Extensible Single Sign On with Microsoft Authenticator for a seamless Optic ID-based login user experience.
Open a native app (e.g. Teams) or a browser-based app that requires login with Entra.
Log in as normal, following MFA prompts as required.
If everything works, you’ll be logged in!
If you see the “You can’t get there from here” error, there is a problem with your Conditional Access policies for the app you are trying to access. Please double check the configuration using Entra’s “What if” tool.
Step 9: Monitor Usage and Stream Access Events to SIEM (optional)
Now, with your Vision Pros authenticating correctly, you can use Jamf Security Cloud to review access logs and stream access events to your SIEM for SOC visibility.
Login to Jamf Security Cloud, navigate to Reports > Event Log.
All activity that routes via the service will appear here, including the device name, risk posture, and routing disposition.
Navigate to Integrations > Data Streams and click New Configuration.
Select Network Traffic and specify your SIEM / data destination per our documentation.
Next Steps
With a sample app or IdP conditional access configurations in place, you can now configure additional access policies and access gateways to enable your Vision Pro to seamlessly access resources on private networks or locked behind IP-based firewall rules.
You can also enroll and activate macOS, iOS, iPadOS, Android and Windows devices using this established configuration to unlock seamless networking on those devices as well.