- 17 Jan 2023
- 5 Minutes to read
Enabling Access for Trusted Devices
The Trusted Access solution calls for the use of Private Access, Jamf's cloud-native Zero Trust Network Access product, to facilitate high-performance and user-friendly connectivity while delivering advanced network security capabilities for any SaaS, private cloud, or on-prem application.
You may also use partner integrations that utilize API signaling to indicate a given device's management and compliance state. These integrations only apply to a subset of applications, and may be used instead of or in addition to Private Access depending on your requirements.
Private Access should not be confused with other VPN and ZTNA products. While it does provide secure remote access to resources like a VPN, it uniquely enables Trusted Access in some very significant ways:
- It is cloud-native, utilizes next-generation WireGuard tunneling technology and adopts advanced identity integrations, which together deliver a nearly invisible user experience that users actually like.
- It is designed from the ground-up upon least privilege access principles, ensuring that authorized users can only access the data they need, not everything on the internal network.
- It integrates natively with Jamf management and security products to ensure only sanctioned and secure devices are able to access resources based upon your own risk-based policy definition.
As a result, a third-party VPN solution cannot satisfy the requirements necessary to realize Trusted Access.
For macOS devices, you are able to further configure Partner Conditional Access via Jamf Pro to enable those partner services to allow or deny access based upon device compliance state (e.g. Smart Group membership).
Deploying Private Access
By deploying Private Access, you are creating a trusted and private network path between managed endpoints and all of your organization's applications.
You will need access to a Jamf Security Cloud RADAR account that is licensed for Private Access to complete these steps.
If you do not have an account, please contact your sales rep so they may spin up a free demo account for you!
Follow these steps to get Private Access up and running in your environment to establish fast and secure connectivity:
- Review and understand the Private Access Architecture, or watch this 20-minute JNUC'21 video introducing you to it.
- Login to your RADAR account and link your identity provider to allow end users to activate Private Access via the Jamf Trust app using their corporate credentials.
- Create an Activation Profile that configures the Zero Trust Network Access and Data Policy and Threat Defense service capabilities and utilizes your identity provider for authentication.
- Make sure you disable Identity-based Provisioning for your newly created activation profile. This will ensure only managed devices may activate using it.
- You may create other activation profiles that do use this feature to cover contractor devices or other devices that cannot be enrolled in MDM, but those profiles should only grant very narrow access instead.
- Define device groups that will be used to map users and their devices to specific apps they should (or should not) be able to access (e.g. "Executives", "Engineering", "Sales").
- Configure integration with Jamf Pro.
- Establish secure access to your applications and data resources by configuring one or more private interconnect gateways between the Jamf Security Cloud and your data center(s) and private cloud(s).
- Configure Custom DNS zone(s) if you use an internal domain name server or split-brain DNS to reach internal resources.
- Configure Access Policies that define your organization's applications, their access policies, and reachability (either via the public internet or a configured private interconnect gateway).
- If the app you are defining contains sensitive data, be sure to limit access to only the groups that need it in the Users and Groups tab, and define the maximum tolerable risk level in the Security tab of the access policy.
- Note: you can customize the severity of each threat category that determines a device's risk score using RADAR's security policy configuration.
- Deploy Jamf Trust to devices (the Private Access endpoint agent) using Jamf Pro or other applicable device management tools for your enrolled devices' platforms.
- For BYOD iOS/iPadOS devices, be sure to follow the specific "Deploy Jamf Trust" instructions in the User Enrollment article.
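The steps above combine three signals before a device reaches an application: whether it could activate at all (managed-only activation profiles), whether its user is in a group the access policy permits, and whether its risk score, built from severity-weighted threat categories, stays within the policy's maximum tolerable risk. The following Python model is an added illustration of that decision order, not Jamf's or RADAR's own code; the severity weights, risk-level thresholds, profile and policy names and the sample devices are all constructed assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed severity weights per threat category. RADAR lets an administrator tune
# these per category; the numbers below are constructed for this example only.
SEVERITY = {
    "malware": 10,
    "jailbreak": 10,
    "risky_wifi": 5,
    "outdated_os": 3,
}

# Ordered risk levels; an access policy states the highest level it tolerates.
RISK_ORDER = ["low", "medium", "high"]


@dataclass
class ActivationProfile:
    name: str
    identity_based_provisioning: bool  # False = only managed devices may activate


@dataclass
class Device:
    user: str
    managed: bool                    # enrolled in Jamf Pro (or another MDM)
    profile: ActivationProfile       # profile the device activated with
    groups: set = field(default_factory=set)     # device groups, e.g. "Engineering"
    threats: list = field(default_factory=list)  # detected threat categories


@dataclass
class AccessPolicy:
    app: str
    allowed_groups: set          # empty set = any activated device may connect
    max_risk: str = "low"        # highest risk level the app tolerates


def risk_score(device: Device) -> int:
    """Sum the configured severity of every threat detected on the device."""
    return sum(SEVERITY.get(t, 0) for t in device.threats)


def risk_level(device: Device) -> str:
    """Bucket the score into a level (thresholds are assumptions for the example)."""
    score = risk_score(device)
    if score == 0:
        return "low"
    if score < 8:
        return "medium"
    return "high"


def can_activate(device: Device) -> bool:
    """A profile with identity-based provisioning disabled admits managed devices only."""
    return device.managed or device.profile.identity_based_provisioning


def evaluate(device: Device, policy: AccessPolicy) -> tuple[bool, str]:
    """Apply the checks in order: activation, group scope, then risk tolerance."""
    if not can_activate(device):
        return False, "device cannot activate: unmanaged on a managed-only profile"
    if policy.allowed_groups and not (policy.allowed_groups & device.groups):
        return False, f"{device.user} is not in a group permitted for {policy.app}"
    level = risk_level(device)
    if RISK_ORDER.index(level) > RISK_ORDER.index(policy.max_risk):
        return False, f"device risk {level} exceeds tolerated {policy.max_risk}"
    return True, "allowed"


# Constructed sample profiles, policies and devices.
MANAGED_ONLY = ActivationProfile("Corporate", identity_based_provisioning=False)
CONTRACTOR = ActivationProfile("Contractor", identity_based_provisioning=True)

PAYROLL = AccessPolicy("payroll", allowed_groups={"Executives", "Finance"}, max_risk="low")
WIKI = AccessPolicy("wiki", allowed_groups=set(), max_risk="medium")

DEVICES = {
    "clean_exec": Device("alice", True, MANAGED_ONLY, {"Executives"}),
    "risky_exec": Device("alice", True, MANAGED_ONLY, {"Executives"}, ["risky_wifi"]),
    "engineer": Device("bob", True, MANAGED_ONLY, {"Engineering"}),
    "unmanaged": Device("eve", False, MANAGED_ONLY, {"Executives"}),
    "contractor": Device("carol", False, CONTRACTOR, set(), ["outdated_os"]),
}

if __name__ == "__main__":
    for name, dev in DEVICES.items():
        for pol in (PAYROLL, WIKI):
            print(f"{name:11} -> {pol.app:8}", evaluate(dev, pol))
```

Running the block shows why the order of checks matters: the unmanaged device never reaches the group or risk checks, the same executive is allowed into the wiki but not payroll once a risky Wi-Fi threat raises her device to medium risk, and the contractor profile admits an unmanaged device only to the policy with no group restriction.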
When Private Access is properly deployed and configured, all enterprise application connectivity is encrypted to the Jamf Security cloud and subject to access policies that have been defined.
For a technical under-the-hood explanation of how Private Access works, check out our Network Engineer's Guide to Private Access.
Partner Management State Integrations
While Private Access is used to enable network-based connectivity and access control to any TCP or UDP application – including SaaS and private on-premise apps – it is possible to signal a device's management state and other metadata via integrations with select partners.
This allows the partner's platform to determine if a given device is managed by Jamf Pro and meets specific compliance requirements. It can also be used to signal the device's compliance state or risk level to drive Risk-based Access to company data. These signals are used to inform policies as defined in the partner's access platform.
Jamf's partner management integrations include:
- AWS Verified Access for macOS
- Integrating with Microsoft Intune to Enforce Compliance on Mac Computers Managed by Jamf Pro
- Google BeyondCorp Enterprise Integration with Jamf Pro
Enhancing Login Security and End User Experience
As the industry moves towards a password-less future, the foundations for more secure and seamless login capabilities are already here.
See Enhancing and Securing Logins to learn how to not only improve app login security, but dramatically improve user experience as well.
Restricting Access for Anonymous Devices
Upon implementing one or both of the above strategies to identify trusted devices, your next step is to configure applications to only allow connections from these "trusted" devices.
See Restricting Access for Anonymous Devices for details.