Implementation Roadmap
  • 09 Mar 2023

Realizing Trusted Access completely is not something you turn on overnight. Depending on your organization's size and complexity, designing, planning, and implementing these changes can take considerable time and effort.

The phased approach below is a suggested order of work that strengthens data security while supporting hybrid working.

Phase 1: Establish Ubiquitous Device Management and Strong User Identity

The Trusted Access journey begins by enrolling as many company-owned and personally-owned devices as possible into the appropriate form of device management. This is the foundation for distinguishing your organization's sanctioned devices from every other device in the world.

In the first phase, your organization must also adopt a cloud-based identity provider (even if it is federated with an on-premises identity authority or directory service) and enforce Multi-factor Authentication (MFA) on it.

Phase 2: Deploy Endpoint Security, Identity, and Private Access

Once your organization's devices are managed, the next phase ensures your endpoints are protected from threats, compliant with policies, and adequately monitored for risk. Jamf Private Access is deployed to provide basic risk-based access control to applications. This is also the phase in which you bring cloud identity to your macOS devices.

Phase 3: Implement Advanced ZTNA and Conditional Access

With devices fully managed and security baselines established, the next step is to enable more granular and secure access to company resources.

  • Remove or reduce the "wildcard" scope of Jamf Connect policies, replacing them with well-defined app-level policies.
  • Configure partner conditional access integrations to enable more granular access controls for macOS devices that are connecting to cloud-based resources.
  • Close all inbound ports from the open internet to applications via your firewalls (e.g. Static NATs, Port Forwarding) and use Jamf Connect for those apps instead.
  • Remove or restrict "internal routing" that allows devices to freely communicate with each other across networks and offices without any brokered access controls. Use Jamf Connect for these connections instead.

Phase 4: Secure Organizational Data to Trusted Users and Devices Only

The final phase to realize Trusted Access is to leverage all of the work in the previous phases to only allow access to sensitive data resources from sanctioned devices and users. This means preventing use of these resources from all other devices.

  • Learn about and plan for App and Infrastructure Cloaking in your environment.
  • Restrict Access for Anonymous Devices on applications that both need to be protected from attack and serve as a "carrot" that keeps employees compliant. Typical apps include:
    • Email Communications (Exchange, Gmail)
    • Chat Communications (Slack / Teams)
    • File Sharing (Box / Dropbox)
    • Source code and software development management systems (Github, JIRA)
    • HR and Payroll data systems (Workday, Gusto, ADP)
    • ERP/CRM systems (SAP, Salesforce)
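The Phase 3 and Phase 4 steps above amount to a change in access-decision logic: a single wildcard policy that only asks "is the device managed?" is replaced by per-app policies that also require MFA, compliance, and an acceptable risk level, with anything unlisted denied by default. The following is an added example written for this page, not Jamf's code or API; it is a small illustrative decision model in Python. All hostnames (payroll.example.com and so on), users, devices, and the policy fields are constructed for the example and are assumptions about what such a policy would contain.

```python
# Added example (not Jamf's code): a minimal conditional-access decision model
# encoding the Phase 3/4 rules. Hosts, users, devices and policies are constructed.
from dataclasses import dataclass
from fnmatch import fnmatch

RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool        # enrolled in device management (Phase 1)
    compliant: bool      # meets the endpoint-security baseline (Phase 2)
    risk: str = "low"    # "low" | "medium" | "high", as reported by endpoint security


@dataclass(frozen=True)
class User:
    upn: str
    mfa: bool            # satisfied MFA at the cloud identity provider (Phase 1)


@dataclass(frozen=True)
class AppPolicy:
    app_pattern: str              # glob over the app hostname; "*" is the wildcard scope to retire
    require_mfa: bool = True
    require_managed: bool = True  # False would admit anonymous (unmanaged) devices
    require_compliant: bool = True
    max_risk: str = "low"         # highest device risk level the app tolerates


def evaluate(policies, app, user, device):
    """Decide one access request. First matching policy wins; no match is a deny."""
    for pol in policies:
        if not fnmatch(app, pol.app_pattern):
            continue
        if pol.require_mfa and not user.mfa:
            return False, f"{app}: MFA not satisfied"
        if pol.require_managed and not device.managed:
            return False, f"{app}: anonymous (unmanaged) device"
        if pol.require_compliant and not device.compliant:
            return False, f"{app}: device not compliant"
        if RISK_ORDER[device.risk] > RISK_ORDER[pol.max_risk]:
            return False, f"{app}: device risk {device.risk} exceeds {pol.max_risk}"
        return True, f"{app}: allowed by policy {pol.app_pattern!r}"
    return False, f"{app}: no matching policy (default deny)"


def wildcard_scopes(policies):
    """Phase 3 check: list policy patterns that match every app or a whole domain."""
    return [p.app_pattern for p in policies if p.app_pattern.startswith("*")]


# Constructed sample identities and devices.
ALICE = User("alice@example.com", mfa=True)
BOB_NO_MFA = User("bob@example.com", mfa=False)
MANAGED_OK = Device("mdm-0001", managed=True, compliant=True, risk="low")
MANAGED_RISKY = Device("mdm-0002", managed=True, compliant=True, risk="high")
ANONYMOUS = Device("unknown", managed=False, compliant=False, risk="high")

# Phase 2 posture: one wildcard policy that only insists on a managed device.
WILDCARD_POLICIES = [
    AppPolicy("*", require_mfa=False, require_compliant=False, max_risk="high"),
]

# Phase 3/4 posture: app-level policies; anything unlisted is denied by default.
APP_LEVEL_POLICIES = [
    AppPolicy("payroll.example.com", max_risk="low"),                          # HR/payroll: strictest
    AppPolicy("git.example.com", max_risk="medium"),                           # source code
    AppPolicy("wiki.example.com", require_compliant=False, max_risk="medium"),
]


def compare(app, user, device):
    """Same request under both postures; returns (wildcard_allowed, app_level_allowed)."""
    return (evaluate(WILDCARD_POLICIES, app, user, device)[0],
            evaluate(APP_LEVEL_POLICIES, app, user, device)[0])


if __name__ == "__main__":
    requests = [
        ("payroll.example.com", ALICE, MANAGED_RISKY),   # high-risk device reaching payroll
        ("payroll.example.com", BOB_NO_MFA, MANAGED_OK),  # MFA never completed
        ("legacy.example.com", ALICE, MANAGED_OK),        # app nobody wrote a policy for
        ("payroll.example.com", ALICE, ANONYMOUS),        # unmanaged device
    ]
    print("wildcard scopes still present:", wildcard_scopes(WILDCARD_POLICIES))
    for app, user, dev in requests:
        for name, pols in (("wildcard", WILDCARD_POLICIES), ("app-level", APP_LEVEL_POLICIES)):
            allowed, reason = evaluate(pols, app, user, dev)
            print(f"{name:9} {'ALLOW' if allowed else 'DENY '} {user.upn} {dev.device_id} -> {reason}")
```

Running the script shows the point of Phase 3: under the wildcard posture a high-risk managed device and a user who never completed MFA both reach payroll, and an app with no explicit policy is reachable at all; under the app-level posture every one of those requests is denied, and the only path to a sensitive app is a managed, compliant, low-risk device with an MFA-backed identity. Real ZTNA and conditional-access products evaluate many more signals than these four fields, but the shape of the decision is the same.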
