Jamf Connect's Zero Trust Network Access operates on a "Per-Application" basis via its Zero Trust Network Access policies. This means that users and their devices may only access network-based applications—and their data—if they are authorized. These policies are defined by destination hostnames (for example, sharepoint.company.com), whereby permitted devices can access those hostnames from any native app or browser.

Per-App VPN, however, refers to a client-side VPN capability that allows administrators to lock a VPN interface to specific managed source applications. Apps that have not been authorized to use the Per-App VPN operate as if the VPN isn't installed on the device, even when trying to reach a hostname that is authorized for that device in an Access Policy in Jamf Security Cloud.

Important:

When deploying Zero Trust Network Access via Per-App VPN, only traffic from authorized applications is sent to Jamf Security Cloud by definition. This means that some device-wide network security capabilities—like anti-phishing and content filtering—are not available across the other applications and browsers installed on the device when Per-App VPN is used.

If you want to apply device-wide protection, consider the following options:

  • Do not deploy any Per-App VPN configurations. This forces Zero Trust Network Access to operate in a device-wide/profile-wide mode.
  • Deploy Jamf Security Cloud's Cloud Proxy to the device in addition to the Per-App VPN, to pick up and inspect all non-VPN traffic.
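
The following is an added example, not Jamf code or a Jamf API: a simplified Python model of the two checks described above (source app in the Per-App VPN, destination hostname in an Access Policy) that reports which installed apps are left without device-wide protection. The bundle IDs, the `DeviceConfig` fields and the exact-match hostname comparison are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

TUNNEL = "sent to Jamf Security Cloud"
PROXY = "non-VPN traffic inspected by Cloud Proxy"
BYPASS = "behaves as if no VPN is installed"

@dataclass(frozen=True)
class DeviceConfig:
    # Hypothetical fields. None means no Per-App VPN configuration is
    # deployed, so ZTNA runs in device-wide mode.
    per_app_vpn_apps: Optional[FrozenSet[str]] = None
    cloud_proxy: bool = False

def route(cfg: DeviceConfig, app: str) -> str:
    """Classify how traffic from one source app leaves the device."""
    if cfg.per_app_vpn_apps is None or app in cfg.per_app_vpn_apps:
        return TUNNEL
    return PROXY if cfg.cloud_proxy else BYPASS

def reaches_via_ztna(cfg, app, host, policy_hosts) -> bool:
    """Both gates must pass: the app uses the tunnel and the hostname is
    in an Access Policy (exact match here, a simplification)."""
    return route(cfg, app) == TUNNEL and host in policy_hosts

def unprotected_apps(cfg, installed):
    """Apps whose traffic gets neither ZTNA nor Cloud Proxy inspection."""
    return sorted(a for a in installed if route(cfg, a) == BYPASS)

# Constructed sample data.
POLICY_HOSTS = {"sharepoint.company.com"}
INSTALLED = {"com.example.mail", "com.example.browser", "com.example.chat"}
MANAGED = frozenset({"com.example.mail"})

if __name__ == "__main__":
    configs = {
        "per-app VPN only": DeviceConfig(MANAGED, cloud_proxy=False),
        "per-app VPN + Cloud Proxy": DeviceConfig(MANAGED, cloud_proxy=True),
        "device-wide": DeviceConfig(None),
    }
    for name, cfg in configs.items():
        print(f"[{name}]")
        for app in sorted(INSTALLED):
            ok = reaches_via_ztna(cfg, app, "sharepoint.company.com", POLICY_HOSTS)
            print(f"  {app}: {route(cfg, app)}; ZTNA access={ok}")
        print(f"  unprotected: {unprotected_apps(cfg, INSTALLED)}")
```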