You can use custom applications to define and manage applications that are not already predefined in Jamf Security Cloud. Custom applications can be used in access policies and reports.

  1. In Jamf Security Cloud, navigate to Policies > Access > Access policy.
  2. Click Create policy.
  3. Under Custom app, click Define app.
  4. Enter a Name and select a Category for the application.
  5. Click Next.
  6. In the Application hostnames field, enter a hostname or paste a line-separated list of hostnames in use by the application.
    • These hostnames should be in fully qualified domain name (FQDN) format and resolvable either publicly or privately using any configured Custom DNS Zones. Examples of an FQDN are app.company.com or app2.domain.corp. For more information, see Custom DNS in the Jamf Security Cloud Setup Guide.

    • You can use short names if you configured a search domain when configuring Custom DNS Zones. Examples include app or files, where the domain will be automatically appended by Zero Trust Network Access.

    • Wildcards are supported. It is possible to create an entry such as *.company.com to route all traffic from all subdomains via the access policy. This is useful to capture a large amount of traffic, enabling you to define more granular policies over time.

    • If you enter a hostname that is already defined in one of your existing pre-defined apps, this newly created application will take precedence over the pre-defined app during policy evaluation.
    Note:
    • All network security filters are currently bypassed with this configuration as all access policies are inherently treated as "trusted" traffic.

    • This rule serves as a catch-all, with all other access policies taking precedence over this one.

    • Thoroughly test that your applications function properly while using this configuration as some services don't permit traffic originating from data centers. If this happens, you may define access policies for those destinations to route them as required (for example, via a private gateway or directly from the device).

  7. Click Add.
  8. If a hostname is not available, add the IPv4 addresses or subnets used by the application in the Direct IPs and subnets area.
    Note: The use of IPv4 addresses or subnets requires installation of the Jamf Trust app on the relevant devices.

  9. Click Next.
  10. If you want to limit app access to certain device groups, under Device group permissions, select Selected device groups, select one or more groups from the menu, and click Add.
  11. Click Next.
  12. Define the Security requirements that must be met to allow a user to access this application on their device.
    Note: You need a Jamf Protect license to define these requirements.
    • Access requires device to be managed: Enable this feature to prevent unmanaged devices from accessing the application. When enabled, you can configure a push notification to inform users of unmanaged devices why their access was denied. The device management state is determined by your configuration's UEM Connect synchronization. Devices actively enrolled in the connected UEM are considered managed, as long as they have checked in with the UEM in the last 72 hours. All other devices are considered unmanaged. If UEM Connect is not configured or fails, your device management state may be inaccurate.
    • Access requires device risk validation: Enable this feature to prevent devices with a specified risk level (or higher) from accessing the application. When enabled, you can set the risk level and configure a push notification to inform the user when and why their access is denied.
      Note: This option is only available for managed Apple devices with a Network Threat Protection profile.
    • Access requires Jamf Trust to be enabled: Enable this feature to continuously enforce the access rules for an application. When enabled, the user cannot access the application on their device while the Jamf Trust app is disabled.
  13. Click Next.
  14. Choose a routing method to specify how the application should be reached by the Zero Trust Network Access service, then click Next.
    • Encrypt and route via ZTNA

      The application traffic should be encrypted from the device to the Jamf Security Cloud then routed forward via the selected network gateway.

    • Default device routing

      For users that are authorized to access the application, route the application traffic directly to the hostname without encrypting it via Zero Trust Network Access.

  15. Expand the Routing mode section and select the routing mode for apps on end-user devices.
    • Standard traffic routing (recommended)
      For apps compatible with IPv6.
      Note:
      If your users install the Firefox browser on their devices, this can cause DNS performance issues with IPv6 compatible apps. To overcome this, your users should disable Happy Eyeballs support for Firefox in their config settings as follows:
      about:config → network.http.fast-fallback-to-IPv4=false
    • Legacy routing

      For apps that are not compatible with IPv6.

  16. Click Next.
  17. Review the application configuration, and then click Save and create app.

The application should be ready to use by devices that meet the defined access policy conditions.
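As an added example (not Jamf's code), the helper below pre-checks the lists you paste into steps 6 and 8: it normalizes Application hostnames entries (FQDNs, short names with a configured search domain, `*.` wildcards), accepts only IPv4 addresses or subnets for Direct IPs, and reports which pre-defined app hostnames a new custom app would take precedence over. The search domain, the pre-defined app table and all sample values are constructed for illustration.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def normalize_hostname(entry, search_domain=None):
    """Return the hostname or wildcard pattern the access policy will match.
    A single label (short name) is accepted only when a search domain is
    configured, which is then appended. A leading "*." label is a wildcard."""
    entry = entry.strip().lower().rstrip(".")
    if not entry or "/" in entry or ":" in entry:
        raise ValueError(f"not a bare hostname: {entry!r}")
    labels = entry.split(".")
    wildcard = labels[0] == "*"
    for label in labels[1:] if wildcard else labels:
        if not _LABEL.match(label):
            raise ValueError(f"invalid label {label!r} in {entry!r}")
    if len(labels) == 1 and not wildcard:  # short name such as "app"
        if not search_domain:
            raise ValueError(f"short name {entry!r} needs a search domain")
        return f"{entry}.{search_domain.strip('.').lower()}"
    return entry

def is_valid_hostname(entry, search_domain=None):
    """Boolean form of normalize_hostname, for checking a pasted list."""
    try:
        normalize_hostname(entry, search_domain)
        return True
    except ValueError:
        return False

def validate_direct_ips(entries):
    """Accept only IPv4 addresses or subnets, as the Direct IPs field does."""
    # ip_network() is strict by default, so a subnet with host bits set is rejected.
    nets = [ipaddress.ip_network(e.strip()) for e in entries]
    bad = [str(n) for n in nets if n.version != 4]
    if bad:
        raise ValueError(f"IPv6 is not accepted in Direct IPs: {bad}")
    return [str(n) for n in nets]

def overridden_predefined(custom_hosts, predefined):
    """Map pre-defined app name -> hostnames covered by the custom entries."""
    hits = {}
    for app, hosts in predefined.items():  # predefined: constructed sample table
        covered = [h for h in hosts if any(fnmatchcase(h, c) for c in custom_hosts)]
        if covered:
            hits[app] = covered
    return hits
```

Run the hostname list through `is_valid_hostname` before pasting it, and review the `overridden_predefined` output so the precedence change over pre-defined apps is deliberate rather than accidental.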