Adding a New Predefined Application
- Last Updated: Sep 25, 2024
- 4 minute read
You can configure and manage the predefined applications used by your organization. Once configured, these applications are used for defining policy and visibility in reporting.
Predefined applications require all of their hostnames to be publicly resolvable.
If you need to define an application that uses hostnames that are only privately resolvable (for example, split-brain DNS), or you want to override the public DNS response for a given hostname, create a custom app instead.
- In Jamf Security Cloud, navigate to Policies > Access > Access policy.
- Click Create policy.
- Under Predefined app, click Select app.
Pre-defined applications versus custom applications
A pre-defined app includes all the usual traffic classification criteria (for example, hostnames) required for Jamf Connect's Zero Trust Network Access capabilities to associate traffic from devices to the named application. In most cases, this means you do not need to define any additional hostnames unless you are using a custom domain for the app.
A custom application requires you to specify at least one hostname, IPv4 address, or subnet to classify the application's traffic. If you do not, traffic will not be matched against this access policy.
- Select an app from the list.
- Click Next.
- Select a Category for the application.
- Click Next.
- (Optional) In the Application hostnames field, enter a hostname or paste a line-separated list of hostnames in use by the application, then click Add. Note: Skip this step if you are using a pre-defined app, unless you need to apply a custom hostname to it.
Each hostname must be a fully qualified domain name (FQDN) and resolvable either publicly or privately using a configured Custom DNS Zone. Examples of an FQDN are app.company.com or app2.domain.corp. For more information, see Custom DNS Zones in the Jamf Security Cloud Setup Guide. You can use short names after configuring a search domain in a Custom DNS Zone. Examples include app or files, where the domain will be automatically appended.
Wildcards are supported, such as *.company.com to route all traffic from all subdomains via this access policy. This policy is useful to capture a large amount of traffic, enabling you to define more granular policies over time. By setting the hostname to an asterisk (*), you can route all traffic that uses DNS via Zero Trust Network Access. This resembles a traditional full tunnel VPN, but does not capture traffic that connects directly to an IP address without a DNS lookup.
Note: All network security filters are currently bypassed with this configuration, because all access policies are inherently treated as "trusted" traffic.
This rule serves as a catch-all, with all other access policies taking precedence over this one.
Thoroughly test that your applications function properly while using this configuration as some services don't permit traffic originating from data centers. If this happens, you may define access policies for those destinations to route them as required (for example, via a private gateway or directly from the device).
If you enter a hostname that is already defined in one of your existing pre-defined apps, this newly created application will take precedence over the pre-defined app during policy evaluation.
- If a hostname is not available, add the IPv4 addresses or subnets used by the application in the Direct IPs and subnets area. Note:
The use of IPv4 addresses or subnets requires the Jamf Trust app to be installed on the relevant devices.
Direct IP traffic is not currently logged in any access reports in Jamf Security Cloud.
- Click Next.
- If you want to limit app access to certain device groups, under Device group permissions, select Selected device groups, select one or more groups from the menu, and click Add.
- Click Next.
- Define the Security requirements that must be met to allow a user to access this application on their device. Note: You need a Jamf Protect license to define these requirements.
- Access requires device to be managed—Enable this feature to prevent unmanaged devices from accessing the application. When enabled, you can configure a push notification to inform users of unmanaged devices why their access was denied. The device management state is determined by your configuration's UEM Connect synchronization. Devices actively enrolled in the connected UEM are considered managed, as long as they have checked in with the UEM in the last 72 hours. All other devices are considered unmanaged. If UEM Connect is not configured or fails, your device management state may be inaccurate.
- Access requires device risk validation—Enable this feature to prevent devices with a specified risk level (or higher) from accessing the application. When enabled, you can set the risk level and configure a push notification to inform the user when and why their access is denied. Note: This option is only available for managed Apple devices with a Network Threat Protection profile.
- Access requires Jamf Trust to be enabled—Enable this feature to continuously enforce the access rules for an application. When enabled, the user cannot access the application on their device while the Jamf Trust app is disabled.
- Click Next.
- Choose a routing method to specify how the application should be reached by Zero Trust Network Access, then click Next.
- Encrypt and route via ZTNA—Encrypts application traffic from the device to Jamf Security Cloud, which then forwards it via the selected network gateway.
- Default device routing—For users who are authorized to access the application, routes the application traffic directly to the hostname without encrypting it via Zero Trust Network Access.
- Expand the Routing mode section and select the routing mode for apps on end-user devices.
- Standard traffic routing (recommended)—For apps compatible with IPv4 and IPv6.
- Legacy routing—For users' devices or apps that are incompatible with IPv6.
- Click Next.
- Review the application configuration, then click Save and create app.
The application is ready to use by devices that meet the defined access policy conditions.
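The hostname rules in the Application hostnames step (FQDN syntax, short names completed with a Custom DNS Zone search domain, `*.company.com` wildcards, the `*` catch-all that every other policy outranks, and a custom app outranking a pre-defined app that lists the same hostname) are easy to get wrong when several access policies overlap. The following Python script is an added example, not Jamf's code and not a Jamf API: it models those rules so you can check, before saving a policy, which policy would capture a given hostname and which entries of a pre-defined app are not publicly resolvable. The policy names, hostnames and the fake resolver are constructed for the example. Two points are assumptions that the page does not state: that a `*.` wildcard covers every depth of subdomain but not the apex itself, and that an exact hostname outranks a wildcard (the page only says wildcards exist so that more granular policies can be added over time).

```python
# Added example (not Jamf code): a model of the hostname rules described on this page.
# Precedence beyond what the page states is an assumption, marked where it applies.
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Syntax-only FQDN check (RFC 1035 label lengths); resolution happens elsewhere.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$", re.I)


@dataclass
class AccessPolicy:
    name: str
    hostnames: list[str]                 # entries as typed into "Application hostnames"
    predefined: bool = False             # True for a pre-defined app, False for a custom app
    search_domain: Optional[str] = None  # search domain from a Custom DNS Zone, if configured


def normalize(entry: str, search_domain: Optional[str]) -> str:
    """Turn one typed entry into the pattern the policy matches on.

    '*' and '*.domain' are kept as wildcards, a short name gets the Custom DNS Zone
    search domain appended, and anything else must be a syntactically valid FQDN.
    """
    e = entry.strip().lower().rstrip(".")
    if e == "*" or (e.startswith("*.") and _FQDN_RE.match(e[2:])):
        return e
    if "." not in e:
        if not search_domain:
            raise ValueError(f"{entry!r} is a short name but no search domain is configured")
        e = f"{e}.{search_domain.strip().lower().rstrip('.')}"
    if not _FQDN_RE.match(e):
        raise ValueError(f"{entry!r} is not a fully qualified domain name")
    return e


def _matches(pattern: str, host: str) -> bool:
    if pattern == "*":
        return True                      # catch-all: every destination reached by DNS
    if pattern.startswith("*."):
        # Assumption: covers every depth of subdomain, but not the apex domain itself.
        return host.endswith(pattern[1:])
    return host == pattern


def _rank(pattern: str, policy: AccessPolicy) -> tuple:
    """Higher tuple wins. From the page: '*' loses to every other policy, and a custom
    app beats a pre-defined app listing the same hostname. Assumption: an exact
    hostname beats a wildcard, and a longer wildcard beats a shorter one."""
    kind = 0 if pattern == "*" else 1 if pattern.startswith("*.") else 2
    return (kind, pattern.count("."), 0 if policy.predefined else 1)


def classify(host: str, policies: Iterable[AccessPolicy]) -> Optional[str]:
    """Return the name of the access policy that would capture traffic to host, or None."""
    host = host.strip().lower().rstrip(".")
    best = None
    for policy in policies:
        for entry in policy.hostnames:
            pattern = normalize(entry, policy.search_domain)
            if _matches(pattern, host):
                rank = _rank(pattern, policy)
                if best is None or rank > best[0]:
                    best = (rank, policy.name)
    return best[1] if best else None


def unresolvable(entries: Iterable[str],
                 resolve: Callable[[str], str] = socket.gethostbyname,
                 search_domain: Optional[str] = None) -> list[str]:
    """Return the literal (non-wildcard) hostnames that resolve() cannot answer.

    A pre-defined app needs every hostname publicly resolvable, so run this with the
    default resolver from a network that only sees public DNS. Anything returned belongs
    in a custom app backed by a Custom DNS Zone instead.
    """
    missing = []
    for e in entries:
        pattern = normalize(e, search_domain)
        if pattern == "*" or pattern.startswith("*."):
            continue                     # wildcards are never resolved
        try:
            resolve(pattern)
        except OSError:                  # socket.gaierror is a subclass of OSError
            missing.append(pattern)
    return missing


if __name__ == "__main__":
    # Constructed policies for the demonstration; not taken from any real tenant.
    policies = [
        AccessPolicy("Example app (pre-defined)", ["app.company.com"], predefined=True),
        AccessPolicy("Example app override", ["app.company.com"]),
        AccessPolicy("Intranet", ["*.company.com", "files"], search_domain="domain.corp"),
        AccessPolicy("Catch-all", ["*"]),
    ]
    for h in ["app.company.com", "wiki.company.com", "files.domain.corp", "example.org"]:
        print(f"{h:20} -> {classify(h, policies)}")
```

Run the script from a host that uses only public resolvers when checking a pre-defined app's hostname list; from an office network with split-brain DNS, private names will resolve and the check proves nothing. The script only models the ordering the page describes and does not reproduce Jamf's evaluation engine, so treat a disagreement between it and observed device behaviour as a reason to test the policy on a device, not as a bug in the product.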