Encrypting Jamf Security Cloud Proxy Traffic
- Last Updated: Oct 14, 2025
You can route all Jamf Security Cloud proxy traffic via the device's Zero Trust Network Access-encrypted VPN tunnel.
When deploying Jamf Connect's Zero Trust Network Access in combination with Jamf Security Cloud's cloud-based proxy service, the proxy-bound traffic is not routed via the Zero Trust Network Access VPN tunnel by default. However, in some cases it may be useful to route proxy traffic via Zero Trust Network Access. For example:
- To hide all web traffic generated on the device from intermediate network operators
- To add an additional layer of transport security (encryption) for all cloud and web traffic to guard against advanced TLS interception and monitoring
- To maximize network interoperability by routing all traffic through a single UDP port. For more information, see Endpoint Agent Traffic for Zero Trust Network Access.
- To obfuscate web traffic for users traveling in "high risk" regions, where personal and data security is of heightened concern
When adding encryption to Jamf Security Cloud proxy traffic, all traffic will appear to come from the device's Wi-Fi network interface. If you require network interface-aware policies, you cannot use this configuration.
If your organization requires both encrypted proxy traffic and interface-aware policies, contact Jamf Support.
Jamf Security Cloud automatically routes traffic that is explicitly defined in an access policy via the encrypted Zero Trust Network Access tunnel, but that traffic will not be sent to the Jamf Security Cloud proxy in this configuration.
Target devices must be deployed using an activation profile configured with both Jamf Connect's Zero Trust Network Access and cloud proxy service capabilities.
Devices must be able to reach Jamf Security Cloud's cloud edge via the required ports. These ports are the same for all global Jamf Security Cloud-enabled devices. For more information, see Endpoint Agent Traffic for Zero Trust Network Access.
Within a few minutes, all devices defined to use this policy will begin to route their proxy traffic via Jamf Connect's Zero Trust Network Access.
In Jamf Security Cloud, navigate to and check the report for activity to confirm that traffic is now routed correctly.
When a device is unable to route traffic via Jamf Connect's Zero Trust Network Access secure tunnel for any reason, Jamf recommends that you allow the device to "fail open". This allows the device to continue to operate and keeps the user productive, albeit without security protections or policies for general internet traffic.
The tunnel may fail to work properly for many reasons, including restrictive firewalls/networks or temporary service interruptions.
You may configure the device's networking to "fail close", which requires the device to always route traffic via Zero Trust Network Access. If the Jamf Security Cloud proxy cannot be reached, app and browser connections will be forced to fail.