Activation Profile Settings
- Last Updated: Sep 25, 2025
Available capabilities depend on which security products your organization subscribes to and may include all or some of the following:
- Network access
- Provides secure access to your organization's resources using Jamf Connect's Zero Trust Network Access
- Content controls
- Manages network activity using Jamf Protect's internet content filtering and usage controls
- Network security
- Protects your network connections from cyber threats
- Employee Badge
- Enables mobile devices to act as passes for accessing offices and other locations. For more information, see Technical Paper: Deploying Employee Badge for Jamf Trust.
- Device identity
- Enables requirements that devices must meet to access the organization's resources. For more information, see Technical Paper: Integrating AWS Verified Access with Jamf Device Identity.
Traffic vectoring determines how data collected by enrolled devices is routed. Available options depend on which service capabilities are selected in your activation profile.
- Enable network compatibility mode
- Allows you to deploy the on-device content filter without Secure DNS.
- Use cloud proxy instead of DNS
- Allows you to choose between cloud proxy or DNS. DNS is used by default for all supported platforms. Cloud proxy is only supported for iOS or iPadOS devices.
- Enable cloud proxy on Wi-Fi
- Allows you to use cloud proxy when devices are connected to Wi-Fi. Cloud proxy is disabled by default and only supported for iOS or iPadOS devices.
Keep the following in mind:
- If you select Network access, WireGuard VPN is automatically used.
- If you select both Network access and Content controls, per-site data usage (MB) reporting, data caps, and separate policies for Wi-Fi versus cellular usage are not supported. Jamf recommends that you deploy these capabilities using Cloud proxy vectoring if you require them.
- If you select Network access alone or alongside Network security or Content controls, you can use managed device attestation with network relay.
- If you select Enable network compatibility mode, on-device content filtering will be active, but DNS-based threat prevention features (e.g., enforcement for Google Safe Search and YouTube Restricted Mode) will be disabled. Ensure your existing DNS security solutions provide adequate threat protection before using this option.
For more information about traffic vectoring concepts, see Traffic Vectoring Options with Jamf Security Cloud.
Authentication settings determine how users authenticate with the Jamf Trust app and how they display in the Jamf Security Cloud portal.
- User credentials (SSO)
- Users are prompted to sign in with your organization's cloud IdP. This option requires a linked identity provider in Jamf Security Cloud. If you are deploying Jamf Connect's Zero Trust Network Access or MAM-WE, IdP authentication is required.
- Managed device attestation
- Users enroll without authenticating with your organization's cloud IdP. Jamf recommends this option for the ease of deploying and activating Jamf Trust to your devices.
You can also choose between two different ways to create the device name for devices enrolled with the Jamf Security Cloud:
- Assign random identifier
- This method does not require user identification details. User profiles are generated using artificial and anonymous device details. These users can identify themselves using the About section in Jamf Trust.
- Ask user to submit name and email
- Users are prompted to submit a name, email, or both.
Note: If devices are managed with a UEM or MDM solution that is synced via UEM Connect, these values are overwritten with inventory information from the UEM or MDM solution during the next UEM Connect sync.
Advanced settings vary based on which service capabilities are selected in the activation profile.
- Display in-app secure DNS control
- Determine if users are allowed to enable and disable secure DNS on their device in the Jamf Trust app. This setting applies to:
  - Devices with iOS, iPadOS, or Android operating systems
  - Activation profiles with the Network security service capability selected and secure DNS as the traffic vectoring option
- Enable Jamf customizable block pages
- Displays the data block page to users when they attempt to access blocked content via an HTTP or HTTPS connection on their device.
Important:
  - On Apple devices, the block page cannot display in Safari if iCloud Private Relay is enabled. To disable iCloud Private Relay using an MDM or UEM solution, see Restricting iCloud Private Relay for Supervised Apple Devices.
  - If you enable this setting, you must deploy the activation profile via a UEM or MDM solution. This ensures the root certificate, which is included in the activation profile when downloaded in .mobileconfig format, is also installed on target devices.
  - If you want to enable this setting on already enrolled devices, you can download the following configuration profile with only the certificate payload and deploy it via a UEM or MDM solution: https://block.jamf.com/certificate/BlockPage.mobileconfig.
  - Alternatively, you can download the certificate file: https://block.jamf.com/certificate/JamfSecurityCA.crt.
- Expiration date
- No expiration date allows an activation profile to be used indefinitely. Alternatively, use the date selector to choose when the activation profile expires. Jamf recommends setting an expiration date.
- Determine device location
- Determine how a device's country information is collected. This setting applies to:
  - Devices with iOS, iPadOS, or Android operating systems
  - Activation profiles with the Content controls service capability selected

The following methods are available for determining location:

| Setting | Device Sensors | Locale Deduction |
| --- | --- | --- |
| Best effort | ❌ | ✅ |
| Location services | ✅ | ✅ |
| Disabled | ❌ | ❌ |

The techniques used to determine a user's location at a country level work as follows:
- Device Sensors
- Uses the device's location services frameworks, which usually rely on location sensing technologies such as GPS, Wi-Fi, and cellular tower triangulation.
Note: Access to location services requires user approval on most operating systems.
- Locale Deduction
- Uses metadata about the device to make a best-effort deduction of the device's location.
Note: If you choose to disable the location collection for an activation profile, Jamf Security Cloud will apply domestic policies and display the portal's home country as the current location for devices that are enrolled with the activation profile.
- Name
- The activation profile's name in Jamf Security Cloud portal.
- Device group
- The group in Jamf Security Cloud portal that devices are added to after they enroll. This allows you to control which Jamf Security Cloud policy settings are applied to devices at the group level.
Note: If UEM Connect is configured, this setting is overwritten during the next UEM Connect sync. For more information about syncing groups with UEM Connect, see UEM Connect
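
The block page setting above depends on the root certificate reaching the device together with the profile, which can be checked before a .mobileconfig is pushed through UEM or MDM. The following is an added example, not Jamf code: it lists the certificate payloads in a profile and compares their SHA-256 fingerprints with one obtained out of band. The function names are hypothetical, and the sample profile and its placeholder certificate bytes are constructed.

```python
import hashlib
import plistlib
import ssl
from xml.parsers.expat import ExpatError

# Apple payload types that install a certificate without a private key.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; for a signed (CMS-wrapped) profile, fall back to
    the plist embedded in the signed data. This does NOT verify the signature."""
    try:
        return plistlib.loads(raw)
    except (ValueError, ExpatError):
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise ValueError("no property list found in profile")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def certificate_payloads(raw: bytes) -> list:
    """Return (display name, payload type, SHA-256 of the DER certificate)
    for every certificate payload in the profile."""
    found = []
    for payload in load_profile(raw).get("PayloadContent", []):
        if payload.get("PayloadType") not in CERT_TYPES:
            continue
        data = payload.get("PayloadContent", b"")
        if data.lstrip().startswith(b"-----BEGIN"):  # PEM text -> DER bytes
            data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
        found.append((payload.get("PayloadDisplayName", ""),
                      payload["PayloadType"],
                      hashlib.sha256(data).hexdigest()))
    return found

def has_certificate(raw: bytes, expected_sha256: str) -> bool:
    """True if the profile carries a certificate with the expected fingerprint."""
    want = expected_sha256.replace(":", "").lower()
    return any(fp == want for _, _, fp in certificate_payloads(raw))

# Constructed sample: placeholder bytes stand in for a DER certificate.
SAMPLE_CERT = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PROFILE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": "com.apple.security.root",
     "PayloadDisplayName": "Sample root CA (constructed)",
     "PayloadContent": SAMPLE_CERT}]})
```

Take the expected fingerprint from a certificate file obtained separately, not from the profile being checked.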