Jamf's network relay service for mobile

Photo by Yan Krukau

In today’s enterprise, mobile devices are no longer peripheral, they’re central to how work gets done. Whether shared in retail environments, purpose-built for specific tasks or carried by traveling employees, mobile Apple devices must remain secure, compliant and always connected to the apps and services that matter most.

And yet, traditional MDM and UEM tools fall short when it comes to delivering the kind of secure, seamless network connectivity that modern mobile workflows demand.

That’s why Jamf's network relay service for mobile exists.

Built on Apple’s native support for MASQUE and Managed Device Attestation (MDA), and integrated with Jamf’s conditional access engine, Jamf's network relay service is a next-generation remote access solution that delivers everything mobile needs — pervasive connectivity delivered via MDM and invisible to the end user.

A one-stop solution for secure mobile access

Jamf's network relay service for mobile enables:

• Zero-touch deployment via MDM and Apple Business Manager
• Domain-specific encrypted tunnels using MASQUE, restricted to Apple-attested, company-managed devices
• Tamper-proof conditional access policies that can’t be bypassed by users
• Resilience across any network environment, including captive portals and restrictive firewalls
• Compatibility with existing VPN and ZTNA solutions

Whether it’s an iPhone in a hospital, a shared iPad in retail or a supervised iOS device in the field, Jamf's network relay service provides the secure networking access layer mobile has always needed — without prompts, VPN toggles or inconsistent connections.

Common network relay use cases

Seamless connectivity for the remote mobile workforce

For employees on the go or on the frontline, mobile devices must “just work,” anywhere in the world.

Jamf's network relay service establishes resilient, encrypted tunnels using modern transport protocols — primarily HTTP/3 over QUIC, with automatic fallback to HTTP/2 for high availability. Designed for performance, even on unstable or restricted networks, it ensures consistent and reliable remote access in challenging environments like hotels, airports and in-flight Wi-Fi.

Since tunnel access is tied to hardware-based device attestation and enforced by Jamf’s conditional access engine, IT teams can secure mobile traffic with confidence, without adding complexity for end users.

Wherever your employees work, your mobile workforce stays connected and protected, without needing to toggle a VPN or ask for help.

Passwordless access on shared iPads in healthcare

Hospitals and clinics increasingly rely on shared iPads and mobile devices for nurses and clinical staff to manage patient care, for patients to access educational content or entertainment, and for intake forms. But shared device usage raises an important question: how do you securely connect to sensitive systems without constant logins, shared credentials, VPN apps or critical infrastructure exposure?

With Jamf's network relay service, devices are automatically provisioned via Jamf Pro with the required remote connectivity to only the approved healthcare systems and services. There’s no need for users, staff or patients to open a VPN app or change settings.

Only admin-defined, policy-bound traffic is securely tunneled through the network relay; everything else accesses the internet directly. The result is a passwordless, zero-touch experience where clinicians can confidently share devices across shifts. Patients can use those same devices safely and securely, without compromising compliance or the access and integrity of critical data.

Zero-touch onboarding for point-of-sale devices

Retail organizations are increasingly deploying Mac minis as point-of-sale (POS) terminals — headless, purpose-built devices that require secure access to backend systems across hundreds of locations.

With Jamf's network relay service, devices can be drop-shipped to stores and enrolled via Apple Business Manager. During provisioning, they automatically receive network relay and ACME payloads. Once attested and verified, the Mac mini establishes a secure tunnel to backend services, no local configuration or user intervention required.

This removes the need for static IPs, on-site VPN appliances or inbound port exceptions. Instead, each device boots up securely and is ready to operate out of the box.

Ready for what mobile needs most

Jamf's network relay service for mobile delivers secure, seamless and scalable network access, extending Apple management to where it’s needed most: the mobile workforce, shared devices and purpose-built workflows.

Now available for production use as a Release Candidate (RC) on Apple mobile platforms, Jamf’s network relay service continues to evolve, remaining in beta for Mac devices as we refine broader support.

If you’re a mobile Apple admin looking to simplify provisioning, enforce trusted access and protect critical data across your mobile fleet, this is the network solution built for you.