Jamf Blog
March 31, 2022 by Jesus Vigo

New product series: Getting to know Jamf Private Access

Jamf Private Access safely connects workers to the apps, data and services they need to be productive. It enables secure connections based on Zero Trust Network Access (ZTNA) across your entire fleet, regardless of where users are physically located and over any network connection. Application-based microtunnels and integration with cloud-based identity services provide an identity-centric solution that grants access only to the resources users need, on any device, when they need it, from anywhere.

The global pandemic was the catalyst that caused countless organizations to scramble their processes to adapt to a remote or hybrid work environment to facilitate business continuity.

Two years on, migration efforts toward remote and hybrid environments are still in full swing, even as many businesses slowly move back toward a centralized office model. Those businesses are cognizant of the real-world benefits of employee choice programs: providing staff with mobile devices and pairing corporate resources with cloud-based access models gives employees the ability to work from wherever they feel most comfortable.

The technology that has had the biggest impact on making remote work possible is arguably the ability to secure connections over untrusted networks. VPN was, and still is, a major player here, but the model ironically introduces security issues of its own, chief among them the broad network access it grants by default, that rival the concerns it was meant to address.

Simply put, modern computing requires a more adaptable approach: one that secures all connection types and works on all the endpoints employees may be using. That includes corporate-owned and personally owned devices running a range of supported (and potentially unsupported) OSes, while granting access only to what employees need, when it is needed, and nothing more, since any access beyond that is little more than a vulnerability waiting to be exploited by threat actors.

The above are just the basic requirements of modern computing. VPN offers no native support for cloud-based apps and services, identity-based authentication or Single Sign-On (SSO). Nor does it provide a modular approach to managing security: when mitigating a threat, IT and Security teams are left with little choice but to cut off access to everything. So, what is the answer?

Introducing Jamf Private Access: an easy-to-use, cloud-based solution purpose-built for modern computing environments. It secures access to corporate resources, both locally and remotely, by implementing a software-defined perimeter (SDP) that creates a secure, isolated connection for each app, enforces compliance through real-time device posture checks and grants access to each application only to a specific, authorized user.

The result? Users gain access to what they need, when they need it, from anywhere; and IT and Security teams can rest assured that access is granted on a least-privilege basis, which means stronger security and easier management, delivered through an intuitive user experience.

Among the features included in Jamf Private Access, some of the key takeaways for enterprise protection are:

  • Modern cloud infrastructure means zero hardware to manage, support contracts to renew or complex software to configure.
  • Application-based microtunnels only connect users to apps they are authorized to access – nothing more.
  • The least privilege security model blocks access to unauthorized resources and so prevents lateral movement across the network, unlike VPN, which by default provides broad access to the whole network.
  • Integration with Identity Providers (IdP) enables user authentication through SSO, ensuring only authorized users can connect to business resources while keeping policy enforcement consistent across data centers, clouds and SaaS apps.
  • Risk-aware access policies enhance security by preventing access to resources from users and/or devices that may be compromised or do not meet minimum security requirements, such as devices determined to have been rooted or jailbroken.
  • Unified access spanning all hosting types: on-premises, private and public clouds, SaaS applications. Also, support for all modern operating systems is included.
  • Support for all management paradigms, including corporate-owned, personally owned or a mix of device ownership models (BYOD/CYOD/COPE).
  • Dynamic split tunneling technology ensures connections to business resources are secured, while personal applications (non-business) are routed directly to the Internet, preserving end-user privacy and optimizing network utilization.
  • A lightweight agent establishes and manages the tunnels automatically and transparently to the user, actively monitoring their status and reconnecting them if they are disrupted.
  • Next-generation protocols ensure that performance is a top priority, allowing users to connect fast to resources while offering the versatility of securing over any connection type: wired, Wi-Fi or cellular.
  • Session reporting enables real-time monitoring of active users and the resources they are using, providing insight into activity, session duration and/or bandwidth usage. Additionally, it allows admins to monitor for inappropriate usage, detect malware and identify data leaks.

No assembly required

As mentioned previously, Jamf Private Access is a cloud-based solution, so organizations have no hardware to deploy or manage. There are no device certificates to manage either, and no manual traffic routes to configure.

“The number of devices connecting to risky hotspots per week doubled from 0.5% to 1%” – Jamf Security 360: Annual Trends Report

As far as support is concerned, Jamf’s solution works with any app, whether on-premises, cloud-hosted or SaaS. All modern operating systems are supported, making it compatible with mobile devices, tablets and laptop computers from various manufacturers. Lastly, it works with any IdP solution that utilizes Azure AD federation, creating a fully cloud-based security solution for your mobile device fleet, whether local or remote.

Hopelessly devoted to you

A Zero Trust Network Access (ZTNA) solution does not implicitly trust devices or users. Rather, it verifies that each request made by a user and/or device is authorized for the specific resource being requested, instead of generically granting “whole parcel” access to the entire network, as VPN was designed to do. According to Jamf Security 360, “in 2021, 5% of devices, or 20% of organizations, were impacted by risky device configurations.” The open network access granted by VPN, married to the lowered device security that weak configurations bring, breeds an ideal environment for threat actors to succeed in their attack campaigns.

One benefit of ZTNA for organizations is granular access that can be fine-tuned for additional control both when a connection is established and throughout an active session. In this case, the microtunnels used by Jamf Private Access ensure that each device, and any app running on it, is effectively “blind” to the network infrastructure. Devices only see the apps they are authorized to access, limiting user interaction to the apps and data they are authorized to use; everything else is invisible and remains inaccessible by default.

7% of work devices continued to access cloud storage services after being compromised in 2021


ZTNA and The Minority Report

In the film of the same name, a hivemind of PreCogs – beings with the ability to see future events – is tasked with providing a policing unit called “PreCrime” with the name of a person and the crime they will commit in the future. This allows the unit’s officers to apprehend suspected criminals before they commit crimes.

Jamf Private Access has a similar gift, in that its monitoring and reporting features work in tandem with risk-aware policies to deny access to a device and/or user determined to be compromised or to pose a risk to the resource(s) being accessed. It does this through regular device health checks, which look at factors such as missing patches, risky apps and configurations, or indicators of compromise, and flag the suspect device or user credential so that the risk-aware policy denies access automatically.

This provides a layer of protection for users, devices and organizations alike, and because it happens dynamically, it enforces compliance at all times. When a device or user account is remediated, the health check runs again and re-evaluates the device or account. If the risk(s) are found to have been mitigated, access to the requested resource is granted once again.
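To make the decision logic described above and in the microtunnel section concrete, here is an added example, not Jamf’s code, of a per-request ZTNA access check. It evaluates identity (is this user entitled to this app?) and device posture (jailbroken, below a minimum OS version, risky apps, indicators of compromise) on every request, returns only the set of apps a device is allowed to see, and grants access again once the device is remediated. The entitlement table, minimum OS versions, risky-app list and device records are all constructed sample data, and the function and field names are assumptions for illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample data: per-user app entitlements standing in for what an
# IdP/SSO integration would supply. Users and app names are hypothetical.
ENTITLEMENTS = {
    "alice@example.com": {"payroll", "wiki"},
    "bob@example.com": {"wiki"},
}

# Hypothetical minimum patch level per platform, as (major, minor).
MINIMUM_OS = {"iOS": (15, 4), "macOS": (12, 3)}

# Hypothetical bundle identifiers the policy treats as risky on a work device.
RISKY_APPS = {"com.example.sideloaded-vpn", "com.example.rooting-tool"}


@dataclass(frozen=True)
class DevicePosture:
    """Snapshot of a device health check (constructed fields, not a Jamf schema)."""
    device_id: str
    platform: str                     # "iOS" or "macOS"
    os_version: str                   # e.g. "15.4.1"
    jailbroken: bool = False
    installed_apps: frozenset = frozenset()
    indicators_of_compromise: frozenset = frozenset()


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def posture_findings(posture: DevicePosture) -> list:
    """Return the list of policy violations for a device; an empty list means healthy."""
    findings = []
    if posture.jailbroken:
        findings.append("device is jailbroken/rooted")
    floor = MINIMUM_OS.get(posture.platform)
    if floor is None:
        findings.append(f"unsupported platform {posture.platform}")
    elif _version_tuple(posture.os_version)[:2] < floor:
        findings.append(f"OS {posture.os_version} below minimum {'.'.join(map(str, floor))}")
    risky = sorted(posture.installed_apps & RISKY_APPS)
    if risky:
        findings.append("risky apps installed: " + ", ".join(risky))
    if posture.indicators_of_compromise:
        findings.append("indicators of compromise: " + ", ".join(sorted(posture.indicators_of_compromise)))
    return findings


def decide(user: str, app: str, posture: DevicePosture) -> tuple:
    """Per-request decision as (allowed, reason): identity first, then device posture.

    Nothing is cached between calls, so a device that fails today and is
    remediated tomorrow is simply re-evaluated on its next request.
    """
    if app not in ENTITLEMENTS.get(user, set()):
        return False, f"{user} is not entitled to {app}"
    findings = posture_findings(posture)
    if findings:
        return False, "device posture failed: " + "; ".join(findings)
    return True, f"{user} -> {app} via microtunnel from {posture.device_id}"


def visible_apps(user: str, posture: DevicePosture) -> set:
    """Apps the device may see: only those it is both entitled to and posture-permitted for.

    Everything else, including the rest of the network, stays invisible.
    """
    return {app for app in ENTITLEMENTS.get(user, set()) if decide(user, app, posture)[0]}


if __name__ == "__main__":
    phone = DevicePosture("iphone-002", "iOS", "15.4.1", jailbroken=True)
    print(decide("alice@example.com", "payroll", phone))      # denied: jailbroken
    fixed = replace(phone, jailbroken=False)                   # remediation
    print(decide("alice@example.com", "payroll", fixed))      # allowed again
    print(visible_apps("bob@example.com", fixed))              # {'wiki'}
```

Note that the identity check runs before the posture check, so a user who is not entitled to an app is refused without ever learning whether the device would have passed, and `visible_apps` is derived from the same `decide` function rather than a separate list, so there is no way for a device to see an app it cannot actually reach.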

Securing network connections while protecting user and device access to corporate resources is exactly what Jamf Private Access does.

It minimizes the risk inherent in managing a hybrid or remote mobile fleet, automating compliance with policies and enhancing the security posture of devices and their communications, even when they must connect over untrusted networks.

Jesus Vigo
Jesus is a Security Copywriter focused on expanding the knowledge base of IT and Security admins, and generally anyone with an interest in securing their Apple devices, with Apple Enterprise Management and the Jamf solutions that will aid them in hardening devices in the Apple ecosystem.