Jamf Trust in action: American Airlines’ mobile security strategy
American Airlines uses Jamf Protect to converge its mobility and security teams, securing its entire mobile fleet with a proactive, data-driven approach. Find out more from their JNUC 2025 session!
How American Airlines secures its mobile fleet by converging mobility and cybersecurity with Jamf
In their JNUC 2025 talk on Jamf Trust, Danielle Howes, Principal Mobility Architect, and Chad Hamilton, Manager Mobility Enterprise, both at American Airlines, detailed their strategy for securing their fleet of mobile devices by breaking down silos between their mobility and cybersecurity teams. Using Jamf Protect, they unified policy enforcement, gained deep visibility into their device fleet and enabled a proactive, data-driven security posture for their frontline workers.
Key points:
- Mobile is a primary target, with over half of organizations experiencing a mobile-related attack annually.
- American Airlines uses Jamf Protect to bridge the gap between mobility and security, turning device compliance into a real-time security signal.
- The initiative led to tool consolidation, improved incident response and data-driven decisions on app usage and cellular spend.
Why does mobile security require a dedicated strategy?
For security specialists, treating mobile devices like laptops overlooks unique threat vectors — from app-based risks to public Wi-Fi — that require a mobile-first security approach designed for cloud-native, always-on endpoints. Howes and Hamilton emphasized that a dedicated strategy is essential because these devices operate differently than traditional endpoints. As Hamilton noted, "you either drive change or you're driven by change."
Key differences they highlighted include:
- Always on, always connected: Mobile devices rarely power down and connect to various networks (cellular, public Wi-Fi, home), expanding the attack surface far beyond the corporate perimeter.
- OS architecture and update cadence: Mobile operating systems have unique vulnerabilities and frequent updates. The speakers noted the importance of ensuring the fleet is keeping up with the latest operating systems to mitigate risk.
- App-centric vs. file-centric risk: Mobile risk is primarily app-based. The focus must be on the application itself: "How secure is that app? What is that app doing on that device?"
- BYOD and privacy boundaries: The line between personal and corporate use is blurred. This is especially true for unmanaged devices, which account for 80-90% of ransomware attacks when they access company data.
- Network and location-aware threats: Devices are exposed to location-specific threats, like rogue Wi-Fi hotspots, which end users may connect to without considering the risk.
- Integrated identity and access: Mobile security is increasingly tied to user identity to enable modern authentication and Zero Trust Network Access (ZTNA), ensuring only trusted users on trusted devices can access resources.
- Lightweight, cloud-native security tools: Heavy agents impact battery life and performance. Mobile security requires lightweight, cloud-native tools that work efficiently without user friction.
How did American Airlines bridge the gap between mobility and cybersecurity?
For IT administrators, gaining stakeholder buy-in requires a new model. American Airlines championed a "convergence" strategy, creating a shared responsibility model that gives security teams the visibility they need while giving mobility teams the control to ensure a smooth user experience. This approach moves beyond traditional Mobile Device Management (MDM) to create a true security partnership.
The model is simple: the mobility team manages the endpoints, including the OS, apps and policy deployment. Cybersecurity, in turn, manages incident response and defines the high-level policy frameworks (such as those from NIST). This division of labor allows each team to focus on its core strengths while working toward the same goal. The key was finding a tool to act as the central data bridge.
Jamf Protect became that bridge. It feeds real-time device compliance data — such as OS version, security configurations, app reputation and overall device health — directly into the security team's Security Information and Event Management (SIEM) and Zero Trust enforcement workflows. This shared visibility is critical. As Hamilton stated, "It's not just cyber seeing something, but mobility seeing something, and we can work together on that." This collaborative approach ensures that security and usability are not competing priorities but balanced components of a unified strategy.
What was the process for getting executive team and stakeholder buy-in?
Security stakeholders can be won over by focusing on data. For American Airlines, a proof of concept (POC) that revealed previously unseen risks and compliance gaps was more effective than a theoretical pitch. The process began with a large-scale POC using Jamf Trust to gather comprehensive data on device behavior and security posture.
They presented this data to various teams, including the cyber incident response team, and network and security leadership, to show them what they were missing with their current tools. This data-driven approach opened eyes and started conversations. As Howes explained, the data was the key to getting security on board. "Data was 100% the motivator," she stated. With executive sponsorship secured, the team was able to showcase the "art of the possible," demonstrating how data policies could also be used to manage cellular spend and make smarter app investments.
What are the key outcomes and benefits of this unified approach?
For IT admins and security specialists, this converged model leads to faster, more effective incident response, better compliance enforcement and significant tool consolidation. At American Airlines, the benefits were clear and immediate.
- Faster incident response: With shared visibility, the mobility team can now quickly quarantine a compromised device while the cybersecurity team investigates the incident, minimizing impact.
- Tool consolidation: They replaced multiple point solutions — including separate tools for Mobile Threat Defense, DNS threat protection and proxy — with the single, lightweight Jamf Protect agent. This improved device performance, reduced complexity and lowered costs.
- Data-driven decisions: The team gained deep insights into application usage, allowing them to justify development costs and create policies to control cellular data spend.
- Proactive security: The solution enabled a ZTNA strategy. By continuously monitoring device health, Jamf Protect ensures that only healthy and compliant devices can access corporate resources.
Key Takeaways
- Mobile security is not incidental; it requires a purpose-built strategy and tools.
- Converging mobility and security teams around a shared data platform breaks down silos and improves response times.
- Data is the most powerful tool for gaining buy-in from leadership and security stakeholders.
- A unified solution like Jamf Protect can deliver security, management and cost-saving benefits simultaneously.