Zero-touch, zero-hassle: rethinking secure access for Apple fleets

Learn about Jamf's network relay service and how it helps deliver passwordless, Zero Trust connectivity to your company's resources.

October 13 2025 by Jamf

JNUC 2025 Zero-Touch, Zero-Hassle: Rethinking Secure Access for Apple Fleets

At JNUC 2025, Jamf’s Craig Donovan, Senior Enterprise Customer Success Engineer, and Iulia Arghir, Senior Product Manager, took the stage to showcase how organizations can provide secure, zero-touch remote onboarding and access without relying on legacy VPNs. By leveraging Apple’s Managed Device Attestation and Network Relay features, Jamf now enables passwordless, application-specific access for any Apple device, including shared iPads, headless systems and Mac computers for remote work. This modern approach embeds trust directly into the hardware, ensuring that only genuine, managed devices can connect to corporate resources from anywhere.

Key points:

  • Secure from the start: Enable out-of-the-box network connectivity for zero-touch onboarding.

  • Passwordless access: Provide secure access for shared, unattended or mobile devices without user credentials.

  • Hardware-attested trust: Ensure every connection originates from a genuine, company-managed Apple device.

What is changing in access and identity management?

The traditional model of enterprise security was built around a secure perimeter, where a firewall or VPN stood guard in front of internal resources. This approach is no longer sufficient. Today, resources are distributed across public and private clouds, and users need access from anywhere in the world. This new landscape, combined with the persistent threat of attackers spoofing user credentials, has accelerated the shift toward a Zero Trust Network Access (ZTNA) framework.

A zero-trust model redefines access security by focusing on granular, resource-specific permissions rather than wide-open networks. It operates on the principle of "never trust, always verify," continuously evaluating trust for every access request. A critical component of this evaluation is identity, for both the user and the device itself. As user credential theft remains a primary attack vector, establishing strong, verifiable device identity has become more important than ever for building a secure access architecture.

How does Managed Device Attestation establish hardware-based trust?

For IT and security teams, Managed Device Attestation (MDA) provides cryptographic proof that a device connecting to your resources is a genuine, managed Apple device that has not been tampered with, creating a foundational layer of trust. This Apple platform security feature leverages the Secure Enclave to generate a hardware-bound cryptographic key. This key is used to obtain an attestation certificate from Apple's servers, which verifies the device's identity and core properties.

The magic happens through the Automatic Certificate Management Environment (ACME) protocol, delivered via a configuration profile from a Mobile Device Management (MDM) solution like Jamf Pro. When the profile is installed, the device uses its hardware-bound key to request a client certificate from an ACME server. The server challenges the device to prove its identity with Apple, and upon successful validation, it issues a client certificate that binds the hardware-attested identity to the device. This certificate can then be used to establish a trusted, mutual TLS connection with other servers in your organization, ensuring they are communicating with a legitimate, company-managed device.

What is Jamf's network relay service and how does it work?

Jamf’s network relay service is an OS-native proxy that tunnels traffic for specific enterprise applications without requiring a separate VPN client or any user interaction, streamlining secure access for managed Apple devices. Built on Apple's Network Relay framework for macOS, iOS, and iPadOS, it uses the modern MASQUE protocol to securely route traffic. This is the same underlying technology that powers iCloud Private Relay, but it is designed exclusively for enterprise use cases.

Unlike a traditional VPN that grants broad network access, Jamf’s network relay service creates secure micro-tunnels for specific applications and services defined by the administrator. When a user on a managed device attempts to access a predefined corporate resource, the operating system automatically routes that specific traffic through the network relay service to the Jamf Security Cloud. Because the connection is authenticated using the hardware-backed certificate from Managed Device Attestation, access is granted seamlessly and securely, without the user ever needing to launch an app, log in or take any action at all.

How do Managed Device Attestation and Jamf's network relay service deliver zero-touch access?

By deploying a single configuration profile from Jamf Pro, administrators can activate both Managed Device Attestation and Jamf’s network relay service, enabling devices to automatically and securely connect to authorized applications based on hardware-level identity. The process is entirely seamless for the end user. Once the MDM profile lands on the device, the ACME exchange occurs in the background, provisioning the hardware-attested client certificate. From that moment on, the OS knows exactly what to do.

As Donovan demonstrated, a device that was previously blocked by conditional access policies and unable to reach internal websites could instantly access those same resources after the profile was installed. When the device attempted to connect to a protected service like Office 365, the network relay service automatically tunneled the traffic through the Jamf Security Cloud. The connection was instantly trusted because of the device's hardware attestation, and the user was logged in without any interaction.

What are the primary use cases for Jamf's network relay service?

This solution is ideal for scenarios where user-based authentication is impractical or adds friction, such as with shared devices, headless systems or remote workers needing instant, secure connectivity. Because trust is established at the device level, access is no longer dependent on a user manually logging into a VPN client. This unlocks several key use cases:

  • Shared devices: In retail, hospitality or healthcare settings, staff can pick up any shared iPad and immediately access the apps they need for their work.

  • Headless devices: Purpose-built devices like point-of-sale systems or digital signage can be provisioned with out-of-the-box network connectivity without requiring manual configuration.

  • Remote workers: Traveling employees or remote staff get ubiquitous, secure network access from wherever they are, without the hassle of initiating a VPN connection.

  • Zero-touch onboarding: During device setup, the network relay service can provide the necessary connectivity to reach critical internal resources, streamlining the onboarding process for new Mac computers and mobile devices.

How are Jamf customers using this today?

Fellow IT and security leaders are already leveraging Jamf's network relay service to simplify the user experience and enhance security for their mobile and Mac fleets. During the session, Esteban Marine, a network security architect at VEG, and Henk Codfried, a Mac admin at UMC Utrecht, joined the stage to share their experiences.

For VEG, a 24/7 emergency service, the primary driver was user experience. "Our leadership was asking us for a much easier user experience to use a network VPN," Marine explained. "Network Relay was perfect because it's just set it and forget it."

At UMC Utrecht, Codfried is building a proof-of-concept for shared iPads used by medical staff. He highlighted the efficiency gains, noting, "users don't have to register their credentials in order to get the connection to the network. It's really easy to do... they can then take an iPad from a wall and be productive when they need it."

Visit the Jamf blog for JNUC updates, session recaps and more!