We’re excited to share that Jamf's Network Relay service - our Jamf solution for transforming the network connectivity experience on Apple devices, is now available as a Release Candidate (RC) for production use on Apple mobile platforms (iPhone, iPad, Apple TV, Vision Pro) and Mac devices.
Built on Apple native technologies - including MASQUE and Managed Device Attestation, and powered by Jamf’s global private mesh network and conditional access engine, Jamf's Network Relay service is a next-generation remote access solution that delivers pervasive, policy-driven connectivity from the moment a device boots, all configured via MDM and completely invisible to the end user.
Ready to Try It?
We’re offering limited access during this Release Candidate phase to ensure a great customer experience as we continue scaling the service.
👉 If you're interested in enabling Network Relay for your production Apple mobile and Mac fleet, please fill out this short survey outlining your use case and deployment size.
Our Product team will review your request and follow up to confirm whether we’re able to provide access at this time.
Why It Matters
Whether supporting a frontline workforce with shared iPads or enabling executives to stay connected during international travel, modern Apple deployments demand more flexible, secure remote network access. Traditional VPNs and generic ZTNA tools often fall short when it comes to Apple-specific workflows.
Network Relay changes that, giving Jamf customers a device-native, Apple-first way to route private traffic securely and reliably, even in restrictive network environments.
Key Features
- Strong device identity verification: Utilizes Apple Managed Device Attestation for robust device identity verification.
- Device-level encrypted micro-tunnels: Establishes encrypted, domain-specific tunnels utilizing modern transport and encryption protocols, available as early as device onboarding.
- Compatibility: Works seamlessly alongside other user-based VPN or ZTNA solutions.
Key Use Cases for Mobile and Mac
Mobile Use Cases:
- Traveling employees who need consistent, secure network access to their work application from wherever they connect from in the world, across global cellular and Wi-Fi networks and restricted captive portals (e.g., hotel or airport networks).
- Passwordless Access on Shared iPads: Enable zero-touch, policy-based access on shared iPads - no logins, no VPNs, no compromise on security or compliance.
- Zero-Touch Onboarding for userless purpose-built devices: Securely provision and connect headless devices at scale with automatic, out-of-the-box network connectivity.
Mac Use Cases:
- Enterprise Mac onboarding flows that require early access to AD, LDAP, or licensing servers during device setup.
- Layered Security for Critical Cloud Communications: Add an extra layer of protection for IdP and SaaS traffic by routing it through encrypted, attested tunnels, ensuring only trusted devices connect to high-value cloud services.
- Fallback network access for critical work applications like ServiceNow in case of primary VPN outage or disaster recovery scenarios.
How It Works
Jamf's Network Relay service configures an Apple OS platform tunneling mechanism, routing traffic that matches designated enterprise domains (“Match Domains”) through encrypted micro-tunnels over HTTP/3. This traffic is securely routed via Jamf’s global Network Relay infrastructure, with access policies enforced in the cloud. If access via HTTP/3 isn’t available, the tunnel automatically falls back to HTTP/2, ensuring resilient, high-availability connectivity even in challenging and restrictive environments.
Only devices that are company-managed, and hardware-attested using Apple’s Managed Device Attestation can connect to protected resources.
To explore how to configure Jamf Network Relay in your environment, or to review current known issues and limitations, check out the official documentation here: