Skip to main content
Question

Jamf Protect Behavior on BYOD Devices

  • October 16, 2024
  • 2 replies
  • 29 views
_aDiedericks
Forum|alt.badge.img+8

Hi everyone,

During our testing, we've encountered an alarming issue with Jamf Protect on BYOD devices. Even though we've configured the Jamf Trust app to route only specific domains through the Jamf Protect gateway, it's logging all web activity—regardless of whether it matches the routing policy or not.

This presents a serious privacy concern, as it feels like an unnecessary overreach into user browsing data. While there is an option to anonymize user details, this feels more like a workaround than a solution.

Ideally, we should be able to implement split-tunneling, where traffic that doesn’t match the company’s routing policy is treated as regular traffic and exits through the device’s standard WiFi interface (iOS/Android). Has anyone else experienced this or found a better way to manage this?

    2 replies

    AJPinto
    Forum|alt.badge.img+26
    • AJPinto
    • Legendary Contributor
    • October 17, 2024

    MacOS does not have the same containerization that iOS/iPadOS has. The main difference between BYOD and Org Owned for macOS is what MDM commands you can use, and what Configuration Profile payloads will function. Anything run by a MDM like Jamf, or a Security Tool like Jamf Protect is run as root and can see everything on a Mac.

     

    TL;DR you don't BYOD macOS.

    _aDiedericks
    Forum|alt.badge.img+8
    • _aDiedericks
    • Author
    • Contributor
    • October 17, 2024

    MacOS does not have the same containerization that iOS/iPadOS has. The main difference between BYOD and Org Owned for macOS is what MDM commands you can use, and what Configuration Profile payloads will function. Anything run by a MDM like Jamf, or a Security Tool like Jamf Protect is run as root and can see everything on a Mac.

     

    TL;DR you don't BYOD macOS.


    Thanks for your response. The Jamf Trust activation profile that is deployed to BYO devices are entirely different from MDM managed deployments that offer the additional controls of Jamf Protect with the ZTNA functionality of Jamf Security that you are making mention of.

     

    You may be conflating the two but what I'm referring to is the Jamf Trust functionality with ZTNA and VPN specifically and its behaviour on a BYO activation profile (not MDM configuration profile) only relating to iOS and Android.

     

    The Jamf Trust app's behaviour on iOS and Android is recording ALL traffic of BYO even though the additional Jamf Protect related (not Jamf Security/ZTNA) network diagnostic addon is disabled in the BYO activation profile.

     

    In a general sense the above logic is unacceptable in every scenario one could conceive of it would make logical sense that only tunnelled data should get reported but not data that does not match the criteria of the policy based routing configurations done in the Jamf Security portal within a demilitarized context like the BYO activation profile. 

     

    Terms & ConditionsCookie settingsAccessibility statement