Use of Jamf Trust with additional corporate VPN

Hi dsmith-jamf,

You've hit a fundamental macOS limitation here. Apple only allows one active DNS proxy/content filter extension at a time on macOS. This is a platform constraint, not something specific to Jamf Trust or CrowdStrike.

The core issue: Both CrowdStrike Falcon and Jamf Trust use Network Extensions for DNS/content filtering. When CrowdStrike's filter is active, it blocks other DNS configurations from taking effect - which is exactly what you're seeing with the greyed-out DNS Settings.

Possible solutions:

1. Disable CrowdStrike's network filter component - If you're using CrowdStrike primarily for endpoint protection (EDR) rather than DNS filtering, you may be able to disable just the network filter portion while keeping the core protection active. Check with your CrowdStrike admin or support on how to deploy without the DNS/content filter component.
2. Use Jamf Trust for ZTNA only (without DNS filtering) - In Jamf Security Cloud, you can configure activation profiles to enable only ZTNA without content filtering. This may reduce the conflict since ZTNA primarily uses a WireGuard VPN tunnel rather than DNS interception for routing traffic to private resources.
3. Choose one product for DNS filtering - If both products need DNS-level filtering, you'll have to pick one. Decide whether CrowdStrike or Jamf Trust should own DNS filtering based on your security requirements.

Regarding your Ubiquiti VPN question: If you disable Jamf Trust's DNS component and only use ZTNA, you should be able to run a third-party VPN like Ubiquiti alongside it. ZTNA's per-app routing typically coexists better with traditional VPNs than full DNS-based filtering does.

I'd recommend contacting both Jamf and CrowdStrike support with your specific deployment scenario - they may have documented coexistence configurations for this exact situation.