10-16-2024 03:30 PM - edited 10-16-2024 03:30 PM
Hi everyone,
During our testing, we've encountered an alarming issue with Jamf Protect on BYOD devices. Even though we've configured the Jamf Trust app to route only specific domains through the Jamf Protect gateway, it's logging all web activity—regardless of whether it matches the routing policy or not.
This presents a serious privacy concern, as it feels like an unnecessary overreach into user browsing data. While there is an option to anonymize user details, this feels more like a workaround than a solution.
Ideally, we should be able to implement split-tunneling, where traffic that doesn’t match the company’s routing policy is treated as regular traffic and exits through the device’s standard WiFi interface (iOS/Android). Has anyone else experienced this or found a better way to manage this?
Posted on 10-17-2024 04:24 AM
macOS does not have the same containerization that iOS/iPadOS has. The main difference between BYOD and Org Owned for macOS is what MDM commands you can use, and what Configuration Profile payloads will function. Anything run by an MDM like Jamf, or a Security Tool like Jamf Protect, is run as root and can see everything on a Mac.
TL;DR you don't BYOD macOS.
10-17-2024 05:29 AM - edited 10-17-2024 05:31 AM
Thanks for your response. The Jamf Trust activation profile that is deployed to BYO devices is entirely different from MDM managed deployments that offer the additional controls of Jamf Protect with the ZTNA functionality of Jamf Security that you are making mention of.
You may be conflating the two but what I'm referring to is the Jamf Trust functionality with ZTNA and VPN specifically and its behaviour on a BYO activation profile (not MDM configuration profile) only relating to iOS and Android.
The Jamf Trust app's behaviour on iOS and Android is recording ALL traffic of BYO even though the additional Jamf Protect related (not Jamf Security/ZTNA) network diagnostic addon is disabled in the BYO activation profile.
In a general sense, the above logic is unacceptable in every scenario one could conceive of. It would make logical sense that only tunnelled data should get reported, but not data that does not match the criteria of the policy-based routing configurations done in the Jamf Security portal within a demilitarized context like the BYO activation profile.