Jamf Trust Configuration Changes for iOS 15.6 and Later

As of iOS 15.6, Apple introduced changes to how iOS and iPadOS handle Per-App VPN and Proxy traffic. Jamf Trust and Wandera utilize Apple Per-App VPN triggers for Cloud Proxy configurations, enabling devices to report their statuses and send device data to Jamf Security Cloud.

Most customers do not need to take any action—Jamf added custom routing rules for the default domains included in the Jamf Trust and Wandera (legacy) apps.

However, if you modified your configuration profile to include additional Safari domains to trigger the Per-App VPN, you need to take the following steps to ensure network connectivity isn't interrupted for your users:

  1. Checking the Safari domains in your configuration profile

  2. Entering new rules in RADAR, if required

Step 1: Checking the Safari Domains in Your Configuration Profile

This step checks whether your configuration profile contains Safari domains other than the default domains and determines whether further action is required.

  1. In your UEM solution, such as Jamf Pro, locate your Jamf Trust configuration profile (e.g., "Jamf Trust" or "Wandera") that is applied to your supervised devices.
  2. In the configuration profile, check for the following default domains under Safari Domains:
    • ep.wandera.com

    • clients1.google.com

      The following is an example of the default Safari domains shown in Jamf Pro.

      A screenshot of the Safari Domains screen in Jamf Pro, showing the default domains, ep.wandera.com and clients1.google.com.

If your Safari domains list only contains the default domains above, no further action is required.

If there are any other domains in the Safari domains list, proceed to step 2.

Step 2: Entering New Rules in RADAR

If there are any non-default domains in your Safari domains list, you must add rules in RADAR to bypass these domains and ensure uninterrupted service.

  1. In RADAR, under Settings > Service Controls > Dynamic Routing > Routing Controls, click the Advanced Routing button.
  2. Click the Add Rule button and add the first non-default Safari domain from your configuration profile (i.e., any domain other than ep.wandera.com and clients1.google.com). Repeat this step for any additional non-default Safari domains.
    The Advanced Routing screen in RADAR with a green square highlighting the Domain field where you'll paste your non-default domains.
  3. Next to each domain you entered, ensure that the Bypass Gateway toggle is turned on and the Conditions are set to Always.
  4. Click the Save button to save your new rules.
All devices will synchronize with these settings so that service is not interrupted.
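
The Step 1 check can also be run against an exported copy of the configuration profile, which yields the list of domains that need a rule in Step 2. This is an added example, not Jamf's code; it assumes an unsigned XML export in which the Safari domains sit in a `SafariDomains` array of the Per-App VPN payload, and the sample profile and its example.com/example.org domains are constructed.

```python
import plistlib

# Default Safari domains that need no action, as listed in Step 1.
DEFAULT_DOMAINS = {"ep.wandera.com", "clients1.google.com"}

# Constructed sample profile (not a real export). Assumption: Per-App VPN
# payload type com.apple.vpn.managed.applayer with a SafariDomains array.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
    <key>SafariDomains</key><array>
      <string>ep.wandera.com</string>
      <string>Clients1.Google.com.</string>
      <string>intranet.example.com</string>
      <string> portal.example.org </string>
    </array>
  </dict></array>
</dict></plist>"""


def iter_safari_domains(node):
    """Yield every SafariDomains entry, however deeply the payload is nested."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "SafariDomains" and isinstance(value, list):
                yield from (v for v in value if isinstance(v, str))
            else:
                yield from iter_safari_domains(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_safari_domains(item)


def normalize(domain):
    """Compare case-insensitively, ignoring padding and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def non_default_domains(profile_bytes):
    """Return the sorted Safari domains that are not Jamf defaults."""
    profile = plistlib.loads(profile_bytes)
    found = {normalize(d) for d in iter_safari_domains(profile)}
    return sorted(found - DEFAULT_DOMAINS - {""})


if __name__ == "__main__":
    extra = non_default_domains(SAMPLE_PROFILE)
    print("No further action required" if not extra else "Add RADAR rules for:")
    print("\n".join(extra))
```

An empty result corresponds to the "no further action is required" case; a signed profile must have its signature wrapper removed before `plistlib` can parse it.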