Ensuring Jamf Trust VPN Stays Connected with Jamf Pro

Keeping your organization’s VPN always connected is crucial—especially with Zero Trust Network Access (ZTNA) frameworks like Jamf Trust. One of the challenges with Jamf Trust is that it does not automatically open or reconnect on startup or login by default. However, with a combination of Jamf Pro policies, a custom script, and an extension attribute, you can ensure your users stay securely connected.

This guide outlines how to do exactly that.


Why This Matters

Disconnected VPNs mean lost productivity, increased support tickets, and security risks. Jamf Trust provides a seamless VPN experience when connected—but if users forget to open it, it defeats the purpose.

Jamf Support clarified the following:

“Jamf Trust by default will not open automatically after deployment, startup, or login. However, you can leverage policies in Jamf Pro to auto-launch Jamf Trust at login and auto-enable ZTNA Service.”


Part A: Auto-Launch Jamf Trust App

This policy ensures that Jamf Trust launches at user login.

Steps:

  1. In Jamf Pro, go to Policies > New and configure the General payload:
    • Name: Jamf Trust Auto Launch
    • Trigger: Login
    • Execution Frequency: Once every day
  2. Add the Files and Processes payload:
    • Execute Command:
      open -a "Jamf Trust" "com.jamf.trust://?action=open"
      
  3. Add target machines under Scope.

  4. Click Save.

This will open the app—but note, users will still need to authenticate manually.


Part B: Automatically Enable the VPN (ZTNA)

This policy takes it a step further: automatically enabling the VPN service.

Steps:

  1. In Jamf Pro, go to Policies > New and configure the General payload:
    • Name: Jamf Trust Auto Enable
    • Trigger: Login
    • Execution Frequency: Once every day
  2. Add the Files and Processes payload:
    • Execute Command:
      open -a "Jamf Trust" "com.jamf.trust://?action=enable_vpn"
      
  3. Scope it to your test or target devices.

  4. Click Save and log into the machine to test.

Bonus: Prompt Users When VPN Disconnects

Step 1: Create an Extension Attribute to Detect VPN Disconnection ✅

Before you can remediate devices, you need a way to detect when Jamf Trust VPN is not running. Here’s how to create an Extension Attribute to help with that.

Extension Attribute Script

  1. In Jamf Pro, go to:
    Settings > Computer Management > Extension Attributes

  2. Click New and configure:
    • Name: Jamf Trust VPN Status
    • Data Type: String
    • Inventory Display: General
    • Input Type: Script
  3. Paste this script:

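     #!/bin/bash
     # Reports whether the Jamf Trust app process is running.
     # This is a process check only; it does not inspect the tunnel state.

     if /usr/bin/pgrep "Jamf Trust" > /dev/null; then
         echo "<result>Connected</result>"
     else
         echo "<result>Disconnected</result>"
     fi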
    
  4. Save the Extension Attribute.

Step 2: Build a Smart Group 🎯

This Smart Group identifies machines where Jamf Trust is disconnected.

  1. Go to Computers > Smart Computer Groups > New
  2. Name the group: VPN Not Connected
  3. Add criteria:
    • Jamf Trust VPN Status is Disconnected
  4. Save the group.

Step 3: Deploy the VPN Reconnect Script via Policy 🛠️

Now that Jamf Pro can detect disconnected machines, use the following script to prompt users and reconnect VPN. This should be scoped only to the VPN Not Connected Smart Group.

What It Does

  • Prompts the user with a GUI message
  • Offers a button to reconnect VPN
  • Automatically reconnects
  • Cleans up Jamf Protect extension attributes
  • Runs jamf recon to update inventory

Reconnect Script

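#!/bin/bash

# Logged-in console user (recorded for reference; the steps below run as root)
currUser=$(/usr/bin/stat -f%Su /dev/console)

# jamfHelper dialog settings
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
msgtitle="JAMF Trust Not Connected"
heading="Jamf Trust VPN Access"
description="Looks like Jamf Trust VPN has stopped running!

You should always be on the VPN.
Open the JAMF Trust app to reconnect to the VPN automatically."

button1="Ok"
button2="Connect VPN"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ToolBarInfo.icns"

# Show the prompt. jamfHelper prints the code of the clicked button;
# the script reconnects whichever button is pressed.
userChoice=$("$jamfHelper" -windowType utility -title "$msgtitle" -heading "$heading" -description "$description" -button1 "$button1" -button2 "$button2" -icon "$icon")

# Ask Jamf Trust to enable the VPN through its URL scheme
/usr/bin/open -a "Jamf Trust" "com.jamf.trust://?action=enable_vpn"

# Update inventory so the extension attribute is re-evaluated.
# Policy scripts already run as root, so sudo is not needed.
/usr/local/bin/jamf recon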

Policy Setup

  • Trigger: Recurring Check-In

  • Execution Frequency: Ongoing

  • Scope: VPN Not Connected Smart Group

  • Payload: Scripts (use the script above via the script payload)
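
The same remediation as an added example (not the original post's script and not Jamf's code): it skips the prompt when nobody is logged in, reconnects only when the user picks Connect VPN, and opens the URL in the user's session. The function names has_console_user, action_for_choice and remediate, the launchctl asuser wrapper and the 5-second wait are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the original post's script.
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
JAMF_BIN="/usr/local/bin/jamf"
VPN_URL="com.jamf.trust://?action=enable_vpn"

# A GUI prompt needs a real console user. At the login window /dev/console
# is owned by root; _mbsetupuser owns it during Setup Assistant.
has_console_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser) return 1 ;;
        *) return 0 ;;
    esac
}

# jamfHelper reports 0 for button1 and 2 for button2; anything else means
# the dialog did not complete normally.
action_for_choice() {
    case "$1" in
        2) echo "enable_vpn" ;;  # "Connect VPN"
        0) echo "dismissed" ;;   # "Ok"
        *) echo "error" ;;
    esac
}

remediate() {
    local user uid choice
    user=$(/usr/bin/stat -f%Su /dev/console 2>/dev/null)
    has_console_user "$user" || return 0   # nobody to prompt; try next check-in
    uid=$(/usr/bin/id -u "$user") || return 1

    choice=$("$JAMF_HELPER" -windowType utility -title "Jamf Trust Not Connected" \
        -heading "Jamf Trust VPN Access" \
        -description "Jamf Trust VPN has stopped running." \
        -button1 "Ok" -button2 "Connect VPN")

    if [ "$(action_for_choice "$choice")" = "enable_vpn" ]; then
        # Policy scripts run as root; open the URL in the user's GUI session.
        /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$user" \
            /usr/bin/open -a "Jamf Trust" "$VPN_URL"
        sleep 5   # assumed settle time before re-checking the process
    fi
    # Refresh inventory only once the app is up, so the Smart Group is accurate.
    if /usr/bin/pgrep "Jamf Trust" >/dev/null; then "$JAMF_BIN" recon; fi
}

# Runs only where jamfHelper exists (a managed Mac).
if [ -x "$JAMF_HELPER" ]; then remediate; fi
```

Because inventory is refreshed only after the app process is found, a dismissed prompt leaves the Mac in the VPN Not Connected group and the policy prompts again at the next check-in.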


Conclusion

Maintaining a stable and always-on VPN connection with Jamf Trust can be challenging out of the box, but with a few well-structured Jamf Pro policies, extension attributes, and scripts, you can create a reliable and self-healing solution. This guide helps ensure your organization maintains security compliance, reduces user disruption, and proactively remediates disconnected clients. Thanks to contributions from the Jamf community and direct guidance from Jamf Support, it’s now easier than ever to build robust workflows that keep Jamf Trust connected and users protected.

Sources

  • Jamf Support – Direct communication provided implementation guidance for auto-launching and auto-enabling Jamf Trust via login-triggered policies.

  • Jamf Community Forums – Special thanks to user Trevor for outlining the original challenge and proposed solution in this Jamf Nation thread, which inspired this blog post.

  • Jamf Documentation – Referenced the Jamf Trust macOS URL Scheme documentation for policy scripting.
