Keeping your organization’s VPN always connected is crucial—especially with Zero Trust Network Access (ZTNA) frameworks like Jamf Trust. One of the challenges with Jamf Trust is that it does not automatically open or reconnect on startup or login by default. However, with a combination of Jamf Pro policies, a custom script, and an extension attribute, you can ensure your users stay securely connected.
This guide outlines how to do exactly that.
Why This Matters
Disconnected VPNs mean lost productivity, increased support tickets, and security risks. Jamf Trust provides a seamless VPN experience when connected—but if users forget to open it, it defeats the purpose.
Jamf Support clarified the following:
“Jamf Trust by default will not open automatically after deployment, startup, or login. However, you can leverage policies in Jamf Pro to auto-launch Jamf Trust at login and auto-enable ZTNA Service.”
Part A: Auto-Launch Jamf Trust App
This policy ensures that Jamf Trust launches at user login.
Steps:
- In Jamf Pro, go to
Policies > Newand configure the General payload:- Name: Jamf Trust Auto Launch
- Trigger: Login
- Execution Frequency: Once every day
- Add the Files and Processes payload:
- Execute Command:
open -a "Jamf Trust" com.jamf.trust://?action=open
- Execute Command:
-
Add target machines under Scope.
- Click Save.
This will open the app—but note, users will still need to authenticate manually.
Part B: Automatically Enable the VPN (ZTNA)
This policy takes it a step further: automatically enabling the VPN service.
Steps:
- In Jamf Pro, go to
Policies > Newand configure the General payload:- Name: Jamf Trust Auto Enable
- Trigger: Login
- Execution Frequency: Once every day
- Add the Files and Processes payload:
- Execute Command:
open -a "Jamf Trust" "com.jamf.trust://?action=enable_vpn"
- Execute Command:
-
Scope it to your test or target devices.
- Click Save and log into the machine to test.
Bonus: Prompt Users When VPN Disconnects
Step 1: Create an Extension Attribute to Detect VPN Disconnection ✅
Before you can remediate devices, you need a way to detect when Jamf Trust VPN is not running. Here’s how to create an Extension Attribute to help with that.
Extension Attribute Script
-
In Jamf Pro, go to:
Settings > Computer Management > Extension Attributes - Click New and configure:
- Name:
Jamf Trust VPN Status - Data Type: String
- Inventory Display: General
- Input Type: Script
- Name:
-
Paste this script:
#!/bin/bash if /usr/bin/pgrep "Jamf Trust" > /dev/null; then echo "<result>Connected</result>" else echo "<result>Disconnected</result>" fi - Save the Extension Attribute.
Step 2: Build a Smart Group 🎯
This Smart Group identifies machines where Jamf Trust is disconnected.
- Go to
Computers > Smart Computer Groups > New - Name the group:
VPN Not Connected - Add criteria:
- Jamf Trust VPN Status is Disconnected
- Save the group.
Step 3: Deploy the VPN Reconnect Script via Policy 🛠️
Now that Jamf Pro can detect disconnected machines, use the following script to prompt users and reconnect VPN. This should be scoped only to the VPN Not Connected Smart Group.
What It Does
- Prompts the user with a GUI message
- Offers a button to reconnect VPN
- Automatically reconnects
- Cleans up Jamf Protect extension attributes
- Runs
jamf reconto update inventory
Reconnect Script
#!/bin/bash
currUser=$(/usr/bin/stat -f%Su /dev/console)
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
msgtitle="JAMF Trust Not Connected"
heading="Jamf Trust VPN Access"
description="Looks Like Jamf Trust VPN has stopped running!
You should always be on the VPN.
Open the JAMF Trust app to reconnect to the VPN automatically."
button1="Ok"
button2="Connect VPN"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/ToolBarInfo.icns"
userChoice=$("$jamfHelper" -windowType utility -title "$msgtitle" -heading "$heading" -description "$description" -button1 "$button1" -button2 "$button2" -icon "$icon")
/usr/bin/open -a "Jamf Trust" "com.jamf.trust://?action=enable_vpn"
sudo jamf reconPolicy Setup
-
Trigger: Recurring Check-In
-
Execution Frequency: Ongoing
-
Scope: VPN Not Connected Smart Group
-
Payload: Scripts (use the script above via the script payload)
Conclusion
Maintaining a stable and always-on VPN connection with Jamf Trust can be challenging out of the box, but with a few well-structured Jamf Pro policies, extension attributes, and scripts, you can create a reliable and self-healing solution. This guide helps ensure your organization maintains security compliance, reduces user disruption, and proactively remediates disconnected clients. Thanks to contributions from the Jamf community and direct guidance from Jamf Support, it’s now easier than ever to build robust workflows that keep Jamf Trust connected and users protected.
Sources
-
Jamf Support – Direct communication provided implementation guidance for auto-launching and auto-enabling Jamf Trust via login-triggered policies.
-
Jamf Community Forums – Special thanks to user Trevor for outlining the original challenge and proposed solution in this Jamf Nation thread, which inspired this blog post.
-
Jamf Documentation – Referenced Jamf Trust macOS URL Scheme documentation for policy scripting. JAMF Trust Documentation
AI Usage Transparency Report
AI Era · Written during widespread use of AI tools
AI Signal Composition
Score: 0.43 · Moderate AI Influence
Summary
This guide outlines how to ensure your users stay securely connected with Jamf Trust by creating policies, extension attributes, and scripts that auto-launch and auto-enable the VPN service.
Related Posts
Jamf Was My Mac Evidence Layer for CMMC
How Jamf Compliance helped support the Mac portion of a CMMC assessment, and why I added a small read-only CSV summary script for auditor-ready failed-result evidence.
Adobe in Jamf: To Package or Not to Package
A Jamf Pro workflow for deciding when Adobe software should be deployed as a manual Adobe package and when the Jamf App Catalog path is the better fit.
Updating Jamf Pro Compliance Baselines from the macOS Security Compliance Project
How to update an existing Jamf Pro Compliance benchmark when new macOS Security Compliance Project baseline content becomes available.
The PPPC Profile I Check Before I Blame the App
PPPC profiles are one of those Mac administration tools that look simple until a real deployment exposes the edge cases. This walkthrough uses Zoom screen sharing and Backblaze Full Disk Access to show three practical paths: a manual plist, Jamf Pro natively, and Jamf PPPC Utility.
Ranking Jamf Extension Attributes by Smart Group Usage
I built a read-only Python script for Jamf Pro that ranks computer extension attributes by how often they are referenced in Smart Computer Groups and writes JSON and HTML reports for review.
Automating JAMF Pro Email Notifications with SendGrid (Smart Group Driven Workflows)
Modern device management isn't just about enforcing policies—it's about communicating effectively with users at the right time. In JAMF Pro, Smart Groups give you powerful visibility into device state, but they don't natively solve the problem of proactive, automated user communication. Whether you're trying to prompt users to restart their machines, complete updates, or take action on compliance issues, bridging that gap requires a flexible and scalable notification system.
The Day I Unmanaged a Mac Into a Corner
There are a few kinds of mistakes you make as a Mac admin. There are the ones that cost you time, the ones that cost you sleep, and then there are the ones that leave you staring at a perfectly good laptop thinking, “How did I possibly make this *less* manageable by touching it?” These mistakes often stem from a lack of understanding or experience with macOS, but they can also be the result of rushing through tasks or not taking the time to properly plan and test.
Updating Safari on macOS with Jamf Pro: Three Practical Strategies
Keeping Safari updated is one of the simplest ways to harden a macOS fleet. Apple ships security fixes for Safari frequently, and those patches often land before a full macOS point release. This means that by keeping Safari up-to-date, you can ensure your users have access to the latest security protections without having to wait for a major operating system update. If Safari is lagging behind, your users are browsing the web with a larger attack surface than necessary.
Hunting Down Jamf Profile Payloads with Python
If you've spent enough time living inside Jamf Pro, you eventually run into the same problem: someone set a configuration somewhere, sometime, and nobody remembers where. It might be something obscure – a certificate payload, a conditional SSO predicate, or that one security preference quietly misbehaving on three machines in accounting. And when you have dozens of configuration profiles, each with multiple payloads, nested keys, and XML-wrapped values, finding that setting can feel like forensic archaeology.