Troubleshooting Standard Routing Policies in JAMF Security Cloud

The Problem: Standard Routing Policies Need Fixing

As a fairly new administrator of JAMF Security Cloud, it was the ease with which it's administered that admittedly drew me in. Quite an elegant solution for securing the various apps on business workstations, with premade app-based VPN routing rules built right in; I was hooked. The concept is simple. Turn on the policies, create your enrollment, deploy, and you're done.

The problem is that each rule is made up of allowed subnets and domains that change. This is problematic because if Microsoft or Slack introduces a new content delivery network or domain into their app, and the policy is not allowing this new traffic, the user experience is less than ideal, and you as the administrator are left trying to figure out what's going on.

Is this an app issue? Is this a network issue? Did the developer just push out a bad update? It's not a fun position to be in.

Ruling Out Avenues

It was one such app that started giving me issues: Microsoft Teams for iOS. I have almost never had any issues with iOS; typically they are rock solid, as they are vetted at least in some part by Apple, and most developers tend to push regular updates, patches and fixes, in most cases weekly.

However, when a new version of Teams made its way onto our BYOD devices, it spelled trouble for my fleet. Users started experiencing strange issues. Now, we use app-based VPN in JAMF Pro and we ensure that JAMF Trust is set up and works on every device. So the question really was: was this issue related to a Teams service issue? It certainly seemed plausible. At the exact time the issue started being reported, there was a known minor Teams outage on their status tracker.

Was this a VPN issue? Looking at JAMF Security Cloud, all systems seemed to be a go. Not all elements in the app were malfunctioning; some features worked fine while others just seemed slow and unresponsive.

Maybe it was just a bad update, as I mentioned before. I opened support tickets with all of the usual suspects: Apple, Microsoft and JAMF.

Digging in Deep

The Apple and Microsoft tickets led to the usual places. Have you tried removing the app? Have you tried clearing the cache? Have you tried resetting your phone? Have you tried a different network? Of course, nothing helped.

JAMF referred me to their security team and they started digging in. Looks like the policy was not including all the domains and subnets that were documented in a recent update in Microsoft's URL allow list article for Microsoft Teams.

After two weeks of solid testing, we finally got to the bottom of all the URLs that were part of the built-in policy and which ones needed to be added.

Allowed & Required URLs for Jamf Security Cloud App VPN Policy (Microsoft Services)

Category                      URLs / Subnets
Prebuilt Policy (Default)     *.adl.windows.com
                              *.mediaservices.windows.net
                              *.msecnd.net
                              *.mstea.ms
                              *.sfbassets.com
                              *.skype.com
                              *.skypeforbusiness.com
                              *.teams.microsoft.com
                              skype.com
                              skypeforbusiness.com
                              teams.microsoft.com
Additional Required Entries   *.lync.com
                              *.resources.office.net
                              *.static.microsoft
                              *.teams.cloud.microsoft
                              *.usercontent.microsoft
                              *.users.storage.live.com
                              compass-ssl.microsoft.com
                              join.secure.skypeassets.com
                              mamservice.manage.microsoft.com
                              mlccdnprod.azureedge.net
                              resources.office.net.edgekey.net
                              52.122.0.0/15
                              52.244.160.207/32
                              52.238.119.141/32
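
To find this kind of gap faster, the destinations an app actually contacts can be compared against the policy entries. The script below is an added example, not code from this post or from Jamf: the two lists are copied from the table above, the SAMPLE destinations are constructed, and it assumes a "*." entry covers subdomains but not the bare domain, which is how the prebuilt list appears to treat skype.com and *.skype.com.

```python
import ipaddress

# Entries copied from the table on this page.
PREBUILT = [
    "*.adl.windows.com", "*.mediaservices.windows.net", "*.msecnd.net",
    "*.mstea.ms", "*.sfbassets.com", "*.skype.com", "*.skypeforbusiness.com",
    "*.teams.microsoft.com", "skype.com", "skypeforbusiness.com",
    "teams.microsoft.com",
]
ADDITIONAL = [
    "*.lync.com", "*.resources.office.net", "*.static.microsoft",
    "*.teams.cloud.microsoft", "*.usercontent.microsoft",
    "*.users.storage.live.com", "compass-ssl.microsoft.com",
    "join.secure.skypeassets.com", "mamservice.manage.microsoft.com",
    "mlccdnprod.azureedge.net", "resources.office.net.edgekey.net",
    "52.122.0.0/15", "52.244.160.207/32", "52.238.119.141/32",
]
# Constructed sample: destinations as they might be noted during testing.
SAMPLE = ["teams.microsoft.com", "media.teams.cloud.microsoft",
          "52.123.10.20", "assets.static.microsoft", "cdn.example.net"]

def is_covered(dest, policy):
    """True if a hostname or IP address matches any entry in the policy."""
    dest = dest.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None                      # not an IP, treat as hostname
    for entry in policy:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            net = None                   # not a subnet, treat as domain
        if net is not None:
            if addr is not None and addr in net:
                return True
        elif addr is None and entry.startswith("*."):
            # Assumed semantics: wildcard covers subdomains, not the apex.
            if dest.endswith(entry[1:].lower()):
                return True
        elif addr is None and dest == entry.lower():
            return True
    return False

def uncovered(destinations, policy):
    return [d for d in destinations if not is_covered(d, policy)]

if __name__ == "__main__":
    print("prebuilt only:", uncovered(SAMPLE, PREBUILT))
    print("with additions:", uncovered(SAMPLE, PREBUILT + ADDITIONAL))
```

Anything still listed after the additions are applied is either unrelated traffic or a destination worth checking against Microsoft's current allow list.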

Conclusion

Almost immediately once the policy was updated, things returned to normal. It's a good reminder that you can't assume any company is always working to update and test changes in your ecosystem. At the end of the day, it's your responsibility to maintain it and understand where the weaknesses are. JAMF posted back that they will update these URLs into their default prebuilt policy, but it was clear that they also are not always aware of underlying changes at the app level.

