The Problem: Standard Routing Policies Need Fixing
As a fairly new administrator of JAMF Security Cloud, it was the ease of which its administered that admittedly drew me in. Quite an elegant solution for securing the various apps on business workstations with premade app based VPN routing rules built right in, I was hooked. The concept is simple. Turn on the policies, create your enrollment and deploy and your done.
The problem is that each rule is made up of allowed subnets, and domains that change. This is problematic because if Microsoft or Slack introduces a new content delivery network or domain into their app, and the policy is not allowing this new traffic the user experience is less than ideal, and you as the administrator are left trying to figure out whats going on.
Is this an app issue? Is this a network issue? Did the developer just push out a bad update? Its not a fun position to be in.
Ruling Out Avenues
It was one such app that started giving me issues, Microsoft Teams for iOS. I have almost never had any issues with iOS, typically they are rock solid as they are vetted at least in some part by Apple and most developers tend to push regular updates, patches and fixes in most cases weekly.
However, when a new version of Teams made its way onto our BYOD devies it spelled trouble for my fleet. Users started experiencing strange issues. Now we use app based VPN in JAMF Pro and we ensure that JAMF Trust is setup and works on every device. So the question really was, was this issue related to a Teams service issue? It certainly seemed plausible. At the exact time the issue started being reported there was a known minor Teams outage on their status tracker.
Was this a VPN issue? Looking at JAMF Security cloud all systems seemed like it was a go. Not all elements in the app were malfunctioning, some features worked fine while others just seemed slow and unresponsive.
Maybe it was just a bad update as I mentioned before. I opened support tickets with all of the usual suspects. Apple, Microsoft and JAMF.
Digging in Deep
While the Apple and Microsoft tickets led to the usual places. Have you tried removing the app? Have you tried clearing the cache? Have you tried resetting your phone? Have you tried a different network? Of course nothing helped.
JAMF referred me to their security team and they started digging in. Looks like the policy was not including all the domains and subnets that were documented in a recent update in Microsofts URL allow list article for Microsoft Teams.
After two weeks of solid testing we finally got to the bottom of all the URLs that were part of the built in policy and which ones needed to be added.
Allowed & Required URLs for Jamf Security Cloud App VPN Policy (Microsoft Services)
| Category | URLs / Subnets |
|---|---|
| Prebuilt Policy (Default) | *.adl.windows.com |
| *.mediaservices | |
| windows.net | |
| *.msecnd.net | |
| *.msteams | |
| *.sfbassets.com | |
| *.skvne.com | |
| *.skvneforbusiness.com | |
| *.adl.windows.com | |
| *.mediaservices.windows.net | |
| *.msecnd.net | |
| *.mstea.ms | |
| *.sfbassets.com | |
| *.skype.com | |
| *.skypeforbusiness.com | |
| * teams.microsoft.com | |
| skype.com | |
| skypeforbusiness.com | |
| teams.microsoft.com | |
| Additional Required Entries | *.lync.com |
| *.resources.office.net | |
| *.static.microsoft | |
| *.teams.cloud.microsoft | |
| *.usercontent.microsoft | |
| *.users.storage.live.com | |
| compass-ssl.microsoft.com | |
| join.secure.skypeassets.com | |
| mamservice.manage.microsoft.com | |
| mlccdnprod.azureedge.net | |
| resources.office.net.edgekey.net | |
| 52.122.0.0/15 | |
| 52.244.160.207/32 | |
| 52.238.119.141/32 |
Conclusion
Almost immediately once the policy was updated things returned to normal. Its a good reminder that you can’t assume any company is always working to update and test changes in your ecosystem. At the end of the day its your responsibility to maintain it and understand where the weaknesses are. JAMF posted back that they will update these URLS into their default prebuilt policy but it was clear that they also are not always aware of underlying changes at the app level.
If you found this post useful, Follow me and comment with questions, or feedback. As always here are the sources I referenced throughout this blog post.
Sources
AI Usage Transparency Report
AI Era · Written during widespread use of AI tools
AI Signal Composition
Score: 0.23 · Moderate AI Influence
Summary
The problem with standard routing policies in JAMF Security Cloud is that they can be outdated and not include all the necessary domains and subnets, leading to issues like slow or unresponsive features.
Related Posts
Two PPPC Tools I Would Add After the Profile Looks Right
A follow-up on two tools worth adding to a PPPC troubleshooting workflow: PPPC_Analyser for inspecting app privacy requirements and QuickJamfDeploy for forcing the Jamf management framework into place during deployment.
Audit Jamf API Roles Before They Become Forgotten Access
A read-only Jamf Pro API role audit script that reports role privilege reach, write-capable access, review priority, and API client inventory without changing Jamf.
Review the Smart Group Before You Scope the Policy
Review your Smart Group before you ever scope a Jamf policy. Validate inventory, understand your signals, test exclusions, and prove the group works before it reaches production.
Build Jamf DDM Update Blueprints for macOS and iOS
How I set up Jamf software update blueprints for macOS and iOS using Declarative Device Management, staged scope, clear enforcement timing, and visible deployment progress.
Review the Package Before You Build the Policy
A Jamf-focused package review workflow for checking installer signing, package contents, scope, validation, and rollback before a policy reaches production Macs.
Jamf Was My Mac Evidence Layer for CMMC
How Jamf Compliance helped support the Mac portion of a CMMC assessment, and why I added a small read-only CSV summary script for auditor-ready failed-result evidence.
Adobe in Jamf: To Package or Not to Package
A Jamf Pro workflow for deciding when Adobe software should be deployed as a manual Adobe package and when the Jamf App Catalog path is the better fit.
Updating Jamf Pro Compliance Baselines from the macOS Security Compliance Project
How to update an existing Jamf Pro Compliance benchmark when new macOS Security Compliance Project baseline content becomes available.
The PPPC Profile I Check Before I Blame the App
PPPC profiles are one of those Mac administration tools that look simple until a real deployment exposes the edge cases. This walkthrough uses Zoom screen sharing and Backblaze Full Disk Access to show three practical paths: a manual plist, Jamf Pro natively, and Jamf PPPC Utility.
Ranking Jamf Extension Attributes by Smart Group Usage
I built a read-only Python script for Jamf Pro that ranks computer extension attributes by how often they are referenced in Smart Computer Groups and writes JSON and HTML reports for review.