Keeping Jamf Security Cloud Sharp for O365
When I first wrote about troubleshooting Standard Routing Policies in Jamf Security Cloud, the goal was simple: help admins keep Microsoft Teams and Microsoft 365 traffic flowing smoothly through Jamf Trust + App-Based VPN.
Fast-forward, Microsoft has added additional IP ranges and hostnames — and if you’re relying solely on Jamf’s built-in policy, you’re eventually going to feel the pain when Teams, Outlook, or SharePoint suddenly stop behaving.
This post updates the original allow-list to ensure full functionality with Microsoft 365 services, including Teams calling, media, authentication, and content delivery.
As before — we don’t remove anything. We only add what’s required and label what’s New.
Updated Allowed & Required URLs for Jamf Security Cloud App VPN Policy (Microsoft Services)
✅ Default Jamf Policy URLs (Unchanged)
| Category | URLs / Subnets |
|---|---|
| Prebuilt Policy | *.adl.windows.com |
| *.mediaservices | |
| windows.net | |
| *.msecnd.net | |
| *.msteams | |
| *.sfbassets.com | |
| *.skvne.com | |
| *.skvneforbusiness.com | |
| *.adl.windows.com | |
| *.mediaservices.windows.net | |
| *.msecnd.net | |
| *.mstea.ms | |
| *.sfbassets.com | |
| *.skype.com | |
| *.skypeforbusiness.com | |
| *.teams.microsoft.com | |
| skype.com | |
| skypeforbusiness.com | |
| teams.microsoft.com |
✅ Required Custom Hostnames (Original + New)
| Hostname | Status |
|---|---|
| *.lync.com | Required |
| *.resources.office.net | Required |
| *.static.microsoft | Required |
| *.teams.cloud.microsoft | Required |
| *.usercontent.microsoft | Required |
| *.users.storage.live.com | Required |
| compass-ssl.microsoft.com | Required |
| join.secure.skypeassets.com | Required |
| mamservice.manage.microsoft.com | Required |
| mlccdnprod.azureedge.net | Required |
| resources.office.net.edgekey.net | Required |
| aadcdn.msftauth.net | New |
| autodiscover.office365.com | New |
| cdn.office.net | New |
| cdn.office365.com | New |
| config.office.com | New |
| exchange.microsoft.com | New |
| *.akadns.net | New |
| *.azureedge.net | New |
| attachments.office.net | New |
✅ Required IP Ranges (Original + New)
| IP Range / Address | Status |
|---|---|
| 52.122.0.0/15 | Required |
| 52.244.160.207/32 | Required |
| 52.238.119.141/32 | Required |
| 40.64.0.0/10 | New |
| 131.253.0.0/16 | New |
| 52.96.0.0/14 | New |
| 20.190.128.0/18 | New |
| 104.146.0.0/16 | New |
| 204.79.197.0/24 | New |
| 13.107.0.0/16 | New |
What Changed?
Microsoft is rapidly expanding delivery and authentication networks to support:
- Teams AV media & recording services
- CDN-accelerated Office 365 content
- Exchange and Outlook authentication shifts
- Azure AD / Entra traffic delivery upgrades
- Regional cloud & edge expansion
Jamf’s default routing list still doesn’t always catch everything — so the safest path is periodic manual validation against the Microsoft service endpoint list.
👉 https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges
Conclusion
Once again — the minute these new entries were added, end-user friction disappeared. Teams behaved, Outlook synced, and Microsoft 365 returned to the smooth experience we expect.
Key takeaway:
Even with platform vendors automating routing intelligence, cloud environments evolve faster than policy libraries. Review, validate, test, and stay ahead — or your users will alert you the hard way.
If you found this helpful, follow me on LinkedIn and feel free to drop questions or lessons you’ve learned in your environment.
Stay secure, stay curious, and keep Jamf sharp. 🔐💪
Sources
Ready to take your Apple IT skills and consulting career to the next level?
I’m opening up free mentorship slots to help you navigate certifications, real-world challenges, and starting your own independent consulting business.
Let’s connect and grow together — Sign up here
AI Usage Transparency Report
AI Era · Written during widespread use of AI tools
AI Signal Composition
Score: 0.29 · Moderate AI Influence
Summary
Updated Allowed & Required URLs for Jamf Security Cloud App VPN Policy (Microsoft Services)
Related Posts
Jamf Was My Mac Evidence Layer for CMMC
How Jamf Compliance helped support the Mac portion of a CMMC assessment, and why I added a small read-only CSV summary script for auditor-ready failed-result evidence.
Adobe in Jamf: To Package or Not to Package
A Jamf Pro workflow for deciding when Adobe software should be deployed as a manual Adobe package and when the Jamf App Catalog path is the better fit.
Updating Jamf Pro Compliance Baselines from the macOS Security Compliance Project
How to update an existing Jamf Pro Compliance benchmark when new macOS Security Compliance Project baseline content becomes available.
The PPPC Profile I Check Before I Blame the App
PPPC profiles are one of those Mac administration tools that look simple until a real deployment exposes the edge cases. This walkthrough uses Zoom screen sharing and Backblaze Full Disk Access to show three practical paths: a manual plist, Jamf Pro natively, and Jamf PPPC Utility.
Ranking Jamf Extension Attributes by Smart Group Usage
I built a read-only Python script for Jamf Pro that ranks computer extension attributes by how often they are referenced in Smart Computer Groups and writes JSON and HTML reports for review.
Automating JAMF Pro Email Notifications with SendGrid (Smart Group Driven Workflows)
Modern device management isn't just about enforcing policies—it's about communicating effectively with users at the right time. In JAMF Pro, Smart Groups give you powerful visibility into device state, but they don't natively solve the problem of proactive, automated user communication. Whether you're trying to prompt users to restart their machines, complete updates, or take action on compliance issues, bridging that gap requires a flexible and scalable notification system.
The Day I Unmanaged a Mac Into a Corner
There are a few kinds of mistakes you make as a Mac admin. There are the ones that cost you time, the ones that cost you sleep, and then there are the ones that leave you staring at a perfectly good laptop thinking, “How did I possibly make this *less* manageable by touching it?” These mistakes often stem from a lack of understanding or experience with macOS, but they can also be the result of rushing through tasks or not taking the time to properly plan and test.
Updating Safari on macOS with Jamf Pro: Three Practical Strategies
Keeping Safari updated is one of the simplest ways to harden a macOS fleet. Apple ships security fixes for Safari frequently, and those patches often land before a full macOS point release. This means that by keeping Safari up-to-date, you can ensure your users have access to the latest security protections without having to wait for a major operating system update. If Safari is lagging behind, your users are browsing the web with a larger attack surface than necessary.
Hunting Down Jamf Profile Payloads with Python
If you've spent enough time living inside Jamf Pro, you eventually run into the same problem: someone set a configuration somewhere, sometime, and nobody remembers where. It might be something obscure – a certificate payload, a conditional SSO predicate, or that one security preference quietly misbehaving on three machines in accounting. And when you have dozens of configuration profiles, each with multiple payloads, nested keys, and XML-wrapped values, finding that setting can feel like forensic archaeology.
