Deploying NetBird's with Jamf Pro

Integrating NetBird with Jamf Pro's robust device management capabilities creates a scalable system for secure access management across your entire Apple ecosystem.

This comprehensive tutorial guides you through deploying NetBird on Apple devices using Jamf Pro, covering:

  1. Setting up NetBird Access Policies for Team-Specific Permissions
  2. Creating a Jamf Pro Policy for Automated NetBird Deployment
  3. Verifying the Automated Provisioning Process

By following these steps, you'll establish an automated pipeline that:

  • Streamlines network security management
  • Minimizes manual configuration errors
  • Ensures appropriate access levels for each team in your organization

This integration enhances your organization's security posture while simplifying remote access management for your Apple devices.

Prerequisites

Before beginning the integration process, make sure you have the following:

These requirements are essential for successfully implementing NetBird-Jamf Pro integration and managing your Apple devices securely.

Setting Up NetBird Access Policies for Team-Specific Permissions

NetBird's Access Control Policies are essential to this integration, allowing you to define and enforce specific permissions for different user groups. This ensures that team members can only access the resources necessary for their roles.

For this tutorial, we'll create a policy that allows the Support team to access the Servers group:

  • Log in to your NetBird dashboard.
  • Navigate to Access Control > Policies and click Add Policy.
  • Set the source group to Support and the destination group to Servers.
  • Configure the appropriate protocol and port settings (e.g., TCP 22 for SSH access).

Access control policy for the support team

Give the policy a descriptive name (e.g., "Support team remote access") and click Save to create the policy.

Access control policies list

With this policy in place, any device assigned to the Support group will gain access to the Servers group as defined in the Access Control Policy.

Now that NetBird is configured, let's proceed to the next step: setting up Jamf Pro to deploy NetBird on support team devices.

Creating Jamf Pro Policy for Automated NetBird Deployment

To deploy NetBird using Jamf Pro, you need to upload the NetBird package to Jamf and then configure a policy that includes the package.

Uploading NetBird Package

Navigate to Settings > Computer management > Packages and click + New.

In the General tab:

  • Enter a descriptive Display name (e.g., NetBird_vX.XX_Support_Team, where X.XX is the current NetBird version).
  • Optionally, assign a Category (e.g., VPN).
  • Upload or drop the package file in the Filename field. This tutorial uses the Apple Silicon package you can download here.
  • Optionally, add Info and Notes.

In the Options tab:

  • Set a Priority (default is 10).
  • The priority determines the order in which packages are installed when multiple packages are included in a policy. Lower numbers indicate higher priority (e.g., 1 is a higher priority than 10). Use this to ensure critical packages are installed before NetBird if needed.

Click Save to finish. If you see the message "Availability pending", click Refresh to update the package status.

Uploading NetBird package

Creating a Policy for NetBird

Go to Computers > Computer management > Policies and click + New to create a new policy for the NetBird app.

In the General section of the Options tab:

  • Provide a descriptive name in the Display Name field (e.g., NetBird Apple Silicon)

In the Trigger options, check the following boxes:

  • Startup: Installs NetBird when the computer starts up.
  • Enrollment Complete: Ensures NetBird is installed immediately after the device is enrolled in Jamf Pro.
  • Recurring Check-in: Allows periodic checks to ensure NetBird is installed and up-to-date.

These trigger selections ensure NetBird is installed promptly and remains current on all managed devices. Leave the remaining options as default.

Jamf Pro policies, general section

In the Packages section, click Configure and add the corresponding NetBird package:

Jamf Pro policies, packages section

Accept the default values for Distribution Point and Action

Jamf Pro policies, packages section

In the Scope tab, specify the target computers (all computers, specific computers or groups, etc.). For simplicity in this example, use All Computers.

Jamf Pro policies, target computers

Optionally, in the User Interaction tab:

  • Enter messages to display before and after the policy runs.
  • This can help inform users about the installation process.

Jamf Pro policies, user interaction

Click Save to finish.

NetBird policy

This configuration ensures NetBird is installed as soon as any machine enrolls, maintaining security across your device fleet.

It's worth mentioning that for first-time devices when NetBird is launched after installation, it automatically triggers the Single Sign-On (SSO) login flow. This seamless process combines connection setup and authentication, establishing both network connectivity and user verification in one streamlined step.

The SSO flow works as follows:

  1. When users open NetBird for the first time, they will be prompted to authenticate.
  2. The user will be redirected to your organization's identity provider (IdP) login page.
  3. After successful authentication, the user is automatically connected to the NetBird network.
  4. NetBird then configures itself with the appropriate permissions based on the user's identity and group memberships.

This approach ensures secure and efficient user authentication by integrating with your organization's identity management system. It eliminates the need for separate VPN credentials, simplifying the user experience while maintaining robust security.

Throughout the process, NetBird logs its actions, which can be useful for troubleshooting purposes. Upon successful completion of the SSO flow and network connection, NetBird is fully operational, marking the end of a smooth, automated deployment and configuration process.

Verifying the Automated Provisioning Process

After setting up NetBird deployment policy in Jamf Pro, it's crucial to verify that the automated provisioning process is working correctly. Follow these steps to confirm the successful installation of NetBird:

  • In Jamf Pro, navigate to Computers > Search Inventory.
  • Click Search to display all enrolled machines.
  • Select a newly enrolled machine from the list.
  • In the device details, go to the Management tab and locate the Policies section.
  • Look for the NetBird policy in the list of applied policies.

Jamf Pro, confirming NetBird is installed

If you see the NetBird policy listed, that would indicate that NetBird has been successfully installed on the device.

To further verify the integration, check that the machine has been added to your NetBird network:

  • Log into a NetBird account with administrative privileges.
  • Go to the Peers section.
  • Look for the newly enrolled machine in the list of peers.

If you can see the new machine listed as a peer in NetBird, this confirms that the automated provisioning process is working correctly and the device has been successfully added to your NetBird network.

By following these verification steps, you can ensure that your Jamf Pro policy is effectively deploying NetBird to your managed devices and integrating them into your secure network infrastructure.

This tutorial taught you how to seamlessly integrate NetBird's VPN solution with Jamf Pro for Apple devices. By configuring NetBird Access Policies, creating a Jamf Pro policy for automated deployment, and verifying the provisioning process, you've established a solid system for managing secure network access across your organization.