Question

10.6 Cisco VPN and SelfService

  • December 22, 2011
  • 15 replies
  • 34 views


Hi folks,

Is there a way to have a Self Service policy for setting up a Cisco VPN configuration?

Merry Christmas!
Holger

----
Holger Bartels
Max-Planck-Institut for Biophysical Chemistry
IT & Elektronik Service
Am Faßberg 11
D-37077 Goettingen, Germany
phone: +49 (0)551 201-1398
e-mail: holger.bartels[at]mpibpc.mpg.de

15 replies

  • Contributor
  • 352 replies
  • December 22, 2011

Ok here it is; I have sent this to over 20 people on this list. It works
just fine for 10.6 built-in CiscoVPN. Also attached the script and the
logo for Self Service.

Enjoy
Cem

#!/bin/bash

# This script configures the built-in VPN (Cisco IPSec) for the logged-in user:
# server, shared secret, DNS search domains and web proxy.
# Requires the JAMF framework and the "yourcompany VPN.networkConnect" package to
# be installed to "/Applications/Utilities/" first. This file is removed afterwards.
# To edit this script, use "Replace & Find" in your favourite text editor:
# replace "yourcompany" with your company name, "yourcompany.com" with your
# company domain, and "yourproxyserver" and "80" with your web proxy and port.
#
# Configure the "yourcompany VPN" settings with shared secret and server details
# in the Network system preference pane, then
# Action -> Export Configurations -> "Export the default configuration", and be
# sure to check "Include items from the system keychain".
# Then edit the file (it's XML) and delete the value(s) in the XAuthName and
# XAuthPassword (if applicable) keys.
# Use Composer to package "yourcompany VPN.networkConnect" from the path
# "/Applications/Utilities/".
# If you change the name "yourcompany VPN.networkConnect" or the path
# "/Applications/Utilities/", make sure to change them in the script too.
#
# There are a few changes to the original 2 scripts from the Casper Resource Kit
# and a few additions.
# Partly written, edited & compiled from 3 scripts (tested with 10.6).
#
# Cem Baykara - 10/2010
#

################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#       * Redistributions of source code must retain the above copyright
#         notice, this list of conditions and the following disclaimer.
#       * Redistributions in binary form must reproduce the above copyright
#         notice, this list of conditions and the following disclaimer in the
#         documentation and/or other materials provided with the distribution.
#       * Neither the name of the JAMF Software, LLC nor the
#         names of its contributors may be used to endorse or promote products
#         derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY JAMF SOFTWARE, LLC "AS IS" AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL JAMF SOFTWARE, LLC BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
################################################################################
#
# SUPPORT FOR THIS PROGRAM
#
# This program is distributed "as is" by JAMF Software, LLC's Resource Kit team.
# For more information or support for the Resource Kit, please utilize the
# following resources:
#
# http://list.jamfsoftware.com/mailman/listinfo/resourcekit
#
# http://www.jamfsoftware.com/support/resource-kit
#
# Please reference our SLA for information regarding support of this application:
#
# http://www.jamfsoftware.com/support/resource-kit-sla
#
################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   importVPN.sh -- Import VPN Settings.
#
# SYNOPSIS
#   sudo importVPN.sh
#   sudo importVPN.sh <mountPoint> <computerName> <currentUsername> <vpnFilePath> <vpnInterfaceName>
#
# DESCRIPTION
#   This script will import a .networkConnect file that has been packaged and
#   deployed to a system.
#
#   Prior to running this script, the VPN should be configured on a machine, and a
#   configuration should be created. Once a VPN has been configured, navigate to the
#   Network pane within the System Preferences application and highlight the VPN
#   service you wish to export. Then click the settings button near the "+" and "-"
#   icon and select "Export Configurations". Save the file to a location like the
#   Desktop. Finally, create a package of this file using Composer.
#
#   When deploying the package, ensure that this script has been edited so that the
#   "vpnFilePath" parameter properly points to the location of the .networkConnect
#   file as it was packaged. Deploy the package, and run the script with a priority
#   of "After" to import the VPN settings for the user. Please note that a user does
#   need to be logged in while this script is run. We recommend running it via a
#   policy triggered by "login" or "Self Service."
#
#   The VPN network interface name will remain generic unless the "vpnInterfaceName"
#   variable is specified. Please note that the .networkConnect file does not contain
#   the name of the interface.
#
################################################################################
#
# HISTORY
#
#   Version: 1.0
#
#   - Created by Nick Amundsen on May 10th, 2010
#
################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
################################################################################

# HARDCODED VALUES SET HERE

# Set this parameter to the path where the .networkConnect file will end up on the system.
# Example: "/Library/Application Support/JAMF/vpn.networkConnect"
vpnFilePath="/Applications/Utilities/yourcompany VPN.networkConnect"

# Set this parameter to the name that should be set for the VPN in the System Preferences pane.
# Example: "Company VPN"
vpnInterfaceName="yourcompany VPN"

# CHECK TO SEE IF VALUES WERE PASSED IN FOR PARAMETERS $4 AND $5 AND, IF SO, ASSIGN THEM
if [ "$4" != "" ] && [ "$vpnFilePath" = "/Applications/Utilities/yourcompany VPN.networkConnect" ]; then
    vpnFilePath="$4"
fi

if [ "$5" != "" ] && [ "$vpnInterfaceName" = "yourcompany VPN" ]; then
    vpnInterfaceName="$5"
fi

################################################################################
#
# VARIABLE VERIFICATION FUNCTION
#
################################################################################

verifyVariable () {
    # Indirect expansion: look up the value of the variable whose name is in $1
    eval variableValue=\$$1
    if [ "$variableValue" != "" ]; then
        echo "Variable \"$1\" value is set to: $variableValue"
    else
        echo "Variable \"$1\" is blank. Please assign a value to the variable."
        exit 1
    fi
}

################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
################################################################################

# Verify Variables

verifyVariable vpnFilePath

# If vpnInterfaceName is left blank, then it will not get renamed.

# The packaged file must exist; otherwise "open" does nothing and the
# authorization right below would be relaxed for no reason.
if [ ! -f "$vpnFilePath" ]; then
    echo "Error: $vpnFilePath not found."
    exit 1
fi

# Unlock the system.preferences privilege to allow this script to apply the VPN
# network adapter. Restore it on every exit path (including errors); otherwise
# the Network pane stays unlocked for every user on the machine.
restoreAuthorization () {
    /usr/libexec/PlistBuddy -c "Set rights:system.preferences:class user" /etc/authorization
}
trap restoreAuthorization EXIT
/usr/libexec/PlistBuddy -c "Set rights:system.preferences:class allow" /etc/authorization

# Ensure assistive device access is enabled (needed for the UI scripting below).
# Note: this setting is system-wide and is not reverted by this script.
if [ -f /private/var/db/.AccessibilityAPIEnabled ]; then
    echo "Assistive Device Access is already enabled."
else
    echo "Enabling Access for Assistive Devices for Script to Properly Run..."
    /usr/bin/touch /private/var/db/.AccessibilityAPIEnabled
fi

# Import .networkConnect file
echo "Importing Network Adapter..."
/usr/bin/open "$vpnFilePath"

# Click the "Apply" button for the user
/usr/bin/osascript << EOF > /dev/null 2>&1
tell application "System Events"
    tell process "System Preferences"
        tell window "Network"
            click button "Apply"
            click button "Show VPN status in menu bar"
        end tell
    end tell
end tell
EOF

# Rename the interface if the variable was specified.
# The built-in Cisco client imports as "VPN (IPSec)"; the Resource Kit original
# assumed "VPN (L2TP)".
if [ "$vpnInterfaceName" != "" ]; then
    echo "Renaming the VPN interface to $vpnInterfaceName..."
    /usr/sbin/networksetup -renamenetworkservice "VPN (IPSec)" "$vpnInterfaceName"
fi

# Lock the system.preferences privilege
restoreAuthorization
trap - EXIT

# Quit System Preferences
/usr/bin/osascript << EOF > /dev/null 2>&1
tell application "System Events"
    tell application "System Preferences" to quit
end tell
EOF

# Return all network adapters
echo "The following network adapters are present after the import: $(/usr/sbin/networksetup -listallnetworkservices)"

/bin/sleep 5 # allow some time

# This script configures the built-in VPN (Cisco IPSec) 'search domains'
# (tested with 10.6)
# Written by Cem Baykara 2010

# The policy already runs as root, so no sudo is needed. The service name is the
# one the interface was just renamed to ("yourcompany VPN" by default).
/usr/sbin/networksetup -setsearchdomains "$vpnInterfaceName" 'yourcompany.com'

/bin/sleep 5 # allow some time

################################################################################
#
# Copyright (c) 2010, JAMF Software, LLC. All rights reserved.
# Redistributed under the same BSD-style license and support terms reproduced
# in full at the top of this file (the original header repeats them verbatim).
#
################################################################################
#
# ABOUT THIS PROGRAM
#
# NAME
#   setWebProxy.sh -- Configure a web proxy for a specified network interface
#
# SYNOPSIS (stand-alone script)
#   sudo setWebProxy.sh
#   sudo setWebProxy.sh <mountPoint> <computerName> <currentUsername> <networkInterface> <proxyAddress> <port>
#
# If the $networkInterface parameter is specified (parameter 4), this is the
# Network Interface for which the web proxy will be set. The expected values for
# the $networkInterface parameter can be found by running the command:
#
#   networksetup -listallnetworkservices
#
# If the $proxyAddress parameter is specified (parameter 5), this is the proxy
# address that will be set.
#
# If the $port parameter is specified (parameter 6), this is the port to which
# the proxy traffic will be passed.
#
# If no parameters are specified for parameters 4, 5 or 6, the hardcoded value
# in the script will be used.
#
# DESCRIPTION
#   This script will configure the web proxy on the specified network interface.
#
################################################################################
#
# HISTORY
#
#   Version: 1.1
#
#   - Created by Nick Amundsen on July 11th, 2008
#   - Modified by Nick Amundsen on August 5th, 2008
#
################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
################################################################################

# HARDCODED VALUES ARE SET HERE
# In this combined script parameters 4 and 5 already belong to the import section
# above, so the proxy is always applied to the imported VPN service, and the proxy
# address and port are read from parameters 6 and 7 instead of 5 and 6.
networkInterface="$vpnInterfaceName"
proxyAddress="yourproxyserver"
port="80"

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 6 AND, IF SO, ASSIGN TO "proxyAddress"
if [ "$6" != "" ] && [ "$proxyAddress" = "yourproxyserver" ]; then
    proxyAddress="$6"
fi

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 7 AND, IF SO, ASSIGN TO "port"
if [ "$7" != "" ] && [ "$port" = "80" ]; then
    port="$7"
fi

################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
################################################################################

if [ "$networkInterface" = "" ]; then
    echo "Error: No network interface has been specified."
    exit 1
fi

if [ "$proxyAddress" = "" ]; then
    echo "Error: No proxy address has been specified."
    exit 1
fi

if [ "$port" = "" ]; then
    echo "Error: No port was specified."
    exit 1
fi

# First four characters of the product version, e.g. "10.6" (string comparison
# below is fine for the 10.4 to 10.9 releases this was written for)
OS=$(/usr/bin/defaults read /System/Library/CoreServices/SystemVersion ProductVersion | awk '{print substr($1,1,4)}')

# Before 10.5 networksetup lived inside ARDAgent.app
if [[ "$OS" < "10.5" ]]; then
    echo "Setting web proxy for OS $OS..."
    /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Support/networksetup -setwebproxy "$networkInterface" "$proxyAddress" "$port"
else
    echo "Setting web proxy for OS $OS..."
    /usr/sbin/networksetup -setwebproxy "$networkInterface" "$proxyAddress" "$port"
fi

# Remove the config file: it was exported with the system keychain items included
# and must not stay world-readable in /Applications/Utilities. (The path contains
# a space, so it has to be quoted.)
rm -f "$vpnFilePath"

# Display Dialog
/usr/sbin/jamf displayMessage -message "VPN Imported" -background



  • Contributor
  • 61 replies
  • December 22, 2011

Excellent! Thanks for this, saves me doing it!


  • Contributor
  • 61 replies
  • December 22, 2011

Not the answer to that, but this is much simpler..

http://anders.com/guides/native-cisco-vpn-on-mac-os-x/

The Cisco client is a mess, doesn't work with thunderbolt or 10.7

Built in has to be simpler.. And there are JAMF scripts that can help with
the config of this...


  • 0 replies
  • December 22, 2011

Do you mean via the Cisco VPN client, or just IPsec? If you're using the client, you can push the .pcf profiles to the /private/etc/opt/cisco-vpnclient/Profiles/ folder.

Brendon Cunningham
Senior Technical Analyst
Desktop Engineering

508-390-5620
brendon_cunningham at tjx.com


bentoms
  • Hall of Fame
  • 4331 replies
  • December 22, 2011

Gimme a few hours & I'll post a method, a script to set up the internal VPN client silently.

Regards,

Ben.


  • Valued Contributor
  • 1007 replies
  • December 22, 2011

If you use the Profile Manager on Lion Server you can create VPN profiles there, then download them and put them in /var/db/ConfigurationProfiles/Setup. They need to be owned by root:wheel with 644 permissions; then they will import on first boot.

Or, if you need to add one to a running system:

profiles -I -F /pathto/profile.mobileconfig

-- Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services


  • Contributor
  • 437 replies
  • December 22, 2011

Yeah, I'm using a mobileconfig profile (since it can store the shared secret in encrypted form) along with an AppleScript that installs the profile, then configures the proxy bypass string. I got the profile to set up the proxies, but could not get it to do the bypass string.
nick
-- Nick Kalister
Desktop Engineering

Hitachi Data Systems
Office: 408.970.4316

750 Central Expressway
Building 32 : M/S 3240
Santa Clara, CA 95050


bentoms
  • Hall of Fame
  • 4331 replies
  • December 22, 2011

As promised I posted it: http://macmule.com/2011/12/22/how-to-silently-setup-vpn-on-10-6-10-7/

It allows the Cisco IPSec connections to be set up silently.. NOT my work though.. but reached out to the author & mentioned them in the post.


RobertHammen
  • Esteemed Contributor
  • 1027 replies
  • December 23, 2011

There's a Resource Kit script to do this. You can export your VPN configuration, then package up the .networkConnect file using Composer (i.e. put it in /tmp), then use the Resource Kit script as an "after" script to deploy it.
On Dec 22, 2011, at 7:57 AM, Bartels, Holger wrote:

Caveats:

1) After exporting, I edited the .networkConnect file (using vi) to remove my username
2) The script had a bug where it assumed VPN (L2TP), may have to change this to VPN (IPSec) - not sure if JAMF ever fixed it
3) May want to remove the .networkConnect file from /tmp after being imported

Works like a charm, been doing this for over a year now.

--Robert
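Worked example, added here and not code from Cem's or Robert's posts: a pre-deployment check for the exported .networkConnect file. The export is made with "Include items from the system keychain", and both posts say to strip the XAuth user name (and password, if present) by hand before packaging. These functions fail the build if either key still holds a value, and can blank them in place. They assume the pretty-printed plist layout System Preferences writes, with each <key> on its own line followed by its <string> value; the sample file is constructed for the demo and is not a real export.

```bash
#!/bin/bash
# Added example (not from the thread): refuse to package a .networkConnect that
# still carries XAuth credentials. Assumes one <key> per line followed by its
# <string> value; the embedded sample is constructed, not a real export.

# leaked_xauth <file>: print each XAuth key that still holds a value; exit 1 if any
leaked_xauth() {
    awk '
        /<key>XAuthName<\/key>/ || /<key>XAuthPassword<\/key>/ {
            key = $0; sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key)
            want = 1; next
        }
        want && /<string>[^<]+<\/string>/ { print key; bad = 1 }
        { want = 0 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# scrub_xauth <file>: blank both values in place, via a private temp file, so no
# copy of the original (with the password) is left beside the packaged file
scrub_xauth() {
    local f="$1" tmp
    tmp=$(mktemp "${f}.XXXXXX") || return 1
    sed -e '/<key>XAuthName<\/key>/{n;s/<string>[^<]*<\/string>/<string><\/string>/;}' \
        -e '/<key>XAuthPassword<\/key>/{n;s/<string>[^<]*<\/string>/<string><\/string>/;}' \
        "$f" > "$tmp" && mv "$tmp" "$f"
}

# write_sample <file>: constructed stand-in for an export made by the admin
write_sample() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>RemoteAddress</key>
    <string>vpn.example.com</string>
    <key>XAuthName</key>
    <string>admin</string>
    <key>XAuthPassword</key>
    <string>hunter2</string>
</dict>
</plist>
EOF
}

# Usage: check_networkconnect.sh <file.networkConnect> [--scrub]
if [ -n "${1:-}" ]; then
    if leaked_xauth "$1"; then
        echo "OK: no XAuth credentials in $1"
    elif [ "${2:-}" = "--scrub" ]; then
        scrub_xauth "$1" && echo "scrubbed XAuth values in $1"
    else
        echo "refusing to package $1: XAuth credentials still present" >&2
        exit 1
    fi
fi
```

Run it as a Composer pre-flight, and remember Robert's third caveat: the file still holds the shared secret, so delete it from the client after the import.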


  • Author
  • Contributor
  • 10 replies
  • December 23, 2011

Wow, you guys are awesome. Thanks for your inspiration.

Holger


  • Contributor
  • 76 replies
  • December 28, 2011

Hi Cem

Nice script! works a treat

quick question, how easy would it be to add the following additional proxy
settings

FTP proxy
HTTPS proxy

Thanks

Abz


bentoms
  • Hall of Fame
  • 4331 replies
  • December 28, 2011

The below works for the auto proxy URL, so just look at the networksetup man page & get the right verbs.

http://macmule.com/2011/09/09/how-to-change-the-automatic-proxy-configuration-url-in-system-preferences-via-a-script/

Regards,

Ben.
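Added example, not Ben's code or the man page's: one function that applies the HTTP, HTTPS and FTP proxies Abz asked about, plus the bypass list Nick could not set from a profile, to a named service with the networksetup verbs, validating the service name and port first. "Company VPN", proxy.example.com and 8080 are placeholders, and NETWORKSETUP can be pointed at a stub so the logic can be exercised off-box. For a PAC file, as in Ben's link, the verb is -setautoproxyurl instead of the three -set*proxy calls.

```bash
#!/bin/bash
# Added example (not from the thread): set HTTP, HTTPS and FTP proxies and the
# bypass list on one network service, then read them back. Assumptions: service
# name, proxy host and port are placeholders; verbs are from networksetup(8).

NETWORKSETUP="${NETWORKSETUP:-/usr/sbin/networksetup}"

# service_exists <service>: exact match against -listallnetworkservices so a typo
# cannot configure the wrong interface. The first output line is a notice about
# disabled services, and disabled services carry a leading "*".
service_exists() {
    "$NETWORKSETUP" -listallnetworkservices | tail -n +2 | sed 's/^\*//' | grep -Fxq -- "$1"
}

# set_vpn_proxies <service> <proxy host> <port> [bypass domain ...]
set_vpn_proxies() {
    local service="$1" host="$2" port="$3"
    shift 3
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    if ! service_exists "$service"; then
        echo "no such network service: $service" >&2; return 1
    fi
    # Each protocol has its own verb; -setwebproxy alone (as in the script
    # earlier in the thread) leaves HTTPS and FTP traffic unproxied.
    "$NETWORKSETUP" -setwebproxy       "$service" "$host" "$port" || return 1
    "$NETWORKSETUP" -setsecurewebproxy "$service" "$host" "$port" || return 1
    "$NETWORKSETUP" -setftpproxy       "$service" "$host" "$port" || return 1
    # Hosts that must not go through the proxy (macOS defaults to *.local and 169.254/16)
    if [ $# -gt 0 ]; then
        "$NETWORKSETUP" -setproxybypassdomains "$service" "$@" || return 1
    fi
}

# show_vpn_proxies <service>: print the resulting settings for verification
show_vpn_proxies() {
    local verb
    for verb in -getwebproxy -getsecurewebproxy -getftpproxy -getproxybypassdomains; do
        echo "== $verb"
        "$NETWORKSETUP" "$verb" "$1"
    done
}

# Usage: set_vpn_proxies.sh apply "<service>" <proxy host> <port> [bypass domain ...]
if [ "${1:-}" = "apply" ]; then
    shift
    set_vpn_proxies "$@" && show_vpn_proxies "$1"
fi
```

Run it from the same policy as the import, after the interface has been renamed, so the service name matches what -listallnetworkservices reports.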


  • Contributor
  • 103 replies
  • January 19, 2012

Thanks Cem! This is working great so far for us on 10.6.x systems. On Lion, we're seeing permission errors around the /etc/authorization lines. Have you had any luck with this on Lion? I'm guessing there have been some changes under the hood.


bentoms
  • Hall of Fame
  • 4331 replies
  • January 19, 2012

Hi Tom,

FYI the method I posted works on 10.6 & 10.7.


  • Contributor
  • 103 replies
  • January 19, 2012

Thanks Ben, will take a look. The original problem I had was an ill-placed line break (doh!) but I'm looking at a couple of other things too. And I'm sure it's from something stupid that I'm doing.