Skip to main content

Since we couldn't reliably do VPN only when offsite, we have Always-On VPN always-on for students, even when on-site.



This has achieved many (but not all) of our objectives so far on managed devices - in terms of ensuring that internet traffic is always passing through the firewall.



Enter Apple Classroom. Our firewall vendor (Cyberhound) uses strongswan. Even if we put a teacher on the same IKEv2 JSS-configured Always-VPN, they can't see each other.



Any ideas? Could we have done something on the (or a..) VPN server to make VPN clients bridged to a common network? Is that even possible with IKEv2 VPN?



Thanks

We've investigated On-Demand VPN, but despite the rules, users can still disabled these connections, so unfortunately, this is no good for us.
The only restrictions available that we've seen is to prevent users from adding / editing VPN connections. Does nothing to block use of this button:
Connect on Demand button not restricted for users
Link to larger image

We need something like this for On Demand VPN:



setting for Always On VPN to (allow/prevent) users from disabling the connection
Link to larger image

Many years later, we're still constrained by this issue, implementing all sorts of workarounds like blocking most of the internet, because kids can't be controlled in class with devices on their desks.

Another thing we were doing was dropping the VPN during the day, which will reward anyone who is absent or has a hotspot with unfiltered internet access.

 

 

Reply


Terms & ConditionsCookie settings