
We need to add a new allowance to our VPN profile that is required for the newest version of our VPN client.

I am trying to figure out what exactly happens on macOS when a profile gets updated. Does it remove all the settings the profile sets and reapply, or does it only add/remove changes?

I would like it so people do not get kicked off VPN when the profile is updated (the addition to the profile only deals with login items).

 

 

Hey BCPeteo,

 

When you deploy the updated version, macOS should recognize that the payload UUID is the same as before, and the computer will just install the new payloads. The VPN connection should remain active during the update since that payload itself isn’t changing, but as always, I would highly suggest testing this on a device or two before doing a full production release. 


@BCPeteo I can confirm what @micah.coyle says regarding an existing Configuration Profile being updated on a payload change as opposed to removed and re-installed, as I went through the same question for our auto-updating User ID certificate profile, which includes the Wi-Fi 802.1x network configuration which requires that certificate, and it stays connected during the update.


This is a really good opportunity to test and see what happens.

 

Configuration Profiles install in /Library/Managed Preferences and have the same name as the profile does in Jamf. You can view them with Spotlight if you have Xcode installed or any code editor. Target your device with a new configuration profile, watch what happens, then update it and save and watch what happens.

 

What you should expect to see: as @micah.coyle said, the existing profile on the Mac will update when everything refreshes. When this refresh happens, you will see ALL the configuration profiles go away for a moment and respawn. Applications continue working normally while this is happening and will update settings once everything has finished refreshing.

 

As far as whether the VPN tunnel will stay active, that really depends on what the developer wants the behavior to be. All the network security clients I have worked with don’t tear down the tunnel for configuration updates but do usually need to be restarted for the updates to apply. However, here is where you absolutely want to test, test and test again.
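
The replies above rest on two conditions: the updated profile keeps the same profile UUID, and the VPN payload itself does not change. One way to check both before a production release is to diff the old and new exported profiles. This is an added example, not code from the thread or from Jamf; the sample profiles, the `com.example.*` identifiers and the set of ignored bookkeeping keys are constructed assumptions.

```python
import plistlib

# Keys that identify a payload rather than configure anything (assumption:
# the MDM server may regenerate these on save, so they are ignored here).
BOOKKEEPING = {"PayloadUUID", "PayloadIdentifier", "PayloadVersion"}

def settings_by_type(profile):
    """Group each payload's settings, in canonical plist form, by PayloadType."""
    grouped = {}
    for payload in profile.get("PayloadContent", []):
        settings = {k: v for k, v in payload.items() if k not in BOOKKEEPING}
        grouped.setdefault(payload["PayloadType"], []).append(
            plistlib.dumps(settings, sort_keys=True))
    return {ptype: sorted(blobs) for ptype, blobs in grouped.items()}

def diff_profiles(old_bytes, new_bytes):
    """Compare two exported .mobileconfig files given as unsigned plist bytes."""
    old, new = plistlib.loads(old_bytes), plistlib.loads(new_bytes)
    before, after = settings_by_type(old), settings_by_type(new)
    shared = before.keys() & after.keys()
    return {
        "same_profile_uuid": old.get("PayloadUUID") == new.get("PayloadUUID"),
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(t for t in shared if before[t] != after[t]),
        "unchanged": sorted(t for t in shared if before[t] == after[t]),
    }

def make_profile(payloads):
    """Build a constructed sample profile around the given payload list."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn-profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadContent": payloads})

# Constructed sample payloads: an existing VPN payload and a new login items one.
VPN = {"PayloadType": "com.apple.vpn.managed", "PayloadUUID": "A1",
       "PayloadIdentifier": "com.example.vpn", "PayloadVersion": 1,
       "UserDefinedName": "Example VPN", "VPNType": "VPN",
       "VPNSubType": "com.example.vpnclient"}
LOGIN_ITEMS = {"PayloadType": "com.apple.servicemanagement", "PayloadUUID": "B1",
               "PayloadIdentifier": "com.example.loginitems", "PayloadVersion": 1,
               "Rules": [{"RuleType": "TeamIdentifier", "RuleValue": "EXAMPLE123"}]}
OLD = make_profile([VPN])
NEW = make_profile([dict(VPN, PayloadUUID="A2"), LOGIN_ITEMS])

if __name__ == "__main__":
    for key, value in diff_profiles(OLD, NEW).items():
        print(f"{key}: {value}")
```

If the VPN payload type shows up under `changed` rather than `unchanged`, the update touches more than login items and deserves a closer look on a test device first.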