VPN routes

New Contributor

I am looking for information on how to have Jamf run a command on a machine once the machine connects to VPN (L2TP) to apply routing due to split tunneling. I believe that this can be done with scripting, but I'm not certain how to get the Mac to run the script only after the VPN connection is connected.


Valued Contributor II

@JChesnutwood  Off the cuff concept here, I've never had to do this but this is how I think I'd do it. Someone else has most likely done what you're asking & might have a better solution, but here we go!


Step 1. Create an extension attribute that reads the network status & results in either "VPN Connected" or "VPN Not Connected".

You should be able to accomplish this by reading your VPN app/plist or running a native macOS command to read network info, with the result being either "VPN Connected" or "VPN Not Connected".


Step 2. Create a smart computer group with the criteria resulting from the extension attribute mentioned in Step 1 with the result of "VPN Connected".


Step 3. Create a policy scoped to all computers, set the trigger for "Network State Change", an execution frequency of "Ongoing" & performing an "Inventory Update".


Step 4. Create a policy scoped to the smart group stated in Step 2, set the trigger for "recurring check-in" & whatever execution frequency you need. Include your command/script in this policy to target the VPN-connected devices.

Looking for a Jamf Managed Service Provider? Look no further than Rocketman

Virtual MacAdmins Monthly Meetup - First Friday, Every Month
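An extension attribute script of the kind Step 1 describes, as an added example (not from the original post or from Jamf): it parses the output of `scutil --nc list`, reports "VPN Connected" only when a service whose name matches a pattern such as ORGVPN* is in the Connected state, and wraps the answer in the `<result>` tags Jamf expects. The `scutil` listing used when the command is unavailable is constructed sample data, and the ORGVPN naming is taken from this thread.

```sh
#!/bin/sh
# Added example: Jamf extension attribute reporting whether the organisation's
# L2TP VPN is connected. The value feeds the "VPN Connected" smart group.
# Assumes the VPN services are named ORGVPN-<user>, as described in this thread.

# Decide the status from `scutil --nc list` text. $1: the listing, $2: a shell
# glob for the service names that count (default: any service).
vpn_status() {
  nc_list=$1
  pattern=${2:-"*"}
  status="VPN Not Connected"
  while IFS= read -r line; do
    # scutil marks a live connection with "* (Connected)" at the start of the line
    case "$line" in
      "* (Connected)"*) ;;
      *) continue ;;
    esac
    # the service name is the only double-quoted field on the line
    name=${line#*\"}
    name=${name%\"*}
    case "$name" in
      $pattern) status="VPN Connected" ;;
    esac
  done <<EOF
$nc_list
EOF
  echo "$status"
}

# Constructed sample of `scutil --nc list` output, used only when scutil is
# absent (i.e. when exercising this script off a Mac; macOS always has scutil).
SAMPLE_NC_LIST='Available network connection services in the current set (*=enabled):
* (Connected)      00000000-0000-0000-0000-000000000001 PPP --> L2TP         "ORGVPN-auser"   [PPP:L2TP]
* (Disconnected)   00000000-0000-0000-0000-000000000002 PPP --> L2TP         "Personal VPN"   [PPP:L2TP]'

# Extension attribute body: Jamf stores whatever is between the <result> tags.
if command -v scutil >/dev/null 2>&1; then
  listing=$(scutil --nc list)
else
  listing=$SAMPLE_NC_LIST
fi
echo "<result>$(vpn_status "$listing" 'ORGVPN*')</result>"
```

Restricting the match to the organisation's naming pattern keeps a personal VPN from landing the Mac in the "VPN Connected" group and receiving the route policy.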

New Contributor

Thank you for this, I will be testing this next week. I appreciate your time to share that!

New Contributor

I am a newbie on the Jamf setup, but we are coming from a Profile Manager / Munki setup and gradually moving all our setup over to Jamf. We edited/created ip-up and ip-down so that they set the routes sensibly. I set the routes based on a search of the VPN setup name, so ORGVPN-Username or some such; I searched on ORGVPN* and then set the route / destroyed the route accordingly. ip-up/ip-down are just shell scripts as far as I can see. Plenty of examples about.


New Contributor

Apologies, actually I seem to have done it based on IP but the DNS on VPN name.

#!/bin/sh
# /etc/ppp/ip-up
# A program or script which is executed when the link is
# available for sending and receiving IP packets (that is, IPCP has
# come up). The pppd man page states the arguments are:
# $1 $2 $3 $4 $5 $6
# interface-name tty-device speed vpn-server-ip vpn-gateway-addr regular-gateway

# File the arguments are written to for debugging (the path was not given in
# the original post; adjust to suit).
variables="/var/tmp/ppp-ip-up.vars"
echo "$1" > "$variables"
echo "$2" >> "$variables"
echo "$3" >> "$variables"
echo "$4" >> "$variables"
echo "$5" >> "$variables"
echo "$6" >> "$variables"

case "$5" in
# Based on which vpn-server we are connected to, set the route and dns search.
# The server address and the destination networks did not survive in the post,
# so the angle-bracket values below are placeholders to fill in.
"<vpn-gateway-addr>")
/sbin/route add -net "<network-1>" -interface "$1"
/sbin/route add -net "<network-2>" -interface "$1"
/sbin/route add -net "<network-3>" -interface "$1"
# set the search path for this connection.
ORGVPNINT="$(/usr/sbin/networksetup -listnetworkserviceorder | grep -i ORGVPN | awk '{print $2}')"
# this relies on the format of the VPN name to be ORGVPN-AUSER - this COULD
# be improved upon but is the way i have done it for now
# uncomment the following item if you need to debug
#say the connection to CR is on $ORGVPNINT
/usr/sbin/networksetup -setsearchdomains "$ORGVPNINT" tlc.org
# Reset the DNS server cache
/usr/bin/killall -HUP mDNSResponder
#uncomment the following item when debugging
#say All Connected Now
;;
*)
# Not one of our VPN servers: leave routing and DNS alone.
;;
esac
exit 0


New Contributor

I still have some questions around this. I have the script to apply the routes; I'm just not certain how to have Jamf look for "VPN Connected" to trigger this.