VPN routes

JChesnutwood
New Contributor

I am looking for information on how to have Jamf run a command on a machine once the machine connects to VPN (L2TP), to apply routing due to split tunneling. I believe that this can be done with scripting, but I'm not certain how to get the Mac to run the script only after the VPN connection is connected.


Hugonaut
Valued Contributor II

@JChesnutwood  Off-the-cuff concept here; I've never had to do this, but this is how I think I'd do it. Someone else has most likely done what you're asking and might have a better solution, but here we go!

 

Step 1. Create an extension attribute that reads the network status and returns either "VPN Connected" or "VPN Not Connected".

You should be able to accomplish this by reading your VPN app/plist or by running a native macOS command to read network info, and returning either "VPN Connected" or "VPN Not Connected".

Step 2. Create a smart computer group with the criteria set to the extension attribute from Step 1 having the result "VPN Connected".

Step 3. Create a policy scoped to all computers, set the trigger to "Network State Change" with an execution frequency of "Ongoing", and have it perform an "Inventory Update".

Step 4. Create a policy scoped to the smart group from Step 2. Set the trigger to "Recurring Check-in" and whatever execution frequency you need. Include your command/script in this policy to target the VPN-connected devices.

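An added example of the Step 1 extension attribute (this is editorial code, not something posted by anyone in the thread). It decides "VPN Connected" / "VPN Not Connected" by parsing `scutil --nc list`, which prints one network connection service per line with its state in parentheses and its name in double quotes. It assumes the L2TP service is named with an ORGVPN prefix, as ITHELPERLONDON describes later in the thread; change VPN_NAME_PREFIX to match your own service naming. The sample `scutil` output embedded in the script is constructed for the offline self-check and was not captured from a real Mac.

```shell
#!/bin/bash
# Jamf extension attribute for Step 1: report "VPN Connected" / "VPN Not Connected".
# Added example, not code from this thread. Assumptions: the L2TP service
# name starts with ORGVPN (configurable below), and `scutil --nc list`
# prints one service per line in the form
#   * (Connected)  <UUID>  PPP --> L2TP  "ORGVPN-AUSER"  [PPP:L2TP]
# where "*" marks an enabled service and the parenthesised word is its state.

VPN_NAME_PREFIX="${VPN_NAME_PREFIX:-ORGVPN}"

# vpn_state_from_nc_list PREFIX
# Reads `scutil --nc list` output on stdin. Prints "VPN Connected" when an
# enabled service whose quoted name starts with PREFIX is in the Connected
# state (not Connecting/Disconnecting), otherwise "VPN Not Connected".
vpn_state_from_nc_list() {
    if awk -v prefix="$1" '
        /^\*[ \t]+\(Connected\)/ {
            # The service name is the first double-quoted field on the line.
            if (match($0, /"[^"]*"/)) {
                name = substr($0, RSTART + 1, RLENGTH - 2)
                if (index(name, prefix) == 1) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '; then
        echo "VPN Connected"
    else
        echo "VPN Not Connected"
    fi
}

# Constructed sample output (not captured from a real Mac) used for the
# offline self-check below; the UUIDs are placeholders.
SAMPLE_UP='Available network connection services in the current set (*=enabled):
* (Connected)         00000000-0000-0000-0000-000000000001 PPP --> L2TP   "ORGVPN-AUSER"   [PPP:L2TP]
* (Disconnected)      00000000-0000-0000-0000-000000000002 IPSec          "Other VPN"      [IPSec]'
SAMPLE_DOWN='Available network connection services in the current set (*=enabled):
* (Connecting)        00000000-0000-0000-0000-000000000001 PPP --> L2TP   "ORGVPN-AUSER"   [PPP:L2TP]
* (Connected)         00000000-0000-0000-0000-000000000002 IPSec          "Other VPN"      [IPSec]'

# self_check: exercise the parser on the constructed samples; returns 0 on success.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_UP"   | vpn_state_from_nc_list "$VPN_NAME_PREFIX")" = "VPN Connected" ] || return 1
    [ "$(printf '%s\n' "$SAMPLE_DOWN" | vpn_state_from_nc_list "$VPN_NAME_PREFIX")" = "VPN Not Connected" ] || return 1
    return 0
}

# On a Mac this is the EA body: Jamf stores whatever is between the <result> tags.
# Elsewhere (no scutil) just run the self-check so the parser can be exercised.
if command -v scutil >/dev/null 2>&1; then
    state="$(scutil --nc list | vpn_state_from_nc_list "$VPN_NAME_PREFIX")"
    echo "<result>${state}</result>"
else
    self_check
fi
```

Two caveats when wiring this into Steps 2 to 4: an extension attribute value only changes on the Jamf Pro side when the Mac submits inventory, so the "Network State Change" policy that runs an inventory update is what makes the smart group react at all, and the routing policy still only fires at the next check-in after that. Expect a delay of a check-in interval or so between the tunnel coming up and the routes being applied; a local ip-up hook, as ITHELPERLONDON describes later in the thread, runs synchronously when pppd brings the link up and avoids that lag.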

JChesnutwood
New Contributor

Thank you for this, I will be testing this next week. I appreciate your time to share that!

ITHELPERLONDON
New Contributor

I am a newbie on the Jamf setup, but we are coming from a Profile Manager / Munki setup and gradually moving all our setup over to Jamf. We edited/created ip-up and ip-down so that they set the routes sensibly. I set the routes based on a search of the VPN setup name, so ORGVPN-Username or some such: searched on ORGVPN* and then set the route / destroyed the route accordingly. ip-up/ip-down are just shell scripts as far as I can see. Plenty of examples about.

https://superuser.com/questions/4904/how-to-selectively-route-network-traffic-through-vpn-on-mac-os-...

ITHELPERLONDON
New Contributor

Apologies. Actually, I seem to have done it based on IP, but the DNS on the VPN name.

#!/bin/bash
#
# /etc/ppp/ip-up
#
# pppd runs this script (as root) once the link is available for sending
# and receiving IP packets, i.e. once IPCP has come up. Keep the file
# root-owned and executable (chmod 755) or pppd will not run it.
#
# The pppd man page states the arguments are:
#
#   $1              $2          $3     $4                $5                 $6
#   interface-name  tty-device  speed  local-IP-address  remote-IP-address  ipparam
#
# For an L2TP connection $1 is the pppN interface and $5 is the address of
# the VPN server end of the link, which is what the routes are keyed on below.

variables="/etc/ppp/variables-for-ppp.txt"

# Record the arguments for debugging; look here if a route is not applied.
printf '%s\n' "$1" "$2" "$3" "$4" "$5" "$6" > "$variables"

case "$5" in
    # Based on which VPN server we are connected to, set the routes and DNS search domain.
    10.255.255.0)
        /sbin/route add -net 192.168.9.0/24 -interface "$1"
        /sbin/route add -net 192.168.3.0/24 -interface "$1"
        /sbin/route add -net 10.0.30.0/24 -interface "$1"

        # Find the VPN service name so we can set its search domain.
        # networksetup prints lines like "(3) ORGVPN-AUSER"; awk takes the second field,
        # so this relies on the service being named ORGVPN-AUSER with no spaces in the name.
        # This COULD be improved upon but is the way I have done it for now.
        ORGVPNINT="$(/usr/sbin/networksetup -listnetworkserviceorder | grep -i ORGVPN | awk '{print $2}')"

        # Uncomment the following line if you need to debug.
        #say the connection to CR is on $ORGVPNINT

        /usr/sbin/networksetup -setsearchdomains "$ORGVPNINT" tlc.org

        # Flush the DNS cache so the new search domain takes effect.
        /usr/bin/killall -HUP mDNSResponder

        # Uncomment the following line when debugging.
        #say All Connected Now
        ;;
    *)
        # Unknown server: leave routing untouched.
        ;;
esac

exit 0


JChesnutwood
New Contributor

I still have some questions around this. I have the script to apply the routes; I'm just not certain how to have Jamf look for "VPN Connected" to trigger this.