Always On VPN Configuration

dtmille2
Contributor III

Hello, can anyone point me to some type of guide or instruction for getting Always On VPN configured for Macs via Jamf? We've been using the AnyConnect app for now but need to upgrade.


ajfunk
Contributor

Here's a config I've been messing with in sandbox for a while, seems to work pretty well. The idea is to target your company's DNS IP address - the config will try to contact the IP address. If successful, no VPN connection is needed. If it can't ping your DNS, a VPN connection attempt is made. Note that there is no key set up for Ethernet connections, but it's not hard to add.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <!-- OnDemandRules is an array of rule dicts, evaluated in order -->
    <key>OnDemandRules</key>
    <array>
        <!-- Rule 1: Wi-Fi with the listed SSID and DNS servers: no VPN -->
        <dict>
            <key>Action</key>
            <string>Disconnect</string>
            <key>DNSServerAddressMatch</key>
            <array>
                <string>***</string>
                <string>***</string>
            </array>
            <key>InterfaceTypeMatch</key>
            <string>WiFi</string>
            <key>SSIDMatch</key>
            <array>
                <string>***</string>
            </array>
        </dict>
        <!-- Rule 2: no match criteria, so everything else connects -->
        <dict>
            <key>Action</key>
            <string>Connect</string>
        </dict>
    </array>
</dict>
</plist>
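
Added example, not part of the thread or any poster's code: a small Python check that parses an On Demand fragment like the one above and reports structural problems before it is pasted into a Jamf profile. The function name `lint_on_demand`, the sample address and the SSID are constructed for illustration, and treating a missing trailing catch-all `Connect` rule as a finding is an assumption based on the thread's always-on goal.

```python
import plistlib

VALID_ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
VALID_INTERFACES = {"Ethernet", "WiFi", "Cellular"}
MATCH_KEYS = {"DNSDomainMatch", "DNSServerAddressMatch", "InterfaceTypeMatch",
              "SSIDMatch", "URLStringProbe"}

# Constructed sample: the post's two rules, with a documentation-range address
# and a made-up SSID standing in for the redacted "***" values.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>OnDemandEnabled</key><integer>1</integer>
  <key>OnDemandRules</key>
  <array>
    <dict>
      <key>Action</key><string>Disconnect</string>
      <key>DNSServerAddressMatch</key><array><string>192.0.2.53</string></array>
      <key>InterfaceTypeMatch</key><string>WiFi</string>
      <key>SSIDMatch</key><array><string>ExampleCorp</string></array>
    </dict>
    <dict><key>Action</key><string>Connect</string></dict>
  </array>
</dict></plist>"""

def lint_on_demand(plist_bytes):
    """Return a list of structural findings; an empty list means none found."""
    try:
        root = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML, unbalanced tags, stray keys
        return [f"not a parseable plist: {exc}"]
    rules = root.get("OnDemandRules") if isinstance(root, dict) else None
    if not (isinstance(rules, list) and rules and all(isinstance(r, dict) for r in rules)):
        return ["OnDemandRules must be a non-empty array of dicts"]
    findings = []
    if root.get("OnDemandEnabled") != 1:
        findings.append("OnDemandEnabled is not 1")
    for i, rule in enumerate(rules):
        if rule.get("Action") not in VALID_ACTIONS:
            findings.append(f"rule {i}: invalid Action {rule.get('Action')!r}")
        iface = rule.get("InterfaceTypeMatch")
        if iface is not None and iface not in VALID_INTERFACES:
            findings.append(f"rule {i}: invalid InterfaceTypeMatch {iface!r}")
        # Rules are evaluated in order: an early rule with no criteria hides the rest.
        if not MATCH_KEYS & rule.keys() and i < len(rules) - 1:
            findings.append(f"rule {i}: catch-all shadows later rules")
    last = rules[-1]
    if MATCH_KEYS & last.keys() or last.get("Action") != "Connect":
        findings.append("last rule is not a catch-all Connect")
    return findings
```

Calling `lint_on_demand(SAMPLE)` returns an empty list; a fragment where `OnDemandRules` is followed by bare `<dict>` elements instead of an `<array>` is reported rather than silently accepted.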

dtmille2
Contributor III

Thanks @ajfunk, that looks like it could be a helpful piece of the puzzle.

dtmille2
Contributor III

Can anyone that has implemented "Always On VPN" with their Macs via Jamf share their steps?

Here is where I am at so far. Our networking department gave me a couple of certificates that need to be installed on the client machines that will have the Always On VPN service enabled.

I think that I need to enable my Jamf Pro server as a SCEP proxy so I can get the two certificates in on the Macs. OR, can I just put the certificates in my VPN profile, like we do with our Network profiles for SSIDs?

Next, I believe I need to create a VPN configuration profile. Here are screenshots of where I am with that so far:

merps
Contributor III

If you're already using certificate authentication with AnyConnect I would look at using the AlwaysOn capability built into what you already have deployed.

dlondon
Valued Contributor

Hi @dtmille2 - the screen you showed above seems to be for iOS. I thought you were trying to do AoVPN for Macs?

I too am trying to figure out how to do this for Macs - did you get anywhere?

dtmille2
Contributor III

Hi @dlondon, we ended up using the AnyConnect app and a two-factor authentication protocol.

dlondon
Valued Contributor

Thanks @dtmille2 - Jamf Support pointed out my mistake - had to change to User profile in General section.

I'll check out AnyConnect but we will be doing machine auth using a certificate.