Always on VPN for MacOS

dlondon
Valued Contributor

I'm looking for clues on whether AoVPN using IKEv2 can be done and how. I can see that IKEv2 is available as a protocol for iOS in the VPN Configuration Profile settings, but not for macOS in the corresponding VPN Configuration Profile settings.

There are hints here and there in Jamf Nation, but mostly with 3rd party solutions.

If anyone can point me at some info that could help, I would really appreciate that.

8 REPLIES

dlondon
Valued Contributor

I wasn't even finding the IKEv2 entry in Jamf Pro under Computers > Configuration Profiles when making a new config profile. Jamf Support put me on the right track, as it is a User Level Config Profile, not the default Computer Level Config Profile, and that is set under General in the Config Profile.

There doesn't look to be an Always On field though. I see there is a feature request for that.

This looks to be different to how our Windows machines do AoVPN using IKEv2 - it's on even before the user logs in, so it means the computer is authenticating off our domain.

 

petestanley
New Contributor III

Thanks @dlondon for the info around setting the CP to User Level. Was about to put a support ticket in myself around not being able to find the IKEv2 option.

dlondon
Valued Contributor

Strangely though - iMazing Profile Editor has IKEv2 available for VPN in a System (Computer) configuration profile.

dpv13
New Contributor II

Hello.

As far as I know Always-On VPN is a concept that does not exist on Mac, and solutions that put it in place make their magic happen by using ploy... 

😉

JamieG
New Contributor III

Glad to see more people asking for this.

Please upvote this if you haven't already: https://ideas.jamf.com/ideas/JN-I-15714

I would love to see this on macOS implemented as well as it is in iOS, with all the captive portal detection etc.

As you have highlighted already, it is a bit all over with its implementation as it's user-targeted, so you wouldn't be able to do it for pre-logon authentication (even though it can use machine certs).

I've tried a few ways to get it to work, like using the VPN on-demand settings (but effectively identifying all traffic that I'd expect) but haven't had success with this yet.

 

JamieG
New Contributor III

Managed to get this working somewhat with On-Demand VPN settings. Does the job. No captive portal detection etc but I guess we're a little of the way there...

dlondon
Valued Contributor

Hi @JamieG, any chance you can share what you've done with the AoVPN or On-Demand VPN?

MarkG
New Contributor

Care to share what you did?