Posted on 01-25-2018 02:11 PM
I feel like I'm playing whack-a-mole with these but our students with macbook airs are finding ways to get around everything I have in place and still managing to install VPNs
Students have a standard account
I have a profile in place to prevent adding chrome extensions
I have the App Store set to updates only
Student devices have Securly at home filtering set up
The latest VPN they have is StarVPN. It doesn't show up as running; the only way to see it (so far that I've noticed) is that it adds a network service, which they shouldn't even be able to do without admin permissions.
Any suggestions on preventing this further? We are being forced to hold off on device collection until the last day of school and are worried that VPNs will prevent us from locking computers that aren't returned.
Posted on 01-25-2018 03:22 PM
@mecklind Where is this application installing? Could you create a smart group that looks for apps containing the name VPN? This is something I have done in Meraki.
Maybe a script that looks to see if a VPN is running and then alert you?
Posted on 01-25-2018 04:04 PM
@jared_f The problem with that is once they have it installed and running it can't talk to the JSS, so it has to be something that prevents it from even installing. The one I have to check out has one VPN installed in the Applications folder. I created a restricted software rule to kill the process, but if they're quick they can still get it running.
I tested on this laptop with the restricted process rule active; I was able to get the VPN configured and connected before the process was killed. I've used this same method on a few others (Betternet, Hotspot Shield/VPN) and it was able to kill the process before they connected.
I'm not sure if there is a way to force the VPN configuration to require admin credentials?
Posted on 01-25-2018 04:23 PM
@mecklind Are you restricting access to the Network pane in System Preferences? Even though my users still have to connect to Wi-Fi, they just do it via the menu bar. Obviously you know your environment better, but there should be no need for them to have access to that pane if they just need to join Wi-Fi. If your devices cannot talk to the JSS, you should consider setting up a group that looks for devices that have not checked in.
Hope this helps somewhat... these types of users keep you on your toes!
Jared
Posted on 01-25-2018 04:32 PM
I agree, I don't have network restricted. I'll have to test to see if that can stop it.
I have a group set up to check for those that aren't checking in, but I'd rather try and stop it to prevent the work in the future.
Posted on 01-25-2018 05:24 PM
I've had similar things happen, except we were able to add it to Restricted Software and it worked at blocking the apps.
But anyway, a way to prevent it maybe... just a thought so far.
Create a LaunchDaemon that runs watching the file /Library/Preferences/SystemConfiguration/preferences.plist for changes. If that changes, it'll immediately trigger a script.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Label: whatever you wanna call it -->
    <key>Label</key>
    <string>com.school.removevpn</string>
    <!-- The script launchd runs each time a watched path changes -->
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>LOCATION TO YOUR SCRIPT</string>
    </array>
    <!-- Fire whenever the system network configuration is modified -->
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration/preferences.plist</string>
    </array>
</dict>
</plist>
Then the script could search for VPN; if that's found, maybe either just replace the preferences.plist with a known good one, or have the script remove the parts that add the VPN. I think the first idea may be easier than the second.
Posted on 01-26-2018 06:30 AM
That may work. I'm just worried about conflicts with the hostname: the script would have to create a backup of the MacBook's existing preferences.plist, and I would need a way to trigger that backup if we needed to change the hostname.
I'm wondering if there is a plist that can be altered to require an admin password when adding VPN configurations, similar to what was previously used to force free apps from the App Store to require an admin password after Apple removed that.
Posted on 01-26-2018 06:36 AM
Maybe write the hostname early on to a file hidden somewhere. Then when the script runs, it checks to see if the machine's hostname matches that. Or have a hostname script run once a day or something.
Posted on 01-26-2018 10:40 AM
There was similar discussion on this just a few days ago. We too had to fight this with some of our developers...
We used the following script to remove all but our standard VPN:
#!/bin/bash
# Detects all network hardware & creates services for all installed network hardware
/usr/sbin/networksetup -detectnewhardware
# Split only on newlines so service names containing spaces stay intact
IFS=$'\n'
# Loops through the list of network services containing VPN, skipping the approved one
for service in $(/usr/sbin/networksetup -listallnetworkservices | grep VPN | grep -v "VPNNOTTOREMOVE" ); do
    /usr/sbin/networksetup -removenetworkservice "${service}"
done
exit 0
We had a standard name for our VPN, represented here as "VPNNOTTOREMOVE", so that I could remove any VPN that was not created/approved by us.
Posted on 01-26-2018 11:50 AM
That may work; a couple of questions.
Posted on 01-26-2018 12:09 PM
Yes, I had it running with check-in. You could possibly set up an Extension Attribute that lists all network services, and then anyone that has more than just Wi-Fi could go in a smart group that has that run. That way you are not applying it to everyone. I just had a static group of my "problem" users.
Posted on 01-26-2018 12:20 PM
This EA here by @scott.mielke should do the trick to make a smart group.
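The removal script above matches on the substring "VPN", and the Extension Attribute idea needs a way to report anything beyond the expected services. The following script is an added example, not code from any poster in this thread: it keeps an allowlist of expected service names (the allowlist entries, the `--remediate` flag and the `removevpn` logger tag are assumptions), filters the output of `networksetup -listallnetworkservices` against it, emits a Jamf-style `<result>` block for use as an EA, and only calls `networksetup -removenetworkservice` when run with `--remediate` on a Mac. It can also serve as the script a WatchPaths LaunchDaemon like the one shown earlier invokes. The sample `networksetup` output embedded at the bottom is constructed so the script runs offline.

```bash
#!/bin/bash
# Added example (not from the thread): allowlist-based network service audit
# and cleanup for managed Macs. Service names and tags below are assumptions.

# Services a managed student Mac is expected to have; anything else is
# reported by the EA and removed by --remediate.
APPROVED_SERVICES="Wi-Fi
Thunderbolt Bridge
Bluetooth PAN
VPNNOTTOREMOVE"

# Print the services from a newline-separated list that are not in the allowlist.
# $1 = candidate list (one service per line), $2 = allowlist (one per line)
unapproved_services() {
    printf '%s\n' "$1" | while IFS= read -r svc; do
        # networksetup prefixes disabled services with '*'; strip it before comparing
        name="${svc#\*}"
        [ -z "$name" ] && continue
        case "$name" in
            "An asterisk"*) continue ;;   # the header line networksetup always prints
        esac
        # Exact, whole-line match so "Wi-Fi" does not also approve "Wi-Fi VPN"
        if ! printf '%s\n' "$2" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Build an Extension Attribute result: OK when nothing unexpected, else the list.
ea_result() {
    extra=$(unapproved_services "$1" "$2")
    if [ -z "$extra" ]; then
        printf '<result>OK</result>\n'
    else
        printf '<result>%s</result>\n' "$extra"
    fi
}

# Remove unapproved services on a real Mac; does nothing where networksetup is absent.
remediate() {
    if ! command -v /usr/sbin/networksetup >/dev/null 2>&1; then
        echo "networksetup not available on this host; nothing done" >&2
        return 0
    fi
    /usr/sbin/networksetup -detectnewhardware
    current=$(/usr/sbin/networksetup -listallnetworkservices)
    unapproved_services "$current" "$APPROVED_SERVICES" | while IFS= read -r svc; do
        /usr/sbin/networksetup -removenetworkservice "$svc"
        logger -t removevpn "removed network service: $svc"   # leaves an audit trail in the log
    done
}

# Constructed sample mimicking `networksetup -listallnetworkservices` output
SAMPLE_OUTPUT='An asterisk (*) denotes that a network service is disabled.
Wi-Fi
Thunderbolt Bridge
*Bluetooth PAN
StarVPN
VPNNOTTOREMOVE'

if [ "${1:-}" = "--remediate" ]; then
    remediate
else
    # EA mode: report on the sample data (on a Mac, feed it the live networksetup output)
    ea_result "$SAMPLE_OUTPUT" "$APPROVED_SERVICES"
fi
```

Removing services through `networksetup` rather than overwriting preferences.plist sidesteps the hostname conflict raised earlier, since the file is never replaced wholesale. Like the original script, it only sees what `networksetup -listallnetworkservices` returns, so a VPN installed as an app extension that never registers a network service will not appear in the EA result.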
Posted on 05-17-2023 09:14 PM
I recently revisited this, as we did have a script that would remove any VPN connection from the preferences.plist, but it no longer works. I found that VPNs that are added as an extension to an app, or added in other specific ways, it would appear, wouldn't store or list against
networksetup -listallnetworkservices
I worked with AI to try and generate a script that would delete connections that weren't from a list of trusted connections; however, it couldn't remove some as they weren't showing in the list. All methods I have investigated have been broken by security advancements in Ventura.