Blocking VPN OSX

mecklind
New Contributor III

I feel like I'm playing whack-a-mole with these, but our students with MacBook Airs are finding ways to get around everything I have in place and still managing to install VPNs.

Students have a standard account
I have a profile in place to prevent adding chrome extensions
I have the App Store set to updates only
Student devices have Securly at home filtering set up

The latest VPN they have is StarVPN. It doesn't show up as running; the only way to see it (so far that I've noticed) is that it adds a network service, which they shouldn't even be able to do without admin permissions.

Any suggestions on preventing this further? We are being forced to hold off on device collection until the last day of school and are worried that VPNs will prevent us from locking computers that aren't returned.


jared_f
Valued Contributor

@mecklind Where is this application installing? Could you create a smart group that looks for apps containing the name VPN? This is something I have done in Meraki.

Maybe a script that looks to see if a VPN is running and then alert you?

mecklind
New Contributor III

@jared_f The problem with that is once they have it installed and running, it can't talk to the JSS, so it has to be something to prevent it from even installing. The one I have to check out has one VPN installed in the Applications folder. I created a restricted software rule to kill the process, but if they're quick they can still get it running.

I tested on this laptop with the restricted process rule active, and I was able to get the VPN configured and connected before the process was killed. I've used this same method on a few others (betternet, Hotspot Shield/VPN) and it was able to kill the process before they connected.

I'm not sure if there is a way to force the VPN configuration to require admin credentials?

jared_f
Valued Contributor

@mecklind Are you restricting access to the Network pane in System Preferences? Even though my users still have to connect to WiFi, they just do it via the menu bar. Obviously you know your environment more, but there should be no need for them to have access to that pane if they just need to join WiFi. If your devices cannot talk to the JSS, you should consider setting up a group that looks for devices that have not checked in.

Hope this helps somewhat... these types of users keep you on your toes!
Jared

mecklind
New Contributor III

I agree; I don't have Network restricted. I'll have to test to see if that can stop it.

I have a group set up to check for those that aren't checking in, but I'd rather try and stop it to prevent the work in the future.

boberito
Valued Contributor

I've had similar things happen except we were able to add it to Restricted Software and it worked blocking the apps.

But anyway, a way to prevent it maybe... maybe, just a thought so far.

Create a LaunchDaemon that runs watching the file /Library/Preferences/SystemConfiguration/preferences.plist for changes. If that changes, it'll immediately trigger a script.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.school.removevpn (whatever you wanna call it)</string>
    <key>ProgramArguments</key>
    <array>
        <string>sh</string>
        <string>-c</string>
        <string>LOCATION TO YOUR SCRIPT</string>
    </array>
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration/preferences.plist</string>
    </array>
</dict>
</plist>

Then the script could search for VPN, if that's found....maybe either just replace the preferences.plist with a known good one, or have the script remove the parts that add the VPN. I think the first idea may be easier than the second idea.

mecklind
New Contributor III

That may work; I'm just worried about conflicts with the hostname. The script would have to create a backup of the MacBook's existing preferences.plist, and I would need a way to trigger that backup if we needed to change the hostname.

I'm wondering if there is a plist that can be altered to require an admin password when adding VPN configurations, similar to the one previously used to force free apps from the App Store to require an admin password after Apple removed that.

boberito
Valued Contributor

Maybe write the hostname early on to a file hidden somewhere. Then when the script runs, it checks to see if the machine's hostname matches that. Or have a hostname script run once a day or something.

ammonsc
Contributor II

There was similar discussion on this just a few days ago. We too had to fight this with some of our developers...

Removing Network Service

We used the following script to remove all but our standard VPN:

#!/bin/bash

# Detects all network hardware & creates services for all installed network hardware
/usr/sbin/networksetup -detectnewhardware

# Split only on newlines so service names containing spaces stay intact
# ($'\n' is a bash construct, hence the bash shebang)
IFS=$'\n'

# Loops through the list of network services containing VPN and removes each one
for service in $(/usr/sbin/networksetup -listallnetworkservices | grep VPN | grep -v "VPNNOTTOREMOVE" ); do
    /usr/sbin/networksetup -removenetworkservice "${service}"
done

exit 0

We had a standard name for our VPN, represented here as "VPNNOTTOREMOVE"; that way I could remove any VPN that was not created/approved by us.

mecklind
New Contributor III

That may work; a couple of questions.

  1. Do you have this running on a regular schedule?
  2. In theory, could this be done to just remove anything that isn't "Wi-Fi"? As we don't use any VPN, anything that isn't Wi-Fi would be deemed not approved.

ammonsc
Contributor II

Yes, I had it running at check-in. You could possibly set up an Extension Attribute that lists all Network Services, and then anyone that has more than just WiFi could go in a smart group that has that run. That way you are not applying it to everyone. I just had a static group of my "problem" users.
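Putting the allowlist idea from this reply together with boberito's WatchPaths trigger, here is an added example script (not code posted by anyone in this thread) that removes every network service not on an allowlist and, when called with -ea, doubles as the Extension Attribute for scoping the smart group. The allowlist contents, the -ea flag and the "removevpn" logger tag are assumptions chosen for the example.

```sh
#!/bin/sh
# Added example, not code posted in this thread. Lists network services the way
# ammonsc's script does, but removes anything NOT on an allowlist, so it can run
# from boberito's WatchPaths LaunchDaemon or at check-in. Assumptions: ALLOWED
# covers every approved service; the -ea flag and the "removevpn" logger tag are
# names chosen for this example. Removing single services leaves the HostName
# entry in preferences.plist untouched, unlike restoring a whole known-good copy.

ALLOWED="Wi-Fi
Ethernet
Thunderbolt Bridge"

# Pure filter: read service names on stdin, print those not in the allowlist.
# networksetup prefixes disabled services with '*' and starts its output with
# a header line beginning "An asterisk"; both are stripped so names compare cleanly.
unapproved_services() {
    while IFS= read -r svc; do
        svc="${svc#\*}"
        case "$svc" in
            ''|'An asterisk'*) continue ;;
        esac
        if ! printf '%s\n' "$ALLOWED" | grep -qxF -- "$svc"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Remove every unapproved service, leaving an audit trail in the system log.
remove_unapproved() {
    /usr/sbin/networksetup -detectnewhardware
    /usr/sbin/networksetup -listallnetworkservices | unapproved_services |
    while IFS= read -r svc; do
        logger -t removevpn "removing unapproved network service: $svc"
        /usr/sbin/networksetup -removenetworkservice "$svc"
    done
}

# -ea: Extension Attribute mode, prints the unapproved services ';'-separated so
# a smart group can scope the removal policy to machines that actually need it.
main() {
    if [ "${1:-}" = "-ea" ]; then
        result=$(/usr/sbin/networksetup -listallnetworkservices | unapproved_services | paste -sd ';' -)
        printf '<result>%s</result>\n' "${result:-None}"
    else
        remove_unapproved
    fi
}

# Only act where networksetup exists (macOS); elsewhere just define the functions.
if [ -x /usr/sbin/networksetup ]; then main "$@"; fi
```

Point the LaunchDaemon's ProgramArguments at this file for the WatchPaths trigger, and upload the same file with the -ea argument as the Extension Attribute script.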

ammonsc
Contributor II

This EA here by @scott.mielke should do the trick to make a smart group.

Network Service List

Malcolm
Contributor II

I recently revisited this, as we did have a script that would remove any VPN connection from the preferences.plist, but it no longer works. I found that VPNs that are added as an extension to an app, or added in other specific ways, it would appear wouldn't store or list against

networksetup -listallnetworkservices

I worked with AI to try and generate a script that would delete connections that weren't from a list of trusted connections; however, it couldn't remove some, as they weren't showing in the list. All methods I have investigated have been broken through security advancements in Ventura.