Blocking VPNs on iOS

jared_f
Valued Contributor

Hello All!

We have successfully blocked VPNs on our mobile iOS devices by checking for restricted apps and then locking down the device. It obviously does not see a VPN if a user manually sets one up? Is there any criteria I could use to find if they manually set up a VPN (not with an app)? I may try to do this more at network level if I have to.

Thanks
Jared

7 REPLIES

WhippsT
Contributor

Did you ever find a solution at the device level? We have a need to block VPN as well, but not for all devices.

WhippsT
Contributor

Never mind. I found the function in the restrictions on the JSS.

thejenbot
Contributor III

There is a restriction so that new VPNs can't be configured, but is there a way to check to see if some script kiddie has already done it and is using it? Or does pushing that config profile out disable any currently configured as well?

jared_f
Valued Contributor

@WhippsT @thejenbot We have found that the restriction you are speaking of does not allow users to configure manual VPNs, but it still allows apps to function. I saw this criterion a few months back and I am searching based on this. Seems to be working great!

anonymous
betternet
private
proxy
tunnel
unblocker
vpn

I don't remember the topic I found these in, but whoever listed them - it has worked wonders.

taz_mcbr1
New Contributor II

Hi @jared_f @WhippsT @thejenbot

Please consider upvoting this feature request: https://www.jamf.com/jamf-nation/feature-requests/2880/show-current-vpn-status

Reporting on applications with the word "vpn, betternet" etc. only reports that the VPN app was installed, but doesn't report on whether a VPN is actually configured. Users can manually configure the VPN via settings, VPN - without an application - and these VPN users are now invisible to your report. It's quite a major loophole for our student safeguarding.

I've already tried blocking manual creation of VPNs via a configuration profile - it stops creation of new, but if they were already in place, it leaves them alone! Given the report was only looking at app installs, not VPNs configured, the report was essentially useless - we were targeting some students who didn't have a VPN but did have an app, and missing some students who did have a VPN but no app!

Edlondon
New Contributor

Hi, I’m a real noob around here - have only dealt in Apple Configurator before. Does this mean you can block the installation of specific apps from the App Store with descriptions which include terms such as ‘proxy’ ‘vpn’ etc?
Thanks

taz_mcbr1
New Contributor II

Hi, there is no way that I know of to block apps using keywords in Jamf Pro. You can only block apps if you know the exact app ID/name. This is done via a configuration profile.

You can create smart groups however, where you can identify who has installed an app that meets a keyword. Then you can run an action against members of that group. The keyword has to be associated with an attribute, e.g. where app name = proxy or where appID = proxy. This is a very blunt tool though - just shows you who has an app that meets the name criteria. I've found lots of proxies for example don't use the word proxy in their name so were never picked up! Hope that helps.
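
The keyword criteria discussed in this thread, as an added Python example that is not part of any post and is not Jamf code: it runs the posted keyword list over a constructed app inventory to show what the match flags, a false positive on "private", and a proxy app it misses. The inventory rows, bundle IDs, and the `reviewed_ok` and `known_bad` sets are assumptions for illustration.

```python
# Keyword list as posted in the thread.
KEYWORDS = ["anonymous", "betternet", "private", "proxy", "tunnel", "unblocker", "vpn"]

# Constructed sample rows (device, app name, bundle ID); not real inventory output.
# A manually configured VPN has no app row at all, so it can never appear here.
INVENTORY = [
    ("ipad-01", "Betternet VPN", "com.example.betternet"),
    ("ipad-02", "Private Diary Notes", "com.example.diary"),   # harmless, matches "private"
    ("ipad-03", "SurfFree Browser", "com.example.surffree"),   # proxy app, no keyword in name
    ("ipad-04", "Maths Trainer", "com.example.maths"),
    ("ipad-05", "Turbo Tunnel", "com.example.turbotunnel"),
]


def match_keywords(name, bundle_id, keywords=KEYWORDS):
    """Return the keywords found (case-insensitive substring) in app name or bundle ID."""
    haystack = f"{name} {bundle_id}".lower()
    return [k for k in keywords if k in haystack]


def flag_devices(inventory, reviewed_ok=frozenset()):
    """Map device -> [(app name, matched keywords)], skipping bundle IDs already reviewed."""
    flagged = {}
    for device, name, bundle_id in inventory:
        if bundle_id in reviewed_ok:
            continue  # hypothetical allowlist of apps an admin has checked by hand
        hits = match_keywords(name, bundle_id)
        if hits:
            flagged.setdefault(device, []).append((name, hits))
    return flagged


def missed(inventory, flagged, known_bad):
    """Devices holding a known-bad bundle ID that keyword matching did not flag."""
    return sorted({d for d, _, b in inventory if b in known_bad and d not in flagged})


if __name__ == "__main__":
    flagged = flag_devices(INVENTORY)
    for device, apps in sorted(flagged.items()):
        print(device, apps)
    # Exact bundle IDs catch what the keywords cannot.
    print("missed:", missed(INVENTORY, flagged, {"com.example.surffree"}))
```

Recording which keyword triggered each match makes the false positives quick to review, and the `missed` check shows why an exact bundle ID list is still needed alongside the keyword search.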