Blocking VPN

jared_f
Valued Contributor

Hi,

Does anybody know the criteria to create a smart group to block VPNs? Will this only apply when VPN profiles are applied... What about apps that don't install a profile?

Thanks,
Jared

9 REPLIES

skipthompson81
New Contributor II

betternet?

jared_f
Valued Contributor

Well, yes, and many others @skipthompson81. We use OpenDNS to filter and we are having issues with people bypassing our filters with VPNs. Especially to install iOS 10! :(

damienbarrett
Valued Contributor

We use a two-fold approach to blocking VPN:

1) I have the most common VPN apps listed as restricted processes in JSS, so even if a student installs the app, it won't run, it gets deleted, and I get an email alerting me (and then I can look at the computer record to see what other crapola has been installed). It's a great early-warning system.

2) We also block VPN activity at the firewall level. We use Untangle firewalls and one of the applications control layers allows the blocking of (some) outbound VPN traffic. Inbound is not affected, so my co-workers and I can still VPN in from the outside.

rhooper
Contributor III

@damienbarrett Are you saying that by blacklisting these you have cut down on the VPN apps, but what about within the Network Prefs where they can create their own VPN tunnel? Is there a way to block that as well using JSS 9.97? Besides taking out the entire System Preferences dock item.

We have the clients that I am in charge of limiting running rampant with VPN downloads as they learned that our firewall has slowed them a little. Also Google Chrome has an extension that runs on that browser; we had to figure out a way to block that as well....

Seems like we are one step forward and two steps back.

jared_f
Valued Contributor

@rhooper We use Cisco for some of our iOS management and what I have done is create a policy that has a list of all the VPN apps in the iOS App Store when you search "VPN". When the device checks in to our server, it takes an inventory of all the apps and compares it against the blacklisted apps in the policy. If the user has one, it puts them in a group which restricts the device (basically making it useless), removes the wireless profile, and hides all apps. We keep the App Store on the devices, but we have a Self Service-like catalog where we list apps that are acceptable and the user downloads them from there. If the user decides to get something that isn't listed (in this case a VPN), it disappears right from the home screen before launching. The reason we keep the App Store is so the user can do app updates.

For Mac, as @damienbarrett brought up, I have the most common ones as restricted processes, and when the user tries to launch one it just quits itself and throws off a warning. In this case, I can only apply limited restrictions. But, as always, excluding them from a wireless profile always gets their attention. You can always go the firewall route, but that has pros and cons.

As always, you are not going to catch everything... but word spreads fast when you do catch one person!
Jared
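
The check-in comparison described in the post above (app inventory against a blocklist, with an approved catalog exempted), sketched as an added example that is not part of the original thread or any MDM product's code. It also flags user-installed VPN profiles so that both cases from the opening question are covered. The bundle IDs, device records and the `managed` field are constructed assumptions; `com.apple.vpn.managed` is Apple's VPN profile payload type.

```python
# Assumed policy data, constructed for this example (not from the thread).
BLOCKED_BUNDLE_IDS = {"com.example.freevpn", "com.example.tunnelapp"}
APPROVED_BUNDLE_IDS = {"com.example.campusvpn"}  # the Self Service-like catalog
VPN_PAYLOAD_TYPES = {"com.apple.vpn.managed"}    # Apple VPN profile payload type


def vpn_findings(device):
    """Return sorted reasons why this device's inventory suggests a VPN."""
    reasons = set()
    for app in device.get("apps", []):
        bundle_id = app.get("bundle_id", "").lower()
        name = app.get("name", "")
        if bundle_id in APPROVED_BUNDLE_IDS:
            continue  # sanctioned app, never flagged even if named "VPN"
        if bundle_id in BLOCKED_BUNDLE_IDS:
            reasons.add(f"blocklisted app: {bundle_id}")
        elif "vpn" in name.lower():
            # Catches apps missing from the blocklist, like a store search for "VPN".
            reasons.add(f"name matches 'VPN': {name}")
    for profile in device.get("profiles", []):
        # 'managed' is a hypothetical flag: True when the MDM pushed the profile.
        if profile.get("payload_type") in VPN_PAYLOAD_TYPES and not profile.get("managed"):
            reasons.add(f"user-installed VPN profile: {profile.get('name', '?')}")
    return sorted(reasons)


def restricted_group(inventory):
    """Map device name -> findings for every device that should be restricted."""
    return {d["name"]: f for d in inventory if (f := vpn_findings(d))}


# Constructed check-in inventory for three devices.
SAMPLE_INVENTORY = [
    {"name": "ipad-01", "profiles": [],
     "apps": [{"name": "Free VPN Proxy", "bundle_id": "com.example.freevpn"}]},
    {"name": "ipad-02",
     "apps": [{"name": "Campus VPN", "bundle_id": "com.example.campusvpn"}],
     "profiles": [{"name": "Campus", "payload_type": "com.apple.vpn.managed", "managed": True}]},
    {"name": "ipad-03",
     "apps": [{"name": "TurboVPN", "bundle_id": "com.example.turbo"}],
     "profiles": [{"name": "MyTunnel", "payload_type": "com.apple.vpn.managed", "managed": False}]},
]

if __name__ == "__main__":
    for name, reasons in restricted_group(SAMPLE_INVENTORY).items():
        print(name, reasons)
```

The name match is deliberately broad, so the approved catalog has to be checked first or sanctioned VPN clients would land in the restricted group.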

jared_f
Valued Contributor

@rhooper I have seen some people on here have created a custom configuration for Chrome that blocks VPN extensions. I will give it a search and get back to you.

jared_f
Valued Contributor

https://www.jamf.com/jamf-nation/discussions/22910/vpn

Here is a solution to stop VPNs on Chrome.

eljefemiller
New Contributor II

@damienbarrett Do you have a list of the VPN apps you're restricting that you're able to share?