In our environment, we use Cisco AnyConnect VPN. People don't have local admin rights to their Macs and initially when people connect, a prompt is shown for system keychain to access from within AnyConnect in order for it to work for them. We do have user certs as well.
