Question

Config Profile -> VPN payload -> "On Demand Rules Configuration XML" ?

  • March 9, 2020
  • 5 replies
  • 82 views


Can anybody point me towards some useful documentation on how to take advantage of this? Would love to figure out how to get a VPN config to auto-connect when the user tries to hit particular web sites or is joined to particular networks...

5 replies


Anybody?


  • New Contributor
  • March 30, 2020

Also interested in this !


  • New Contributor
  • April 14, 2020

Same here. It's nice to have the possibility to add things in a field, but not so nice if nothing is documented…


  • Contributor
  • April 14, 2020

Same here, also interested in this.



Since the thread is like a first hit when „googling” this and is still unanswered, here are my findings:

This checkbox and text field correspond to the OnDemandEnabled and OnDemandRules keys of the VPN Payload, which you can find documented in Apple's Configuration Profile Reference (currently on page 93 — subject to change over time). The expected value of the latter should be an array of dictionaries (hence Jamf Pro's XML requirement) and accepted values are documented in the „On Demand Rules Dictionary Keys” section on pages 95–97.

Still, the available documentation is a bit vague and the exact structure of the expected XML is not exactly clear from it. However, within the #ios channel of MacAdmins' Slack I've found two examples that are accepted by Jamf Pro and should provide you all with just enough information to build your own XMLs to suit your individual needs:

  1. Connect VPN unless on specific WiFi:
    <array>
        <dict>
            <key>Action</key>
            <string>Ignore</string>
            <key>SSIDMatch</key>
            <array>
                <string>SpecificSSID</string>
            </array>
        </dict>
        <dict>
            <key>Action</key>
            <string>Connect</string>
        </dict>
    </array>
  2. Connect if unable to resolve internal domains on connection attempt:
    <array>
        <dict>
            <key>Action</key>
            <string>EvaluateConnection</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>..local</string>
                        <string>intranet.*.com</string>
                    </array>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                </dict>
            </array>
        </dict>
    </array>

Surprisingly, Profile Manager and Apple Configurator 2 both still use deprecated keys of OnDemandMatchDomains* 🤔.
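
Added example, not part of the post above and not Jamf's or Apple's code: a small Python linter for an OnDemandRules fragment before it is pasted into the Jamf Pro field. The function name `lint_on_demand_rules` is hypothetical; the key and value names are the ones listed in Apple's Configuration Profile Reference, and the check for unreachable rules assumes rules are evaluated in order and that a rule with no match keys always matches, which is what the first example in the thread relies on.

```python
import plistlib

# Key and value names from Apple's Configuration Profile Reference (VPN payload).
ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
MATCH_KEYS = {"DNSDomainMatch", "DNSServerAddressMatch", "InterfaceTypeMatch",
              "SSIDMatch", "URLStringProbe"}
PARAM_KEYS = {"Domains", "DomainAction", "RequiredDNSServers",
              "RequiredURLStringProbe"}
DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}

def lint_on_demand_rules(fragment):
    """Return a list of problems in an <array> fragment of On Demand rule dicts."""
    wrapped = '<plist version="1.0">%s</plist>' % fragment
    try:
        rules = plistlib.loads(wrapped.encode(), fmt=plistlib.FMT_XML)
    except Exception as exc:  # malformed XML or not a valid plist value
        return ["not a parseable plist fragment: %s" % exc]
    if not isinstance(rules, list):
        return ["top-level element must be <array>"]
    problems, catch_all = [], None
    for n, rule in enumerate(rules, 1):
        if not isinstance(rule, dict):
            problems.append("rule %d: expected <dict>" % n)
            continue
        if catch_all:
            # An earlier rule without match keys shadows everything after it.
            problems.append("rule %d: unreachable, rule %d has no match keys "
                            "and always matches" % (n, catch_all))
        action = rule.get("Action")
        if action not in ACTIONS:
            problems.append("rule %d: unknown Action %r" % (n, action))
        for key in sorted(set(rule) - MATCH_KEYS - {"Action", "ActionParameters"}):
            problems.append("rule %d: unknown key %r" % (n, key))
        if action == "EvaluateConnection":
            params = rule.get("ActionParameters")
            if not isinstance(params, list) or not params:
                problems.append("rule %d: EvaluateConnection needs an "
                                "ActionParameters array" % n)
                params = []
            for p in params:
                if not isinstance(p, dict) or "Domains" not in p \
                        or p.get("DomainAction") not in DOMAIN_ACTIONS:
                    problems.append("rule %d: each ActionParameters entry needs "
                                    "Domains and a valid DomainAction" % n)
                elif set(p) - PARAM_KEYS:
                    problems.append("rule %d: unknown ActionParameters key" % n)
        if catch_all is None and not set(rule) & MATCH_KEYS:
            catch_all = n
    return problems
```

Both fragments from the thread pass with an empty list; swapping the two rules of the first one is reported, because the bare Connect rule would then match before the SSID exception is ever considered.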