I’ve got a problem that is solvable, but I’m trying to figure out the “best way”.
The Problem: We have a VPN connection that uses PPTP. Configuring it via a configuration works fine, but I need to be able to add a search domain to the PPTP VPN config. Typically the search domain comes across automatically in the DHCP request, but for this connection, it does not.
Adding the search domain is easy with networksetup.
networksetup -setsearchdomains “connection name” “search.domain”
Here are the 2 different approaches to solving this that I've found:
The only problem here is that I can’t “trigger” some post-config-profile actions to happen immediately after the config profile is added. Sure, I can find machines with the profile that are missing the search domain using extension attributes and smart groups, but it feels like it’s a lot of moving parts (requiring EA’s, smart groups and policies) to do something so simple. Plus, if the config profile is ever re-pushed to the device, it would need the search domain fixed again, requiring all of the above to stay in place.
This reduces the attractiveness of using configuration profiles…they can’t be as easily managed using this method, and it would also break the ability to apply the config profile to machines outside of our network (our distribution point is not exposed externally). However, it would be much easier to piece all of the bits together in a single package and a policy.
While Either method will work. I’l leaning toward #2 as its easier to consolidate the parts into a single package and policy. Has anyone else ever wished to have a trigger for "configuration profile pushed"? I feel like I'm missing something easy. If anyone else had some elegant method of doing this, I’d love to hear it.
It almost sounds like you're asking for a Feature Request. Make Configuration Profiles a searchable criteria in a smart group so policies can be created scoped to machines in that smart group. If that's what you're looking for, make a feature request. I don't think it's currently possible.
Just note, a down side to #2 is that the JSS won't track any config profiles that weren't signed and pushed by the JSS MDM. I'm not sure why that is. But perhaps that's another feature request in and of itself.
This isn't something as nifty as 'run x after config profile deployment' (though you could do that by checking for the existence of a profile with an extension attribute), but you might want to check out /etc/ppp/ip-up. Can use it to run a script on VPN link establishment. Occasionally use it for creating ad-hoc static routes on my machine where split-tunnel is desired but not supported by default.
Config profile for distributing VPN connection, ip-up for running particular commands on link connection. Some extra connection logic can be implemented by using parameters passed to ip-up.