Custom VPN Profile Issues

nesteph
New Contributor

I made a configuration profile in Apple Configurator 2 so that I could modify it with the keys noted in the Configuration Profile Reference documentation that Apple has supplied. I have successfully configured the profile to where it will enable on demand connection while outside of our network for most sites, which is the goal I was going for. I am able to sign these profiles and then upload them to Casper for deployment, but only the iOS devices don't get stuck in a profile install loop. I know the profile works on OS X, because I can install it manually or make a pkg to put the .mobileconfig on a Mac and install it using the following.

sudo profiles -I -F /path/to/profile.mobileconfig

It was brought to my attention that the on demand functionality wasn't working on 10.10.5 machines, but that part isn't a concern at the moment. I have tried pushing out the following profile (redacted some stuff) using both a User Level configuration and a Computer Level configuration with no luck.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>LocalIdentifier</key>
                <string>LOCALID</string>
                <key>LocalIdentifierType</key>
                <string>KeyID</string>
                <key>RemoteAddress</key>
                <string>VPNGATEWAYHERE</string>
                <key>SharedSecret</key>
                <data>
                SHAREDSECRETHERE
                </data>
                <key>XAuthEnabled</key>
                <integer>1</integer>
                <key>XAuthName</key>
                <string>XAUTHUSER</string>
                <key>XAuthPassword</key>
                <string>XAUTHPASS</string>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.vpn.managed.FAFD0B8C-4ABF-4EAF-A081-9EB058BF58CA</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>051D85EE-C341-4D78-B410-50AB4B154AD4</string>
            <key>PayloadVersion</key>
            <real>1</real>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>VPN CONFIG</string>
            <key>VPNType</key>
            <string>IPSec</string>
            <key>OnDemandEnabled</key>
            <integer>1</integer>
            <key>OnDemandRules</key>
            <array>
                <dict>
                    <key>Action</key>
                    <string>EvaluateConnection</string>
                    <key>ActionParameters</key>
                    <array>
                        <dict>
                            <key>Domains</key>
                            <array>
                                <string>.com</string>
                                <string>.org</string>
                                <string>.net</string>
                                <string>.int</string>
                                <string>.edu</string>
                                <string>.gov</string>
                                <string>.mil</string>
                                <string>.ca</string>
                                <string>.uk</string>
                                <string>.us</string>
                            </array>
                            <key>DomainAction</key>
                            <string>ConnectIfNeeded</string>
                            <key>RequiredDNSServers</key>
                            <array>
                                <string>DNS SERVER 1</string>
                                <string>DNS SERVER 2</string>
                            </array>
                        </dict>
                    </array>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>VPN CONFIG</string>
    <key>PayloadIdentifier</key>
    <string>com.something.great.791BD95F-053B-49A9-BC2D-FC17F465EA5D</string>
    <key>PayloadOrganization</key>
    <string>ORG NAME</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>128860C8-553F-4C7C-B07E-3A10AF23DAF0</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
2 REPLIES

Key1
New Contributor III

Could try generating the VPN profile in the JSS and stripping the encryption (https://jamfnation.jamfsoftware.com/discussion.html?id=11830) to check for any major differences.
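The comparison suggested in the reply above, as an added example that is not part of the original thread or of Jamf's tooling: it diffs two profiles key by key, skips the per-profile UUIDs and identifiers, and reports credential keys as different without printing them. It assumes both profiles are already unsigned XML plists; the function names and the sample payloads are constructed for illustration.

```python
import plistlib

# Regenerated for every profile, so they always differ and are skipped.
VOLATILE = {"PayloadUUID", "PayloadIdentifier"}
# Credential keys: report that they differ, never print the values.
SECRET = {"SharedSecret", "XAuthPassword"}
ABSENT = "<absent>"

def flatten(node, path=""):
    """Map each leaf of a parsed plist to its key path, e.g. /PayloadContent[0]/VPNType."""
    if isinstance(node, dict):
        children = [(f"{path}/{k}", v) for k, v in node.items() if k not in VOLATILE]
    elif isinstance(node, list):
        children = [(f"{path}[{i}]", v) for i, v in enumerate(node)]
    else:
        return {path: node}
    out = {}
    for child_path, value in children:
        out.update(flatten(value, child_path))
    return out or {path: type(node)()}  # keep empty containers visible

def diff_profiles(hand_made: bytes, generated: bytes):
    """Return sorted (path, hand_made_value, generated_value) for every difference."""
    a, b = (flatten(plistlib.loads(p)) for p in (hand_made, generated))
    rows = []
    for path in sorted(a.keys() | b.keys()):
        left, right = a.get(path, ABSENT), b.get(path, ABSENT)
        # 1.0 == 1 in Python, so also compare types to catch <real> vs <integer>.
        if left == right and type(left) is type(right):
            continue
        if path.rsplit("/", 1)[-1] in SECRET:
            left, right = (v if v == ABSENT else "<redacted>" for v in (left, right))
        rows.append((path, left, right))
    return rows

# Constructed sample data (not real profiles): a hand-edited payload and a
# hypothetical console-generated one that lacks the On Demand keys.
def build_profile(payload):
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

HAND_MADE = build_profile({"VPNType": "IPSec", "PayloadVersion": 1.0, "PayloadUUID": "A",
                           "IPSec": {"SharedSecret": b"constructed-a"}, "OnDemandEnabled": 1,
                           "OnDemandRules": [{"Action": "EvaluateConnection"}]})
GENERATED = build_profile({"VPNType": "IPSec", "PayloadVersion": 1, "PayloadUUID": "B",
                           "IPSec": {"SharedSecret": b"constructed-b"}})

if __name__ == "__main__":
    for row in diff_profiles(HAND_MADE, GENERATED):
        print(*row, sep="\t")
```

On real files, pass the bytes read from each `.mobileconfig` to `diff_profiles`.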

nesteph
New Contributor

Problem is I can't generate this profile in the JSS, because it uses keys that aren't present in the GUI for making a profile. And for whatever reason, the connection method needed for this to work isn't one of the options in the GUI for OS X Configuration Profiles in the JSS. I know that the specific configuration listed above for VPN Type of IPSec works on OS X, so I don't know why it isn't an option in there on the OS X side. It is listed and available on the iOS side.