Deploying AWS VPN Client with .ovpn file

New Contributor II

Hi folks, I'm looking to create a policy to do the following.

  • Install AWS VPN Client
  • Add Profile with provided .ovpn file.

Pushing the AWS VPN Client is easy enough by pushing the .pkg file.
Anyone have any experience/ideas for the second part?




Tried to package the ~/.config/AWS folder but that seems to error on other machines when trying to connect



I think we cracked this...

We run this via Self Service


#!/bin/bash

#Find the logged in user
loggedInUser=$(stat -f %Su /dev/console)

#Set the file path to the ConnectionProfiles file with the loggedIn user
connectionProfiles="/Users/$loggedInUser/.config/AWSVPNClient/ConnectionProfiles"

#If directory not there create it.
mkdir -p "/Users/$loggedInUser/.config/AWSVPNClient/"

#make the file
cat <<EOF > "$connectionProfiles"
{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"**YOUR PROFILE NAME HERE**","OvpnConfigFilePath":"/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs/**YOUR PROFILE NAME HERE**","CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0}]}
EOF

#Fix permissions (the script runs as root, so hand the file back to the user)
chown "$loggedInUser" "$connectionProfiles"


With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users

New Contributor

@bizzaredm Thanks for sharing the script. Worked great for me. FYI, I had to change the following values as well to match my AWS instance:


New Contributor


Can you clarify what you are doing here?

"With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users"

Because the script works in that it will create that file. But AWS VPN still expects that the ovpn file gets added with all of its info.

Hey AltHoosier,

We were making a DMG with composer with the file from 


Since the app still needs the file there, as you said.

  1. Deploy the app with pkg
  2. Use the above script to make the AWS app know about the profile
  3. Deploy DMG that you made from an already configured (manual) setup of the profile in 
  4. Open the app and it should all work 

We NOW use 2 scripts rather than a DMG

This is our other script



#!/bin/bash

#Set VPN Config File Name Here (You could hard code this, but we use a policy and use parameters)
#The assignment is missing from the post; the variable name and the use of Jamf parameter 4 are assumed.
vpnConfigFileName="$4"

###### To update the profile the info between FOE needs to be updated ######

#Find the logged in user
loggedInUser=$(stat -f %Su /dev/console)

#Set the file path to the ConnectionProfiles file with the loggedIn user
vpnConfigFolder="/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs"
fullPathVpn="$vpnConfigFolder/$vpnConfigFileName"

#If directory not there create it.
mkdir -p "$vpnConfigFolder"

echo "$fullPathVpn"

#make the file ready for the 2nd profile
cat << FOE > "$fullPathVpn"
dev tun
proto udp
remote 443
resolv-retry infinite
remote-cert-tls server
cipher AES-256-GCM
verb 3


reneg-sec 0
static-challenge "Enter 2 Factor Code " 1
FOE

#Fix permissions
chown "$loggedInUser" "$fullPathVpn"
chown "$loggedInUser" "$vpnConfigFolder"
chown "$loggedInUser" "/Users/$loggedInUser/.config/"




This is great, thank you!

One problem I am having is if I install the app with the .pkg and run the 2 scripts... I get this error:

There was an error loading your connection profiles: /Users/johntest/.config/AWSVPNClient/ConnectionProfiles

The way I can bypass this is if I open the app first, and then the scripts overwrite the folders that are created (.config/) it seems to accept them... But it will give me this error if I install, run the scripts and try to open.

Any thoughts?

New Contributor III

I'm running into the same issue. Did you ever uncover a solution?

New Contributor II

I have published a script to distribute the profile along with the AWS VPN Client.
I would be happy to help you.

Thank you! I realized I had a few errors in my script that I was able to rectify.

New Contributor

The arguments in your script start with $1, but Jamf's script parameters require that you start with $4...

"Parameters 1–3 are predefined as mount point, computer name, and username"

Should those be modified?  Or is there something I am missing?

New Contributor II

Arguments 4 to 9 on Jamf are assigned to arguments 1 to 9 in the source code. The received arguments are adjusted on line 53 of the source code.

I give priority to the readability of the source code.

New Contributor III

I was initially able to get this to work however more often than not now I get the following error when the script is run:


[INFO] Start aws vpn client profile deplyment...
0:29: execution error: AWS VPN Client got an error: Application isn’t running. (-600)


Has anyone come across this error and know how to fix it?

I know this was posted a little while ago, but I discovered what caused this error and thought it might help others using @enpipi's excellent script. The script opens and closes the AWS VPN Client app in order to create certain files/folders. This error occurs when the app hasn't launched fast enough, so you can add a sleep command in between the open and close commands in the script. I used a 10 second gap.
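
Added example, not part of the thread and not taken from the script discussed above: instead of a fixed sleep, poll until the client is actually running and has created its folder, and give up after a timeout. The process name passed to pgrep and the choice of ~/.config/AWSVPNClient as the folder to wait for are assumptions.

```shell
#!/bin/bash
# Added example: wait on a condition instead of sleeping a fixed time.

# wait_until SECONDS CMD [ARGS...]
# Runs CMD once per second until it succeeds. Returns 0 on success,
# 1 if SECONDS elapse first.
wait_until() {
    limit=$1; shift; waited=0
    until "$@" >/dev/null 2>&1; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Launch the client once so it creates its own files, then quit it.
# Each step has a deadline, so a slow Mac waits longer and a broken
# install fails the policy instead of continuing silently.
prime_client() {
    user=$(stat -f %Su /dev/console)
    cfg="/Users/$user/.config/AWSVPNClient"      # assumed folder to wait for
    open -a "AWS VPN Client" || return 2
    # Quitting an app that is not yet running is what the -600 error reports.
    wait_until 60 pgrep -x "AWS VPN Client" || return 1   # assumed process name
    wait_until 60 test -d "$cfg" || return 1
    osascript -e 'quit app "AWS VPN Client"'
}
```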

New Contributor

Hi @enpipi 

If I am not mistaken, the .ovpn file has to be on the device initially before the script can be run?

I am looking for a workflow that would also pull the file onto the device.

New Contributor III

Hey @enpipi!

Thanks for sharing your process - It works great!  I was using a simplified version prior but for some reason it stopped working.  I believe one of the latest AWS VPN client versions includes an auto-update feature that was causing a permissions error and making the client bounce in the dock, then quit out.

I pivoted and started to use your script, and it's going to work for our needs!

I would like to echo @vic-ama's comment about simplifying the entire process by using a CURL command to download the OVPN, rather than having to have it already on the end-point.

This would allow us to modify the ovpn file server-side and any new deployments would get the new configuration without any Jamf Pro policy change.  Currently, any time a change needs to occur with that file - We would have to (re)package it up and add it to the policy.

Either way, awesome work & thanks for sharing!

New Contributor III

Has anyone found a way to automate AWS VPN client updates?

No need.  The latest client can auto-update!