Posted on 05-04-2021 01:16 PM
Hi folks, I'm looking to create a policy to do the following.
Pushing the AWS VPN Client is easy enough by pushing the .pkg file.
Anyone have any experience/ideas for the second part?
Thanks!
Posted on 05-21-2021 05:47 PM
Tried to package the ~/.config/AWS folder, but that seems to error on other machines when trying to connect.
Posted on 05-22-2021 12:06 PM
I think we cracked this...
We run this via Self Service
```bash
#!/bin/bash
# Find the logged-in user
loggedInUser=$(stat -f %Su /dev/console)
# Set the file path to the ConnectionProfiles file for the logged-in user
connectionProfiles="/Users/$loggedInUser/.config/AWSVPNClient/ConnectionProfiles"
# If the directory is not there, create it
mkdir -p "/Users/$loggedInUser/.config/AWSVPNClient/"
# Make the file
cat <<EOF > "$connectionProfiles"
{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"**YOUR PROFILE NAME HERE**","OvpnConfigFilePath":"/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs/**YOUR PROFILE NAME HERE**","CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0}]}
EOF
# Fix permissions: the script runs as root, so hand the file and any
# directories mkdir created over to the user
chown "$loggedInUser" "$connectionProfiles"
chown "$loggedInUser" "/Users/$loggedInUser/.config/AWSVPNClient/" "/Users/$loggedInUser/.config/"
```
With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users
Posted on 06-23-2021 04:07 PM
@bizzaredm Thanks for sharing the script. Worked great for me. FYI, I had to change the following values as well to match my AWS instance:
"CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0
Posted on 07-20-2021 08:19 AM
Can you clarify what you are doing here?
"With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users"
Because the script works in that it will create that file. But AWS vpn still expects that the ovpn file gets added with all of its info.
Posted on 08-02-2021 12:56 PM
Hey AltHoosier,
We were making a DMG with composer with the file from
/Users/MYUSER/.config/AWSVPNClient/OpenVpnConfigs/CompanyVPN
Since the app still needs the file there, as you said.
/Users/bizzaredm/.config/AWSVPNClient/OpenVpnConfigs/CompanyVPN
We NOW use 2 scripts rather than a DMG
This is our other script
```bash
#!/bin/bash
# Set the VPN config file name here (you could hard-code this, but we use a policy and use parameters)
vpnConfigFileName="$4"
# Stop if the policy did not pass a file name; otherwise the path below is just the folder
if [ -z "$vpnConfigFileName" ]; then
  echo "Missing VPN config file name (parameter 4)" >&2
  exit 1
fi
###### To update the profile the info between FOE needs to be updated ######
# Find the logged-in user
loggedInUser=$(stat -f %Su /dev/console)
# Set the path to the OpenVpnConfigs folder for the logged-in user
vpnConfigFolder="/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs/"
# If the directory is not there, create it
mkdir -p "$vpnConfigFolder"
fullPathVpn="${vpnConfigFolder}${vpnConfigFileName}"
echo "$fullPathVpn"
# Make the file ready for the 2nd profile
cat << FOE > "$fullPathVpn"
client
dev tun
proto udp
remote cvpn-endpoint-00000000.prod.clientvpn.us-west-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
NEEDOzCCAiOgAwIBAgIJAK0Nw9IHrd85MA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
DENMDWNlbGxzaWduYWwuY2EwHhcNMjAwNjAxMjIwMzU3WhcNMzAwNTMwMjIwMzU3
WjAYMRYwFAYDVQQDDA1jZWxsc2lnbmFsLmNhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEArir6RuKFdHLMuH9mqljjwFR/y2xIQoPBwKwOXuv5dLYPbOLC
+t7EiYbS4EleaMI+6iGmhrkGv2pyjYRmpEXjfJa9Egq6Xgp0/UdOYn4g5589zsKm
MF8UWaDQ1y3YGhJP0GdRgCEYlOR9PSOvD0heTiU3aruMzGjhbjRtpe35Ey3VeV4t
ZWLY+76Lbo7uCs+L+do3dyv9EuZi0SEsJ0OxvW0tO6rhENtJImud1UAiJDWk5QVz
enximDjqCmeqTSxlhmTlCpW0uEMH5qUId99Ir5CrWOT+N9v8bA8J+5HH+ZJB5kC7
XL+Vv81DTeMkchoAVJKaz6kRRgcFDNQgpHR8CQIDAQABo4GHMIGEMB0GA1UdDgQW
BBRt/iVazFbynQodLwVoxVAvCL5jwDBIBgNVHSMEQTA/gBRt/iVazFbynQodLwVo
xVAvCL8jwKEcpBowGDEWMBQGA1UEAwwNY2VsbHNpZ25hbC5jYYIJAK0Nw9IHrd85
MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBo
lVda7Sd8LdQxOH16x/Oo5B6axD5xWkJzAjg/vlqt8UxAaiJ9w/O0ASNxieg9TmQ/
0fMVqRslXLNcaiT+jQnenIZAxyEtwPy//3QzU6PlyRhlAnJDLgLVHGRrfIL5lUmY
BdeR4Itm/HrmUBZWpS4o7aniIXOKBEZh12D/KkacI7kjZwezyfLzFQ9eUmTTZmX7
RR+C4cL270dm5FdAM7WXiW5Fgmega8g+sWo+uNjJsJtyZev2B70CbWKh9wrssSCl
+ij8nZ1BO8SnUZwdXodz8ecgUFaR/mWs1wVAOPslVgPGyKVAQ3zCfTPiR+XaHORm
CANvPEjFKntz/C3Vi7MB
-----END CERTIFICATE-----
</ca>
auth-user-pass
reneg-sec 0
static-challenge "Enter 2 Factor Code " 1
FOE
# Fix permissions: the script runs as root, so hand the file and the
# folders above it over to the user
chown "$loggedInUser" "$fullPathVpn"
chown "$loggedInUser" "$vpnConfigFolder"
chown "$loggedInUser" "/Users/$loggedInUser/.config/AWSVPNClient/"
chown "$loggedInUser" "/Users/$loggedInUser/.config/"
```
Posted on 08-16-2021 10:21 AM
This is great, thank you!
One problem I am having is if I install the app with the .pkg and run the 2 scripts... I get this error:
There was an error loading your connection profiles: /Users/johntest/.config/AWSVPNClient/ConnectionProfiles
The way I can bypass this is if I open the app first, and then the scripts overwrite the folders that are created (.config/); it seems to accept them... But it will give me this error if I install, run the scripts and try to open.
Any thoughts?
Posted on 09-24-2021 11:39 AM
I'm running into the same issue. Did you ever uncover a solution?
Posted on 08-20-2021 02:11 AM
I have published a script to distribute the profile along with the AWS VPN Client.
I would be happy to help you.
Posted on 08-20-2021 11:06 AM
Thank you! I realized I had a few errors in my script that I was able to rectify.
Posted on 10-12-2021 11:02 AM
The arguments in your script start with $1, but Jamf's script parameters require that you start with $4...
"Parameters 1–3 are predefined as mount point, computer name, and username"
Should those be modified? Or is there something I am missing?
Posted on 12-13-2021 03:21 AM
Arguments 4 to 9 on Jamf are assigned to arguments 1 to 9 in the source code. The received arguments are adjusted on line 53 of the source code.
I give priority to the readability of the source code.
Posted on 01-11-2022 11:01 AM
I was initially able to get this to work however more often than not now I get the following error when the script is run:
[INFO] Start aws vpn client profile deplyment...
0:29: execution error: AWS VPN Client got an error: Application isn’t running. (-600)
Has anyone come across this error and know how to fix it?
Posted on 07-18-2022 05:41 AM
I know this was posted a little while ago, but I discovered what caused this error and thought it might help others using @enpipi's excellent script. The script opens and closes the AWS VPN Client app in order to create certain files/folders. This error occurs when the app hasn't launched fast enough, so you can add a sleep command in between the open and close commands in the script. I used a 10 second gap.
Posted on 05-09-2022 01:52 AM
Hi @enpipi
If I am not mistaken, the .ovpn file has to be on the device initially before the script can be run?
I am looking for a workflow that would also pull the file onto the device.
Posted on 05-03-2023 01:33 PM
Hey @enpipi!
Thanks for sharing your process - It works great! I was using a simplified version prior but for some reason it stopped working. I believe one of the latest AWS VPN client versions includes an auto-update feature that was causing a permissions error and making the client bounce in the dock, then quit out.
I pivoted and started to use your script, and it's going to work for our needs!
I would like to echo @vic-ama's comment about simplifying the entire process by using a CURL command to download the OVPN, rather than having to have it already on the end-point.
This would allow us to modify the ovpn file server-side and any new deployments would get the new configuration without any Jamf Pro policy change. Currently, any time a change needs to occur with that file, we would have to (re)package it up and add it to the policy.
Either way, awesome work & thanks for sharing!
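An added example, not part of the original posts or of @enpipi's script: once the .ovpn is pulled with curl instead of being packaged, it is untrusted input, so this checks it against a directive allowlist and a pinned endpoint before installing it. The function names `validate_ovpn` and `fetch_ovpn` are hypothetical, and `EXPECTED_REMOTE` and `ALLOWED` are assumptions copied from the sample profile posted earlier in this thread.

```bash
#!/bin/bash
# Added example: fetch an .ovpn over HTTPS and vet it before installing.
# EXPECTED_REMOTE and ALLOWED are assumptions taken from the sample profile
# posted in this thread; change both to match your own endpoint and profile.
EXPECTED_REMOTE="cvpn-endpoint-00000000.prod.clientvpn.us-west-1.amazonaws.com"
ALLOWED="client dev proto remote remote-random-hostname resolv-retry nobind"
ALLOWED="$ALLOWED remote-cert-tls cipher verb auth-user-pass reneg-sec static-challenge"

# validate_ovpn FILE: exit status 0 only if every check passes.
validate_ovpn() {
  awk -v want="$EXPECTED_REMOTE" -v allowed="$ALLOWED" '
    function bad(msg) { print "ovpn check failed: " msg > "/dev/stderr"; failed = 1 }
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { sub(/\r$/, "") }                        # tolerate CRLF files
    NF == 0 || $1 ~ /^[#;]/ { next }          # blank lines and comments
    /^<\/ca>/ { inblock = 0; next }
    /^<ca>/   { inblock = 1; has_ca = 1; next }
    inblock   { next }                        # certificate body
    /^</      { bad("unexpected inline block " $1); next }   # e.g. <key>, <cert>
    !($1 in ok) { bad("directive not allowed: " $1); next }  # up, down, plugin, ...
    $1 == "remote" { seen_remote = 1
                     if ($2 != want || $3 != "443") bad("unexpected remote " $2 ":" $3) }
    $1 == "remote-cert-tls" && $2 == "server" { has_tls = 1 }
    END { if (!seen_remote) bad("no remote line")
          if (!has_ca)      bad("no <ca> block")
          if (!has_tls)     bad("remote-cert-tls server missing")
          exit failed + 0 }
  ' "$1"
}

# fetch_ovpn URL DEST USER: download to a temp file, vet it, then install it
# owned by USER. Nothing is written to DEST unless validation passes.
fetch_ovpn() {
  local url="$1" dest="$2" user="$3" tmp rc=1
  tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
          --output "$tmp" "$url" && validate_ovpn "$tmp"; then
    install -o "$user" -m 600 "$tmp" "$dest"; rc=$?
  fi
  rm -f "$tmp"; return "$rc"
}
# In a Jamf policy (hypothetical parameters: $4 = URL, $5 = profile file name):
# fetch_ovpn "$4" "/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs/$5" "$loggedInUser"
```

A profile that uses directives outside the list, such as a federated-authentication profile, needs them added to `ALLOWED` deliberately rather than by loosening the check.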
Posted on 10-08-2024 08:29 AM
I'm having a problem adding profiles on my AWS VPN Client. Initially I was getting a permissions error, but I uninstalled everything from my .config and tried to do a fresh installation, and now I'm getting this:
there was an error loading your connection profiles: /Users/mark/.config/AWSVPNClient/ConnectionProfiles
Can the above script solve it, or how can I go about it?
Posted on 09-14-2021 07:25 AM
Has anyone found a way to automate AWS VPN client updates?
Posted on 05-03-2023 01:33 PM
No need. The latest client can auto-update!