Force VPN connection off-campus

cruess
New Contributor III

Hey everyone,

This is my first post with JAMF NATION. We have our environment (mostly) fleshed out and are VERY pleased with our migration to JAMF.

I am working on setting up VPN connections for all teachers (K-12 environment) on their MacBook Pros and iPads. The connection works and is successful (via config profile).

Here's the issue:
I need to force the VPN to connect whenever these district devices are off-campus so that they still receive our security/filtering/monitoring services. Would it be better to base this off of location (if possible; I've heard JAMF refuses to collect location data) or is it best practice to make a policy/script based on the currently connected network? I.e., if the machine is not connected to one of our district networks, then force VPN, and if so, how would I go about doing so? Is this even possible on iOS due to the lack of policies / config options?

Any advice / helpful pointers are greatly appreciated!
Thanks in advance


drodenbaugh
New Contributor II

We are looking for the same type of connection. I don't know if we could look at the external IP address on campus and when that changes then force the VPN. It would be great if Mac had an always on VPN.

TomH
New Contributor III

Depends on your VPN solution, but iOS & OSX support VPN on demand through rules in the configuration profile; usually this needs to be coupled with certificate-based auth for a slick solution. You can match on a URL test / DNS servers etc.

cruess
New Contributor III

We're using the Routing and Remote services from a Windows 2012R2 server.

Thanks for a point in the right direction. The URL check will work nicely, I believe. If the device can't resolve our JAMF server, then it must be off campus, thus forcing VPN connectivity, which should then resolve the URL and stop.

For iOS, I don't see the option for on demand VPN as I do with OSX config profile. So, I'll begin testing with a MacBook. Any thoughts on how to do this for iPad?

Follow up question: How can I force the options for "Send all traffic through VPN" and "Show VPN status in menu bar"?

TomH
New Contributor III

The iOS keys exist, if you take a look here you can see everything available for your profile:

Apple Developer

Adding VPN to the menu bar can be done with a configuration profile; here is one I created with mcxToProfile which you can save as a .mobileconfig and upload to your JSS.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadContent</key>
            <dict>
                <key>com.apple.mcxMenuExtras</key>
                <dict>
                    <key>Forced</key>
                    <array>
                        <dict>
                            <key>mcx_preference_settings</key>
                            <dict>
                                <key>VPN.menu</key>
                                <true/>
                            </dict>
                        </dict>
                    </array>
                    <key>mcx_targets</key>
                    <array>
                        <string>user-managed</string>
                    </array>
                </dict>
            </dict>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>MCXToProfile.9eb8b8d5-71d7-448c-add1-fab72f4c58d6.alacarte.customsettings.0acb51b8-560b-43b7-890e-7556fbd70285</string>
            <key>PayloadType</key>
            <string>com.apple.ManagedClient.preferences</string>
            <key>PayloadUUID</key>
            <string>0acb51b8-560b-43b7-890e-7556fbd70285</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Included custom settings:
com.apple.mcxMenuExtras
</string>
    <key>PayloadDisplayName</key>
    <string>VPN: com.apple.mcxMenuExtras</string>
    <key>PayloadIdentifier</key>
    <string>uk.co.tomholbrook.MenuExtras</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadScope</key>
    <string>System</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>9eb8b8d5-71d7-448c-add1-fab72f4c58d6</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Send all traffic should be in your VPN configuration profile, something like:

            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
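As an added example (not from any of the posts above), this is the On Demand portion of a com.apple.vpn.managed VPN payload that implements TomH's suggestion together with cruess's URL check. Rules are evaluated top to bottom and the first match wins, so the campus matches come first and a bare Connect rule last; the SSID, DNS server address and probe URL are placeholders, and, as TomH notes, on-demand needs certificate-based authentication rather than a stored password.

```xml
<!-- Added example: On Demand keys inside a com.apple.vpn.managed payload dict.
     SSID, DNS server address and probe URL below are placeholders, not district values. -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<key>OnDemandRules</key>
<array>
    <!-- 1. Wi-Fi on a district SSID that hands out district DNS servers: tear the tunnel down -->
    <dict>
        <key>InterfaceTypeMatch</key>
        <string>WiFi</string>
        <key>SSIDMatch</key>
        <array>
            <string>DISTRICT-STAFF-SSID</string>
        </array>
        <key>DNSServerAddressMatch</key>
        <array>
            <string>10.0.128.10</string>
        </array>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>
    <!-- 2. Wired on campus: the internal JSS URL answers HTTP 200 without a redirect, so stay off VPN.
         A resolvable, reachable internal-only URL is what makes this probe a usable on-campus test. -->
    <dict>
        <key>InterfaceTypeMatch</key>
        <string>Ethernet</string>
        <key>URLStringProbe</key>
        <string>https://jss.district.example:8443/</string>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>
    <!-- 3. Anything else (hotspot, home Wi-Fi, coffee shop) is off campus: bring the tunnel up -->
    <dict>
        <key>Action</key>
        <string>Connect</string>
    </dict>
</array>
```

Test the Disconnect rules with the device on campus first: if the SSID, DNS or probe match is wrong, the final Connect rule will keep trying to dial the VPN from inside your own network.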

cruess
New Contributor III

@TomH Thanks for the resources! I've found the scripting section for OSX under "computer management" and have begun testing with the URL/DNS check you suggested. However, I am a little unsure about how to go about this for the iPads. What is best practice for workflow on getting scripts to iOS?

I did find that the "Force all traffic through VPN" is simply a check box now in the JSS config profile.

@drodenbaugh I came across this site, which I believe addresses your issue of an "always on" VPN.
http://superuser.com/questions/377277/is-there-a-way-to-force-os-x-lion-to-connect-to-a-vpn-whenever-theres-network-c

drodenbaugh
New Contributor II

@cruess We have been working on an AppleScript that checks the network connection of the computer. If it is turned on then the script runs a shell script that brings back the IP address of the network that is connected. If the script does not see that IP on the "list" of approved IP addresses then it connects the VPN. We have the script run every 5 seconds.

on idle
    -- Campus subnets: an interface with an address on one of these means the
    -- machine is on the district network (prefix match, as in the original list)
    set campusPrefixes to {"10.0.128", "10.0.129", "10.0.130", "10.0.131", "10.0.132", "10.0.133", "10.0.134"}
    -- Find the Wi-Fi interface (en0, en1, ...); quotes inside the shell string must be escaped
    set airPortDevice to do shell script "/usr/sbin/networksetup -listallhardwareports | awk '{if($3==\"Wi-Fi\"){getline;print}}' | awk '{print $2}'"
    set airPortPower to do shell script ("/usr/sbin/networksetup -getairportpower " & airPortDevice & " | awk '{print $4}'")
    if airPortPower is equal to "on" then
        tell application "System Events"
            tell current location of network preferences
                -- Only act if the VPN service exists in this network location
                if exists service "VPN (L2TP)" then
                    set myConnection to service "VPN (L2TP)"
                    if not (connected of current configuration of myConnection) then
                        -- networkUp stays true when no interface holds a campus address, i.e. off campus
                        set networkUp to true
                        repeat with iface in {"en0", "en1", "en2", "en3"}
                            -- Empty result if the interface is absent or has no IPv4 address
                            set ifaceIP to do shell script "ifconfig " & iface & " 2>/dev/null | grep 'inet ' | cut -d ' ' -f 2"
                            repeat with prefix in campusPrefixes
                                if ifaceIP contains (contents of prefix) then set networkUp to false
                            end repeat
                        end repeat
                        if networkUp is true then
                            connect myConnection
                        end if
                    end if
                end if
            end tell
        end tell
    end if
    -- Run this handler again in 5 seconds (the interval must be returned from inside the idle handler)
    return 5
end idle

mattware
Contributor

Does your filter not have a client like iBoss does? This seems like a lot of load on your infrastructure to have so many VPN connections.

cruess
New Contributor III

@mattware Our web filter was iBoss last year, but now it's been switched to NXFilter. Unfortunately for me, the ISP/Firewall/Filtering is all hosted with our ESD and I don't have access; I have to submit a ticket for changes.

As far as the load, we're only talking about 73 MacBooks and 73 Staff iPads, running through one VPN hosted from a dedicated server. It really should be fine; the concern is more around the security of sensitive student info.

@drodenbaugh That script looks great! I'll try modifying it to our environment and needs, but I think this is what we're looking for.

Any ideas/pointers for accomplishing this on the iOS devices?

MST
Contributor

Sorry to interrupt this post. Looks like I am looking for this solution with off-site MacBook Airs. Silly question: how can I authenticate the VPN client with user and password + IP of the concentrator? Thank you