Posted on 05-15-2023 07:22 AM
How can I find out if a Mac is connected to a VPN? Does it depend on the app (for Cisco AnyConnect and Pulse it would be different), or is there any generic way in macOS?
Posted on 05-15-2023 07:28 AM
@Asifahmed One common way that's used to determine if a Mac is on an institutional network, not necessarily VPN, is to look up the IP address of a known host and see if the result is for the internal versus external network (or it may be an address that doesn't resolve externally). Looking specifically for a VPN connection being active is trickier because there is no single mechanism that will identify if a VPN client has an active tunnel.
Posted on 05-15-2023 09:13 AM
I use an EA to know whether the computer is connected to the VPN. This EA displays the DNS server when it is connected to the VPN.
#!/bin/bash
# Jamf Extension Attribute: report the value of the "Client Address (IPv4):" line from the AnyConnect CLI
echo "<result>$(/opt/cisco/anyconnect/bin/vpn stats | grep "Client Address (IPv4):" | awk '{print $4}')</result>"
exit 0
Posted on 05-15-2023 10:47 AM
A VPN should have a predictable IP range, looking for computers within that range should be sufficient for 99.9% of cases. Beyond that, you need to look into what options your specific VPN client has to gather this information.
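Putting the two client-independent suggestions in this thread into one script (resolving a known internal host and classifying the answer, and checking whether any local interface address falls inside the VPN's pool), as an added example that is not part of any post here: the host name and the two ranges are placeholders to replace with your own, the `ifconfig -a` text is a constructed sample, and the live lookups run only on macOS. It goes a little beyond the posts by validating the address and doing the CIDR test in plain shell arithmetic, so it needs neither ipcalc nor a Python interpreter on the client.

```bash
#!/bin/bash
# Added example: two generic checks that do not depend on any particular VPN client.
#  1. classify a DNS answer for a known internal host as internal / external / unresolved
#  2. list local interface addresses that fall inside the VPN's address pool
# Hypothetical values to replace with your own:
KNOWN_HOST="intranet.example.com"   # resolves only (or to a private address only) from inside
INTERNAL_RANGE="10.0.0.0/8"         # where an "inside" answer for KNOWN_HOST lands
VPN_RANGE="10.20.0.0/16"            # pool the VPN concentrator assigns to clients

# Constructed sample of `ifconfig -a` output with one tunnel interface up.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
	inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
utun4: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1400
	inet 10.20.5.7 --> 10.20.5.7 netmask 0xffff0000'

# ip2int A.B.C.D -> 32-bit integer; fails on anything that is not four octets in 0-255
ip2int() {
  local IFS=. o n=0
  set -- $1
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$(( (n << 8) | o ))
  done
  echo "$n"
}

# in_cidr ADDR NET/BITS -> exit 0 when ADDR is inside NET/BITS, 1 when outside, 2 on malformed input
in_cidr() {
  local a n bits mask
  case "$2" in */*) ;; *) return 2 ;; esac
  bits=${2#*/}
  case "$bits" in [0-9]|[12][0-9]|3[0-2]) ;; *) return 2 ;; esac
  a=$(ip2int "$1") || return 2
  n=$(ip2int "${2%/*}") || return 2
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( a & mask )) -eq $(( n & mask )) ]
}

# classify_resolution RESOLVED_ADDR NET/BITS -> internal | external | unresolved | malformed
classify_resolution() {
  local rc=0
  [ -n "$1" ] || { echo unresolved; return; }
  in_cidr "$1" "$2" || rc=$?
  case $rc in 0) echo internal ;; 1) echo external ;; *) echo malformed ;; esac
}

# addrs_in_range IFCONFIG_TEXT NET/BITS -> "iface addr" for every IPv4 address inside the range
addrs_in_range() {
  local iface addr
  printf '%s\n' "$1" |
    awk '/^[a-z0-9]+:/ { iface = substr($1, 1, length($1) - 1) }
         $1 == "inet"  { print iface, $2 }' |
    while read -r iface addr; do
      if in_cidr "$addr" "$2"; then echo "$iface $addr"; fi
    done
}

# resolve_a HOST -> first IPv4 answer from dig, empty when the name does not resolve
resolve_a() {
  dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Demo on constructed inputs (no network needed):
classify_resolution "10.3.4.5" "$INTERNAL_RANGE"     # internal
classify_resolution "203.0.113.9" "$INTERNAL_RANGE"  # external
classify_resolution "" "$INTERNAL_RANGE"             # unresolved
addrs_in_range "$SAMPLE_IFCONFIG" "$VPN_RANGE"       # utun4 10.20.5.7

# Live checks, only on macOS:
if [ "$(uname)" = "Darwin" ]; then
  echo "$KNOWN_HOST: $(classify_resolution "$(resolve_a "$KNOWN_HOST")" "$INTERNAL_RANGE")"
  addrs_in_range "$(/sbin/ifconfig -a)" "$VPN_RANGE"
fi
```

The DNS check answers "am I on the corporate network", not "is the VPN client up": with split tunnelling the internal host may resolve while most traffic leaves the tunnel, and a cached answer can outlive the tunnel. The address-range check is the more direct test for a VPN, but only if the pool is really reserved for VPN clients and not reused on the wired LAN.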
Posted on 05-16-2023 06:34 AM
Depending on how far down the rabbit hole you want to go (and whether you want to detect VPN on the client-side or from Jamf), you can play with some different things:
Posted on 05-18-2023 01:37 PM
In the days we used Pulse as a VPN, it was easy to query scutil and check for any virtual NICs created (like from a VPN...). So that's what I did. If you're on Pulse it may just work for you out of the box, or you may have to tweak it.
#!/bin/bash
# VPN IP.sh
#
#
# Created by Corfman, Ed on 6/3/21.
#
## Get the current Network information with a system configuration command
VPNlink=$( /usr/sbin/scutil --nwi )
## Parse the Network information for the first utun entry that has an IPv4 address
## (picking a fixed line with "sed -n 5p" breaks as soon as the interface order changes)
pulseIP=$( printf '%s\n' "$VPNlink" | /usr/bin/awk '/^IPv6 network/ { exit } $2 == ":" && $3 == "flags" { iface = ($1 ~ /^utun[0-9]+$/) ? $1 : ""; next } iface != "" && $1 == "address" { print $NF; exit }' )
## Report the tunnel address when a utun interface with an address is listed, otherwise report no connection
if [[ "$VPNlink" == *"utun"* && -n "$pulseIP" ]]; then
  echo "<result>$pulseIP</result>"
  exit 0
else
  echo "<result>Pulse Secure VPN is not connected</result>"
fi
exit 0
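A parser for `scutil --nwi` that does not depend on the address sitting on a fixed line, as an added example (not Ed's script, and nothing from Pulse or Jamf): it reports only utun interfaces that carry an IPv4 address in the IPv4 section of the output, which is a stricter test than matching the string "utun" anywhere in the text. The two `scutil --nwi` texts below are constructed samples in the layout the command prints; on a Mac the script reads the real output instead.

```bash
#!/bin/bash
# Added example: report VPN tunnel interfaces from `scutil --nwi` without relying on a line number.
# Output uses the Jamf extension-attribute <result> wrapper used elsewhere in this thread.

# Constructed sample of `scutil --nwi` output with one active tunnel (utun3).
SAMPLE_NWI='Network information

IPv4 network interface information
     en0 : flags      : 0x5 (IPv4,DNS)
           address    : 192.168.0.12
           reach      : 0x00000002 (Reachable)
     utun3 : flags      : 0x5 (IPv4,DNS)
           address    : 10.8.0.6
           reach      : 0x00000002 (Reachable)

   REACH : flags 0x00000002 (Reachable)

IPv6 network interface information
     utun3 : flags      : 0x5 (IPv6,DNS)
           address    : fd00::1
           reach      : 0x00000002 (Reachable)

Network interfaces: en0 utun3'

# Constructed sample with no tunnel: only the wired/wireless interface.
SAMPLE_NWI_NOVPN='Network information

IPv4 network interface information
     en0 : flags      : 0x5 (IPv4,DNS)
           address    : 192.168.0.12
           reach      : 0x00000002 (Reachable)

IPv6 network interface information
   No IPv6 states found

Network interfaces: en0'

# tunnel_addrs_from_nwi NWI_TEXT -> one "utunN address" line per tunnel interface with an IPv4 address
tunnel_addrs_from_nwi() {
  printf '%s\n' "$1" | awk '
    /^IPv6 network interface information/ { exit }          # only the IPv4 section counts
    $2 == ":" && $3 == "flags" { iface = ($1 ~ /^utun[0-9]+$/) ? $1 : ""; next }
    iface != "" && $1 == "address" { print iface, $3; iface = "" }
  '
}

# vpn_ea_result NWI_TEXT -> Jamf EA result line
vpn_ea_result() {
  local found
  found=$(tunnel_addrs_from_nwi "$1")
  if [ -n "$found" ]; then
    printf '<result>%s</result>\n' "$(printf '%s' "$found" | tr '\n' ' ')"
  else
    printf '<result>No tunnel interface with an IPv4 address</result>\n'
  fi
}

# On a Mac read the live output; elsewhere demonstrate on the constructed samples.
if [ -x /usr/sbin/scutil ]; then
  vpn_ea_result "$(/usr/sbin/scutil --nwi)"
else
  vpn_ea_result "$SAMPLE_NWI"         # <result>utun3 10.8.0.6</result>
  vpn_ea_result "$SAMPLE_NWI_NOVPN"   # <result>No tunnel interface with an IPv4 address</result>
fi
```

A utun interface with an address is evidence of some tunnel, not necessarily your corporate VPN (the later post about Zscaler makes the same point), so in a Jamf EA this is best combined with a check that the reported address falls inside the VPN's known pool.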
Posted on 05-19-2023 03:14 AM
Thanks
Posted on 11-09-2023 09:34 AM
@easyedc Thanks for the helpful post. I was wondering if I could modify this for Cisco AnyConnect in the same manner, not sure if you've had anyone run that question out to you since Cisco is in most IT infrastructures?
I'll play around with your script and see if I can get it to work regarding Cisco VPN (AnyConnect).
Posted on 11-09-2023 11:37 AM
I don't really know much about AnyConnect, other than it exists. I've never been in an organization that uses it. Using the same scutil command now
/usr/sbin/scutil --nwi
doesn't provide a tunneled IP address, so it's all a matter of how Cisco operates. I'm currently using Zscaler (which is an always-on VPN); it just spits out my current IP address on my home network. It doesn't get a unique VPN address, so as a result this is less helpful than it was in the past.
Posted on 02-16-2024 05:45 AM
Just wanted to leave my solution specifically for Cisco Secure Client. I don't have a Cisco AnyConnect client to test this, but it just might work if you change the path to the command.
#!/bin/bash
# Check if the Cisco Secure Client VPN is active
vpn_status=$(/opt/cisco/secureclient/bin/vpn status | grep -Eo "state: (Connected|Reconnecting)")
# If you have Cisco AnyConnect, you can try this path instead. I have not tested this.
# vpn_status=$(/opt/cisco/anyconnect/bin/vpn status | grep -Eo "state: (Connected|Reconnecting)")
if [ -n "$vpn_status" ]; then
  echo "Cisco VPN is active."
else
  echo "No active Cisco VPN connection."
fi
I had to also search for "Reconnecting" since that also was an indication that a connection was going on.
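The same idea as a Jamf EA that reports both the state and the client address and treats Reconnecting as still connected, as an added example that is not the poster's script and not Cisco's documented output: the `vpn status` and `vpn stats` texts are constructed samples in the shape of those two commands, the parser takes the last state line because the CLI can print it more than once, and the script tries the Secure Client path first and falls back to the AnyConnect path (untested on AnyConnect, as in the post above).

```bash
#!/bin/bash
# Added example: Jamf EA for Cisco Secure Client / AnyConnect that reports the tunnel state
# and the client address, counting Reconnecting as "still connected".

# Constructed samples in the shape of `vpn status` and `vpn stats` output.
SAMPLE_STATUS='  >> state: Connected
  >> state: Connected
  >> notice: Connected to vpn.example.com.'
SAMPLE_STATUS_RECONNECT='  >> state: Reconnecting
  >> notice: Network changed, reconnecting.'
SAMPLE_STATUS_DOWN='  >> state: Disconnected'
SAMPLE_STATS='  Connection Information
    State:                      Connected
    Tunnel Mode (IPv4):         Split Include
  Address Information
    Client Address (IPv4):      10.44.3.21
    Server Address:             203.0.113.10'
SAMPLE_STATS_DOWN='  Connection Information
    State:                      Disconnected'

# cisco_state STATUS_TEXT -> last reported state word, or "unknown" when there is no state line
cisco_state() {
  local s
  s=$(printf '%s\n' "$1" | awk '$1 == ">>" && $2 == "state:" { st = $3 } END { print st }')
  echo "${s:-unknown}"
}

# cisco_vpn_active STATUS_TEXT -> exit 0 when the tunnel is up or being re-established
cisco_vpn_active() {
  case "$(cisco_state "$1")" in
    Connected|Reconnecting) return 0 ;;
    *) return 1 ;;
  esac
}

# cisco_client_addr STATS_TEXT -> the client IPv4 address from `vpn stats`, empty if absent
cisco_client_addr() {
  printf '%s\n' "$1" | awk '/Client Address \(IPv4\):/ { print $NF; exit }'
}

# cisco_ea_result STATUS_TEXT STATS_TEXT -> Jamf EA <result> line
cisco_ea_result() {
  local state addr
  state=$(cisco_state "$1")
  if cisco_vpn_active "$1"; then
    addr=$(cisco_client_addr "$2")
    printf '<result>%s %s</result>\n' "$state" "${addr:-no-address}"
  else
    printf '<result>Not connected (%s)</result>\n' "$state"
  fi
}

# Prefer the Secure Client path, fall back to the older AnyConnect path (untested here).
CISCO_VPN=""
for candidate in /opt/cisco/secureclient/bin/vpn /opt/cisco/anyconnect/bin/vpn; do
  if [ -x "$candidate" ]; then CISCO_VPN=$candidate; break; fi
done

if [ -n "$CISCO_VPN" ]; then
  cisco_ea_result "$("$CISCO_VPN" status)" "$("$CISCO_VPN" stats)"
else
  # No client installed: demonstrate on the constructed samples.
  cisco_ea_result "$SAMPLE_STATUS" "$SAMPLE_STATS"             # <result>Connected 10.44.3.21</result>
  cisco_ea_result "$SAMPLE_STATUS_RECONNECT" "$SAMPLE_STATS"   # <result>Reconnecting 10.44.3.21</result>
  cisco_ea_result "$SAMPLE_STATUS_DOWN" "$SAMPLE_STATS_DOWN"   # <result>Not connected (Disconnected)</result>
fi
```

Keeping the state word in the result (rather than a bare yes/no) lets you build separate smart groups for machines that are stuck in Reconnecting, which is usually the population worth looking at when users report the VPN "not working".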