Installing VPN Profiles using Self Service


Our company is a support company. It's difficult to keep up with all the VPN settings for all of our different clients so we've devised a way to install the VPN profiles on the Mac using Self Service. It's not full proof, and requires a small amount of user interaction, then end user has to manually populate their credentials. But it works! More importantly, it works with multiple network locations. If the active location is missing the VPN setting, you can open Self Service and install the profile again and it will become part of that network location as well.

This solution requires 3 separate parts: a profile that is packaged as a dmg, a script and a policy.
The profile is created in Casper and downloaded from it using the URL https://<>:8443/exportOSXConfigurationProfile.html. I place it in /Users/Shared and package it up in Composer as a .dmg. It will only live here temporarily. We'll delete it as part of the script.

The script is rather simple. I call it It accepts a variable as the profile name. I recommend you pass the script the absolute path of the profile rather that figuring out casper's working directory. It automatically opens the Network Pref pane after installing the profile so the end user can put in their settings. And then deletes the profile from its temporary location.

# Nick Koval - élan Technologies 2013
# install the passed profile
profiles -I -F "$4"

# open the network pref pane
/usr/bin/open /System/Library/PreferencePanes/Network.prefpane

# remove the profile
rm -rf "$4"

Once the script is uploaded to Casper Admin, I set the priority to "After" and the variable label for #4 to "Profile."

Finally the Policy. The policy is a Self Service policy that installs one package, runs one script and updates inventory (force of habit). The package places the profile in /Users/Shared/. The script installs the profile we pass to it. In my case /Users/Shared/<profliename>.mobileconfig and then opens the network pref pane and deletes the profile from /Users/Shared.

The policy includes this in the Self Service description (which is a required view) to let the user know that they have to do something. "System Preferences will automatically open once the install is completed. Please select the VPN interface. Enter your AD Username for Account Name, click the Authentication Settings button and enter your AD password in the password field, then click Okay and finally, click Apply to complete the installation."

If you use this, please post to this discussion. I'd like to know if anyone else is using this approach and if so how it worked for you.


Contributor III

Impressive work.

This requires Administrative access, right? To add the AD account name, you need to unlock the Network preference pane, or is there something I'm missing?

Valued Contributor II

We do something a bit different. Instead of telling casper which vpn (which would require a bit more scripting and a preset naming convention) we just tell it any Config profile in a folder.

#insert vpn
profiles -I -F /Library/Application Support/JAMF/VPN/*.mobileconfig

#remove the config file
rm /Library/Application Support/JAMF/VPN/*.mobileconfig

- RD


tuinte - you are correct regarding the authentication in the Network Pref pane. In our case all of our techs are admins on their own boxes. In some cases, a client only has only given us one account to share between all the techs. In those cases the credentials are hard coded into the profile and no one needs to change anything.