"Always-On VPN" - Only when Off-site

beedee
New Contributor III

Hi,

We have IKEv2 profiles pushed from JSS, enforcing always-on VPN (edit: on iOS devices), which is really, really, good.

However, we have issues with printing (edit: using PaperCut Mobility printing [not dependent on bonjour, but... still not working]) and are investigating mechanisms to limit the VPN to apply only when the client is Off-Site.

How might this be achieved? The only thing we can see is the Limitations tab of a configuration profile. How does the device "know" that the limitation has come into effect or not? Does it require a check-in / inventory update for the realisation to occur? Won't that mean that there will be delays / gaps on when the profile needs to be applicable? What if a user blocks connectivity on their own network to the JSS server?

Bilal


jared_f
Valued Contributor

@beedee,

We use a script to monitor our wireless to make sure that our users don't join our guest network; if they do, it triggers a script to kick them off the wireless. Another use for this script is to allow users outside the network to have a profile installed (i.e. VPN) (away from company wireless) once they log in, and it will be removed once they arrive back near your company wireless. Here is the modified script I made from the original wireless monitoring script on Jamf Nation.

This would all have to be run locally: you would have to download your VPN configuration profile and place it (it is named vpn.mobileconfig in this script) in /Library. Also, define your organization's wireless name, and now the only thing you have to worry about is triggering this script. Personally, I would trigger it at login with a daemon on the system (so it will trigger even if it can't reach the JSS) and also have it stored in the JSS and have it run under a network change trigger.

To deploy this, I would create a custom package with Composer and deploy it with Jamf. Obviously, test all of this first. I just quickly modified a script and tested it on my local machine.

Script:

#!/bin/bash

# Monitor & Manage Profiles
# Jared F. (modified from @delbrown's WiFi Monitor & Manage script)
# Last Modified: 8/8/17
#
# Logic: if a company SSID is in range, remove the locally stored VPN
# profile; if none is in range, install it. Then, if the Mac is joined to a
# non-company SSID while a company SSID is in range, disconnect and re-join
# the company network.
#
# Begin Variable Definitions
# Replace "WIFINAME" with your school WiFi (space-separated list of SSIDs;
# SSIDs that themselves contain spaces are not supported by the simple
# word-split loops below). Leaving it empty will disconnect from any network.

WifiWhitelist="WIFINAME"

# Wi-Fi interface: look it up rather than assuming en0 (Macs with a wired
# port often have Wi-Fi on en1); fall back to en0 if the lookup finds nothing.
WifiDevice=$(networksetup -listallhardwareports | awk '/^Hardware Port: (Wi-Fi|AirPort)$/{getline; print $2; exit}')
WifiDevice="${WifiDevice:-en0}"

# Locally stored VPN profile (profiles -I/-R on a device profile must run as root)
VPNProfile="/Library/vpn.mobileconfig"
Airport="/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport"

# End of Variable Definitions

# Begin Function Declarations
connect ()
{
for CompanyNetwork in $WifiWhitelist
    do
        # loop through whitelist and try to join each whitelisted network
        # (no password is passed, so the network must already be known to the Mac)
        echo " Available Network ""$CompanyNetwork"
        networksetup -setairportnetwork "$WifiDevice" "$CompanyNetwork" &>/dev/null
    done
}

disconnect ()
{
echo "Time to disconnect"
# send disconnect command to the Wi-Fi interface (airport -z needs root)
"$Airport" -z
}

onCompanyNetwork ()
{
# Test to see if the company network has been joined.
# networksetup prints "Current Wi-Fi Network: <SSID>", so split on ": ";
# the previous '{print $4}' only returned the first word of the SSID.
MyWifi=`networksetup -getairportnetwork "$WifiDevice" | awk -F': ' '{print $2}'`

# Nothing to do if a whitelisted network is joined; exit 0 so a Jamf policy
# running this script is not logged as failed on the normal path.
for AllowedID in $WifiWhitelist
    do
        if [ "$AllowedID" == "$MyWifi" ]
            then # Asset is on the company network
            echo "I am connected to the Company Network ""$AllowedID"
            exit 0
        fi
    done

echo "Device is not connected to Company Network so disconnect and reconnect to the proper wireless."
disconnect
connect
exit 0
}

atCompany ()
{
# airport -s prints a header line ("SSID BSSID ...") first, so skip it (NR>1).
# The SSID is the first column; multi-word SSIDs would be truncated here.
WifiAvailable=`"$Airport" -s | awk 'NR>1 {print $1}'`
# Test to see if the Asset is at the company by scanning for company wireless
for ScannedNetwork in $WifiAvailable
    do
        for CompanyNetwork in $WifiWhitelist
            do
                if [ "$CompanyNetwork" == "$ScannedNetwork" ]
                    then
                        AssetAtCompany="Yes"
                        echo "The device is at the company, remove the local VPN profile."
                        /usr/bin/profiles -R -F "$VPNProfile"
                        return
                fi
            done
    done
AssetAtCompany="No"
echo "Asset is not at the company, install the local VPN connection."
/usr/bin/profiles -I -F "$VPNProfile"
exit 0
}
# End Function Declarations

#########################

#program starts here
atCompany
onCompanyNetwork

Let me know if you have any questions,
Jared
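The boot/network-change trigger that the post above describes but does not show, as an added example that is not part of the original post or of Jared's script: a LaunchDaemon that runs the script as root when the daemon loads and again whenever the network configuration changes, so it works even when the JSS is unreachable. The label com.example.vpnlocation, the script path /Library/Scripts/vpnlocation.sh and the log path are assumptions; rename them to match your deployment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- Hypothetical label; use your own reverse-DNS namespace -->
    <key>Label</key>
    <string>com.example.vpnlocation</string>

    <!-- Assumed location of the monitoring script from the post above -->
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>/Library/Scripts/vpnlocation.sh</string>
    </array>

    <!-- Run once when launchd loads the daemon (i.e. at boot) -->
    <key>RunAtLoad</key>
    <true/>

    <!-- Re-run whenever the network configuration changes: these files are
         rewritten when interfaces come up/down or DNS settings change -->
    <key>WatchPaths</key>
    <array>
        <string>/Library/Preferences/SystemConfiguration/NetworkInterfaces.plist</string>
        <string>/private/var/run/resolv.conf</string>
    </array>

    <!-- Assumed log location; useful when checking why a profile did or did not flip -->
    <key>StandardOutPath</key>
    <string>/var/log/vpnlocation.log</string>
    <key>StandardErrorPath</key>
    <string>/var/log/vpnlocation.log</string>
</dict>
</plist>
```

Save it as /Library/LaunchDaemons/com.example.vpnlocation.plist, owned by root:wheel with mode 644, and load it with `sudo launchctl load /Library/LaunchDaemons/com.example.vpnlocation.plist` (or `launchctl bootstrap system ...` on newer macOS). Two caveats a practitioner should expect: WatchPaths frequently fires more than once per network change, so the script must tolerate being run repeatedly (removing a profile that is already absent or installing one that is already present is harmless here); and a daemon fires at boot rather than at user login, so if you specifically need the login trigger, pair it with the Jamf login or network-state-change policy trigger mentioned in the post. Note also that from macOS 11 the `profiles` command can no longer install configuration profiles non-interactively, so this local install/remove approach only works on older macOS releases.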

jared_f
Valued Contributor

^If this is a Mac environment.

beedee
New Contributor III

Really so sorry - I didn't mention and this concerns iOS devices.

jared_f
Valued Contributor

@beedee No problem. Did you ever think of just pushing out the VPN settings and having the user trigger it, or just having the VPN on for specific apps?

beedee
New Contributor III

@jared_f Yes - but no, we want the VPN to be enforced, and for everything.

beedee
New Contributor III

Would be good to exclude MDM activity from the Always-On VPN.
We've been having issues with the VPN, and can't send commands because they're not connecting.
Any ideas would be welcome.

jared_f
Valued Contributor

@beedee We noticed the same issues with MDM activity over VPN. I am not sure what industry you are in - but for our use, we only need VPN for users to remote in from their iPads to their workstations. Using the per app VPN works for us. What is your goal with your VPN? To have all traffic flow over the VPN? You could use something like iBeacon to exclude devices from the VPN profile on site, and then put it on when they leave. Unfortunately, there could always be delays.

beedee
New Contributor III

@jared_f Hi Jared,

We're in K-12 edu (AU), and want to ensure that all web traffic is being filtered and monitored for certain duty of care risks.

We also have a strict policy to allow only certain apps, but have still not managed to clamp down on all violations. Still struggling between DEP and non-DEP camps, and have removed App Store and things like that. Still have some iPad 2 devices...

In summary: a boring device used just for school work, no YouTube, etc.

jared_f
Valued Contributor

@beedee

That is a very tough situation. There are other solutions to monitor web traffic via a proxy - you would have to take a look at your network situation. Also, I know there is a profile for web content filtering, but it is very limited.

Like you, I have been testing limiting apps - we actually restrict the use of VPN apps because our network is filtered via OpenDNS. I did this by creating a group to look for VPN apps and then, if a device has one, it locks down the device with a bunch of restrictions. You could try this to crack down on violations.

AircoMDM
New Contributor

Brand new to Jamf. I'm trying to figure out how to implement the Per-App VPN. It seems to work fine off the domain. However, it still tries to use the VPN even when the user is on the domain. How can I prevent that?

We are using SonicWall.