- Jamf Nation Community
- Products
- Jamf Pro
- VPN configuration profile help on the Mac side
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 09:16 AM
I would like to provide a .mobileconfig file to our remote Mac (not iOS) users that pre-populates the VPN settings for our organization. I have generated one and it works all except for the fact that I cannot get the profile to properly control the setting for "Send all Traffic Over VPN". I need that setting to be on (in a checked state).
Here is my profile (with location specifics masked). Can anyone let me know where I might be going wrong? I thank folks in advance. I will note that Apple suggests use of the OverridePrimary key in their documentation. It doesn't seem to work though. The profile works other than that functionality though so if anyone knows perhaps a way that "Send all traffic over VPN" can be toggled in a script, that would work too.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>HasRemovalPasscode</key>
<false/>
<key>PayloadContent</key>
<array>
<dict>
<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>SharedSecret</key>
<data>
OURSHAREDSECRETDATAHERE
</data>
</dict>
<key>OverridePrimary</key>
<true/>
<key>PPP</key>
<dict>
<key>AuthName</key>
<string>USERNAMEHERE</string>
<key>CommRemoteAddress</key>
<string>ADDRESSHERE</string>
<key>OnDemandEnabled</key>
<integer>0</integer>
</dict>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>VPN</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>D8AC2374-5961-4F2A-A829-183AEFC3C67F.com.apple.vpn.managed.F100F9D8-D668-4AAB-9AC7-C0EFBC09CC9A</string>
<key>PayloadOrganization</key>
<string>OUR ORGANIZATION HERE</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>21D4B909-964C-4ACE-AA12-C081FB47A88A</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict>
<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>
<key>ProxyAutoConfigEnable</key>
<integer>0</integer>
<key>ProxyAutoDiscoveryEnable</key>
<integer>0</integer>
</dict>
<key>UserDefinedName</key>
<string>MacVPN</string>
<key>VPNType</key>
<string>L2TP</string>
</dict>
</array>
<key>PayloadDescription</key>
<string></string>
<key>PayloadDisplayName</key>
<string>MacVPN</string>
<key>PayloadEnabled</key>
<true/>
<key>PayloadIdentifier</key>
<string>D8AC2374-5961-4F2A-A829-183AEFC3C67F</string>
<key>PayloadOrganization</key>
<string>OUR ORGANIZATION NAME HERE</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>C37953EF-AD55-4889-AFDA-998361FA10F0</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>Solved! Go to Solution.
1 ACCEPTED SOLUTION
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-28-2013 05:50 AM
Use iPCU for Mac? Configurator is intentionally simplified; I was told by an Apple employee who will not be named that it was made for librarians who have to manage iPads.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 10:37 AM
Before we went with a public JSS we used the apple configuratior tool and created config profiles, which casper installed. (through a script as pushing it wasn't optimal for us at that time)
I found it worked a lot better on keeping settings we wanted for our vpn's (it also had the added bonus of not allowing the user to remove the vpn)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 10:54 AM
Okay absolute strangeness...I got it to work using a profile, but instead of using Apple Configurator or the JSS (which I tried regenerating the profile numerous times with numerous different profile names)....would folks believe that I got it to work using iPhone Configuration Utility for Windows 3.6.2 (yes...I used iPCU for Windows to write a profile to control Macs where Configurator wasn't working for some reason). I am thoroughly baffled, but it works the way we want it. Anyway, I am later going to export the profile created on iPCU for Windows and compare it to the one I posted and see if that helps me understand.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 11:01 AM
The windows version of the apple configurator has more features than the mac version. Eg the ability to watch a live log from the apple tv, or the ability to add wild cards to the Wireless profiles allowable Certs.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 11:02 AM
for those interested in comparisons, here is the profile that was generated from iPCU. The above profile was generated from Casper, imported into Configurator and exported as text. (using a straight Casper profile, exported and installed to a machine didn't work either). Makes no sense, but whatever, the problem is solved.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>EAP</key>
<dict/>
<key>IPSec</key>
<dict>
<key>AuthenticationMethod</key>
<string>SharedSecret</string>
<key>SharedSecret</key>
<data>
SECRETHERE
</data>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
<key>PPP</key>
<dict>
<key>CommRemoteAddress</key>
<string>ADDRESSHERE</string>
</dict>
<key>PayloadDescription</key>
<string>Configures VPN settings, including authentication.</string>
<key>PayloadDisplayName</key>
<string>VPN (MacVPN)</string>
<key>PayloadIdentifier</key>
<string>OURIDENTIFIERHEREINREVERSEDOMAIN</string>
<key>PayloadOrganization</key>
<string>OURCORPORATENAMEHERE</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>1C873876-4AB0-4AA1-9893-72CD2B5C72CE</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>Proxies</key>
<dict/>
<key>UserDefinedName</key>
<string>MacVPN</string>
<key>VPNType</key>
<string>L2TP</string>
</dict>
</array>
<key>PayloadDescription</key>
<string>Profile description.</string>
<key>PayloadDisplayName</key>
<string>CONNECTIONNAMEHERE</string>
<key>PayloadIdentifier</key>
<string>REVERSEDOMAINHERE</string>
<key>PayloadOrganization</key>
<string>OURCORPORATENAMEHERE</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>A98F68F0-A5CE-491D-85DE-E13A4C35136B</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 11:05 AM
might wanna remove the IP and shared secret on your post ^
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 11:05 AM
double post!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 11:05 AM
you beat me...i caught it. We'll need to change that now though...du'oh
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-27-2013 11:05 AM
Now that I've read on it and compared the profiles myself, yeah...that's honestly quite sad...the profile that I originally posted seems to handle that with a </true>setting...the one below handles it with an integer of 1. The one below also embeds the setting in a separate <dict>. sighs...why is the Windows version of iPCU more beefy than Apple's own Configurator for Mac. That just defies logic.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-28-2013 05:50 AM
Use iPCU for Mac? Configurator is intentionally simplified; I was told by an Apple employee who will not be named that it was made for librarians who have to manage iPads.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-28-2013 07:07 PM
I would use iPCU for Mac except that it hasn't been updated since 3.5 on the Mac side and it's on 3.6.2 on the Windows side. 3.6.2 supports iOS 6.1...I'm guessing the old build might have worked, but I tend to like using later tools.
As for Configurator, I definitely don't like it and about the only thing I use it for is when I have to quickly get apps out to student iPads without using an Apple ID scheme. Anyway, a done deal and I now have a working installer package for our VPN that makes use of profiles. I'm not required to support 10.6 so this method will work well.
