VPN configuration profile help on the Mac side

blackholemac
Valued Contributor III

I would like to provide a .mobileconfig file to our remote Mac (not iOS) users that pre-populates the VPN settings for our organization. I have generated one and it all works except for the fact that I cannot get the profile to properly control the setting for "Send all Traffic Over VPN". I need that setting to be on (in a checked state).

Here is my profile (with location specifics masked). Can anyone let me know where I might be going wrong? I thank folks in advance. I will note that Apple suggests use of the OverridePrimary key in their documentation. It doesn't seem to work though. The profile works other than that functionality though so if anyone knows perhaps a way that "Send all traffic over VPN" can be toggled in a script, that would work too.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>HasRemovalPasscode</key>
    <false/>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>SharedSecret</key>
                <data>
                OURSHAREDSECRETDATAHERE
                </data>
            </dict>
            <key>OverridePrimary</key>
            <true/>
            <key>PPP</key>
            <dict>
                <key>AuthName</key>
                <string>USERNAMEHERE</string>
                <key>CommRemoteAddress</key>
                <string>ADDRESSHERE</string>
                <key>OnDemandEnabled</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>VPN</string>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>D8AC2374-5961-4F2A-A829-183AEFC3C67F.com.apple.vpn.managed.F100F9D8-D668-4AAB-9AC7-C0EFBC09CC9A</string>
            <key>PayloadOrganization</key>
            <string>OUR ORGANIZATION HERE</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>21D4B909-964C-4ACE-AA12-C081FB47A88A</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict>
                <key>HTTPEnable</key>
                <integer>0</integer>
                <key>HTTPSEnable</key>
                <integer>0</integer>
                <key>ProxyAutoConfigEnable</key>
                <integer>0</integer>
                <key>ProxyAutoDiscoveryEnable</key>
                <integer>0</integer>
            </dict>
            <key>UserDefinedName</key>
            <string>MacVPN</string>
            <key>VPNType</key>
            <string>L2TP</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string></string>
    <key>PayloadDisplayName</key>
    <string>MacVPN</string>
    <key>PayloadEnabled</key>
    <true/>
    <key>PayloadIdentifier</key>
    <string>D8AC2374-5961-4F2A-A829-183AEFC3C67F</string>
    <key>PayloadOrganization</key>
    <string>OUR ORGANIZATION NAME HERE</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>C37953EF-AD55-4889-AFDA-998361FA10F0</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

rderewianko
Valued Contributor II

Before we went with a public JSS we used the Apple Configurator tool and created config profiles, which Casper installed (through a script, as pushing it wasn't optimal for us at that time).

I found it worked a lot better at keeping the settings we wanted for our VPNs (it also had the added bonus of not allowing the user to remove the VPN).

blackholemac
Valued Contributor III

Okay absolute strangeness...I got it to work using a profile, but instead of using Apple Configurator or the JSS (which I tried regenerating the profile numerous times with numerous different profile names)....would folks believe that I got it to work using iPhone Configuration Utility for Windows 3.6.2 (yes...I used iPCU for Windows to write a profile to control Macs where Configurator wasn't working for some reason). I am thoroughly baffled, but it works the way we want it. Anyway, I am later going to export the profile created on iPCU for Windows and compare it to the one I posted and see if that helps me understand.

rderewianko
Valued Contributor II

The Windows version of the Apple Configurator has more features than the Mac version, e.g. the ability to watch a live log from the Apple TV, or the ability to add wildcards to the wireless profile's allowable certs.

blackholemac
Valued Contributor III

For those interested in comparisons, here is the profile that was generated from iPCU. The above profile was generated from Casper, imported into Configurator and exported as text (using a straight Casper profile, exported and installed to a machine, didn't work either). Makes no sense, but whatever, the problem is solved.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>EAP</key>
            <dict/>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>SharedSecret</key>
                <data>
                SECRETHERE
                </data>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>1</integer>
            </dict>
            <key>PPP</key>
            <dict>
                <key>CommRemoteAddress</key>
                <string>ADDRESSHERE</string>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings, including authentication.</string>
            <key>PayloadDisplayName</key>
            <string>VPN (MacVPN)</string>
            <key>PayloadIdentifier</key>
            <string>OURIDENTIFIERHEREINREVERSEDOMAIN</string>
            <key>PayloadOrganization</key>
            <string>OURCORPORATENAMEHERE</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>1C873876-4AB0-4AA1-9893-72CD2B5C72CE</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict/>
            <key>UserDefinedName</key>
            <string>MacVPN</string>
            <key>VPNType</key>
            <string>L2TP</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Profile description.</string>
    <key>PayloadDisplayName</key>
    <string>CONNECTIONNAMEHERE</string>
    <key>PayloadIdentifier</key>
    <string>REVERSEDOMAINHERE</string>
    <key>PayloadOrganization</key>
    <string>OURCORPORATENAMEHERE</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A98F68F0-A5CE-491D-85DE-E13A4C35136B</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

rderewianko
Valued Contributor II

might wanna remove the IP and shared secret on your post ^

rderewianko
Valued Contributor II

double post!

blackholemac
Valued Contributor III

You beat me...I caught it. We'll need to change that now though...d'oh

blackholemac
Valued Contributor III

Now that I've read on it and compared the profiles myself, yeah...that's honestly quite sad...the profile that I originally posted seems to handle that with a <true/> setting...the one below handles it with an integer of 1. The one below also embeds the setting in a separate <dict>. sighs...why is the Windows version of iPCU more beefy than Apple's own Configurator for Mac? That just defies logic.
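
An added example, not part of any post in this thread: a small Python check that reports, for each `com.apple.vpn.managed` payload in an unsigned .mobileconfig, whether `OverridePrimary` sits where the working iPCU profile put it (integer 1 inside the `IPv4` dict) or at the payload's top level as in the profile that did not work. The status names and the sample profiles are constructed for illustration.

```python
import plistlib
import sys

VPN_TYPE = "com.apple.vpn.managed"

def _profile(vpn_keys):
    """Build a minimal constructed profile around one VPN payload."""
    payload = {"PayloadType": VPN_TYPE, "PayloadVersion": 1,
               "UserDefinedName": "MacVPN", "VPNType": "L2TP"}
    payload.update(vpn_keys)
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadVersion": 1,
                           "PayloadContent": [payload]})

# Constructed samples mirroring the two layouts compared in the thread.
TOP_LEVEL_LAYOUT = _profile({"OverridePrimary": True})   # did not work
IPV4_LAYOUT = _profile({"IPv4": {"OverridePrimary": 1}})  # worked

def audit_vpn_profile(raw):
    """Return (UserDefinedName, status) for every VPN payload in the profile.

    Assumes an unsigned profile; a CMS-signed .mobileconfig must be
    unwrapped before plistlib can parse it.
    """
    profile = plistlib.loads(raw)
    results = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict) or payload.get("PayloadType") != VPN_TYPE:
            continue
        ipv4 = payload.get("IPv4")
        nested = ipv4.get("OverridePrimary") if isinstance(ipv4, dict) else None
        # Only the integer form was confirmed working in the thread, so a
        # boolean is deliberately not accepted here (True == 1 in Python).
        if type(nested) is int and nested == 1:
            status = "full-tunnel"
        elif "OverridePrimary" in payload:
            status = "misplaced"          # key present, but outside IPv4
        else:
            status = "not-full-tunnel"    # key absent, 0, or unexpected type
        results.append((payload.get("UserDefinedName", "?"), status))
    return results

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run the samples.
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [TOP_LEVEL_LAYOUT, IPV4_LAYOUT]
    for blob in blobs:
        for name, status in audit_vpn_profile(blob):
            print(f"{name}: {status}")
```

A profile reported as `misplaced` or `not-full-tunnel` is worth reviewing before deployment if policy requires all remote traffic to go through the VPN.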

JPDyson
Valued Contributor

Use iPCU for Mac? Configurator is intentionally simplified; I was told by an Apple employee who will not be named that it was made for librarians who have to manage iPads.

blackholemac
Valued Contributor III

I would use iPCU for Mac except that it hasn't been updated since 3.5 on the Mac side and it's on 3.6.2 on the Windows side. 3.6.2 supports iOS 6.1...I'm guessing the old build might have worked, but I tend to like using later tools.

As for Configurator, I definitely don't like it and about the only thing I use it for is when I have to quickly get apps out to student iPads without using an Apple ID scheme. Anyway, a done deal and I now have a working installer package for our VPN that makes use of profiles. I'm not required to support 10.6 so this method will work well.