VPN on demand not working

mucgyver
New Contributor III

Hi folks.

I try hard to get VPN On Demand to work. Unfortunately, it currently does not work with Jamf Pro's built-in way (PI-101098), so Jamf Support referred me to iMazing Profile editor. Getting bits and pieces from various web resources together, I tried to built a working VPNOnDemand.mobileconfig by myself, but as soon as I deploy it to my client, it does not have any affect.

The VPN on Demand configuration should basically do the following:

1.) If client connected to a certain company WiFi network ("SomeWifiNetwork" in the example), it should generally NOT use VPN at all.

2.) If NOT connected to the WiFi network above, but any other network, it should ALWAYS establish a VPN connection while trying to connect to certain domains (example1.com and example2.com in the example).

3.) Trying to connect to VPN server via L2TP ("1.2.3.4" in the example), shared secret included ("SHAREDSECRET" in example), user name and password should be prompted (hence not included in example).

When I deploy it to my client, it neither shows up in my VPN connections in system preferences - network, but Jamf Pro tells that .mobileconfig has been deployed successfully ("Completed" not "failed").

I assume that there might be a f*ck up in eiher/and/or

- the syntax itself (much copy and pasting)

- the structure/Hierarchy level of certain arrays/dicts/keys (again much copy and pasting and some lack of understanding)

- the order of the "On demand rules" (as I learned, order makes difference, see desired behaviour above)

 

So here is the example .mobileconfig file as deployed via Jamf Pro:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>IPSec</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>SharedSecret</key>
				<data>
				SHAREDSECRET
				</data>
			</dict>
			<key>PPP</key>
			<dict>
				<key>CommRemoteAddress</key>
				<string>1.2.3.4</string>
				<key>DisconnectOnIdle</key>
				<integer>1</integer>
				<key>DisconnectOnIdleTimer</key>
				<integer>900</integer>
			<!-- Enabling OnDemand – This can be toggled on/off via System Settings/Network [macOS] and Settings/VPN [iOS] -->
							<key>OnDemandEnabled</key>
							<integer>1</integer>
							
							<!-- OnDemand Rules -->
							<!-- Value for "Action" can either be "Connect", "Disconnect", "Ignore", or "EvaluateConnection" -->
							<key>OnDemandRules</key>
							<array>
								<!-- Edit and/or remove any of the following dictionaries to adjust to your needs -->
								
								<!-- Disconnect if device is connected to one of the listed Wifi networks -->
								<dict>
									<key>Action</key>
									<string>Disconnect</string>
									<key>InterfaceTypeMatch</key>
									<string>WiFi</string>
									<key>SSIDMatch</key>
									<array>
										<!-- List one or more WiFi networks -->
										<string>SomeWifiNetwork</string>
									</array>
								</dict>
								
								<!-- Connect if domain name matches the pattern -->
								<dict>
									<key>Action</key>
									<string>EvaluateConnection</string>
									
									<key>ActionParameters</key>
									<array>
										<dict>
											<key>Domains</key>
											<array>
												<string>example1.com</string>
												<string>example2.com</string>
											</array>
											<key>DomainAction</key>
											<string>AlwaysConnect</string>
											<key>RequiredURLStringProbe</key>
											<string>0.0.0.0</string>
										</dict>
									</array>
								</dict>
								
								<!-- Default action if none of the above mentioned rules matches -->
								<dict>
									<key>Action</key>
									<string>Ignore</string>
								</dict>
							</array>
						</dict>
			<key>PayloadDisplayName</key>
			<string>VPN On Demand</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.492136D1-6402-48FB-8F2F-B0CA7846AFEE</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>492136D1-6402-48FB-8F2F-B0CA7846AFEE</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>UserDefinedName</key>
			<string>VPN On Demand</string>
			<key>VPNType</key>
			<string>L2TP</string>
		</dict>
	</array>
	<key>PayloadDisplayName</key>
	<string>VPN On Demand</string>
	<key>PayloadIdentifier</key>
	<string>XTDR9N0JVW.A4EEF7F8-A9EA-4B0D-A95D-28C8F95FF5B7</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>A4EEF7F8-A9EA-4B0D-A95D-28C8F95FF5B7</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>

 

Any thoughts? Any assistance much appreciated. Thanks. <3

1 REPLY 1

mucgyver
New Contributor III

Does anyone have any idea?