VPN Shared Secret?

ryanhollitz
New Contributor

Hi all-

I'm trying to make a new 10.6.7 base image that includes the VPN Shared Secret configured for all users. Once I create an OS package and restore it to a new machine, the Shared Secret is missing. If I go back to the original machine and login as admin, the Shared Secret is still in the system keychain. Is there any way to script this information into the system keychain after imaging?

Thanks in advance.

Regards,
ryan


Not applicable

Look into the 'security' command; that allows you to manipulate keychains.

nessts
Valued Contributor II

you just need to grab the System.keychain and install it with the right permissions.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

RobertHammen
Valued Contributor II

You can export the configuration (check "Export user configurations" and "Include items from the user's keychain"), edit the .networkConnect file to remove your LAN/login ID; then deploy it using Casper, import it using the script in the resource kit, then delete the .networkConnect file from the hard drive.

Works/solves the problem.

Not applicable

I meant to do this for some time so I went ahead and did it. In my case, I have 5 profiles to install and I wanted to use Cisco IPSec not L2TP as assumed in the script.

As mentioned below I configured all profiles on a machine. I specified "EnterYourUserIdHere" as the user name, no password. Then exported Configuration. However, export failed when I chose only
"Export user configurations" and
..."Include items from the user's keychain"
apparently, as there was no config to export...

So I chose
"Export the default configuration"
..."Include items from the system keychain"
Which makes sense as the Shared pwd is stored in the System Keychain.

I did the following changes to the script:
- Remove first 3 params and replace $4 with $1, $5 with $2
- Rename "VPN (L2TP)" with "VPN (IPSec)" in the relevant line
- Removed the display dialog near the end
- Removed the echo statement at the end

I then packaged all this in Composer and made it available for self-install. This works fine for the logged on user... Problem is that when I log out and log back in as another user, "Account Name" seems to vanish. Also "Show VPN status in menu bar" option becomes unchecked. What's worse, settings are locked and regular users cannot change them, which means they cannot click the "Connect" button, as that does not become available unless there is a username defined already (bad GUI imho).

Users however can check "Show VPN status in menu bar" and then use that to connect, as a workaround.

How do you folks handle these issues? Did you notice them?

Adil

RobertHammen
Valued Contributor II

I did not have the issues you had. I entered a username, and established a VPN connection (group/shared secret) to ensure that it worked.
On Jun 13, 2011, at 6:59 PM, Hindistan, Adil wrote:

"Export user configurations" and "Include items from the user's keychain" provided me with a .networkConnect document.

I subsequently edited that document and removed my username from the field.

The only four edits to the Resource Kit script that I performed were:

1) Specifying the path of the .networkConnect file (I stuck it temporarily in /Users/Shared)
2) Changing, as you did, the "VPN (L2TP)" to "VPN (IPSec)"
3) Needed to define an auto proxy server URL on the VPN interface with the networksetup command
4) Added in a command to remove the .networkConnect file from /Users/Shared

I set this up as both a policy (for new users) and a Self Service item (for existing users). I originally tried to get tricky with the username and filling in the Username field in the VPNclient, but later wrote documentation to tell the user how to set it up. Might revisit this again when I get some more time.

Please try deploying with only a slightly-modified script. Once you've got that working, then try modifying it further to add the username, et al.

--Robert

Not applicable

Well, you took out user name, so you should not be able to click "connect" anyway. So, your users are checking "Show VPN status in menu bar" and using that to connect?

Adil

RobertHammen
Valued Contributor II

Well, it's more complicated than that. The username is actually domainusername, so I cheated and just removed the username. So there's text in the field, which isn't precluding them from hitting the Connect button. It just won't authenticate that way ;)

I believe the script also checks the "show VPN status in menu bar" checkbox. So, after my documentation has them enter the rest of their username, and hit "Connect" from inside System Preferences, I later on have them use the menu bar for connection/disconnection...

Not applicable

I am in the same boat and that's why I too entered some text there which gets inserted fine for the user that's installing it but not for the next user. It does not stick...

So you tried to login with a different domain acc. and still see the username you set?