Wireguard Configuration File distribution

New Contributor III

Good morning dear Jamf Community,
does anyone have experience with Wireguard? This is specifically about the distribution of the configuration files after the app installation. Glad about messages


New Contributor II

@S_Puschel I'm about to try this myself. It looks like it might be possible according to this link: https://github.com/WireGuard/wireguard-apple/blob/master/MOBILECONFIG.md

The above seems pretty clear, but I'm not sure how to push it out using Jamf. I've once before pushed a Custom Schema for Support.app, so I need to refresh myself on that.

Did you find a method that works?

New Contributor II

@S_Puschel I'm not sure if you're still interested in this, but I've finally managed this.

Following WireGuard's own guide (as above) allows you to create a working profile, but it breaks when uploading to Jamf. Fortunately Jamf support were able to help and explained how to sign it.

To avoid any pain, what won't work:
creating Custom Schema under Applications & Custom Settings / External Applications
uploading raw .plist text in Applications & Custom Settings / Upload
uploading an unsigned .mobileconfig

The problem is caused by the multi-line string used in any working WireGuard configuration, as none of the above methods support multi-line strings. However, signing the profile before uploading it prevents Jamf from modifying the file, so the multi-line string stays intact. Be careful not to try editing/adapting the file once on Jamf - recreate the file if you need to make changes.

Step 1

Open TextEdit and paste in the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<string>Name to Display in Jamf and System Preferences</string>
<string>Tunnel Name to Display in WireGuard</string>
        PrivateKey = mInDaw06K0NgfULRObHJjkWD3ahUC8XC1tVjIf6W+Vo=
        Address =
        DNS =,
        PublicKey = JRI8Xc0zKP9kXk8qP84NdUQA04h6DLfFbwJn4g+/PFs=
        Endpoint = demo.wireguard.com:12912
        AllowedIPs =
<string>Endpoint from above e.g. demo.wireguard.com:12912</string>

Step 2

Edit the text to suit your needs, replacing the following parts:
PayloadDisplayName (this is what will be displayed in Jamf and the computer's System Preferences)
PayloadIdentifier (this and other UUIDs can be generated in terminal by running "uuidgen")
PayloadIdentifier (second one, under <Dict>)
PayloadUUID (second one, under <Dict>)
UserDefinedName (this is what the tunnel will be called in WireGuard)
WgQuickConfig (put your whole WireGuard between <string> and </string>)
RemoteAddress (the same as you used for Endpoint in WgQuickConfig)

Step 3

Save the file as [something].mobileconfig and confirm that you'd like to use .mobileconfig as the extension if asked.

Step 4 (optional for testing)

Install the file locally -
Double-click the .mobileconfig file created above.
Go to System Preferences / Profiles.
The Profile should be listed at the top left under Downloaded.
Click on it and then Install (you'll need admin rights and to enter the password).
Check that the Tunnel you want to create is now listed and working in WireGuard (you may need to restart WireGuard).
If you've confirmed it's working, you can remove the Profile (and in turn tunnel) by clicking the minus sign (bottom-left) in Preferences / Profiles.

Step 5 (only needs to be done once, can skip if already done)

Setup your computer for signing by following Jamf's guide:

Do the following sections:
Creating a Signing Certificate Using the Jamf Pro Built-in CA
Installing the Certificate to Use for Signing Purposes

Step 6

Sign the certificate as described in the above Guide under 'Signing a Custom Configuration Profile with the Installed Certificate'. For example:
/usr/bin/security cms -S -N "JamfSign" -i ~/Desktop/WireGuard.mobileconfig -o ~/Desktop/WireGuard-signed.mobileconfig

Step 7

Sign into your Jamf instance.
Go to Computers / Configuration Profiles.
Click 'Upload'.
Choose the signed file (created in the previous step).
Scope the file to the chosen computer, but make sure not to change any of the other settings - it should always remain signed and read-only.

The Tunnel should now be in WireGuard on the scoped computer and working when activated (you may need to restart WireGuard).