Deploying a Dynamic IPSEC VPN Profile via Casper Suite

2014, Jul 28    

Would you like to be able to deploy the VPN profile for your business or university on single user systems without setting it up manually for each user or using a custom created package? With Casper we are able to deploy an IPSEC VPN Profile through a configuration profile. Read on for the details on how to perform this and save yourself a few extra steps with a new single user system.

One of the reasons that we switched from Apple's Profile Manager to the Casper Suite was to have the ability to deploy a dynamic VPN profile depending on the user assigned to the system. I have been able to create our university's Cisco VPN Profile, which is added to the system once it has been imaged. The only issue, however, is what happens if a user is not assigned to the system: the $USERNAME variable is then blank and the user cannot modify it. Through the use of Smart Groups in Casper, however, you can address the issue by creating a Smart Group that contains all computers that do not have a user assigned to them and then excluding that group from your VPN Profile.

The first thing we want to do is create the Smart Groups that will determine which computers receive the VPN Profile. If you are unsure what Smart Groups are, please check the Casper Administrator's guide, which can be downloaded from here. I believe Smart Groups for computers are listed on page 198 of the guide. I use two groups. The first group is called Mac Laptops, which places any computer with the word MacBook in its model into the group, as desktops always stay on campus and do not require the VPN. The second group I make is called No User assigned, for which I have two requirements. The first is that we have a dummy user for loaners named loaner, which would not require the laptop to leave campus. The second requirement is that the user name is equal to blank or NULL, which means a user has not been assigned to the laptop yet and thus the VPN is not required. Remember that these are just the settings that are useful in my education environment. No environment is the same, so be sure to tweak the settings. Once we have these groups created, it is time to create your configuration profile.

To create the VPN Profile, we will first want to set up our settings within a configuration profile in Casper here:

Casper Menu

Once we have begun creating a configuration profile we will want to then select VPN and configure:

Config Profile VPN

Here you will enter the connection details for your VPN and its type. Leave the password field blank so that the user is prompted for it each time, but for the username field use the payload variable $USERNAME, which will dynamically insert the user name when the profile is deployed to the system. You can find more information on the payload variables available in Casper in the Casper Administrator's guide.

Now that your VPN Profile is configured we will want to pick the scope.  We will want to target Mac Laptops but exclude any machines that don't have user names assigned via the No users assigned Smart Group.

VPN Target

VPN Exclusion

Once this is completed, the configuration profile should deploy easily to each system that has a user assigned to it. This method is ONLY good for those who want to deploy the VPN to single-user systems. As a next step, we would like to add the VPN item to the menu bar so users can easily connect when needed. To do this, reopen the VPN configuration profile and add a custom settings file called com.apple.mcx.menuExtras. In this PLIST you want to define the following keys:

<key>VPN.menu</key>
<true/>
<key>delaySeconds</key>
<real>1</real>

You can create this file anywhere on your system for upload, either with defaults write or with your favorite text editor. Once you have created the file, don't forget to run the plutil command to convert it to XML1 so you can upload it to the Casper configuration profile. Deploying this with the VPN profile will not only add the VPN profile to the user's system but also add the menu bar item, which will allow them to access your corporate or university VPN easily. If you require assistance with setting this up, please let me know.
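A way to build and check the com.apple.mcx.menuExtras file before uploading it, as an added example that is not part of the original post. It uses Python's standard plistlib in place of defaults write and plutil; the function names are hypothetical, and the expected types are the ones in the keys listed above.

```python
import plistlib

# Keys and value types of the com.apple.mcx.menuExtras payload listed above.
EXPECTED = {"VPN.menu": bool, "delaySeconds": float}


def build_menu_extras():
    """The payload from the post: show the VPN menu extra, delaySeconds of 1."""
    return {"VPN.menu": True, "delaySeconds": 1.0}


def is_binary_plist(data):
    """Binary plists (what `defaults write` saves) start with b'bplist00'."""
    return data.startswith(b"bplist00")


def to_xml1(data):
    """Re-serialise a binary or XML plist as XML, as `plutil -convert xml1` does."""
    return plistlib.dumps(plistlib.loads(data), fmt=plistlib.FMT_XML)


def check_payload(data):
    """Return the problems found in a payload file; an empty list means OK."""
    problems = []
    if is_binary_plist(data):
        problems.append("file is a binary plist; convert to XML1 before upload")
    try:
        payload = plistlib.loads(data)
    except Exception as exc:  # malformed or truncated file
        return problems + [f"not a valid plist: {exc}"]
    for key, kind in EXPECTED.items():
        if key not in payload:
            problems.append(f"missing key {key}")
        elif type(payload[key]) is not kind:  # bool subclasses int: compare exactly
            found = type(payload[key]).__name__
            problems.append(f"{key} should be {kind.__name__}, got {found}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the payload saved in binary form, then converted.
    binary = plistlib.dumps(build_menu_extras(), fmt=plistlib.FMT_BINARY)
    print(check_payload(binary))
    xml = to_xml1(binary)
    print(check_payload(xml))
    print(xml.decode())
```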