TunnelBlick deployment possibilities


John Lockwood

Jan 31, 2018, 5:40:19 AM
to tunnelblick-discuss
As hopefully most people here are aware it is common in larger organisations to 'push' settings for Apple devices i.e. Macs and iOS via an MDM aka Mobile Device Management system. Example MDM systems include Apple's own Profile Manager, Jamf Pro, MobileIron and so on.

An MDM system is used to build a 'profile' which contains settings; this is basically an XML list. One of the more common scenarios is to push VPN settings. Such a profile can define not only the type of VPN system being used e.g. IPSec or SSL but also the address of the VPN server, the user name, the certificate to use, rules regarding 'VPN on Demand' or 'Per-App VPN' and so on. It is possible to use this approach to push settings to an iOS device which will use the official OpenVPN client on iOS.

Since MDM systems are intended to cover both iOS and Macs it normally is also possible to do this for Macs as well and I have done this in the past for an IPSec style VPN.

However I have not found any articles describing how to do this with TunnelBlick, in fact I get the impression this may not currently be possible.

The purpose of this post is therefore two-fold, firstly to enquire whether anyone has managed to create an automated MDM based approach to configure TunnelBlick and in my case this would be to use Jamf Pro, secondly if this is not currently possible to suggest that the developers look at the possibility of modifying TunnelBlick to make it compatible with this approach.

Note: All the major commercial VPN products are compatible with this approach including Juniper, Cisco, SonicWALL, F5, CheckPoint and of course the built-in Apple provided VPN clients.

The ideal solution would allow the following -

User enrols their Mac to MDM system
MDM system pushes VPN profile

VPN Profile definition on the MDM server does the following
1. Takes the login name of the user
2. Requests a certificate for the user from a SCEP server (ideally we generate the cert from a SCEP server but uploading a pre-generated cert to the MDM system is also possible)
3. Produces a VPN profile aka mobileconfig file containing the new certificate plus, if needed, a copy of the rootCA certificate, the user credentials, and all required configuration information e.g. VPN server address, protocol type, any VPN-on-Demand or Per-App VPN rules etc.

Mac installs the VPN profile automatically and this immediately takes effect - presuming in this case that TunnelBlick has already been installed.


At the moment it seems the current supposedly automated TunnelBlick deployment process, such as it is, is not in reality automated and certainly not friendly with standard enterprise deployment tools such as Munki, Jamf and so on. It involves mounting a disk image - which could potentially be automated - but then running the app from the disk image, which is not the common approach. Even if one does this it would not make it practical to generate a per user config with a per user certificate as the config file has to be built-in to the disk image.

Tunnelblick developer

Jan 31, 2018, 6:18:49 AM
to tunnelblick-discuss
The purpose of this post is therefore two-fold, firstly to enquire whether anyone has managed to create an automated MDM based approach to configure TunnelBlick and in my case this would be to use Jamf Pro, secondly if this is not currently possible to suggest that the developers look at the possibility of modifying TunnelBlick to make it compatible with this approach.
  1. There are organizations that use Munki to deploy Tunnelblick. See this discussion for an example.

  2. There is a very long "wish list" of features for Tunnelblick; adding more compatibility with MDM is not a very high priority.

John Lockwood

Jan 31, 2018, 7:26:10 AM
to tunnelblick-discuss
Thanks for the link to that Munki related thread. I had found another shorter one which did not seem to adequately cover things, but this one does as far as deploying the TunnelBlick app itself via Munki.

This leaves just the issue of a means of pushing a config with a certificate to users. As you confirm and I suspected - this is currently not possible. If/when you do decide to look into this, perhaps a means of TunnelBlick seeing the mobileconfig profile, spotting it is labelled for TunnelBlick to use and then taking that information to generate a matching .tblk config and installing it would seem a logical approach. It is possible to assign a MobileConfig to either a device i.e. the entire Mac, or to a user, and this could inform where to install a resulting .tblk config.

Arguably it might even be possible to have a 'helper' app act as an intermediary to 'receive' the mobileconfig and use that information to build and install a matching tblk config. This would avoid the need to modify TunnelBlick itself for those not wanting this feature but still make it possible to support this approach for those who would.

Note: If an existing tblk config with the same name exists it should over-write it. It should also reload the new version to activate it.

Tunnelblick developer

Jan 31, 2018, 9:09:44 AM
to tunnelblick-discuss
You can deploy configurations via Munki -- at least according to this post.

If someone develops (or has developed) such a "helper app" (which would "'receive' the mobileconfig and use that information to build and install a matching tblk config"), they should consider donating it so others can benefit.

My experience is that the organizations that need such things don't share, though, so don't hold your breath.

John Lockwood

Jan 31, 2018, 10:02:40 AM
to tunnelblick-discuss
The Munki method of deploying a configuration would be to start off with a .tblk config and install that on the client. This might indeed be deployable via Munki but it would require manually creating individual configurations rather than using an MDM system to automate creating and deploying configurations. All those commercial solutions I referred to use the MDM approach for a reason after all, which is because it is far more scalable, being that it is totally automatic and generic, being that the config/profile is built automatically for each individual user.

Tunnelblick developer

Jan 31, 2018, 11:08:07 AM
to tunnelblick-discuss
If MDM can't run a script or install a package on the user's computer, how does it install an app?

Tunnelblick developer

Jan 31, 2018, 11:11:15 AM
to tunnelblick-discuss
Why must .tblks be created manually? It's just a folder with a bunch of subfolders and files, there's nothing proprietary or even Mac-specific in it. (Unlike a .dmg, for example, which is a proprietary Apple format).

John Lockwood

Jan 31, 2018, 11:33:05 AM
to tunnelblick-discuss
For apps that are available via Apple's App Stores the MDM system can trigger the end-user device to auto download and install them. For free apps this is straightforward; for paid apps you link this to a matching Apple VPP (Volume Purchase Plan).

However in the case of a Mac as I have been discussing we could install just the TunnelBlick app first or even after via say Munki, Jamf also have their own tool similar to Munki. 

Answering the specific question: the MDM standard does not allow running scripts; as described above, the MDM standard can trigger app store download/installs. This therefore also normally applies to settings. Again, normally scripts do not enter into it; the settings instead are in the form of XML files 'pushed' via the MDM server, in reality downloaded via https and then loaded in to the Mac.

In response to your next email, since the only way the MDM standard can push settings is in the form of mobileconfig files which as mentioned are XML settings these clearly are not the same format as used by TunnelBlick, hence some process would need to digest the XML and spit out a matching TunnelBlick config.

You could download a free copy of Apple's Configurator tool from the Mac app store, use it to create an example Profile with an example VPN config, then save the mobileconfig file and view it with a text editor. You would then be able to see the XML, although obviously the settings are at this point unlikely to have any real world match.
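As an added example (not code from this thread, from Tunnelblick, or from any MDM vendor), the script below sketches the "helper" described earlier in this thread: it reads a mobileconfig profile, picks out the VPN, root-certificate and PKCS#12 payloads, and writes a matching .tblk folder. The top-level keys (PayloadIdentifier, PayloadScope, PayloadContent) and the payload types com.apple.vpn.managed, com.apple.security.root and com.apple.security.pkcs12 are Apple's; the VendorConfig keys Port and Proto, the profile identifier, the host name and the certificate bytes are constructed for the example. It assumes the simplest .tblk layout (a folder containing config.ovpn and its referenced files) and Tunnelblick's private and shared configuration folders.

```python
"""Convert an MDM-style mobileconfig VPN profile into a Tunnelblick .tblk folder.

Added example, not Tunnelblick's own code. Payload types and the keys
RemoteAddress / AuthenticationMethod / PayloadScope are Apple's; the
VendorConfig keys "Port" and "Proto" are assumptions for this script.
"""
import base64
import pathlib
import plistlib
import tempfile
from typing import Optional

# Constructed placeholder bytes; neither is a real certificate or PKCS#12 bundle.
CONSTRUCTED_CA_DER = b"\x30\x03\x02\x01\x00"
CONSTRUCTED_P12 = b"\x30\x03\x02\x01\x03"

# Constructed sample profile, serialised to the XML plist form a mobileconfig uses.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.mdm.vpn.openvpn",   # constructed identifier
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadVersion": 1,
    "PayloadScope": "User",                               # "System" for device-scoped profiles
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadIdentifier": "com.example.mdm.vpn.openvpn.vpn",
         "PayloadUUID": "00000000-0000-4000-8000-000000000002",
         "PayloadVersion": 1,
         "UserDefinedName": "Example Corp VPN",
         "VPNType": "VPN",
         "VPN": {"RemoteAddress": "vpn.example.com", "AuthenticationMethod": "Certificate"},
         "VendorConfig": {"Port": "1194", "Proto": "udp"}},  # assumed vendor keys
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "com.example.mdm.vpn.openvpn.ca",
         "PayloadUUID": "00000000-0000-4000-8000-000000000003",
         "PayloadVersion": 1,
         "PayloadContent": CONSTRUCTED_CA_DER},
        {"PayloadType": "com.apple.security.pkcs12",
         "PayloadIdentifier": "com.example.mdm.vpn.openvpn.client",
         "PayloadUUID": "00000000-0000-4000-8000-000000000004",
         "PayloadVersion": 1,
         "PayloadContent": CONSTRUCTED_P12},
    ],
})


def payloads_of_type(profile: dict, payload_type: str) -> list:
    """Return every payload in the profile with the given PayloadType."""
    return [p for p in profile.get("PayloadContent", []) if p.get("PayloadType") == payload_type]


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Wrap DER bytes (what a root payload carries) in the PEM form OpenVPN reads."""
    body = base64.encodebytes(der).decode("ascii")  # already wrapped at 76 characters
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def configurations_dir(profile: dict, home: str = "~") -> pathlib.Path:
    """Device-scoped profiles map to Tunnelblick's shared folder, user-scoped to the private one."""
    if profile.get("PayloadScope") == "System":
        return pathlib.Path("/Library/Application Support/Tunnelblick/Shared")
    return pathlib.Path(home).expanduser() / "Library/Application Support/Tunnelblick/Configurations"


def render_ovpn(vpn: dict, ca_file: str, p12_file: Optional[str]) -> str:
    """Build the config.ovpn text from the VPN payload; credentials are never written to it."""
    settings = vpn["VPN"]
    vendor = vpn.get("VendorConfig", {})
    lines = ["client", "dev tun",
             f"proto {vendor.get('Proto', 'udp')}",
             f"remote {settings['RemoteAddress']} {vendor.get('Port', '1194')}",
             f"ca {ca_file}", "remote-cert-tls server", "verb 3"]
    if settings.get("AuthenticationMethod") == "Certificate" and p12_file:
        lines.append(f"pkcs12 {p12_file}")   # client cert+key from the pkcs12 payload
    else:
        lines.append("auth-user-pass")       # Tunnelblick prompts and stores the password itself
    return "\n".join(lines) + "\n"


def build_tblk(mobileconfig: bytes, dest: pathlib.Path, expected_identifier: str) -> pathlib.Path:
    """Write <dest>/<UserDefinedName>.tblk, overwriting an existing one of the same name."""
    profile = plistlib.loads(mobileconfig)
    if profile.get("PayloadIdentifier") != expected_identifier:
        raise ValueError("profile identifier does not match the expected MDM profile")
    vpn_payloads = payloads_of_type(profile, "com.apple.vpn.managed")
    roots = payloads_of_type(profile, "com.apple.security.root")
    if len(vpn_payloads) != 1 or not roots:
        raise ValueError("expected exactly one VPN payload and at least one root certificate")
    vpn = vpn_payloads[0]
    safe_name = "".join(c for c in vpn.get("UserDefinedName", "VPN") if c.isalnum() or c in " -_")
    tblk = dest / f"{safe_name}.tblk"
    tblk.mkdir(parents=True, exist_ok=True)
    (tblk / "ca.crt").write_text("".join(der_to_pem(r["PayloadContent"]) for r in roots))
    p12_file = None
    for p12 in payloads_of_type(profile, "com.apple.security.pkcs12"):
        p12_file = "client.p12"
        (tblk / p12_file).write_bytes(p12["PayloadContent"])
    (tblk / "config.ovpn").write_text(render_ovpn(vpn, "ca.crt", p12_file))
    return tblk


def demo() -> pathlib.Path:
    """Build the sample profile into a temporary folder and return the .tblk path."""
    return build_tblk(SAMPLE_MOBILECONFIG, pathlib.Path(tempfile.mkdtemp()), "com.example.mdm.vpn.openvpn")


if __name__ == "__main__":
    out = demo()
    print(out, (out / "config.ovpn").read_text(), sep="\n")
```

Two checks matter more than the conversion itself. Profiles delivered by an MDM are normally CMS-signed, so a real helper must verify the signer and unwrap the signature before handing the plist to plistlib, and it should only act on the PayloadIdentifier it was told to expect, as build_tblk does, so an arbitrary profile cannot plant a VPN configuration. The resulting folder is then placed in the private or shared configurations folder returned by configurations_dir according to whether the profile was assigned to the user or the device.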