As hopefully most people here are aware it is common in larger organisations to 'push' settings for Apple devices i.e. Macs and iOS via an MDM aka Mobile Device Management system. Example MDM systems include Apple's own Profile Manager, Jamf Pro, MobileIron and so on.
An MDM system is used to build a 'profile' which contains settings; this is basically an XML list. One of the more common scenarios is to push VPN settings. Such a profile can define not only the type of VPN system being used, e.g. IPSec or SSL, but also the address of the VPN server, the user name, the certificate to use, rules regarding 'VPN on Demand' or 'Per-App VPN' and so on. It is possible to use this approach to push settings to an iOS device which will use the official OpenVPN client on iOS.
Since MDM systems are intended to cover both iOS and Macs it normally is also possible to do this for Macs as well and I have done this in the past for an IPSec style VPN.
However I have not found any articles describing how to do this with TunnelBlick, in fact I get the impression this may not currently be possible.
The purpose of this post is therefore two-fold: firstly, to enquire whether anyone has managed to create an automated MDM based approach to configure TunnelBlick (in my case this would be to use Jamf Pro); secondly, if this is not currently possible, to suggest that the developers look at the possibility of modifying TunnelBlick to make it compatible with this approach.
Note: All the major commercial VPN products are compatible with this approach including Juniper, Cisco, SonicWALL, F5, CheckPoint and of course the built-in Apple provided VPN clients.
The ideal solution would allow the following -
User enrols their Mac to MDM system
MDM system pushes VPN profile
VPN Profile definition on the MDM server does the following
  1. Takes the login name of the user
  2. Requests a certificate for the user from a SCEP server (ideally we generate the cert from a SCEP server but uploading a pre-generated cert to the MDM system is also possible)
  3. Produces a VPN profile aka mobileconfig file containing the new certificate plus, if needed, a copy of the rootCA certificate, the user credentials, and all required configuration information e.g. VPN server address, protocol type, any VPN-on-Demand or Per-App VPN rules etc.
Mac installs the VPN profile automatically and this immediately takes effect - presuming in this case that TunnelBlick has already been installed.
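To make steps 1 to 3 concrete, here is an added example (not from the original post, and not code from TunnelBlick, Jamf or any MDM vendor) that builds such a mobileconfig with Python's plistlib: a SCEP payload requesting a per-user certificate whose CN is the login name, and a VPN payload that uses that certificate via PayloadCertificateUUID plus a VPN-on-Demand rule. The payload keys are those documented in Apple's Configuration Profile Reference; because no TunnelBlick payload type exists, the VPN payload uses the built-in IKEv2 client, and the server names, identifiers and organisation are constructed placeholders.

```python
import plistlib
import uuid

ORG = "Example Corp"                             # constructed placeholder
SCEP_URL = "https://scep.example.invalid/scep"   # placeholder SCEP server
VPN_HOST = "vpn.example.invalid"                 # placeholder VPN gateway

def build_profile(login_name: str) -> dict:
    """One SCEP payload (per-user cert request, CN = login name) plus one
    VPN payload that references it through PayloadCertificateUUID."""
    scep_uuid = str(uuid.uuid4()).upper()
    scep = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.scep.{login_name}",
        "PayloadUUID": scep_uuid,
        "PayloadContent": {
            "URL": SCEP_URL,
            "Subject": [[["CN", login_name]], [["O", ORG]]],
            "Key Type": "RSA",
            "Keysize": 2048,
            "Key Usage": 5,           # 1 = signing, 4 = encryption, 5 = both
        },
    }
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpn.{login_name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": f"{ORG} VPN",
        "VPNType": "IKEv2",           # built-in client; no TunnelBlick payload type exists
        "IKEv2": {
            "RemoteAddress": VPN_HOST,
            "RemoteIdentifier": VPN_HOST,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": scep_uuid,   # binds the issued cert to this VPN
            "OnDemandEnabled": 1,
            "OnDemandRules": [{"Action": "Connect"}],
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpnprofile.{login_name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": [scep, vpn],
    }

def to_mobileconfig(login_name: str) -> bytes:
    # Serialise as the XML plist an MDM would deliver as a .mobileconfig
    return plistlib.dumps(build_profile(login_name))
```

An MDM would normally sign the resulting plist before delivery; that step is outside this example.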
At the moment it seems the current supposedly automated TunnelBlick deployment process, such as it is, is not in reality automated and certainly not friendly with standard enterprise deployment tools such as Munki, Jamf and so on. It involves mounting a disk image - which could potentially be automated - but then running the app from the disk image, which is not the common approach. Even if one does this, it would not make it practical to generate a per user config with a per user certificate, as the config file has to be built in to the disk image.