Posted on 05-22-2025 09:37 AM
In the Restrictions section of Profiles, I see an option for "Allow creation of VPN configurations". I have disabled this as I don't want our users to be able to add VPNs.
Is there also an option to disable deletion of VPN configurations?
Likewise, is there any way to prevent a user from just toggling the VPN off. Or perhaps automatically re-enabling the VPN if they do turn it off?
Solved! Go to Solution.
Posted on 05-22-2025 10:31 AM
If the VPN deployed via a device profile, unless they can also remove profiles or unenrolled the device.
Enforcing VPN usage is a little more complicated.
It really depends on what you've got in your toolbox.
Posted on 05-22-2025 10:31 AM
If the VPN deployed via a device profile, unless they can also remove profiles or unenrolled the device.
Enforcing VPN usage is a little more complicated.
It really depends on what you've got in your toolbox.
Posted on 05-22-2025 12:09 PM
Thanks! I will check to see if the app in question has an "always-on" option for the VPN.
How would I set up network rules to prevent access unless the VPN is on?
Posted on 05-22-2025 12:16 PM
It really depends on how you're connecting to VPN. Are you using the native VPN client or a 3rd party solution? Any other tools you're using?
Posted on 05-23-2025 04:45 AM
Remember if you use Jamf Safe Internet, that is already an always-on VPN config.
Posted on 05-23-2025 05:11 AM
I was considering using an app called Qustodio. It has some features that Jamf School does not, like setting schedule and time limits for apps. Qustodio's parental controls are enforced by VPN. Their documentation (and a support rep I spoke with) said that when the user toggles the VPN off, it automatically re-enables itself within a few seconds. I'm not sure how this works, though. Is that a capability inherent to the app itself?
They said if I want to prevent the user from deleting the entire profile, I'd need to install their MDM, which prevents deleting a VPN configuration. But as I will already have an MDM (Jamf) installed, I don't think I can do this. Instead, I could create a separate mobileconfig file that prevents deletion of VPN configurations and upload that to her phone, right?
Tech Lockdown offers a mobileconfig file that does this.
Posted on 05-23-2025 07:48 AM
Yes, if their product is also an MDM (which is what you're describing), then they should be able to give you the configuration to do it with Jamf. Some of the config is going to vary a bit from their product, but the principles are the same.
Posted on 05-23-2025 01:34 PM
Ok, I will check with them. Thanks!