
The ruVPN project presents a VPN solution for computers running Mac OS X: MacBooks, iMacs, Mac minis and Mac Pros. The service is especially relevant for MacBook users, who often have to use open wireless networks in coffee shops, airports and hotels.
I have already written about the possible threats of using public networks. All the situations described there apply to laptop users.
However, this article is not only an announcement. I will also cover the nuances of installing profiles on Apple computers.
First of all, I refer you to a large article about configuration profiles for Apple mobile devices. There I only mentioned that "the technology of loading configuration profiles with some assumptions applies to mobile devices based on OS X 10.8+, that is, for fresh MacBook, MacBook Air / Pro". Now we will talk about those "some assumptions."
The main point is that OS X is much stricter about compliance with standards and protocols. What the profile manager in iOS silently ignores causes an error in OS X. All sections of the profile must be checked carefully, especially those for SCEP requests.
List of differences between OS X and iOS when working with configuration profiles:
- The profile must contain the PayloadScope parameter to specify the scope of the profile: system or client.
- The GetCACaps GET request does not contain a message parameter; some SCEP servers ignore such a request.
- All values in the SubjectAltName parameter of the SCEP request section must be recognized by the system. For example, the operating system does not understand the UPN (User Principal Name), so a single certificate profile for both OS X and Windows cannot be made.
Otherwise, everything is identical to iOS profiles. In addition, there are many additional parameters specific to OS X only.
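The first and third differences in the list above can be checked before a profile is handed to OS X. The following linter is an added example, not ruVPN's code: it assumes an unsigned profile plist, Apple's documented `com.apple.security.scep` payload type, `ntPrincipalName` as the SubjectAltName key carrying the UPN, and `System`/`User` as the PayloadScope values; the sample profile is constructed.

```python
import copy
import plistlib

SCEP_TYPE = "com.apple.security.scep"
UPN_KEY = "ntPrincipalName"          # SubjectAltName key that carries a UPN
VALID_SCOPES = {"System", "User"}    # assumed from Apple's profile reference

# Constructed sample profile; identifier and URL are placeholders.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "invalid.example.vpn",
    "PayloadContent": [{
        "PayloadType": SCEP_TYPE,
        "PayloadContent": {
            "URL": "https://scep.example.invalid/scep",
            "SubjectAltName": {
                "rfc822Name": "user@example.invalid",
                UPN_KEY: "user@example.invalid",
            },
        },
    }],
}

def lint_profile(data: bytes) -> list:
    """Return OS X compatibility findings for an unsigned profile plist."""
    profile = plistlib.loads(data)
    findings = []
    scope = profile.get("PayloadScope")
    if scope is None:
        findings.append("PayloadScope missing")
    elif scope not in VALID_SCOPES:
        findings.append(f"PayloadScope has unexpected value {scope!r}")
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        if payload.get("PayloadType") != SCEP_TYPE:
            continue
        san = payload.get("PayloadContent", {}).get("SubjectAltName", {})
        if UPN_KEY in san:
            findings.append(f"payload {i}: SubjectAltName has {UPN_KEY} (UPN)")
    return findings

def osx_variant(profile: dict, scope: str = "User") -> dict:
    """Copy the profile, set PayloadScope and drop the UPN from SCEP payloads."""
    out = copy.deepcopy(profile)
    out["PayloadScope"] = scope
    for payload in out.get("PayloadContent", []):
        if payload.get("PayloadType") == SCEP_TYPE:
            payload.get("PayloadContent", {}).get("SubjectAltName", {}).pop(UPN_KEY, None)
    return out

if __name__ == "__main__":
    print(lint_profile(plistlib.dumps(SAMPLE_PROFILE)))
    print(lint_profile(plistlib.dumps(osx_variant(SAMPLE_PROFILE))))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.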
As for VPN, unlike iOS, there are two bitter pills.
First, support for the Connect on Demand automatic connection was removed from OS X Mountain Lion. This is all because of the patent troll VirnetX, which systematically demands that this technology be removed from all Apple products.
Therefore, the VPN connection has to be started manually, which is not a big inconvenience on laptops. The VPN is started from the drop-down menu in the status bar.

Secondly, the VPN connection is forcibly dropped about once every 45 minutes, and a prompt asks for a password to reconnect. The simplest and most reasonable solution is to close the dialog box and start the connection from the status bar. No password is required.
The problem is caused by the default parameters of the racoon service, which can be changed quite easily. After editing the racoon configuration, the protected tunnel stays up for days. :-)
Let me remind you that ruVPN offers VPN solutions based on configuration profiles. Anyone can test profile loading and the VPN service for free.
The tariff plan is called "Armored Train", which is why this picture is at the beginning of the article. A very symbolic name for a fast and secure network connection.
Have a nice holiday!