Disable config export

Hi. Is there any way that if an employee receives a laptop from me with Viscosity and an OpenVPN tunnel preconfigured, I can block the possibility of the user exporting the OpenVPN tunnel config to a file?
If the user can still delete the tunnel, it doesn't matter. The important thing is to block it from being passed on further.

//Thx in advance

Hi Filip,

What you’ll want to do is lock down the private key so it can’t be exported from the device. Even if the user has the configuration data, without the private key they won’t be able to do anything with it. The best way to do this is to make use of Viscosity’s System Identity feature (on macOS) and Windows Certificate Store support (on Windows). Both of these options support preventing the export of the private key/identity.

On macOS we have a detailed guide at the link below, covering deployment and use of Viscosity’s System Identity feature:

On Windows, you can deploy an identity to the User or Machine Certificate Stores. You can use MDM for this, or just load it locally yourself and make sure it’s marked as non-exportable. To use an identity stored in the Windows Certificate Store, you can make use of the “cryptoapicert” advanced command. This command will let you specify a search string to use for finding a matching certificate in the store. You’ll want to use search criteria that works for all users, so every user can import the same connection into Viscosity but have it find their particular identity. Generally you can do this by using the “issuer” DN, or by specifying part of the subject DN. For information please see:

If you also need to prevent export from users with full administrator rights on the machine, then you’ll likely want to look into generating the private key in the Secure Enclave (on macOS) or TPM (on Windows). These can be accessed by Viscosity using the same steps as above; however, as they must be generated locally on the machine itself, it can be complex from a deployment standpoint.

Another option popular among enterprise users is storing the identity on a PKCS#11 token, such as a Yubikey. Tokens prevent the export of the private key, although the user can plug the token into a different machine. If macOS or Windows natively supports the token, then you can use Viscosity’s System Identity or cryptoapicert support to use it, or you can make use of Viscosity’s PKCS#11 driver support.

Cheers,
James
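The Windows side of this answer, as an added example that is not part of the original thread or of Viscosity itself: it imports a client identity into the user store without the `-Exportable` switch, verifies the resulting key really is non-exportable, and checks that the issuer-based search string the connection will use matches exactly one identity. The PFX path, the issuer name and the `cryptoapicert` selector syntax (`ISSUER:` / `SUBJ:` prefixes, as documented for OpenVPN's `--cryptoapicert`) are assumptions for the example.

```powershell
# Added example, not Viscosity's or the poster's code. Assumes a client PFX at
# C:\deploy\vpn-client.pfx and a CA issuer CN "Example Corp VPN CA" (placeholders).

function Import-NonExportableVpnIdentity {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $PfxPassword,
        [string] $StoreLocation = 'Cert:\CurrentUser\My'
    )
    # Without -Exportable, Import-PfxCertificate marks the private key non-exportable.
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $StoreLocation -Password $PfxPassword
}

function Test-PrivateKeyExportable {
    param([Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "No accessible private key for $($Cert.Thumbprint)" }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: any export policy other than None allows some form of export.
        return $rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key container.
        return $rsa.CspKeyContainerInfo.Exportable
    }
    throw "Unsupported key type: $($rsa.GetType().FullName)"
}

function Get-VpnIdentityByIssuer {
    # Mirrors the lookup cryptoapicert "ISSUER:<name>" performs: issuer DN contains the name.
    param([Parameter(Mandatory)] [string] $IssuerNamePart, [string] $StoreLocation = 'Cert:\CurrentUser\My')
    Get-ChildItem $StoreLocation | Where-Object { $_.HasPrivateKey -and $_.Issuer -like "*$IssuerNamePart*" }
}

# Provisioning run on the laptop before it is handed to the employee:
$pw   = Read-Host -AsSecureString 'PFX password'
$cert = Import-NonExportableVpnIdentity -PfxPath 'C:\deploy\vpn-client.pfx' -PfxPassword $pw
if (Test-PrivateKeyExportable -Cert $cert) { throw 'Private key is exportable; re-import without -Exportable.' }

$matches = @(Get-VpnIdentityByIssuer -IssuerNamePart 'Example Corp VPN CA')
if ($matches.Count -ne 1) { throw "Issuer selector matched $($matches.Count) identities; narrow it with SUBJ: instead." }

# The shared connection profile then replaces the cert/key directives with:
#   cryptoapicert "ISSUER:Example Corp VPN CA"
```

Re-running the script on a second user's laptop with that user's PFX produces a different store entry, but the same `cryptoapicert` line resolves to it, which is what lets one connection profile be imported into Viscosity for everyone.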

I will look into option one, since I'm launching full MDM on all the machines in August!