by derefr 2900 days ago
You're supposed to be managing the deployment/delivery of Apple Configurator profiles through Server.app's MDM features. If that is in play, then the workflow looks like:

1. You navigate your device to the MDM web portal served from the Mac running Server.app;

2. the MDM portal recognizes your MAC address as a new device, and allows you to register it;

3. an MDM profile is auto-generated for you, which you download and install;

4. the MDM profile transparently manages/updates a real (Apple Configurator) profile, which has been customized by the MDM for any settings keyed specifically to your computer's MAC address.

Using Apple Configurator without MDM, just using Configurator .profile files, would be like using Windows Group Policy without Active Directory, just using GPO .cab files. It's possible, but just kinda silly.

4 comments

> Using Apple Configurator without MDM, just using Configurator .profile files, would be like using Windows Group Policy without Active Directory, just using GPO .cab files. It's possible, but just kinda silly.

I totally agree. But let's say that I set up an IKEv2 server in pfSense on some VPS. And now I want to connect to that with my macOS VM. There's no Mac server anywhere involved. And Apple Configurator is in fact the only way to configure the macOS client.

You are assuming that every use of VPN is captured in your scenario. It's not.

And I understand MDM perfectly well. I am the CIO of a company with 350 Macs managed through JAMF. Also, nobody in enterprise who knows what they are doing uses Mac Server. It's been a toy and a joke ever since Mavericks.

But what if I need a VPN connection for somewhere else? What if I'm a consultant with a Mac and trying to connect to a Windows shop?

> It's possible, but just kinda silly.

Why silly? In one .mobileconfig file, I created a complex VPN config for my provider, with my own preferences, and loaded it without any MDM onto all my Macs and iPhones.

Because, what happens when you want to update that config? Even if you're just doing it for your personal stuff, MDM means centralized push-based management.
I'm not centralized, I will just update my config myself. Simply clicking on the new myvpn.mobileconfig file :)
I guess I just don't like the idea of forgetting to update a device that I rarely touch (e.g. my iPad) and then being unable to VPN home with it later when I do go to use it, from a café on vacation or something.

Much easier to just leave Server.app running on my iMac. (It's basically what Server.app is built for; it's certainly not targeted at enterprises!)

I've been trying to deploy configuration profiles containing IKEv2 VPN configs to macOS devices through MDM (Meraki SM) without success, even though the exact same profile works fine for iOS devices. There's very little logging on the device to help me diagnose the issue and it's been very frustrating.
log show --predicate 'subsystem == "com.apple.networkextension"' --info --last 50m
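The thread above talks about hand-built IKEv2 .mobileconfig files for a pfSense server and about profiles that install on iOS but misbehave on macOS. The script below is an added example (not code from any commenter) that builds such a profile with the standard library and lints it for the mistakes that most often cause that: a missing RemoteIdentifier, a password baked into the file, and unset security-association parameters, which make macOS fall back to its legacy 3DES/SHA1-96/group 2 defaults. The hostname, user name and organisation are placeholders.

```python
import plistlib
import uuid

# Legacy IKEv2 algorithms a modern pfSense/strongSwan server should not be offered.
WEAK_ENC = {"DES", "3DES"}
WEAK_INTEG = {"MD5", "SHA1-96"}
WEAK_DH = {1, 2, 5}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

def build_ikev2_profile(host, user, org="example.com"):
    """Return the profile as a dict: EAP user auth, server authenticated by its certificate."""
    sa = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
          "DiffieHellmanGroup": 14, "LifeTimeInMinutes": 1440}
    vpn = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.vpn.ikev2", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Home IKEv2", "UserDefinedName": "Home IKEv2",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": host,
            "RemoteIdentifier": host,        # must match a SAN in the server certificate
            "LocalIdentifier": user,
            "AuthenticationMethod": "None",  # no machine cert or PSK: EAP only
            "ExtendedAuthEnabled": True,
            "AuthName": user,                # password is prompted, never stored in the file
            SA_KEYS[0]: dict(sa), SA_KEYS[1]: dict(sa),
        },
    }
    return {"PayloadType": "Configuration", "PayloadVersion": 1,
            "PayloadIdentifier": f"{org}.vpn", "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": "Home IKEv2 VPN", "PayloadContent": [vpn]}

def lint_profile(profile):
    """Return one finding per missing or weak IKEv2 setting in each VPN payload."""
    findings = []
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue
        ike = p.get("IKEv2", {})
        if not ike.get("RemoteIdentifier"):
            findings.append("RemoteIdentifier missing: server identity is not pinned")
        if "AuthPassword" in ike:
            findings.append("AuthPassword stored in plaintext inside the profile")
        for key in SA_KEYS:
            sa = ike.get(key)
            if sa is None:
                findings.append(f"{key} unset: legacy defaults (3DES/SHA1-96/group 2) apply")
            elif (sa.get("EncryptionAlgorithm") in WEAK_ENC or sa.get("IntegrityAlgorithm") in WEAK_INTEG
                  or sa.get("DiffieHellmanGroup") in WEAK_DH):
                findings.append(f"{key} uses a weak algorithm: {sa}")
    return findings

def to_mobileconfig(profile):
    """Serialise to the XML plist that Apple Configurator or a double-click will install."""
    return plistlib.dumps(profile)
```

Write the output of `to_mobileconfig(...)` to a `.mobileconfig` file only after `lint_profile` returns an empty list; the `log show` command in the comment above then shows whether macOS actually negotiated the proposed algorithms.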