[teilo]

No. There are plenty of setting an end user shouldn't normally poke around in, that are still accessible under something like an Advanced button, or are an Option-click away. This should be no different.

What if I'm a consultant, with a Mac, and I need to access a client's VPN? They aren't going to change their router just for me, and they aren't going to provide me an MDM profile.

[tptacek]

Why wouldn't they provide you an MDM profile? Lots of companies have committed in writing to ensuring that anyone with access to prod is using an endpoint registered with MDM; that comes up on self-assessment questionnaires.

The fact that opaque configuration makes it harder for randos to get temporary access to VPNs does not seem like a hardship from my vantage point of managing security teams.