by Nextgrid 2168 days ago
That's indeed often the case; how it works is that the machine itself has a client certificate it uses to authenticate with the VPN.

There's no reason that certificate can't be used directly for the HTTPS connection to the admin UI, providing the same security benefits without actually requiring a VPN.

Furthermore, depending on how "deep" the social engineering attack goes, a local user with administrator privileges can typically export those certificates unless they are stored on a hardware module (either a smartcard or an internal TPM/secure element).
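An added, runnable illustration of the point in this comment (not code from the thread or from any VPN product): a Go program that stands up a hypothetical internal CA, issues a server certificate for an "admin UI" and a per-machine client certificate, and then shows that the admin UI completes the TLS handshake only for a client presenting the machine certificate. The names (Example Internal CA, admin-ui.internal, workstation-42) are invented, and net/http/httptest is used so everything runs offline on loopback. Nothing here addresses the export problem from the last paragraph; a key held in software is as exportable here as it is for the VPN client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue generates a P-256 key and a cert for tmpl signed by parent (self-signed when parent == nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PKI is the hypothetical internal CA plus the two leaf certificates it issued.
type PKI struct {
	CAPool  *x509.CertPool
	Server  tls.Certificate // presented by the admin UI
	Machine tls.Certificate // the per-machine client cert the VPN already relies on
}

func NewPKI() (*PKI, error) {
	now := time.Now()
	tmpl := func(cn string, serial int64, eku ...x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku}
	}
	caTmpl := tmpl("Example Internal CA", 1)
	caTmpl.IsCA, caTmpl.BasicConstraintsValid = true, true
	caTmpl.KeyUsage |= x509.KeyUsageCertSign
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil { return nil, err }
	srvTmpl := tmpl("admin-ui.internal", 2, x509.ExtKeyUsageServerAuth)
	srvTmpl.IPAddresses = []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")} // httptest binds to loopback
	srvCert, srvKey, err := issue(srvTmpl, ca, caKey)
	if err != nil { return nil, err }
	cliCert, cliKey, err := issue(tmpl("workstation-42", 3, x509.ExtKeyUsageClientAuth), ca, caKey)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{CAPool: pool,
		Server:  tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey, Leaf: srvCert},
		Machine: tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey, Leaf: cliCert},
	}, nil
}

// StartAdminUI serves a stand-in admin page; RequireAndVerifyClientCert makes the TLS layer refuse the handshake unless the client presents a cert chaining to the internal CA.
func (p *PKI) StartAdminUI() *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// The chain was verified in the handshake; the handler only reads the proven identity.
		fmt.Fprintf(w, "admin ui: hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{p.Server}, ClientCAs: p.CAPool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12}
	srv.StartTLS()
	return srv
}

// Fetch requests url over HTTPS, presenting the machine certificate only when withCert is true.
func (p *PKI) Fetch(url string, withCert bool) (string, error) {
	cfg := &tls.Config{RootCAs: p.CAPool, MinVersion: tls.VersionTLS12}
	if withCert { cfg.Certificates = []tls.Certificate{p.Machine} }
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(url)
	if err != nil { return "", err }
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo returns the page served to the machine-cert client and whether the client without a certificate was rejected (its handshake fails before any handler runs).
func Demo() (authed string, rejected bool, err error) {
	p, err := NewPKI()
	if err != nil { return "", false, err }
	srv := p.StartAdminUI()
	defer srv.Close()
	if authed, err = p.Fetch(srv.URL, true); err != nil { return "", false, err }
	_, noCertErr := p.Fetch(srv.URL, false)
	return authed, noCertErr != nil, nil
}

func main() {
	authed, rejected, err := Demo()
	if err != nil { panic(err) }
	fmt.Printf("with machine cert: %q; without it, rejected: %v\n", authed, rejected)
}
```

The server side is the whole point: ClientCAs names the CA the VPN already trusts for machine certificates, and RequireAndVerifyClientCert turns that into a hard gate at the TLS layer, so an unauthenticated client never reaches application code. The identity the handler reads from r.TLS.PeerCertificates is the one the handshake proved, which is what the VPN would otherwise have been providing.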