Apple Configurator 2 and VPN Shared Secrets (or “Higher Numbers Are Not Always Better.”)

Apple’s Configurator application (now Apple Configurator 2 because it’s an irrefutable rule that adding more numbers to things makes them intrinsically better) is an essential tool in the enterprising Mac IT persons’ toolbox. Initially it was designed as the way to build profiles that you’d put onto iPads, but it’s increasingly become a sort of multitool that you can use to build configuration profiles on an ad hoc basis, and even to resuscitate dead T2-enabled Macs.

It’s great, except that (as is the way of things) updates not only introduce fixes but occasionally add new and interesting problems. More specifically (and the reason I’m writing all of this nonsense) is that I spent a frustrating hour or two this week trying to work out why in the name of all that’s good and true Apple would see fit to remove the Shared Secret field from the VPN configuration portion of the Configurator. I’d been building config profiles to post on an intranet for a client, so imagine my surprise when instead of seeing a field where I could pop in the Shared Secret I saw… well. Nothing. Nothing at all. And that was a problem.

Do you see a field for the Shared Secret? No. You do not. Neither do I.

So, a problem. But every problem is a solution waiting to be discovered, and happily enough this one is the most enjoyable kind of head-scratcher; the kind that can be solved with a modicum of common sense and only minor trickery. Happier yet, the .config files generated by Apple Configurator are basically just Property List files that can be opened by a text editor and tweaked. It’s just a case of knowing what tweaks to make.

First, figuring out what to add to the .config file. The mysterious removal of the Shared Secret field showed up with the most recent version of Apple Configurator (2.12.1), but prior versions allowed you to set that configuration, so digging out an older .config file and opening it allows you to see what’s different, thus:

One of these is not like the other.

The older .config file (on the right) includes this text:

<key>IPSec</key>
<dict>
    <key>AuthenticationMethod</key>
    <string>SharedSecret</string>
    <key>PromptForVPNPIN</key>
    <false/>
    <key>OnDemandEnabled</key>
    <integer>0</integer>
    <key>SharedSecret</key>
    <data> encoded-shared-secret </data>
</dict>

So, copying that into the new, non-shared-secreted .config file should theoretically add the shared secret into the configuration. Great! There’s just one more piece of the puzzle – encoding the shared secret itself. There are websites out there that will allow you to plug in text and convert it to Base64, but it’s simple enough to do it via the Terminal. Let’s say your shared secret is… well, let’s just call it sharedsecretpassword:

echo -n 'sharedsecretpassword' | base64

Which will translate sharedsecretpassword to c2hhcmVkc2VjcmV0cGFzc3dvcmQ=

Edit the .config file thus:

<key>IPSec</key>
<dict>
    <key>AuthenticationMethod</key>
    <string>SharedSecret</string>
    <key>PromptForVPNPIN</key>
    <false/>
    <key>OnDemandEnabled</key>
    <integer>0</integer>
    <key>SharedSecret</key>
    <data> c2hhcmVkc2VjcmV0cGFzc3dvcmQ= </data>
</dict>

…hit “Save”, et voila. You’ll now have a functional VPN config file that can be deployed with the shared secret (even though Apple Configurator doesn’t seem to want you to).
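The same two steps (base64-encode the secret, drop the IPSec dictionary into the profile) done with a script rather than a text editor, as an added example that is not part of the original post and not Apple's or the Configurator's own code. It assumes the profile is the XML property list Configurator writes, with the VPN payload (PayloadType com.apple.vpn.managed) inside the PayloadContent array, which is where the IPSec dictionary belongs; the sample profile, the identifier com.example.vpn.PLACEHOLDER and the VPN name are constructed placeholders. Python's plistlib writes a bytes value as a <data> element and does the base64 step itself, so you never type the encoded string by hand. read_shared_secret shows the reverse trip: <data> is base64, which is an encoding and not encryption, so anyone who can read the .config file (say, from the intranet it is posted on) can read the shared secret, and the file needs to be protected accordingly.

```python
import base64
import plistlib

# Constructed sample: a minimal profile of the shape Apple Configurator
# exports, with the IPSec dictionary absent from the VPN payload.
# Identifier and names are placeholders, not real values.
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key>
      <string>com.example.vpn.PLACEHOLDER</string>
      <key>UserDefinedName</key>
      <string>Example VPN</string>
      <key>VPNType</key>
      <string>IPSec</string>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
</dict>
</plist>
"""

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def base64_for_plist(secret: str) -> str:
    """Same result as `echo -n 'secret' | base64` in the Terminal."""
    return base64.b64encode(secret.encode("utf-8")).decode("ascii")


def _vpn_payloads(profile: dict) -> list:
    """All VPN payloads in the profile's PayloadContent array (assumed layout)."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == VPN_PAYLOAD_TYPE]


def add_ipsec_shared_secret(profile_xml: bytes, secret: str) -> bytes:
    """Return a copy of the profile with the IPSec dictionary (the same keys
    the older Configurator wrote) added to every VPN payload."""
    profile = plistlib.loads(profile_xml)
    payloads = _vpn_payloads(profile)
    if not payloads:
        raise ValueError("no VPN payload found in profile")
    for payload in payloads:
        # plistlib serialises bytes as <data>...</data>, base64 included.
        payload["IPSec"] = {
            "AuthenticationMethod": "SharedSecret",
            "PromptForVPNPIN": False,
            "OnDemandEnabled": 0,
            "SharedSecret": secret.encode("utf-8"),
        }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def read_shared_secret(profile_xml: bytes):
    """Recover the shared secret from a profile, or None if it is not set.
    This works because <data> is base64: reversible encoding, not encryption."""
    profile = plistlib.loads(profile_xml)
    for payload in _vpn_payloads(profile):
        ipsec = payload.get("IPSec", {})
        if "SharedSecret" in ipsec:
            return ipsec["SharedSecret"].decode("utf-8")
    return None


if __name__ == "__main__":
    patched = add_ipsec_shared_secret(SAMPLE_PROFILE_XML, "sharedsecretpassword")
    print(patched.decode("utf-8"))
    print("recovered from the saved file:", read_shared_secret(patched))
```

To use it on a real export, read the .config file in binary mode, pass the bytes to add_ipsec_shared_secret, and write the returned bytes back out; plistlib raises on malformed XML rather than silently producing a half-edited profile, which a text-editor edit will not.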
