https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259803#M1286 <P>Hi Experts,</P><P>My customer would like to restrict macOS devices that are not joined to the AD domain from connecting to VPN through Endpoint Agent.</P><P>According to SK182226, I understand that it’s possible to configure relevant rules to achieve this control. However, I’m not sure which parameter specifically corresponds to the AD domain membership check.</P><P>If anyone has experience with this configuration, I’d really appreciate your guidance or advice.</P><P>Thank you in advance!</P> Tue, 14 Oct 2025 03:50:01 GMT Vanness_Chen 2025-10-14T03:50:01Z https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259803#M1286 <P>Hi Experts,</P><P>My customer would like to restrict macOS devices that are not joined to the AD domain from connecting to VPN through Endpoint Agent.</P><P>According to SK182226, I understand that it’s possible to configure relevant rules to achieve this control. However, I’m not sure which parameter specifically corresponds to the AD domain membership check.</P><P>If anyone has experience with this configuration, I’d really appreciate your guidance or advice.</P><P>Thank you in advance!</P> Tue, 14 Oct 2025 03:50:01 GMT https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259803#M1286 Vanness_Chen 2025-10-14T03:50:01Z https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259870#M1287 <P>&nbsp;Not sure if this makes sense, but here is AI response.</P> <P>Andy</P> <P>&nbsp;</P> <P>*****************<BR /><BR /></P> <P data-start="8" data-end="309">To achieve the desired control of restricting macOS devices that are not joined to the AD domain from connecting to the VPN through Endpoint Agent, you are on the right track by referencing the rules described in SK182226. This document outlines how to configure policies to enforce device compliance.</P> <P data-start="311" data-end="548">The key parameter you are looking for in this context is the <STRONG data-start="372" data-end="395">"Domain Membership"</STRONG> check. Specifically, you're aiming to check whether the macOS device is joined to your Active Directory domain, and if it's not, deny access to the VPN.</P> <P data-start="550" data-end="602">Here’s a rough outline of what you might need to do:</P> <OL data-start="604" data-end="1709"> <LI data-start="604" data-end="1006"> <P data-start="607" data-end="642"><STRONG data-start="607" data-end="642">Configure Endpoint Agent Rules:</STRONG></P> <UL data-start="646" data-end="1006"> <LI data-start="646" data-end="762"> <P data-start="648" data-end="762">Within the <STRONG data-start="659" data-end="688">Endpoint Security profile</STRONG>, you will configure rules to check the system's domain membership status.</P> </LI> <LI data-start="766" data-end="1006"> <P data-start="768" data-end="1006">The <STRONG data-start="772" data-end="796">AD Domain Membership</STRONG> check is generally based on the presence of specific domain-joined attributes (such as the domain, organizational unit, or computer name) on the device. This can be defined within the security policy settings.</P> </LI> </UL> </LI> <LI data-start="1008" data-end="1404"> <P data-start="1011" data-end="1041"><STRONG data-start="1011" data-end="1041">Custom Rule Configuration:</STRONG></P> <UL data-start="1045" data-end="1404"> <LI data-start="1045" data-end="1218"> <P data-start="1047" data-end="1218">In the relevant rule set, you can define a custom <STRONG data-start="1097" data-end="1120">"Domain Membership"</STRONG> condition that ensures that only devices joined to the AD domain can pass the VPN authentication.</P> </LI> <LI data-start="1222" data-end="1404"> <P data-start="1224" data-end="1404">The <STRONG data-start="1228" data-end="1241">AD Domain</STRONG> check will typically use the device’s hostname or domain information as a condition, ensuring that the endpoint meets the necessary domain membership requirement.</P> </LI> </UL> </LI> <LI data-start="1406" data-end="1709"> <P data-start="1409" data-end="1436"><STRONG data-start="1409" data-end="1436">Testing and Validation:</STRONG></P> <UL data-start="1440" data-end="1709"> <LI data-start="1440" data-end="1575"> <P data-start="1442" data-end="1575">After configuring the rules, make sure to test with devices that are both domain-joined and non-domain-joined to verify the behavior.</P> </LI> <LI data-start="1579" data-end="1709"> <P data-start="1581" data-end="1709">You can also leverage system logs on the Endpoint Agent to confirm that the domain membership check is correctly being enforced.</P> </LI> </UL> </LI> </OL> <P data-start="1711" data-end="2031">If your specific setup involves third-party VPN solutions or additional security layers, the exact parameter name or configuration might differ. That being said, I would recommend reviewing the most recent VPN and Endpoint Agent documentation from your vendor (if applicable) for any updates or specific syntax required.</P> Tue, 14 Oct 2025 23:15:30 GMT https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259870#M1287 the_rock 2025-10-14T23:15:30Z https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259873#M1288 <P>Hi Andy,</P><P>I’ve reviewed SK182226, which mentions that the SCV feature for macOS is supported, but it is disabled by default and requires the client to manually enable it (as described in Step 2).</P><P>Given this behavior, does it mean that we cannot use SCV to block unmanaged or unknown macOS devices in the current situation?</P><P>Also, does the SCVGlobalParams parameter — specifically "allow_non_scv_clients (false)" — apply to macOS clients as well?</P><P>According to this discussion thread:<BR /><span class="lia-unicode-emoji" title=":backhand_index_pointing_right:">👉</span> How to enable Secure Client Verification<BR /><A href="https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-enable-Secure-Client-Verification/td-p/131860" target="_blank">https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-enable-Secure-Client-Verification/td-p/131860</A></P><P>it seems there isn’t a clear or definitive answer.</P> Wed, 15 Oct 2025 02:36:28 GMT https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259873#M1288 Vanness_Chen 2025-10-15T02:36:28Z https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259875#M1289 <P>Yes, not 100% clear...I woukd definitely confirm with TAC.</P> <P>Andy</P> Wed, 15 Oct 2025 02:41:35 GMT https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259875#M1289 the_rock 2025-10-15T02:41:35Z https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259905#M1290 <P>Hi Vanness,</P> <P>I did a write up on how to enable domain membership checks via SCV for Windows Clients - I know you mentioned Macs but this should provide a good starting point.&nbsp; I know when I did it the first time I was wishing for slightly clearer documentation.</P> <P><A href="https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html" target="_blank">https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html</A></P> <P>-Ruan</P> <P>&nbsp;</P> Wed, 15 Oct 2025 10:46:07 GMT https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/259905#M1290 Ruan_Kotze 2025-10-15T10:46:07Z https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/260020#M1291 <P>Wow...EXCELLENT!</P> <P>&nbsp;</P> Thu, 16 Oct 2025 06:14:38 GMT https://community.checkpoint.com/t5/Mobile/Enable-SCV-in-Remote-Access-VPN-client-for-macOS/m-p/260020#M1291 the_rock 2025-10-16T06:14:38Z