VannessChen
Explorer

Enable SCV in Remote Access VPN client for macOS

Hi Experts,

My customer would like to restrict macOS devices that are not joined to the AD domain from connecting to VPN through Endpoint Agent.

According to SK182226, I understand that it’s possible to configure relevant rules to achieve this control. However, I’m not sure which parameter specifically corresponds to the AD domain membership check.

If anyone has experience with this configuration, I’d really appreciate your guidance or advice.

Thank you in advance!

0 Kudos
1 Solution

Accepted Solutions
Ruan_Kotze
MVP Gold
MVP Gold

Hi Vanness,

I did a write up on how to enable domain membership checks via SCV for Windows Clients - I know you mentioned Macs but this should provide a good starting point.  I know when I did it the first time I was wishing for slightly clearer documentation.

https://namitguy.blogspot.com/2020/04/implementing-secure-client-verification.html

-Ruan

 


(1)
5 Replies
the_rock
MVP Platinum
MVP Platinum

Not sure if this makes sense, but here is the AI response.

Andy

 

*****************

To achieve the desired control of restricting macOS devices that are not joined to the AD domain from connecting to the VPN through Endpoint Agent, you are on the right track by referencing the rules described in SK182226. This document outlines how to configure policies to enforce device compliance.

The key parameter you are looking for in this context is the "Domain Membership" check. Specifically, you're aiming to check whether the macOS device is joined to your Active Directory domain, and if it's not, deny access to the VPN.

Here’s a rough outline of what you might need to do:

  1. Configure Endpoint Agent Rules:

    • Within the Endpoint Security profile, you will configure rules to check the system's domain membership status.

    • The AD Domain Membership check is generally based on the presence of specific domain-joined attributes (such as the domain, organizational unit, or computer name) on the device. This can be defined within the security policy settings.

  2. Custom Rule Configuration:

    • In the relevant rule set, you can define a custom "Domain Membership" condition that ensures that only devices joined to the AD domain can pass the VPN authentication.

    • The AD Domain check will typically use the device’s hostname or domain information as a condition, ensuring that the endpoint meets the necessary domain membership requirement.

  3. Testing and Validation:

    • After configuring the rules, make sure to test with devices that are both domain-joined and non-domain-joined to verify the behavior.

    • You can also leverage system logs on the Endpoint Agent to confirm that the domain membership check is correctly being enforced.

If your specific setup involves third-party VPN solutions or additional security layers, the exact parameter name or configuration might differ. That being said, I would recommend reviewing the most recent VPN and Endpoint Agent documentation from your vendor (if applicable) for any updates or specific syntax required.

Best,
Andy
0 Kudos
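The outline above says the check "will typically use the device's hostname or domain information", but on a Mac the authoritative source for AD membership is the binding state reported by `dsconfigad -show`, not the hostname (which anyone can set). The following is an added example, not Check Point's own SCV code and not part of SK182226 or of any post in this thread: it parses the output of `dsconfigad -show` and decides whether the Mac is bound to one of an allowed set of domains, which is the logic a client-side domain-membership check would need. The sample outputs are constructed, the output format is assumed from memory of recent macOS releases (the real command on a given build may print slightly different labels), and the domain name and computer account are placeholders.

```python
"""Decide whether a Mac is bound to an allowed Active Directory domain.

Added example for the thread above; not Check Point's SCV implementation.
It parses the text printed by `dsconfigad -show` (a real macOS command),
but the exact output format below is an assumption from memory.
"""
import re
import subprocess

# Constructed sample: what a bound Mac is assumed to print.
SAMPLE_BOUND = """You are bound to Active Directory:
  Active Directory Forest          = corp.example.com
  Active Directory Domain          = corp.example.com
  Computer Account                 = mac-0417$

Advanced Options - User Experience
  Create mobile account at login   = Enabled
  Require confirmation             = Disabled
"""

# Constructed sample: what an unbound Mac is assumed to print.
SAMPLE_UNBOUND = "You are not bound to Active Directory.\n"

# "Key   = value" lines; the key may contain spaces, padding is discarded.
_KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<val>.*?)\s*$")


def parse_dsconfigad(output):
    """Return {key: value} from the binding block of `dsconfigad -show`.

    Returns {} when the first line does not announce a binding. Only the
    block up to the first blank line is parsed, so the "Advanced Options"
    sections (which use the same key = value layout) are ignored.
    """
    info = {}
    lines = output.splitlines()
    if not lines or not lines[0].strip().startswith("You are bound to Active Directory"):
        return info
    for line in lines[1:]:
        if not line.strip():
            break
        m = _KV_RE.match(line)
        if m:
            info[m.group("key").strip()] = m.group("val")
    return info


def evaluate(output, allowed_domains):
    """Return (verified, reason) for the given dsconfigad output.

    Verified only if the Mac is bound, the bound domain is in
    allowed_domains (case-insensitive), and a computer account is present
    (AD computer account names end in '$').
    """
    info = parse_dsconfigad(output)
    domain = info.get("Active Directory Domain", "").lower()
    if not domain:
        return False, "not bound to Active Directory"
    if domain not in {d.lower() for d in allowed_domains}:
        return False, "bound to unexpected domain %s" % domain
    account = info.get("Computer Account", "")
    if not account.endswith("$"):
        return False, "no computer account in binding info"
    return True, "bound to %s as %s" % (domain, account)


def run_live(allowed_domains):
    """Run the real command on the local Mac. Not executed by the tests."""
    proc = subprocess.run(["/usr/sbin/dsconfigad", "-show"],
                          capture_output=True, text=True, check=False)
    return evaluate(proc.stdout, allowed_domains)


if __name__ == "__main__":
    import sys
    # Usage: python3 check_ad_binding.py corp.example.com [other.domain ...]
    verified, reason = run_live(sys.argv[1:] or ["corp.example.com"])
    print(("VERIFIED: " if verified else "NOT VERIFIED: ") + reason)
    sys.exit(0 if verified else 1)
```

Two caveats for anyone wiring something like this into a VPN gate. First, the decision is made on the client, so it is only as trustworthy as the client that reports it; that is exactly why the `allow_non_scv_clients` question raised in this thread matters, because a client that never runs the check at all must still be refused on the gateway side. Second, binding state proves the machine has a computer account, not that the account is still enabled in AD; an offline Mac with a stale binding will still report itself as bound.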
VannessChen
Explorer

Hi Andy,

I’ve reviewed SK182226, which mentions that the SCV feature for macOS is supported, but it is disabled by default and requires the client to manually enable it (as described in Step 2).

Given this behavior, does it mean that we cannot use SCV to block unmanaged or unknown macOS devices in the current situation?

Also, does the SCVGlobalParams parameter — specifically "allow_non_scv_clients (false)" — apply to macOS clients as well?

According to this discussion thread:
👉 How to enable Secure Client Verification
https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-enable-Secure-Client-Verification/td-p/...

it seems there isn’t a clear or definitive answer.

the_rock
MVP Platinum
MVP Platinum

Yes, not 100% clear... I would definitely confirm with TAC.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum

Wow...EXCELLENT!

 

Best,
Andy
0 Kudos
