Beowulff_
Explorer

Block macOS access to the VPN client

Hi,
Is it possible to block any macOS machine from logging into the VPN client?
I have already verified sk182226, but it only works if you enable the compliance function when installing the client.
But in this case I need to block any macOS, even without the compliance function installed.

0 Kudos
9 Replies
PhoneBoy
Admin

You need to enable SCV and configure some Windows-specific checks.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

By default, SCV support is disabled for macOS, so SCV check should fail.
You can enable it and configure a specific policy with: https://support.checkpoint.com/results/sk/sk182226 

0 Kudos
Beowulff_
Explorer

Hello, thanks for the reply.
It's working fine on Windows.
I enabled the options for macOS, but if I don't enable the compliance option on the MAC endpoint, it won't allow clients that don't verify SCV to log in.
These are unmanaged MACs and I can't guarantee that they will enable the compliance option, so I wanted to block VPN access from any MAC. Would that be possible?
Attached is the SCV file I'm testing.

Tks

0 Kudos
PhoneBoy
Admin

It shouldn't matter if you enable Compliance on the Mac endpoint or not.
You've included Mac-specific checks in your local.scv file (the SCVPolicyMac and SCVNamesMac sections).
These should be removed if you do not want Macs to connect.

0 Kudos
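A way to confirm that a local.scv no longer carries the two Mac sections named in the reply above, as an added example that is not part of the thread and not Check Point code. It assumes the file uses the nested `:Name ( ... )` layout; the sample text and the check name `MacExampleCheck` are constructed for illustration.

```python
import re

# Section names come from the thread; everything else is an assumption.
MAC_SECTIONS = {"SCVNamesMac", "SCVPolicyMac"}

# Constructed sample, not a real policy. MacExampleCheck is a hypothetical name.
SAMPLE_SCV = """\
(SCVObject
    :SCVNames (
        : (WindowsSecurityMonitor
            :type (plugin)
        )
    )
    :SCVNamesMac (
        : (MacExampleCheck
            :type (plugin)
        )
    )
    :SCVPolicy (
        : (WindowsSecurityMonitor)
    )
    :SCVPolicyMac (
        : (MacExampleCheck)
    )
)
"""

def top_level_sections(text):
    """Return names of ':Name (' sections directly under the root object."""
    sections, depth = [], 0
    for m in re.finditer(r":(\w*)\s*\(|\(|\)", text):
        if m.group(0) == ")":
            depth -= 1
            continue
        # Only named sections one level below the root count as top-level.
        if depth == 1 and m.group(1):
            sections.append(m.group(1))
        depth += 1
    if depth != 0:
        raise ValueError("unbalanced parentheses in SCV text")
    return sections

def mac_sections_present(text):
    """List the Mac-specific sections still present in the policy text."""
    return sorted(MAC_SECTIONS.intersection(top_level_sections(text)))

if __name__ == "__main__":
    print(mac_sections_present(SAMPLE_SCV))
```

An empty list means neither Mac section remains at the top level of the file; it says nothing about how the gateway treats clients that skip SCV.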
Beowulff_
Explorer

Even after removing sessions (the SCVPolicyMac and SCVNamesMac), the MAC remains connected normally to the VPN.

New SCV file

0 Kudos
PhoneBoy
Admin

Please check that SCV is actually enabled in Global Properties and the option to ignore when the client doesn't support it is NOT checked as shown below.
Otherwise, I suggest engaging with TAC.

image.png

0 Kudos
the_rock
Legend

I never knew about the below options in access roles (IA blade needed to use), but maybe it's something that could work.

Andy

0 Kudos
Beowulff_
Explorer

Hello, thanks for the reply.
But I need to completely block MAC users from accessing the site, not even letting them log into the VPN.

Tks

0 Kudos
the_rock
Legend

K, understood. I don't know for sure how SCV would work in such an instance (never really tested it), but maybe worth checking with TAC. Let me do some tests in the lab and see how far I get.

Best,

Andy

0 Kudos
the_rock
Legend

This is what AI Copilot provided, though to me it seems very similar to the sk you mentioned.

Andy

****************************

To block macOS access to the VPN client, you can stop the Check Point VPN service and GUI process. Here are the steps to do this:

  1. Open the Terminal on the macOS endpoint computer.

  2. Stop the GUI process:

    sudo launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.checkpoint.eps.gui.plist
    
  3. Stop the Check Point VPN service:

    sudo launchctl bootout system /Library/LaunchDaemons/com.checkpoint.epc.service.plist
    

These commands will stop the Check Point VPN client from running on the macOS endpoint computer. If you need to start the services again, you can use the following commands:

  1. Start the GUI process:

    sudo launchctl bootstrap gui/$(id -u) /Library/LaunchAgents/com.checkpoint.eps.gui.plist
    
  2. Start the Check Point VPN service:

    sudo launchctl bootstrap system /Library/LaunchDaemons/com.checkpoint.epc.service.plist
    

This will re-enable the Check Point VPN client on the macOS endpoint computer.

0 Kudos
