The only problem with this approach (and of course it is the prescribed approach) is the unfriendly nature of it. I have often wondered why, when using the full endpoint management server, that there isn't a better way.
In an enterprise estate, there are several user classes (sales, technical, accounts, executives), and these may require different VPN configurations. There is not a simple way to create a VPN policy for these user communities from the central management point, and that seems very strange. One size fits all does not work in large estates.
For example, in our own business - I want my sales team to have an always-on configuration. They need to connect if they are out of the office, so I want to give them a sales VPN profile (ideally with transparent machine authentication because they are sales people). But our technical teams need to log on to a completely different VPN gateway, but they are technical and they know when they need a VPN and when they don't. They have access to customer systems from the VPN, so 2-factor authentication is preferable.
These user groups have config needs that are completely different and whilst I can manage a user base with 2 or 3 different trac.defaults configurations across around 40 machines, it's clunky and for no good reason. @PhoneBoy it's time for EndPoint to grow up a little more and remember that unlike gateways, endpoints are managed by the desktop team where clunky fixes to text files that are not accessible via the management interface are a blocker to acceptability and ultimately to sales success. Engineers may love to hate the "just edit this file in vi" type of SK, but frankly it's a killer for most endpoint administrators and needs to evolve. Can it be in R81 endpoint management please ? 😄
Long term technology addict and occasional Check Point consultant.