Wireguard is fabulous due to its speed, but there’s not much information available about how to deploy it using standard macOS tooling like MDM. In this case Mosyle MDM has a custom VPN profile, but it doesn’t support the method we need, so we have to build the profile in iMazing Profile Editor instead.
Luckily this tool DOES have a profile that supports Wireguard, but again <sad panda> there’s not much documentation…
Test Manually First!
I know I promised there’d be some Unifi content, but really, just poke it until it works; there’s nothing massively tricky about that part. But do test before spending time here: export a config file, add Wireguard to your test machine, import it and check it works. OK?
Comparing the example profile here with the first version of my iMazing profile, I’d made a lot of bad assumptions!
Now let’s figure out how to make config profiles for deployment.
iMazing Profile Manager Settings
Going from top to bottom, here are the iMazing Profile Editor settings you need to modify. Where a title contains ‘=’, the second term is the key name used by Wireguard or Apple.
PayloadDisplayName
– Should be ‘VPN’ according to the Wireguard docs, I think this is the item that iMazing Profile Editor automatically adds as ‘VPN#1’ at the top of the profile screen
UserDefinedName
– name of profile to show in macOS System Settings
Type
– Set this to ‘VPN (Vendor-Specific)’
VPNSubType
– for macOS set to ‘com.wireguard.macos’
– for iOS set to ‘com.wireguard.ios’
Wireguard Quick Config = VendorConfig
– when you add ‘com.wireguard.macos’ to ‘VPN Subtype’, a field will open up so you can paste into ‘Wireguard Quick Config’. Paste the config that you got from your UDM Pro.
Server = VPN/ RemoteAddress
– Paste the server IP (including port number) into the ‘Server’ field in iMazing Profile Editor, e.g. ‘123.123.123.123:51820’
AuthenticationMethod = ‘Password’
– Set the pop-up to ‘Password’ but don’t enter anything in the password field
Stuff that sorts itself out…
Tunnel Provider Type
– This doesn’t seem to be needed; leave it empty
PayloadType
– Should be com.apple.vpn.managed (seems to be added automatically when the other details are correct)
PayloadVersion
– Should be 1 (seems to be added automatically when the other details are correct)
PayloadIdentifier
– seems to be added automatically
PayloadUUID
– seems to be added automatically
VPNType
– seems to be added automatically
So you want the bad news? You’ll have to do this manually: every single one is unique. If you have any ideas around this or think it is scriptable, please let me know…
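Since the post closes by asking whether this is scriptable, here is an added example of my own (not code from the post, from WireGuard or from iMazing) that generates one .mobileconfig per client from a directory of wg-quick config files. It fills in the settings listed above: PayloadType com.apple.vpn.managed, VPNSubType com.wireguard.macos or com.wireguard.ios, AuthenticationMethod Password with no password, RemoteAddress taken from the [Peer] Endpoint (the ‘Server’ value the post says to paste), and the full config under VendorConfig. Two things are assumptions rather than facts from this post: the WgQuickConfig key name inside VendorConfig comes from the wireguard-apple MDM documentation, and com.example.wireguard is a placeholder identifier prefix. Check both against a profile exported from iMazing before relying on the output. The sample config at the bottom is constructed; the keys and endpoint are dummies.

```python
"""Generate one WireGuard .mobileconfig per wg-quick config file.

Added example, not from the original post. Key names follow the post's
settings plus the VendorConfig/WgQuickConfig layout documented for the
wireguard-apple MDM support (assumption: verify against an iMazing export).
"""
import plistlib
import uuid
from pathlib import Path

ORG_PREFIX = "com.example.wireguard"  # placeholder identifier prefix, not a real org


def parse_wg_quick(conf_text: str) -> dict:
    """Minimal INI-style parser for a wg-quick config -> {section: {key: value}}.
    Good enough to pull Endpoint and check PrivateKey is present; a repeated key
    keeps the last value, which is fine for those two fields."""
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            # split on the first '=' only: base64 keys end in '=' padding
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def build_profile(conf_text: str, display_name: str, platform: str = "macos") -> dict:
    """Build the plist dict for one client. RemoteAddress is taken from the
    [Peer] Endpoint, which is the 'Server' value the post says to paste in."""
    sections = parse_wg_quick(conf_text)
    if "PrivateKey" not in sections.get("Interface", {}):
        raise ValueError("config has no [Interface] PrivateKey")
    endpoint = sections.get("Peer", {}).get("Endpoint")
    if not endpoint:
        raise ValueError("config has no [Peer] Endpoint to use as RemoteAddress")

    payload_uuid = str(uuid.uuid4()).upper()
    vpn_payload = {
        "PayloadDisplayName": "VPN",
        "PayloadIdentifier": f"com.apple.vpn.managed.{payload_uuid}",
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": payload_uuid,
        "PayloadVersion": 1,
        "UserDefinedName": display_name,            # name shown in System Settings
        "VPNType": "VPN",
        "VPNSubType": f"com.wireguard.{platform}",  # com.wireguard.macos / .ios
        "VPN": {"AuthenticationMethod": "Password", "RemoteAddress": endpoint},
        # The whole wg-quick config, private key included, goes in verbatim.
        "VendorConfig": {"WgQuickConfig": conf_text},
    }
    profile_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadContent": [vpn_payload],
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"{ORG_PREFIX}.{profile_uuid}",
        "PayloadType": "Configuration",
        "PayloadUUID": profile_uuid,
        "PayloadVersion": 1,
    }


def write_profiles(conf_dir: Path, out_dir: Path, platform: str = "macos") -> list:
    """Turn every *.conf in conf_dir into a .mobileconfig in out_dir.
    Each file embeds that client's private key, so it is written mode 0600."""
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for conf in sorted(conf_dir.glob("*.conf")):
        profile = build_profile(conf.read_text(), f"WireGuard {conf.stem}", platform)
        target = out_dir / f"{conf.stem}.mobileconfig"
        target.write_bytes(plistlib.dumps(profile, fmt=plistlib.FMT_XML))
        target.chmod(0o600)
        written.append(target)
    return written


# Constructed sample config: the keys and endpoint are dummies, not real values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 203.0.113.10:51820
PersistentKeepalive = 25
"""

if __name__ == "__main__":
    print(plistlib.dumps(build_profile(SAMPLE_CONF, "WireGuard sample")).decode())
```

Run it as-is to print the sample profile, or call write_profiles(Path("confs"), Path("out")) on a folder of real UDM Pro exports to get one file per client. Each generated .mobileconfig carries that client’s private key in clear text inside WgQuickConfig, which is why the script chmods the output to 0600: treat the files as secrets, keep them off shared drives and chat, push them only through the MDM channel, and delete the local copies once they are uploaded.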