Enabling the booking of Teams meetings in Outlook on Mac

This issue had me scratching my head for a while: With the latest version of Microsoft Office and Microsoft Teams installed on my Mac running Catalina, I couldn’t enable the booking of Teams meetings from Outlook.

The solution turned out to be to remove the regular Office programs and replace them with Office 365. The official instructions for how to do that said to log on to https://www.office.com or to https://aka.ms/office-install. Well, tough luck: There was no way to find a download link there.

Instead, the correct way seems to be to download Microsoft 365 from the App Store. There was no obvious way to connect the Office suite to my work account, so I started Outlook and tried adding an account. This triggered a dialog offering to activate a trial or connect to an existing subscription, with the perhaps ill-chosen options Activate and Cancel. It turns out that if you press Activate, you get to choose whether you actually want to activate the trial or activate Microsoft 365 with an existing account.

While the gods of good UX and the Law of Least Astonishment cry alone in a cave, I now do have a button to schedule a Teams meeting in Outlook. If I only could get the Calendar and Datadog apps installed in Teams, my life would be complete…

Oh, and speaking of great user experience: Incoming calls in Teams on the Mac do not quite steal focus – thanks for that, at least – but they hog cmd+shift+D so that attempting to send a mail from Mail.app will decline the incoming call. That’s not a great design choice, Microsoft. Now why would anybody want to use Mail.app instead of Outlook? Simple: Snappiness and good search. I can accept jumping through some hoops for things I rarely do, if my day-to-day tasks aren’t nerfed by software that feels slow and bloated.

Trusting Palo Alto GlobalProtect to use a macOS machine certificate

On a managed Mac with a machine certificate, when the certificate is renewed, Palo Alto GlobalProtect will prompt for administrative credentials before connecting. This is because the executable isn’t allowed to directly read from the System keychain.

There’s a nice explanation and fix described on Palo Alto’s site, but in case that one goes missing, here’s the workaround:

Open the Keychain Access application and locate the Machine Certificate issued to Mac OS X Client in the System keychain.
Right-click on the private key associated with the certificate and click Get Info, then go to the Access Control tab.
Click ‘+’ to select an application to allow.
Press cmd+shift+G to open Go to Folder.
Enter ‘/Applications/GlobalProtect.app/Contents/Resources’ and click Go.
Find PanGPS, click it, and then press Add.
Save the changes to the private key.


IKEv2 IPsec VPN with pfSense and Apple devices

Part 2: Apple VPN clients

(Part 1)

In the first part, we configured the pfSense firewall to allow clients to establish secure VPN connections to it. Now we’ll look at what needs to be done to get the clients to actually connect.

Specifically, we’ll create an Apple configuration profile that we can deliver to devices that we want to use as VPN clients.

We’ll start by getting the necessary certificates.

CA and Server certificates

As usual with a PKI-based solution, we need to trust the Root certificate to trust any certificates signed by the Root. Then we need a copy of the Server certificate’s public key to be able to establish an encrypted connection to it from the client. The VPN host in this case already has the client’s public key since we generated the client key-pair locally on the host.

In System – Cert. manager, select the “CAs” tab. Next to the “mydomain VPN-root-CA [year-month]” certificate we created earlier, there’s a row of blue icons. We’re interested in the middle one, which represents a round seal. Press it, and your browser will download a .crt file named something like “mydomain+VPN-root-CA+[year-month].crt”.

Then select the “Certificates” tab and do the same for the server certificate we created earlier. You will now have an additional file called “mydomain+VPN-server+[year-month].crt” in your Downloads directory.

Now for the only bit of shell magic we’ll need to do:

Client certificate

In System – Cert. manager, select the “Certificates” tab. This time download both the certificate (represented by the round seal icon) and the private key (represented by a key icon). This will store “mydomain+VPN-client+[year-month].crt” and “mydomain+VPN-client+[year-month].key” in your Downloads directory.

Open a Terminal and run the following two commands:

$ cd ~/Downloads
$ openssl pkcs12 -export \
    -in mydomain+VPN-client+[year-month].crt \
    -inkey mydomain+VPN-client+[year-month].key \
    -out mydomain+VPN-client+[year-month].p12

You will be asked for an export passphrase. Generate a secure one and store it in your password manager along with the certificate files.

Create an Apple Configuration Profile

This step requires a Mac with Apple Configurator 2 installed.

Start the program and create a new profile. Store it as “[year-month]-mydomain.tld-VPN.mobileconfig”.

General

Name: mydomain.tld VPN
Identifier: [Reverse FQDN of the VPN gateway, e.g. “tld.mydomain.vpn”]
[The rest of the fields are optional]

Certificates

Using the “+” button, add the Root CA certificate (“mydomain+VPN-root-CA+[year-month].crt”), the Server certificate (“mydomain+VPN-server+[year-month].crt”), and the client certificate bundle we generated earlier (“mydomain+VPN-client+[year-month].p12”). When adding the latter, we also need to enter the export passphrase.

VPN

Connection Name: mydomain.tld VPN
Connection Type: IKEv2
Always-on VPN: Unchecked
Server: [The Common Name from the Server certificate]
Remote Identifier: [The Common Name from the Server certificate]
Local Identifier: [The Common Name from the Client certificate]
Machine Authentication: Certificate
Certificate Type: RSA
Server Certificate Issuer Common Name: [The Common Name from the Root CA]
Server Certificate Common Name: [The Common Name from the Server certificate]
Enable EAP: Checked
Disconnect on Idle: Optional – I have it set to Never
EAP Authentication: Certificate
Identity Certificate: Select your Client certificate
Dead Peer Detection Rate: Medium
[Note: The following checkboxes may be changed depending on requirements, but that is outside the scope for this article]
Disable redirects: Unchecked
Disable Mobility and Multihoming: Unchecked
Use IPv4 / IPv6 Internal Subnet Attributes: Unchecked
Enable perfect forward secrecy: Unchecked
Enable certificate revocation check: Unchecked

Select the “IKE SA Params” tab and fill in the following:
First set the Integrity Algorithm to SHA2-384
Then set the Encryption Algorithm to AES-256-GCM
Diffie-Hellman Group: 20
Lifetime In Minutes: 720
Proxy Setup: [Optional]

Select the “Child SA Params” tab and fill in the following:
First set the Integrity Algorithm to SHA2-256
Then set the Encryption Algorithm to AES-256-GCM
Diffie-Hellman Group: 20
Lifetime In Minutes: 60
Proxy Setup: [Optional]

Save the .mobileconfig.
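As an added example that is not part of the original post: the same profile built with Python’s plistlib, so the settings above (and the matching pfSense Phase 1 / Phase 2 proposals from Part 1) live in a script rather than being clicked into Apple Configurator 2. The payload keys follow Apple’s Configuration Profile Reference as I know them, the identifier prefix tld.mydomain.vpn and the display names are taken from the post, and the certificate arguments are assumed to be DER bytes (pfSense exports PEM .crt files; convert with openssl x509 -outform DER); check the keys against the current reference before deploying.

```python
import plistlib
import uuid

def new_uuid():
    return str(uuid.uuid4()).upper()

def cert_payload(kind, data, name, password=None):
    """One certificate payload: kind is 'root' (CA), 'pkcs1' (DER cert) or 'pkcs12' (bundle)."""
    payload = {"PayloadType": f"com.apple.security.{kind}", "PayloadVersion": 1,
               "PayloadUUID": new_uuid(), "PayloadIdentifier": f"tld.mydomain.vpn.{kind}",
               "PayloadDisplayName": name, "PayloadContent": data}  # bytes -> <data>
    if password is not None:
        payload["Password"] = password  # export passphrase chosen in the openssl pkcs12 step
    return payload

def build_profile(root_der, server_der, client_p12, p12_password, server_fqdn, client_cn, root_cn):
    """Three certificate payloads plus the IKEv2 payload, with the settings from the post."""
    certs = [cert_payload("root", root_der, "mydomain VPN-root-CA"),
             cert_payload("pkcs1", server_der, "mydomain VPN-server"),
             cert_payload("pkcs12", client_p12, "mydomain VPN-client", p12_password)]
    vpn = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1, "PayloadUUID": new_uuid(),
           "PayloadIdentifier": "tld.mydomain.vpn.ikev2", "PayloadDisplayName": "VPN",
           "UserDefinedName": "mydomain.tld VPN", "VPNType": "IKEv2",
           "IKEv2": {"RemoteAddress": server_fqdn, "RemoteIdentifier": server_fqdn,
                     "LocalIdentifier": client_cn,
                     "AuthenticationMethod": "Certificate", "CertificateType": "RSA",
                     "ExtendedAuthEnabled": 1,  # EAP on, matching pfSense's EAP-TLS Phase 1
                     "PayloadCertificateUUID": certs[2]["PayloadUUID"],  # the client .p12
                     "ServerCertificateIssuerCommonName": root_cn,
                     "ServerCertificateCommonName": server_fqdn,
                     "DeadPeerDetectionRate": "Medium",
                     "DisableRedirect": 0, "DisableMOBIKE": 0, "EnablePFS": 0,
                     "UseConfigurationAttributeInternalIPSubnet": 0,
                     "EnableCertificateRevocationCheck": 0,
                     # IKE SA / Child SA parameters mirror the pfSense Phase 1 / Phase 2 proposals
                     "IKESecurityAssociationParameters": {
                         "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-384",
                         "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 720},
                     "ChildSecurityAssociationParameters": {
                         "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
                         "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 60}}}
    return {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": new_uuid(),
            "PayloadIdentifier": "tld.mydomain.vpn", "PayloadDisplayName": "mydomain.tld VPN",
            "PayloadContent": certs + [vpn]}

def to_mobileconfig(profile):
    """Serialise to the XML plist that Configurator would have written."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Read the three certificate files as bytes, pass them to build_profile together with the export passphrase, the gateway FQDN, the client Common Name and the Root CA Common Name, and write to_mobileconfig(...) to the .mobileconfig file.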

Using the profile

macOS

The profile can be installed on a Mac by double-clicking the file and entering administrative credentials to allow it to install. When installed, System Preferences – Network will contain a new “network device” called mydomain.tld VPN, with a padlock as an icon. It’s possible to start the VPN connection from here. It’s also possible to check the “Show VPN status in menu bar” checkbox, and manage the VPN by clicking the resulting icon.

iOS

The simplest way to install the profile on an iOS device is by mailing it and tapping the file from within Mail. After providing the device password to allow system changes, there will be a new “mydomain.tld VPN” profile in Settings – VPN. Select it and change Status to Connected.

Conclusion

We have enabled a simple and secure way to reach our home network and to reach the Internet via a known and trusted gateway from our Apple devices even when on the move.
With the proper client configuration, the same principles should be applicable to a client running any modern operating system.

IKEv2 IPsec VPN with pfSense and Apple devices

Part 1: pfSense configuration

For a long time I’ve been content running a simple SSH gateway into my network, since I was severely bandwidth-limited.

The connection was secured in a number of ways I consider a sort of best practice: no remote login for the root account, key-based (as opposed to password-based) login, and a custom port, which doesn’t add any security per se but which let me avoid the most common hammering from Asian botnets looking for a way in.

However now that I have a good connection, I have some use for accessing more bandwidth-hungry services from home – or, for that matter, to redirect my Internet traffic via my home when surfing the web over insecure Internet connections.

Here’s the first part of a howto that works with pfSense 2.4, macOS High Sierra (10.13), and iOS 11:

Certificates

The first thing we need is a set of certificates for mutual authentication and encryption between the clients and the VPN endpoint. We’ll start the process on the pfSense box:

CA Certificate

In System – Cert. manager, choose the “CAs” tab and Add a CA certificate.

Descriptive name: mydomain VPN-root-CA [year-month]
Method: Create an internal Certificate Authority
Key length: 2048
Digest algorithm: SHA256
Lifetime (Days): 3650
[Fill in everything down to but not including Common Name]
Common Name: mydomain.tld-vpnrootca

Save the certificate.

Server certificate

In System – Cert. manager, choose the “Certificates” tab and Add/Sign a Server certificate.

Method: Create an internal Certificate
Descriptive name: mydomain VPN-server [year-month]
Certificate Authority: mydomain.tld-vpnrootca
Key length: 2048
Digest algorithm: SHA256
Lifetime (Days): 3650
[….]
Common name: [FQDN of VPN gateway]
Certificate type: Server certificate
Alternative names: Type: FQDN or Hostname; Value: [FQDN of VPN gateway]

NB! Do not forget to add an Alternative name even if it’s identical to the Common name!

Save the certificate.

Client certificate

In System – Cert. manager, choose the “Certificates” tab and Add/Sign a User certificate.

Method: Create an internal Certificate
Descriptive name: mydomain VPN-client [year-month]
Certificate Authority: mydomain.tld-vpnrootca
Key length: 2048
Digest algorithm: SHA256
Lifetime (Days): 3650
[….]
Common name: vpnclient.mydomain.tld
Certificate type: User certificate
Alternative names: Type: FQDN or Hostname; Value: vpnclient.mydomain.tld

NB! Do not forget to add an Alternative name even if it’s identical to the Common name!

Save the certificate.

VPN configuration

Mobile Client settings

In VPN – IPsec, choose the “Mobile clients” tab and fill in the following values:

IKE Extensions: Enable IPsec mobile client support – Checked
User Authentication: Source: Local Database
Group Authentication: Source: system
Virtual Address Pool: Provide a virtual IP address to clients – checked
Network configuration for Virtual Address Pool: 10.200.250.0/24
Provide a virtual IPv6 address to clients: Unchecked
Provide a list of accessible networks to clients: Unchecked
Allow clients to save Xauth passwords (Cisco VPN client only): Unchecked
Provide a default domain name to clients: Checked
Specify domain as DNS Default Domain: mydomain.tld
Provide a list of split DNS domain names to clients: Unchecked
Provide a DNS server list to clients: Checked
[Fill in your DNS servers]
Provide a WINS server list to clients: Unchecked
Provide the Phase2 PFS group to clients: Unchecked
Provide a login banner to clients: Unchecked

Save the settings.

Phase 1 settings

In VPN – IPsec, choose the “Tunnels” tab and Add P1.

Disabled: Unchecked
Key Exchange version: IKEv2
Internet Protocol: IPv4
Interface: WAN
Description: IKEv2 Phase 1
Authentication Method: EAP-TLS
My identifier: Distinguished Name; [Common Name of your Server certificate]
Peer identifier: Any
My Certificate: [Descriptive Name of your Server certificate]
Peer Certificate Authority: [Descriptive Name of your CA certificate]
Encryption Algorithm: AES256-GCM
Key length: 128 bits
Hash: SHA384
DH Group: 20 (nist ecp384)
Lifetime (Seconds): 28800
Disable rekey: Unchecked
Margintime (Seconds): 20
Disable Reauth: Unchecked
Responder Only: Checked
MOBIKE: Enable
Split connections: Unchecked
Dead Peer Detection: Checked
Delay: 10
Max failures: 5

Save the settings.

Phase 2 settings

In VPN – IPsec, choose the “Tunnels” tab, Show Phase 2 Entries, and Add P2.

Disabled: Unchecked
Mode: Tunnel IPv4
Local Network: Type: Network
Address: 0.0.0.0/0
NAT/BINAT translation: None
Description: IKEv2 Phase 2
Protocol: ESP
Encryption Algorithms: Check AES256-GCM/128 bits only
Hash Algorithms: Check SHA256 only
PFS key group: 20 (nist ecp384)
Lifetime: 3600
Automatically ping host: [empty]

Save the settings.

Firewall settings

In Firewall – Rules, choose the “IPsec” tab and Add a rule. In this case we’re not interested in limiting traffic, so it will be an “allow all” type rule:

Action: Pass
Disabled: Unchecked
Interface: IPsec
Address Family: IPv4
Protocol: Any
Source: Any
Destination: Any
Log: Unchecked
Description: Allow all VPN traffic to anywhere.

Save the firewall rule.

This is it for the firewall configuration. In the next part (Part 2) we’ll export the certificates and set up an Apple Configurator config for iOS and macOS devices.