Global Protect Man in the Middle

How mobile device management can work from a VPN client

Published: Thursday, Sep 30, 2021 Last modified: Friday, Dec 3, 2021

I have aur/globalprotect-openconnect installed to access my employer’s VPN.

However it’s not clear that the MacOS version installs Microsoft Intune, which basically is able to do anything on your system.

Now you know that a VPN is a gateway to MDM aka remote administration, aka your computing environment effectively in the control of a third party.

Another two avenues of giving up control, is to install of “Anti-Virus software” and an Enterprise requiring you install a root certificate authority for “fixing internal SSL”. Unfortunately the way SSL currently works is that any root certificate can facilitate MitM attack.

Sidenote: DNSSEC probably won’t fix this issue as now you would have to trust DNS responses. What is needed is some system cross referencing with Certificate Transparency services to catch nefariously issued certificates and then black list that Certificate Authority!

Currently it’s rather painful to track nefarious third party CAs once they are in your trusted store.