The customer is trying to do the following:
He wants to do this because he is trying to trigger a job such as a GPUPDATE, which should only run if the endpoint is on the VPN.
ITMS 8.x
Currently, the Symantec Management Agent doesn't do that. When the connection type changes, all the agent does is send basic inventory after 3 minutes. There are no triggers that can be used to run tasks like that. The agent does detect the network change (from an outside connection to VPN or local network, and vice versa):
Network '{91E05679-2467-4BE9-844C-0CAADD8F3BB3}' added
-----------------------------------------------------------------------------------------------------
Network '{91E05679-2467-4BE9-844C-0CAADD8F3BB3}' connectivity changed to 0x00000003
-----------------------------------------------------------------------------------------------------
IPv4 address change detected
-----------------------------------------------------------------------------------------------------
VPN connection detected
-----------------------------------------------------------------------------------------------------
IP addresses information changed.
-----------------------------------------------------------------------------------------------------
Physical connection established, send basic inventory in 1800 seconds
-----------------------------------------------------------------------------------------------------
But there is no condition that lets a job or policy run only when the agent detects that it is connected via VPN. Jobs and policies run by schedule or by detection checks (whether something is missing or present):
Policy {9152BAF9-FE30-4370-B9EE-716F02947B9E}GlobalProtect 5.2.12 - Install, job task {Index = 0, State = NotStarted, Status = Detected, LastCheckTime = 10-20 03:19:28 -6:00, LastRealRunTime = 10-19 08:22:21 -6:00} due at: 10/20/2022 8:01:00 AM
-----------------------------------------------------------------------------------------------------
It would be possible to target the IP address range of the VPN. The filter could be something like IP Address Like '10.10.%'. Then, when the agent sends Basic Inventory, the system would be placed in that filter, causing the agent to get the job. Of course, the user would need to stay on the VPN until the agent got the policy. The delays would be: the time from receiving Basic Inventory until the next Resource Membership Update runs, and then the time until the client subsequently updates its Configuration.
Admins may target systems on the VPN with a more frequent Configuration Update schedule, set up in the Targeted Agent Settings. 15 minutes may be appropriate for these systems, depending on the circumstances.
This is a very good case for setting up CEM so that agents can connect when they are on or off VPN.