How to create a separate "area/desktop" that's quarantined when logged into a customer's VPN for work?

questionwonder

macrumors member
Original poster
May 6, 2013
70
10
Question - I want to keep my personal machine and anything I do separate from what might happen while logged into my work's VPN. Is there a way to create a different desktop/partition/etc. that is separate/quarantined from all my personal stuff AND what I might do on my personal computer that can't be shared or spied on when I'm connected to my client's VPN?

I want a different "desktop" or something with all my work stuff, where the VPN will be working...so that if I start doing something on my personal computer that I don't want to be seen by my company, they won't.

I'm aware I can install Windows or MacOS as a VM and just run everything from the VM, BUT I have a pretty old machine (MacBook Air 2013) and I've installed Win VMs on it in the past and they work ok, but my 1.7GHz/8GB RAM isn't the best machine for this situation.

I'm also aware I can create a partition with MacOS and use the 2nd partition for all my work. BUT then I have to start and restart my machine to switch between the two, right??? Sounds kinda cumbersome, especially if I want to go back and forth multiple times a day or hour!

Situation -
The client I'm doing consulting for, as a software engineer, has allowed me to install FortiClient VPN on my personal computer (MacBook Air 2013) and use it to get on their network to do work. Awesome! The desktop in their office they provided was slow and non-portable. :(

I use -
Visual Studio
Visual Studio Code
Azure Data Studio
Postman
SSMS
Bitbucket repo
plus anything else I will need in the future but haven't installed yet
I can also MS RDP into my desktop on site
 

MacUser2525

macrumors 68000
Mar 17, 2007
1,948
290
Canada
I am failing to see the problem. With any of that software that I have used, you are in a separate windowed program accessing the remote machine. This already has you doing what you wish: all local is done by you on your machine without anyone seeing it, the remote is done in the window connected to the machine worked on. Only thing in common is you can do both from the one machine. You can always add a second user and switch between the accounts, keeping one for personal and the other for the remote, but I see this being pretty useless when you need access to files present on the personal account but not in the remote account.
 

questionwonder

Hi.
Maybe I didn't explain my concern very well.
When I use the VPN to do work, I'm working on my personal machine (personal software - Visual Studio Code). I'm not RDP'ing into my workplace desktop. My concern is that I might forget to disconnect from the VPN when I finish (~6PM) and then start browsing the internet and doing personal things on my machine, while still connected to the VPN. Should I be concerned about this?

I was looking for a way to keep some kind of separation from what I do personally and what I do professionally without installing a VM (my machine can't handle it) or creating a new partition to use.

I don't know that much about MacOS partitions so I'm not sure if I would be able to use both simultaneously without restarting to get into each one?

Now that I'm writing this, I'm wondering if I can create a docker of MacOS and use that to VPN into work and have all my work stuff just in the docker?
 

jtara

macrumors 68000
Mar 23, 2009
1,911
491
You’ve described a VM.

Even that won’t offer the separation you are asking for unless properly configured. That is, it needs to use only encrypted storage dedicated to the VM, not connect to your base system storage via network share, etc.

But really since you don’t trust yourself - you should use a completely separate machine. Make sure you put a big red sticky note on the work one to remind you where you are typing.
 

questionwonder

Haha! That's funny...
Ya, I guess there really isn't a solution unless I want to VM it.
I was just trying to think outside the box.
 

jtara

Maybe just a separate user would be sufficient. You would have to log in/out but you could use “fast switching”.

Normally apps install in /Applications though, but perhaps this is ok. Apps typically store data under the user's directory. But you do have an Applications directory under each user and could install apps there.

I dunno what isolation options you might have if you use homebrew and homebrew cask. They will normally install globally. As well as App Store. But unsure if this is a real issue for you.

If you use e.g. npm or rvm, they DO normally install per-user, not globally.

Is there any good reason to route globally through the VPN? Route to the internal office resources through VPN but leave default route direct to your ISP. Internet access is likely to be frustratingly slow over the VPN anyway. If you need to access say some Cloud/offsite services that do IP filtering to ensure the connection comes from your work IP block, you might have to do some additional routing. (Actually do this even if off-site resources don’t do IP filtering, so that the connections are going through company firewall and so more compliant with security policy.)

Use IKEv2 if available; it will be fastest.

In any case DO set a different background, so that you are clear where you are.

Yes, 8GB is light for a VM. Indeed it’s light for running Visual Studio or any big build.
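
Added example (not part of any post in this thread): a shell check for the routing suggestion above, telling you whether the default route currently goes through the VPN or only specific networks do. It also covers the case where a client installs two /1 routes instead of replacing the default. It assumes the tunnel appears as a `utun*`, `ppp*` or `ipsec*` interface; the routing tables are constructed samples.

```shell
#!/bin/sh
# Classify an IPv4 routing table read from stdin, e.g.:
#   netstat -rn -f inet | vpn_route_mode
# Assumption: the VPN tunnel shows up as a utun*, ppp* or ipsec* interface.
vpn_route_mode() {
    awk '
        NF >= 4 {
            tun = 0
            # Netif is column 4 or 6 depending on macOS version, so scan for it.
            for (i = 4; i <= NF; i++)
                if ($i ~ /^(utun|ppp|ipsec)[0-9]+$/) tun = 1
            if (!tun) next
            routes++
            if ($1 == "default") full = 1      # everything goes to the VPN
            if ($1 == "0/1")     low = 1       # two /1 routes together cover all
            if ($1 == "128.0/1") high = 1      # of IPv4 and outrank "default"
        }
        END {
            if (full || (low && high)) print "full-tunnel"
            else if (routes > 0)       print "split-tunnel"
            else                       print "no-vpn"
        }'
}

# Constructed sample tables (not captured from a real machine).
SPLIT_TABLE='Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
10.20/16           10.212.134.1       UGSc          ppp0
192.168.1          link#4             UCS            en0'

FULL_TABLE='Destination        Gateway            Flags        Netif Expire
default            10.212.134.1       UGSc          ppp0
default            192.168.1.1        UGScI          en0
192.168.1          link#4             UCS            en0'

HALVES_TABLE='Destination        Gateway            Flags        Netif Expire
0/1                10.8.0.1           UGSc         utun2
default            192.168.1.1        UGSc           en0
128.0/1            10.8.0.1           UGSc         utun2'

for t in "$SPLIT_TABLE" "$FULL_TABLE" "$HALVES_TABLE"; do
    printf '%s\n' "$t" | vpn_route_mode
done
```

With "split-tunnel", personal browsing leaves through the ISP while only the listed office networks use the VPN; with "full-tunnel", all traffic crosses the client's network while connected.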
 

questionwonder

Hi Jtara.
"Route to the internal office resources through VPN but leave default route direct to your ISP."
How would I do this with FortiClient? Is it something the server admin will have to configure on their end?
 