We have recently found that the IP address ranges used to detect whether a client is "On-site" or not are only checked for the first network adapter (you can see this in the S2HubTracelog.log). VPN connectivity is most often via a virtual network adapter which is not the primary network adapter, so using the VPN range to detect if a device is on-site or not does not work well (at all) in most scenarios.
From a software licensing perspective we have at least one application for which we are only licensed to run it if you are physically on-site so having the VPN as part of the "on-site" detection isn't ideal anyway.
We have lots of software that will work when off-site but on VPN (requiring an on-prem license server is the most common scenario here) but we have to either make it available to all devices, regardless of being on-site or not, which doesn't work well as not everyone has VPN connectivity, meaning there are lots of available apps that can be launched that will fail due to lack of connectivity to license servers.
I suppose I'm asking for two different things in this request...
1 - Check more than the first network adapter for specified IP ranges. It is quite possible for a device to have both a wired and wireless adapter when on-site which could break the current detection method depending on how they are connected. This would allow us to add the VPN IP ranges to the on-site detection (we would have to do SOMETHING else to block other unlicensed software in this scenario).
2 - Have a "VPN Connected" detection alongside the "On-site" detection which has a specific set of IP ranges. This would allow us to correctly scope and limit applications based on license type, license restriction and device connectivity. In this scenario you would want to be able to say if device is "On-site" and / or "On VPN" rather than require one or the other or both.
I note that this request is similar (but different) to this one...
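The two behaviours requested above, sketched as an added example that is not part of the original post and not the product's own code: every adapter's addresses are checked, and "On-site" and "On VPN" are reported as independent flags. The IP ranges, adapter lists and licence requirement names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed example ranges (assumptions, not from any real deployment).
ONSITE_RANGES = [ip_network("10.20.0.0/16"), ip_network("10.21.0.0/16")]
VPN_RANGES = [ip_network("172.16.50.0/24")]

def _in_ranges(addr, ranges):
    """True if addr parses as an IP address and falls inside any range."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False  # skip malformed or non-IP adapter entries
    return any(ip in net for net in ranges)

def classify(adapters, first_only=False):
    """adapters: ordered list of (name, [address strings]).
    first_only=True reproduces the behaviour the post describes
    (only the first adapter is checked)."""
    considered = adapters[:1] if first_only else adapters
    state = {"on_site": False, "on_vpn": False, "matched": []}
    for name, addrs in considered:
        for addr in addrs:
            if _in_ranges(addr, ONSITE_RANGES):
                state["on_site"] = True
                state["matched"].append((name, addr, "on_site"))
            if _in_ranges(addr, VPN_RANGES):
                state["on_vpn"] = True
                state["matched"].append((name, addr, "on_vpn"))
    return state

def may_launch(state, requirement):
    """Hypothetical licence scopes: 'onsite_only' (physically on-site),
    'license_server' (on-site or VPN reaches the server), 'anywhere'."""
    if requirement == "onsite_only":
        return state["on_site"]
    if requirement == "license_server":
        return state["on_site"] or state["on_vpn"]
    return requirement == "anywhere"

# Constructed adapter lists: a home user on VPN, and an on-site laptop
# whose first adapter (wireless) only holds a link-local address.
HOME_VPN = [("Wi-Fi", ["192.168.1.23"]), ("VPN Virtual Adapter", ["172.16.50.14"])]
ONSITE_DUAL = [("Wi-Fi", ["169.254.10.5"]), ("Ethernet", ["10.20.4.77"])]

if __name__ == "__main__":
    for label, adapters in (("home+vpn", HOME_VPN), ("on-site dual", ONSITE_DUAL)):
        print(label, classify(adapters, first_only=True), classify(adapters))
```

Keeping the VPN ranges out of `ONSITE_RANGES` is what lets an on-site-only licence stay blocked for VPN users while licence-server applications remain available to them.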