We created a web portal with SAML authentication that provisions and manages WireGuard profiles on our edge locations. Employees have to log into the portal to obtain a WireGuard configuration, and their configuration(s) are removed when their profile is deprovisioned in the IdP. It’s much easier to support than OpenVPN was - much easier to support, and the WireGuard client for mobile (at least iOS) just works, whereas the OpenVPN client for iOS was a nightmare to set up.
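An added example, not the commenter's portal code, of the deprovisioning step described above: compare the peers live on an edge interface with the portal's profile table and the IdP's active users, then plan the removals. The profile table, the active-user set, the placeholder keys and the interface name `wg0` are assumptions; `wg show <interface> peers` and `wg set <interface> peer <key> remove` are the standard `wg(8)` commands.

```python
"""Plan WireGuard peer removals after users are deprovisioned in the IdP."""

# Constructed sample data. Keys are placeholders, not real WireGuard keys.
PORTAL_PROFILES = {  # hypothetical portal table: peer public key -> owner
    "PLACEHOLDER_KEY_ALICE_LAPTOP=": "alice@example.com",
    "PLACEHOLDER_KEY_ALICE_PHONE=": "alice@example.com",
    "PLACEHOLDER_KEY_BOB_LAPTOP=": "bob@example.com",
}
IDP_ACTIVE_USERS = {"Alice@example.com"}  # bob has been deprovisioned
WG_SHOW_PEERS = """\
PLACEHOLDER_KEY_ALICE_LAPTOP=
PLACEHOLDER_KEY_BOB_LAPTOP=
PLACEHOLDER_KEY_UNKNOWN=
"""  # shaped like the output of `wg show wg0 peers` (one public key per line)


def parse_live_peers(output):
    """Return the public keys listed by `wg show <interface> peers`."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def plan_removals(profiles, active_users, live_peers):
    """Return (public_key, reason) for each live peer that must be removed."""
    active = {user.lower() for user in active_users}
    removals = []
    for key in live_peers:
        owner = profiles.get(key)
        if owner is None:
            # A peer on the edge with no portal record has no accountable owner.
            removals.append((key, "orphan: no portal profile"))
        elif owner.lower() not in active:
            removals.append((key, f"owner deprovisioned: {owner}"))
    return removals


def stale_profiles(profiles, active_users):
    """Portal rows to delete so a removed user cannot fetch the config again."""
    active = {user.lower() for user in active_users}
    return sorted(k for k, owner in profiles.items() if owner.lower() not in active)


def removal_commands(removals, interface="wg0"):
    """Build argv lists (no shell string interpolation) for each removal."""
    return [["wg", "set", interface, "peer", key, "remove"] for key, _ in removals]


if __name__ == "__main__":
    plan = plan_removals(PORTAL_PROFILES, IDP_ACTIVE_USERS, parse_live_peers(WG_SHOW_PEERS))
    for (key, reason), argv in zip(plan, removal_commands(plan)):
        print(f"{reason}: {' '.join(argv)}")
```

Running the reconciliation on a schedule, in addition to reacting to the IdP event, catches peers that were missed while an edge location was unreachable.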