
Re: [LUG] Macs & VPNs

 

Urm, what he said.

We use a Mac VPN. I looked REALLY hard at the start of the year to replace Tunnelblick and OpenVPN, and didn't.

I too wanted to replace it with something configuring the native VPN clients, so it would be easily driven via MDM and not introduce more software (we struggle vainly against introducing attack surface). 

I naively hoped the Cisco-supplied IPsec clients might be the solution. Where I found free software IPsec VPN servers (the kind of thing router makers will use), when it worked it negotiated appalling cryptographic characteristics with the Cisco clients Apple ships; in fairness this is probably the server, as Cisco to Cisco is good. So unless using expensive enterprise VPNs with iffy security history (and why would you?), forget the native clients.

I did like VMware Tunnel (proprietary), although it's quite unlike other VPNs and very much fits the BYOD (ouch) type model, but the Mac agent only configures Safari Domains (e.g. a glorified web proxy currently).

Reasons I liked VMware Tunnel:

Well-thought-out deployment: you configure it in the console, download two XML files and one JAR file and install these (if you can't use a prebuilt server).

You can configure Enterprise fail-over really easily. 

The admin is designed to be delegable to people who are deploying end user devices. 

It's per-app VPN on mobile, so you can constrain access to identified apps.

By default, out-of-compliance devices are blocked.

As soon as the Mac client starts doing network traffic work we will switch.

But VMware Tunnel is not like a normal VPN: configuration is per domain, not IP based (apparently driven by mobile APIs). So it feels like a BeyondCorp style model, although just a VPN under the hood.

It's much nicer than the rest of AirWatch :(

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq