pdf icon
Category Filter
x

Virtual Private Network(VPN)

A Virtual Private Network(VPN) as the name suggests establishes a logical private tunnel on the Internet, to ensure only authorized users can access confidential web resources of the organization, from any network. VPN ensures all the device-web resource communication happens on a secure channel preventing any kind of unauthorized access. VPN also boosts productivity as it ensures employees can work from anywhere, without worrying about lack of access to specific resource/data. With mobile devices extensively becoming a part of corporate productivity, it has become mandatory for IT admins to configure on VPN on mobile devices, which can be easily and efficiently done using MDM.

VPN profiles applied to devices provisioned as Profile Owner will ensure only the traffic from the apps distributed using MDM is routed through the VPN. VPN will not be applied to the apps outside the container.

Supported VPN types

The following VPN types are supported by MDM:

VPN TYPE SAMSUNG NON-SAMSUNG ADDITIONAL REQUIREMENT(S), IF ANY
LEGACY PROFILE OWNER DEVICE OWNER
PPTP Supported from Android 4.3 None
L2TP PSK Supported from Android 4.3 None
IPSec XAuth PSK Supported from Android 4.3 None
IPSec IKEv2 PSK Supported from Android 4.3 None
Cisco AnyConnect Supported from Android 6.0/Knox version 5.7 or more Cisco AnyConnect app must be installed on the device. Automate installation of this app
F5 SSL Supported from Android 6.0/Knox version 5.7 or more F5 Access app must be installed on the device. Automate installation of this app
Pulse Secure Supported from Android 6.0/Knox version 5.7 or more Pulse Secure app must be installed on the device. Automate installation of this app
Palo Alto Supported from Android 6.0/Knox version 5.7 or more Palo Alto app must be installed on the device. Automate installation of this app

Profile Details

To configure a VPN policy, you need to configure certain common parameters and parameters specific to a VPN type. To know the parameters to be configured for a particular VPN type, click on the VPN type name from the tabs given

PPTP
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
PPTP-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
Allow new addition of VPNs Specify the additional VPNs can be configiured or not
Allow modification of configured VPNs Specify whether the configured VPNs can be modified by device users or not
L2TP
Profile Specification

Description

COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
L2TP-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
Shared secret Specify the pre-shared secret
L2TP Secret Key Specify whether L2TP secret key is to be enabled or not.
Secret Key Specify the L2TP secret key.
Allow new addition of VPNs Specify the additional VPNs can be configiured or not
Allow modification of configured VPNs Specify whether the configured VPNs can be modified by device users or not
IPSec XAuth
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
IPSec XAuth-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
Shared secret Specify the pre-shared secret
Allow new addition of VPNs Specify the additional VPNs can be configiured or not
Allow modification of configured VPNs Specify whether the configured VPNs can be modified by device users or not
IPSec Identifier Name of the group on the VPN server, to which the user is assigned.
IPSec IKEv2
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
IPSec IKEv2-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
Shared secret Specify the pre-shared secret
Allow new addition of VPNs Specify the additional VPNs can be configiured or not
Allow modification of configured VPNs Specify whether the configured VPNs can be modified by device users or not
IPSec Identifier Name of the group on the VPN server, to which the user is assigned.
CISCO ANYCONNECT
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
CISCO ANYCONNECT-SPECIFIC PARAMETERS
Connection Protocol Specify the protocol type to be used for establishing and/or maintaining the connection
Authentication Type Specify the proctocol to govern the authentication during connection establishment
IKE Identity Specify the infromation used to uniquely identify a user connection
FIPS mode Specify whether the VPN connection/communication is governed by FIPS-compliant protocols.
Strict Mode Specify whether Strict mode is to be enabled, for secure establishment of VPN connection
Allowed Apps List of apps which can utilize this VPN connection
Identity Certificate Specify the identity certificate to be used for certificate-based authentication.
Always On By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.
VPN Lockdown When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.
F5 SSL
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
F5 SSL-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
FIPS mode Specify whether the VPN connection/communication is governed by FIPS-compliant protocols.
Allowed Apps List of apps permitted to utilize this VPN connection
Identity Certificate Specify the identity certificate to be used for certificate-based authentication.
Web logon mode If enabled, it lets the device user connect to VPN through a web browser.
Client certificate password Password for the client certificate, which is used for authentication.
Bypass Apps List of apps which can bypass the VPN connection
Allow users to configure VPN Enable/Disable configuring of VPN by users
Modify configured VPN Enable/Disable modification of previously configured VPN by users
Restriction Message to be displayed Specify the message shown to the users, on restriction
Always On By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.
VPN Lockdown When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.
PULSE SECURE
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
PULSE SECURE-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
Alternate user name Specify the alternate user name, associated with the device user
Realm Specify the authentication realm. An authentication realm specifies the criteria users must comply with, to use the VPN service. It is a grouping of authentication resources, including authentication server, authentication policy etc., This is usually done by the network administrators.
Role Specify the user role. A user role is an entity defining user session parameters(such as session settings), personalization settings(such as bookmarks) and other enabled access features. For example, a user role may define whether or not a user can perform Web browsing.
Allowed Apps List of apps permitted to utilize this VPN connection
Authentication Type Specify the proctocol to govern the authentication during connection establishment
Action on Profile Specify the whether the profile is to be created/deleted
Make this configuration default Specify whether this profile is to be made default or not.
Route Type Specify whether the VPN is to be applied to the device or to applications.
Machine Authentication Enabling this automatically establishes connection on user login and the connection is maintained till the user logs off.
Identity Certificate Specify the identity certificate to be used for certificate-based authentication.
Always On By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.
VPN Lockdown When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.
PALO ALTO
Profile Specification Description
COMMON PARAMETERS
Connection Name Specify the name, which needs to be displayed as the VPN name on the end user's mobile device
Connection Type The VPN type, to be provisioned on the device
Server Name / IP Address Host name or IP address of the VPN server
PALO ALTO-SPECIFIC PARAMETERS
User Name The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details
Password Specify the password to be used for authentication
Allowed Apps List of apps permitted to utilize this VPN connection
Identity Certificate Specify the identity certificate to be used for certificate-based authentication.
Client certificate password Password for the client certificate, which is used for authentication.
Route Type Specify whether the VPN is to be applied to the device or to applications.
Remove VPN profile, via restrictions Enable/Disable restrictions removing the distributed VPN profile.
Always On By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.
VPN Lockdown When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.

Always On VPN:

Enabling Always On VPN helps maintain a persistent connection between the managed devices and their organizational network, without the need for the users to manually connect to the VPN every time. Always On VPN can be configured only for devices provisioned as Device Owner.

Identity certificate
An Identity certificate can be uploaded to secure VPN. The device must be password protected for this to function. The following VPN vendors allow securing VPN using a certificate:

  • Cisco Any Connect
  • F5SSL
  • Pulse Secure

To configure certificate,

  1. Create a VPN profile.
  2. Select the Connection type.
  3. Under Authentication settings, select 'certificate based authentication' and upload the required certificate.
  4. If your organization needs support for any other VPN vendors, please add it here
Jump To

    Related Articles