Virtual Private Network (VPN)

A Virtual Private Network (VPN), as the name suggests, establishes a logical private tunnel over the Internet so that only authorized users can access the organization's confidential web resources from any network. A VPN ensures that all communication between the device and the web resource happens over a secure channel, preventing unauthorized access. A VPN also boosts productivity, as employees can work from anywhere without worrying about losing access to specific resources or data. With mobile devices becoming an extensive part of corporate productivity, it has become mandatory for IT admins to configure VPN on mobile devices, which can be done easily and efficiently using MDM.

VPN On-Demand

When a VPN profile is configured on a device, users have to turn on VPN in the device settings every time before accessing secured corporate data. Since VPN runs over Wi-Fi or cellular data, VPN connectivity turns off automatically every time the device loses connectivity with the Internet, and users have to turn it on manually again to reach corporate data. To overcome this, you can choose VPN On-Demand. As the name signifies, VPN connectivity is established only when specific data requires it, and the user need not turn VPN on manually.

You have to specify the domains for which VPN should be turned on. You can add multiple domains, separated by commas. The table below lists the inputs to be provided on the product server to configure VPN for mobile devices.
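
As an added illustration (not code from the product or from this documentation), the sketch below turns a comma-separated domain list like the one described above into the on-demand rules fragment of an Apple configuration profile. It assumes the iOS VPN payload keys OnDemandEnabled, OnDemandRules, EvaluateConnection and ConnectIfNeeded; the function names and sample domains are hypothetical, and rejecting single-label or wildcard entries is this example's own policy.

```python
import plistlib
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domains(raw):
    """Split the comma-separated input and reject unusable entries."""
    domains = []
    for item in raw.split(","):
        name = item.strip().lower().rstrip(".")
        if not name:
            continue  # tolerate trailing commas and doubled commas
        labels = name.split(".")
        # Example policy (an assumption): require at least two labels so a
        # bare TLD such as "com" cannot trigger the VPN for almost every host.
        if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
            raise ValueError(f"not a usable on-demand domain: {item!r}")
        if name not in domains:
            domains.append(name)  # de-duplicate, keep the admin's order
    if not domains:
        raise ValueError("no domains given")
    return domains


def on_demand_rules(raw):
    """Build rules that bring the VPN up only for the listed domains."""
    return [
        {
            "Action": "EvaluateConnection",
            "ActionParameters": [
                {"Domains": parse_domains(raw), "DomainAction": "ConnectIfNeeded"}
            ],
        }
    ]


def to_plist(raw):
    """Serialize the on-demand fragment of the VPN payload as plist XML."""
    fragment = {"OnDemandEnabled": 1, "OnDemandRules": on_demand_rules(raw)}
    return plistlib.dumps(fragment)


if __name__ == "__main__":
    # Constructed sample input, not taken from the page.
    print(to_plist("intranet.example.com, wiki.example.com,").decode())
```
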

The following built-in VPN connection types are supported by MDM:

In addition to the above-mentioned built-in VPNs, Mobile Device Manager Plus also supports the following plug-in VPNs. These VPNs require an additional app to be installed on the devices.

NOTE: These apps can also be configured over-the-air using the App Configurations feature.

Pulse Secure VPN, Cisco AnyConnect Legacy, Cisco AnyConnect New and F5 SSL require the corresponding third-party app (Pulse Secure, Cisco AnyConnect Legacy, Cisco AnyConnect New and F5 BIG-IP Edge Client respectively) to be installed on the device for setting up the VPN configuration. Click here to know more about App Distribution and click here to know how to install apps silently on iOS devices.

Using certificates for authentication

In addition to configuring VPN on the managed devices, MDM also provides you with the option of provisioning VPN on the devices using a certificate as the means of authentication. Authentication plays a major role in establishing a VPN connection, and a certificate is generally considered to be a much more secure form of authentication than a pre-shared key. Further, in large VPN networks, managing a large number of pre-shared keys can be cumbersome, and certificates are a much more scalable alternative. Additionally, pre-shared keys are bound to an IP address but certificates are not, so remote users with a dynamically assigned IP address can authenticate using the identification information contained in the certificate. You can configure certificates as explained here and distribute them on a large scale as explained here.

The following documents will help you configure Cisco AnyConnect on your mobile devices:

Profile Details

To configure a VPN policy, you need to configure certain common parameters and parameters specific to a VPN type. To know the parameters to be configured for a particular VPN type, click on the VPN type name from the tabs given.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

PPTP-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Allow new addition of VPNs

Specify whether additional VPNs can be configured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

L2TP-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Shared secret

Specify the pre-shared secret

L2TP Secret Key

Specify whether L2TP secret key is to be enabled or not.

Secret Key

Specify the L2TP secret key.

Allow new addition of VPNs

Specify whether additional VPNs can be configured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

IPSec XAuth-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Shared secret

Specify the pre-shared secret

Allow new addition of VPNs

Specify whether additional VPNs can be configured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

IPSec Identifier

Name of the group on the VPN server, to which the user is assigned.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

IPSec IKEv2-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Shared secret

Specify the pre-shared secret

Allow new addition of VPNs

Specify whether additional VPNs can be configured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

IPSec Identifier

Name of the group on the VPN server, to which the user is assigned.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

CISCO ANYCONNECT-SPECIFIC PARAMETERS

Connection Protocol

Specify the protocol type to be used for establishing and/or maintaining the connection

Authentication Type

Specify the protocol to govern the authentication during connection establishment

IKE Identity

Specify the information used to uniquely identify a user connection

Always On

Enabling this automatically establishes connection on user login and the connection is maintained till the user logs off.

FIPS mode

Specify whether the VPN connection/communication is governed by FIPS-compliant protocols.

Strict Mode

Specify whether Strict mode is to be enabled, for secure establishment of VPN connection

Allowed Apps

List of apps which can utilize this VPN connection

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

F5 SSL-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

FIPS mode

Specify whether the VPN connection/communication is governed by FIPS-compliant protocols.

Allowed Apps

List of apps permitted to utilize this VPN connection

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Web logon mode

If enabled, it lets the device user connect to VPN through a web browser.

Client certificate password

Password for the client certificate, which is used for authentication.

Bypass Apps

List of apps which can bypass the VPN connection

Allow users to configure VPN

Enable/Disable configuring of VPN by users

Modify configured VPN

Enable/Disable modification of previously configured VPN by users

Restriction Message to be displayed

Specify the message shown to the users, on restriction

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

PULSE SECURE-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Alternate user name

Specify the alternate user name, associated with the device user

Realm

Specify the authentication realm. An authentication realm specifies the criteria users must comply with to use the VPN service. It is a grouping of authentication resources, including the authentication server, authentication policy, etc. This is usually done by the network administrators.

Role

Specify the user role. A user role is an entity defining user session parameters (such as session settings), personalization settings (such as bookmarks) and other enabled access features. For example, a user role may define whether or not a user can perform Web browsing.

Allowed Apps

List of apps permitted to utilize this VPN connection

Authentication Type

Specify the protocol to govern the authentication during connection establishment

Action on Profile

Specify whether the profile is to be created/deleted

Make this configuration default

Specify whether this profile is to be made default or not.

Route Type

Specify whether the VPN is to be applied to the device or to applications.

Always On

Enabling this automatically establishes connection on user login and the connection is maintained till the user logs off.

Machine Authentication

Enabling this automatically establishes connection on user login and the connection is maintained till the user logs off.

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

PALO ALTO-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Allowed Apps

List of apps permitted to utilize this VPN connection

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Client certificate password

Password for the client certificate, which is used for authentication.

Route Type

Specify whether the VPN is to be applied to the device or to applications.

Remove VPN profile, via restrictions

Enable/Disable restrictions removing the distributed VPN profile.

Copyright © 2018, ZOHO Corp. All Rights Reserved.
ManageEngine