Virtual Private Network (VPN)
A Virtual Private Network (VPN), as the name suggests, establishes a logical private tunnel over the Internet so that only authorized users can access the organization's confidential web resources, from any network. A VPN ensures that all communication between the device and web resources happens over a secure channel, preventing unauthorized access. It also boosts productivity, since employees can work from anywhere without losing access to specific resources or data. With mobile devices becoming an integral part of corporate productivity, IT admins must configure VPN on mobile devices, which can be done easily and efficiently using MDM.
VPN profiles applied to devices provisioned as Profile Owner ensure that only the traffic from apps distributed using MDM is routed through the VPN. The VPN is not applied to apps outside the container.
Supported VPN types
The following VPN types are supported by MDM:

| VPN TYPE | SAMSUNG | NON-SAMSUNG: LEGACY | NON-SAMSUNG: PROFILE OWNER | NON-SAMSUNG: DEVICE OWNER | ADDITIONAL REQUIREMENT(S), IF ANY |
|---|---|---|---|---|---|
| PPTP | Supported from Android 4.3 | | | | None |
| L2TP PSK | Supported from Android 4.3 | | | | None |
| IPSec XAuth PSK | Supported from Android 4.3 | | | | None |
| IPSec IKEv2 PSK | Supported from Android 4.3 | | | | None |
| Cisco AnyConnect | Supported from Android 6.0/Knox version 5.7 or more | | | | Cisco AnyConnect app must be installed on the device. Automate installation of this app |
| F5 SSL | Supported from Android 6.0/Knox version 5.7 or more | | | | F5 Access app must be installed on the device. Automate installation of this app |
| Pulse Secure | Supported from Android 6.0/Knox version 5.7 or more | | | | Pulse Secure app must be installed on the device. Automate installation of this app |
| Palo Alto | Supported from Android 6.0/Knox version 5.7 or more | | | | Palo Alto app must be installed on the device. Automate installation of this app |
Profile Details
To configure a VPN policy, you need to configure certain common parameters as well as parameters specific to the VPN type. The parameters to be configured for each VPN type are listed below.
PPTP

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| PPTP-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| Allow new addition of VPNs | Specify whether additional VPNs can be configured by device users or not |
| Allow modification of configured VPNs | Specify whether the configured VPNs can be modified by device users or not |
L2TP

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| L2TP-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| Shared secret | Specify the pre-shared secret |
| L2TP Secret Key | Specify whether the L2TP secret key is to be enabled or not. |
| Secret Key | Specify the L2TP secret key. |
| Allow new addition of VPNs | Specify whether additional VPNs can be configured by device users or not |
| Allow modification of configured VPNs | Specify whether the configured VPNs can be modified by device users or not |
IPSec XAuth

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| IPSec XAuth-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| Shared secret | Specify the pre-shared secret |
| Allow new addition of VPNs | Specify whether additional VPNs can be configured by device users or not |
| Allow modification of configured VPNs | Specify whether the configured VPNs can be modified by device users or not |
| IPSec Identifier | Name of the group on the VPN server to which the user is assigned. |
IPSec IKEv2

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| IPSec IKEv2-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| Shared secret | Specify the pre-shared secret |
| Allow new addition of VPNs | Specify whether additional VPNs can be configured by device users or not |
| Allow modification of configured VPNs | Specify whether the configured VPNs can be modified by device users or not |
| IPSec Identifier | Name of the group on the VPN server to which the user is assigned. |
CISCO ANYCONNECT

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| CISCO ANYCONNECT-SPECIFIC PARAMETERS | |
| Connection Protocol | Specify the protocol type to be used for establishing and/or maintaining the connection |
| Authentication Type | Specify the protocol that governs authentication during connection establishment |
| IKE Identity | Specify the information used to uniquely identify a user connection |
| FIPS mode | Specify whether the VPN connection/communication is governed by FIPS-compliant protocols. |
| Strict Mode | Specify whether Strict mode is to be enabled, for secure establishment of the VPN connection |
| Allowed Apps | List of apps which can utilize this VPN connection |
| Identity Certificate | Specify the identity certificate to be used for certificate-based authentication. |
| Always On | Enabling this forces the configured VPN connection to always be on, without the user having to start it after every device restart. Always On can be configured only for devices provisioned as Device Owner. |
| VPN Lockdown | When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data. VPN Lockdown can be configured only when Always On is enabled. |
F5 SSL

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| F5 SSL-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| FIPS mode | Specify whether the VPN connection/communication is governed by FIPS-compliant protocols. |
| Allowed Apps | List of apps permitted to utilize this VPN connection |
| Identity Certificate | Specify the identity certificate to be used for certificate-based authentication. |
| Web logon mode | If enabled, lets the device user connect to the VPN through a web browser. |
| Client certificate password | Password for the client certificate used for authentication. |
| Bypass Apps | List of apps which can bypass the VPN connection |
| Allow users to configure VPN | Enable/Disable configuration of VPN by users |
| Modify configured VPN | Enable/Disable modification of previously configured VPNs by users |
| Restriction Message to be displayed | Specify the message shown to users when a restriction applies |
| Always On | Enabling this forces the configured VPN connection to always be on, without the user having to start it after every device restart. Always On can be configured only for devices provisioned as Device Owner. |
| VPN Lockdown | When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data. VPN Lockdown can be configured only when Always On is enabled. |
PULSE SECURE

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| PULSE SECURE-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| Alternate user name | Specify the alternate user name associated with the device user |
| Realm | Specify the authentication realm. An authentication realm specifies the criteria users must comply with to use the VPN service. It is a grouping of authentication resources, including the authentication server, authentication policy, etc. This is usually set up by the network administrators. |
| Role | Specify the user role. A user role is an entity defining user session parameters (such as session settings), personalization settings (such as bookmarks) and other enabled access features. For example, a user role may define whether or not a user can perform web browsing. |
| Allowed Apps | List of apps permitted to utilize this VPN connection |
| Authentication Type | Specify the protocol that governs authentication during connection establishment |
| Action on Profile | Specify whether the profile is to be created or deleted |
| Make this configuration default | Specify whether this profile is to be made the default or not. |
| Route Type | Specify whether the VPN is to be applied to the device or to applications. |
| Machine Authentication | Enabling this automatically establishes the connection on user login, and the connection is maintained until the user logs off. |
| Identity Certificate | Specify the identity certificate to be used for certificate-based authentication. |
| Always On | Enabling this forces the configured VPN connection to always be on, without the user having to start it after every device restart. Always On can be configured only for devices provisioned as Device Owner. |
| VPN Lockdown | When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data. VPN Lockdown can be configured only when Always On is enabled. |
PALO ALTO

| Profile Specification | Description |
|---|---|
| COMMON PARAMETERS | |
| Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device |
| Connection Type | The VPN type to be provisioned on the device |
| Server Name / IP Address | Host name or IP address of the VPN server |
| PALO ALTO-SPECIFIC PARAMETERS | |
| User Name | The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details |
| Password | Specify the password to be used for authentication |
| Allowed Apps | List of apps permitted to utilize this VPN connection |
| Identity Certificate | Specify the identity certificate to be used for certificate-based authentication. |
| Client certificate password | Password for the client certificate used for authentication. |
| Route Type | Specify whether the VPN is to be applied to the device or to applications. |
| Remove VPN profile, via restrictions | Enable/Disable restrictions on removing the distributed VPN profile. |
| Always On | Enabling this forces the configured VPN connection to always be on, without the user having to start it after every device restart. Always On can be configured only for devices provisioned as Device Owner. |
| VPN Lockdown | When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data. VPN Lockdown can be configured only when Always On is enabled. |
Always On VPN:
Enabling Always On VPN maintains a persistent connection between the managed devices and the organizational network, without users having to connect to the VPN manually every time. Always On VPN can be configured only for devices provisioned as Device Owner.
Identity certificate
An identity certificate can be uploaded to secure the VPN. The device must be password protected for this to function. The following VPN vendors allow securing the VPN with a certificate:
- Cisco AnyConnect
- F5 SSL
- Pulse Secure
To configure a certificate:
- Create a VPN profile.
- Select the Connection type.
- Under Authentication settings, select 'certificate based authentication' and upload the required certificate.
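The profile tables above and the Always On and Identity certificate sections state several constraints that an admin must satisfy before a VPN profile can be pushed: vendor-app types need the vendor app installed, Always On is available only to Device Owner devices, VPN Lockdown needs Always On, certificate-based authentication is available only for the three listed vendors and only on a password-protected device, and under Profile Owner only MDM-distributed apps are routed. The following pre-flight check encodes those rules so a profile can be validated before distribution. It is an added example, not the MDM product's own code: the dictionary layout, the field names (`connection_type`, `always_on`, `vpn_lockdown`, `identity_certificate`, `provisioning_mode`, `managed_apps`) and the functions `validate_profile`, `routed_apps` and `expand_username` are assumptions made for illustration; the sample device and profile are constructed.

```python
"""Pre-flight validation of an MDM VPN profile against the rules this page states.

Added example, not the MDM product's own code. The dictionary layout, the field
names and the function names are assumptions made for illustration.
"""
from __future__ import annotations

# VPN types in the support table that require a vendor app on the device.
VENDOR_APP_REQUIRED = {
    "Cisco AnyConnect": "Cisco AnyConnect",
    "F5 SSL": "F5 Access",
    "Pulse Secure": "Pulse Secure",
    "Palo Alto": "Palo Alto",
}
# Built-in Android VPN types from the support table (no vendor app needed).
BUILT_IN_TYPES = {"PPTP", "L2TP PSK", "IPSec XAuth PSK", "IPSec IKEv2 PSK"}
# Types for which the page says an identity certificate can secure the VPN.
CERT_AUTH_TYPES = {"Cisco AnyConnect", "F5 SSL", "Pulse Secure"}
PROVISIONING_MODES = {"Legacy", "Profile Owner", "Device Owner"}


def expand_username(value: str, enrollment: dict) -> str:
    """Resolve the %username% dynamic variable from the enrollment details."""
    return value.replace("%username%", enrollment["username"])


def validate_profile(profile: dict, device: dict) -> list[str]:
    """Return the rule violations; an empty list means the profile can be applied."""
    errors: list[str] = []
    vpn_type = profile.get("connection_type")
    mode = device.get("provisioning_mode")

    if mode not in PROVISIONING_MODES:
        errors.append(f"unknown provisioning mode: {mode!r}")
    for field in ("connection_name", "server"):  # common parameters
        if not profile.get(field):
            errors.append(f"common parameter missing: {field}")

    if vpn_type in VENDOR_APP_REQUIRED:
        app = VENDOR_APP_REQUIRED[vpn_type]
        if app not in device.get("installed_apps", ()):
            errors.append(f"{vpn_type} requires the {app} app to be installed")
    elif vpn_type not in BUILT_IN_TYPES:
        errors.append(f"unsupported VPN type: {vpn_type!r}")

    # Always On is only for Device Owner devices; Lockdown only with Always On.
    if profile.get("always_on") and mode != "Device Owner":
        errors.append("Always On can be configured only for Device Owner devices")
    if profile.get("vpn_lockdown") and not profile.get("always_on"):
        errors.append("VPN Lockdown requires Always On")

    # Certificate-based authentication: listed vendors only, device must be
    # password protected.
    if profile.get("identity_certificate"):
        if vpn_type not in CERT_AUTH_TYPES:
            errors.append(f"{vpn_type} does not support certificate-based authentication")
        if not device.get("password_protected"):
            errors.append("identity certificate requires a password-protected device")
    return errors


def routed_apps(profile: dict, device: dict) -> set[str]:
    """Apps whose traffic goes through this VPN.

    Under Profile Owner only MDM-distributed (managed) apps are routed; an
    Allowed Apps list, where the VPN type has one, narrows the set further.
    """
    candidates = set(profile.get("allowed_apps") or device["installed_apps"])
    if device.get("provisioning_mode") == "Profile Owner":
        candidates &= set(device.get("managed_apps", ()))
    return candidates


# Constructed sample data for a stand-alone run (placeholder names and host).
SAMPLE_DEVICE = {
    "provisioning_mode": "Profile Owner",
    "password_protected": False,
    "installed_apps": ["Cisco AnyConnect", "com.example.mail", "com.example.social"],
    "managed_apps": ["Cisco AnyConnect", "com.example.mail"],
}
SAMPLE_PROFILE = {
    "connection_name": "Corp VPN",
    "connection_type": "Cisco AnyConnect",
    "server": "vpn.example.com",
    "user_name": "%username%",
    "always_on": True,
    "vpn_lockdown": True,
    "identity_certificate": "corp-user.p12",
}

if __name__ == "__main__":
    for problem in validate_profile(SAMPLE_PROFILE, SAMPLE_DEVICE):
        print("violation:", problem)
    print("routed apps:", sorted(routed_apps(SAMPLE_PROFILE, SAMPLE_DEVICE)))
    print("user:", expand_username(SAMPLE_PROFILE["user_name"], {"username": "jdoe"}))
```

Run against the constructed sample, the check reports two violations (Always On on a Profile Owner device, and a certificate on a device without a passcode) and shows that only the two managed apps would be routed through the VPN; re-provisioning the device as Device Owner and enforcing a passcode clears both.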