Virtual Private Network(VPN)

A Virtual Private Network(VPN) as the name suggests establishes a logical private tunnel on the Internet, to ensure only authorized users can access confidential web resources of the organization, from any network. VPN ensures all the device-web resource communication happens on a secure channel preventing any kind of unauthorized access. VPN also boosts productivity as it ensures employees can work from anywhere, without worrying about lack of access to specific resource/data. With mobile devices extensively becoming a part of corporate productivity, it has become mandatory for IT admins to configure on VPN on mobile devices, which can be easily and efficiently done using MDM.

VPN profiles applied to devices provisioned as Profile Owner will ensure only the traffic from the apps distributed using MDM is routed through the VPN. VPN will not be applied to the apps outside the container.

Supported VPN types

The following VPN types are supported by MDM:

VPN TYPE SAMSUNG NON-SAMSUNG ADDITIONAL REQUIREMENT(S), IF ANY
CORE ANDROID/LEGACY PROFILE OWNER DEVICE OWNER
PPTP Supported from Android 4.3 None
L2TP PSK Supported from Android 4.3 None
IPSec XAuth PSK Supported from Android 4.3 None
IPSec IKEv2 PSK Supported from Android 4.3 None
Cisco AnyConnect Supported from Android 6.0/Knox version 5.7 or more Cisco AnyConnect app must be installed on the device. Automate installation of this app
F5 SSL Supported from Android 6.0/Knox version 5.7 or more F5 Access app must be installed on the device. Automate installation of this app
Pulse Secure Supported from Android 6.0/Knox version 5.7 or more Pulse Secure app must be installed on the device. Automate installation of this app
Palo Alto Supported from Android 6.0/Knox version 5.7 or more Palo Alto app must be installed on the device. Automate installation of this app

Profile Details

To configure a VPN policy, you need to configure certain common parameters and parameters specific to a VPN type. To know the parameters to be configured for a particular VPN type, click on the VPN type name from the tabs given

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

PPTP-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Allow new addition of VPNs

Specify the additional VPNs can be configiured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

L2TP-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Shared secret

Specify the pre-shared secret

L2TP Secret Key

Specify whether L2TP secret key is to be enabled or not.

Secret Key

Specify the L2TP secret key.

Allow new addition of VPNs

Specify the additional VPNs can be configiured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

IPSec XAuth-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Shared secret

Specify the pre-shared secret

Allow new addition of VPNs

Specify the additional VPNs can be configiured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

IPSec Identifier

Name of the group on the VPN server, to which the user is assigned.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

IPSec IKEv2-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Shared secret

Specify the pre-shared secret

Allow new addition of VPNs

Specify the additional VPNs can be configiured or not

Allow modification of configured VPNs

Specify whether the configured VPNs can be modified by device users or not

IPSec Identifier

Name of the group on the VPN server, to which the user is assigned.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

CISCO ANYCONNECT-SPECIFIC PARAMETERS

Connection Protocol

Specify the protocol type to be used for establishing and/or maintaining the connection

Authentication Type

Specify the proctocol to govern the authentication during connection establishment

IKE Identity

Specify the infromation used to uniquely identify a user connection

FIPS mode

Specify whether the VPN connection/communication is governed by FIPS-compliant protocols.

Strict Mode

Specify whether Strict mode is to be enabled, for secure establishment of VPN connection

Allowed Apps

List of apps which can utilize this VPN connection

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Always On

By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.

VPN Lockdown

When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

F5 SSL-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

FIPS mode

Specify whether the VPN connection/communication is governed by FIPS-compliant protocols.

Allowed Apps

List of apps permitted to utilize this VPN connection

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Web logon mode

If enabled, it lets the device user connect to VPN through a web browser.

Client certificate password

Password for the client certificate, which is used for authentication.

Bypass Apps

List of apps which can bypass the VPN connection

Allow users to configure VPN

Enable/Disable configuring of VPN by users

Modify configured VPN

Enable/Disable modification of previously configured VPN by users

Restriction Message to be displayed

Specify the message shown to the users, on restriction

Always On

By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.

VPN Lockdown

When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

PULSE SECURE-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Alternate user name

Specify the alternate user name, associated with the device user

Realm

Specify the authentication realm. An authentication realm specifies the criteria users must comply with, to use the VPN service. It is a grouping of authentication resources, including authentication server, authentication policy etc., This is usually done by the network administrators.

Role

Specify the user role. A user role is an entity defining user session parameters(such as session settings), personalization settings(such as bookmarks) and other enabled access features. For example, a user role may define whether or not a user can perform Web browsing.

Allowed Apps

List of apps permitted to utilize this VPN connection

Authentication Type

Specify the proctocol to govern the authentication during connection establishment

Action on Profile

Specify the whether the profile is to be created/deleted

Make this configuration default

Specify whether this profile is to be made default or not.

Route Type

Specify whether the VPN is to be applied to the device or to applications.

Machine Authentication

Enabling this automatically establishes connection on user login and the connection is maintained till the user logs off.

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Always On

By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.

VPN Lockdown

When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.

Profile Specification

Description

COMMON PARAMETERS

Connection Name

Specify the name, which needs to be displayed as the VPN name on the end user's mobile device

Connection Type

The VPN type, to be provisioned on the device

Server Name / IP Address

Host name or IP address of the VPN server

PALO ALTO-SPECIFIC PARAMETERS

User Name

The user to whom this VPN configuration is to be applied. Using the dynamic variable %username% fetches the user name from the enrollment details

Password

Specify the password to be used for authentication

Allowed Apps

List of apps permitted to utilize this VPN connection

Identity Certificate

Specify the identity certificate to be used for certificate-based authentication.

Client certificate password

Password for the client certificate, which is used for authentication.

Route Type

Specify whether the VPN is to be applied to the device or to applications.

Remove VPN profile, via restrictions

Enable/Disable restrictions removing the distributed VPN profile.

Always On

By enabling this, force the configured VPN connection to always be on without the user having to start the configuration on every device restart. Always On can be configured only for devices provisioned as Device Owner.

VPN Lockdown

When the configured VPN is disconnected/unavailable, enable this to restrict access to other networks, including mobile data.VPN Lockdown can be configured only when Always On is enabled.

Always On VPN:

Enabling Always On VPN helps maintain a persistent connection between the managed devices and their organizational network, without the need for the users to manually connect to the VPN every time. Always On VPN can be configured only for devices provisioned as Device Owner.

Identity certificate

An Identity certificate can be uploaded to secure VPN. The device must be password protected for this to function. The following VPN vendors allow securing VPN using a certificate:

To configure certificate,

  1. Create a VPN profile.
  2. Select the Connection type.
  3. Under Authentication settings, select 'certificate based authentication' and upload the required certificate.
  4. If your organization needs support for any other VPN vendors, please add it here

See Also: Associating Profiles to Groups, Associating Profiles to Devices, App Management, Distribute Apps to Devices, Distribute Apps to Groups
Copyright © 2020, ZOHO Corp. All Rights Reserved.
ManageEngine