Configure a VPN or per-app VPN for Android Enterprise devices in Microsoft Intune - Microsoft Intune (2024)


Virtual private networks (VPN) allow users to access organization resources remotely, including from home, hotels, cafes, and more. In Microsoft Intune, you can configure VPN client apps on Android Enterprise devices using an app configuration policy. Then, deploy this policy with its VPN configuration to devices in your organization.

You can also create VPN policies that are used by specific apps. This feature is called per-app VPN. When the app is active, it can connect to the VPN, and access resources through the VPN. When the app isn't active, the VPN isn't used.

This feature applies to:

  • Android Enterprise

There are two ways to build the app configuration policy for your VPN client app:

  • Configuration designer
  • JSON data

This article shows you how to create a per-app VPN and VPN app configuration policy using both options.

Note

Many of the VPN client configuration parameters are similar. But, each app has its unique keys and options. Consult with your VPN vendor if you have questions.

Before you begin

  • Android doesn't automatically trigger a VPN client connection when an app opens. The VPN connection must be started manually. Or, you can use always-on VPN to start the connection.

  • The following VPN clients support Intune app configuration policies:

    • Cisco AnyConnect
    • Citrix SSO
    • F5 Access
    • Palo Alto Networks GlobalProtect
    • Pulse Secure
    • SonicWall Mobile Connect
  • When you create the VPN policy in Intune, you'll select different keys to configure. These key names vary between VPN client apps, so the key names in your environment may differ from the examples in this article.

  • Both the Configuration designer and JSON data options support certificate-based authentication. If VPN authentication requires client certificates, create the certificate profiles before you create the VPN policy. The VPN app configuration policies use the values from the certificate profiles.

    Android Enterprise personally owned work profile devices support SCEP and PKCS certificates. Android Enterprise fully managed, dedicated, and corporate-owned work profile devices only support SCEP certificates. For more information, see Use certificates for authentication in Microsoft Intune.

Per-app VPN overview

When creating and testing per-app VPN, the basic flow includes the following steps:

  1. Select the VPN client application. Before you begin (in this article) lists the supported apps.
  2. Get the application package IDs of the apps that will use the VPN connection. Get the app package ID (in this article) shows you how.
  3. If you use certificates to authenticate the VPN connection, then create and deploy the certificate profiles before you deploy the VPN policy. Make sure the certificate profiles deploy successfully. For more information, see Use certificates for authentication in Microsoft Intune.
  4. Add the VPN client application to Intune, and deploy the app to your users and devices.
  5. Create the VPN app configuration policy. Use the app package IDs and certificate information in the policy.
  6. Deploy the new VPN policy.
  7. Confirm the VPN client app successfully connects to your VPN server.
  8. When the app is active, confirm that traffic from your app successfully goes through the VPN.

Get the app package ID

Get the package ID for each application that will use the VPN. For publicly available applications, you can get the app package ID in the Google Play store. The displayed URL for each application includes the package ID.

For example, the Google Play store URL for the Microsoft Edge browser app includes its package ID, com.microsoft.emmx.

For Line of Business (LOB) apps, get the package ID from the vendor or application developer.
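The package ID lookup described above, as an added example that is not part of the Microsoft article: a small Python helper that pulls the ID out of a Play Store URL's id query parameter and validates it against the Android package-name rules before it goes into the Per App VPN Allowed Apps list. An ID that matches no installed app is typically just ignored by the VPN client, so that app's traffic never enters the tunnel; checking the list before deployment catches typos early. The URL layout used here and the sample inputs are constructed for the example.

```python
"""Extract and validate Android package IDs for a per-app VPN allow-list.

Added example (not from the Intune article). Play Store details URLs carry
the package ID in their `id` query parameter; this script extracts it and
checks it against the Android package-name rules.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Android package names: two or more dot-separated segments, each starting
# with a letter and containing only letters, digits, or underscores.
PACKAGE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")


def is_valid_package_id(package_id: str) -> bool:
    return PACKAGE_ID_RE.fullmatch(package_id) is not None


def package_id_from_play_url(url: str) -> Optional[str]:
    """Return the package ID from a Google Play details URL, or None.

    Only play.google.com/store/apps/details URLs with exactly one `id`
    parameter are accepted, so a pasted link from elsewhere is rejected
    rather than silently producing a wrong allow-list entry.
    """
    parsed = urlparse(url)
    if parsed.netloc != "play.google.com":
        return None
    if not parsed.path.startswith("/store/apps/details"):
        return None
    ids = parse_qs(parsed.query).get("id", [])
    if len(ids) != 1 or not is_valid_package_id(ids[0]):
        return None
    return ids[0]


def build_allowed_apps(items: List[str]) -> Tuple[List[str], List[str]]:
    """Turn a mix of Play Store URLs and raw package IDs into a deduplicated,
    validated allow-list. Invalid entries are reported, not dropped silently,
    so an operator sees which app would have been left out of the tunnel."""
    accepted: List[str] = []
    rejected: List[str] = []
    for item in items:
        item = item.strip()
        pid = package_id_from_play_url(item) if item.startswith("http") else item
        if pid and is_valid_package_id(pid):
            if pid not in accepted:
                accepted.append(pid)
        else:
            rejected.append(item)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: one Play Store URL, two raw IDs, one typo.
    sample = [
        "https://play.google.com/store/apps/details?id=com.microsoft.emmx&hl=en",
        "com.microsoft.emmx",
        "com.f5.edge.client_ics",
        "microsoft edge",
    ]
    ok, bad = build_allowed_apps(sample)
    print("allowed:", ok)
    print("rejected:", bad)
```

The accepted list is what goes into the Per App VPN Allowed Apps key (or the allowedApps value in JSON); how multiple IDs are separated depends on the VPN client, so confirm that with your vendor's documentation.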

Certificates

This article assumes your VPN connection uses certificate-based authentication. It also assumes you deployed all the certificates in the chain that clients need in order to authenticate. Typically, this certificate chain includes the client certificate, any intermediate certificates, and the root certificate.

For more information on certificates, see Use certificates for authentication in Microsoft Intune.

When your client authentication certificate profile is deployed, it creates a certificate token in the certificate profile. This token is used to create the VPN app configuration policy.

If you’re not familiar with creating app configuration policies, see Add app configuration policies for managed Android Enterprise devices.

Use the Configuration Designer

  1. Sign in to the Microsoft Intune admin center.

  2. Select Apps > App configuration policies > Add > Managed devices.

  3. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is App config policy: Cisco AnyConnect VPN policy for Android Enterprise work profile devices.

    • Description: Enter a description for the policy. This setting is optional, but recommended.

    • Platform: Select Android Enterprise.

    • Profile type: Your options:

      • All Profile Types: This option supports username and password authentication. If you use certificate-based authentication, don't use this option.
      • Fully Managed, Dedicated, and Corporate-Owned Work Profile Only: This option supports certificate-based authentication, and username and password authentication.
      • Personally-Owned Work Profile Only: This option supports certificate-based authentication, and username and password authentication.
    • Targeted app: Select the VPN client app you previously added. In this article's example, the Cisco AnyConnect VPN client app is used.

  4. Select Next.

  5. In Settings, enter the following properties:

    • Configuration settings format: Select Use Configuration designer.

    • Add: Shows the list of configuration keys. Select all the configuration keys needed for your configuration > OK.

      In this article's AnyConnect VPN example, a minimal list of keys is selected, including the keys for certificate-based authentication and per-app VPN.

    • Configuration value: Enter the values for the configuration keys you selected. Remember, the key names vary depending on the VPN client app you're using. For the keys selected in this example:

      • Per App VPN Allowed Apps: Enter the application package ID(s) you collected earlier, such as com.microsoft.emmx.

      • KeyChain Certificate Alias (optional): Change the Value type from string to certificate. Select the client certificate profile to use with VPN authentication.

      • Protocol: Select the SSL or IPsec tunnel protocol of the VPN.

      • Connection Name: Enter a user-friendly name for the VPN connection. Users see this connection name on their devices. For example, enter ContosoVPN.

      • Host: Enter the host name of the VPN headend. For example, enter vpn.contoso.com.

  6. Select Next.

  7. In Assignments, select the groups to assign the VPN app configuration policy.

    Select Next.

  8. In Review + create, review your settings. When you select Create, your changes are saved, and the policy is deployed to your groups. The policy is also shown in the app configuration policies list.


Use JSON

Use this option if you don't have, or don't know, all the required VPN settings that the Configuration designer expects. If you need help, consult your VPN vendor.

Get the certificate token

In these steps, you create a temporary policy that you won't save. Its only purpose is to copy the certificate token, which you use when you create the VPN policy using JSON (next section).

  1. In the Microsoft Intune admin center, select Apps > App configuration policies > Add > Managed devices.

  2. In Basics, enter the following properties:

    • Name: Enter any name. This policy is temporary, and won't be saved.
    • Platform: Select Android Enterprise.
    • Profile type: Select Personally-Owned Work Profile Only.
    • Targeted app: Select the VPN client app you previously added.
  3. Select Next.

  4. In Settings, enter the following properties:

    • Configuration settings format: Select Use configuration designer.

    • Add: Shows the list of configuration keys. Select any key with a Value type of string. Select OK.


  5. Change the Value type from string to certificate. This step lets you select the client certificate profile that authenticates the VPN.

  6. Immediately change the Value type back to string. The Configuration value changes to a token of the form {{cert:GUID}}.

  7. Copy and paste this certificate token to another file, such as a text editor.

  8. Discard this policy. Don't save it. The only purpose is to copy and paste the certificate token.

Create the VPN policy using JSON

  1. In the Microsoft Intune admin center, select Apps > App configuration policies > Add > Managed devices.

  2. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the policy. Name your policies so you can easily identify them later. For example, a good policy name is App config policy: JSON Cisco AnyConnect VPN policy for Android Enterprise work profile devices in entire company.
    • Description: Enter a description for the policy. This setting is optional, but recommended.
    • Platform: Select Android Enterprise.
    • Profile type: Your options:
      • All profile types: This option supports username and password authentication. If you use certificate-based authentication, don't use this option.
      • Fully Managed, Dedicated, and Corporate-Owned work profile only: This option supports certificate-based authentication, and username and password authentication.
      • Personally-Owned Work Profile Only: This option supports certificate-based authentication, and username and password authentication.
    • Targeted app: Select the VPN client app you previously added.
  3. Select Next.

  4. In Settings, enter the following properties:

    • Configuration settings format: Select Enter JSON data. You can edit the JSON directly.
    • Download JSON template: Use this option to download the template and update it in any external editor. Be careful with text editors that use smart quotes, because they produce invalid JSON.

    After you enter the values needed for your configuration, remove every setting whose value is still the "STRING_VALUE" or STRING_VALUE placeholder.

  5. Select Next.

  6. In Assignments, select the groups to assign the VPN app configuration policy.

    Select Next.

  7. In Review + create, review your settings. When you select Create, your changes are saved, and the policy is deployed to your groups. The policy is also shown in the app configuration policies list.

JSON example for F5 Access VPN

{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    { "key": "disallowUserConfig", "valueBool": false },
    {
      "key": "vpnConfigurations",
      "valueBundleArray": [
        {
          "managedProperty": [
            { "key": "name", "valueString": "MyCorpVPN" },
            { "key": "server", "valueString": "vpn.contoso.com" },
            { "key": "weblogonMode", "valueBool": false },
            { "key": "fipsMode", "valueBool": false },
            { "key": "clientCertKeychainAlias", "valueString": "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}" },
            { "key": "allowedApps", "valueString": "com.microsoft.emmx" },
            { "key": "mdmAssignedId", "valueString": "" },
            { "key": "mdmInstanceId", "valueString": "" },
            { "key": "mdmDeviceUniqueId", "valueString": "" },
            { "key": "mdmDeviceWifiMacAddress", "valueString": "" },
            { "key": "mdmDeviceSerialNumber", "valueString": "" },
            { "key": "allowBypass", "valueBool": false }
          ]
        }
      ]
    }
  ]
}
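A pre-deployment check for the JSON option, added here as an example and not code from the article or from Microsoft. It covers the pitfalls the JSON steps above describe: a STRING_VALUE placeholder left in the template, smart quotes introduced by a text editor, a certificate alias that is not a {{cert:GUID}} token as produced in "Get the certificate token", and a malformed package ID in the allow-list. The key names clientCertKeychainAlias and allowedApps are taken from the F5 Access example; other VPN clients use their own keys, and treating allowedApps as a comma-separated list is an assumption. The two sample policies are constructed from the F5 example.

```python
"""Lint an Android Enterprise managed-configuration JSON before pasting it
into an Intune app configuration policy.

Added example, not code from the article or from Microsoft. Key names are
assumed from the F5 Access example; adjust CERT_KEYS and APP_LIST_KEYS for
other VPN clients.
"""
import json
import re

SMART_QUOTES = "\u201c\u201d\u2018\u2019"
CERT_TOKEN_RE = re.compile(
    r"^\{\{cert:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}\}$")
PACKAGE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
CERT_KEYS = {"clientCertKeychainAlias"}   # assumed: keys that hold a cert token
APP_LIST_KEYS = {"allowedApps"}           # assumed: keys that hold package IDs


def iter_properties(node):
    """Yield (key, value) for every leaf property, descending into bundles."""
    for prop in node.get("managedProperty", []):
        key = prop.get("key")
        if "valueBundleArray" in prop:
            for bundle in prop["valueBundleArray"]:
                yield from iter_properties(bundle)
        elif "valueBundle" in prop:
            yield from iter_properties(prop["valueBundle"])
        else:
            value = next((v for k, v in prop.items() if k.startswith("value")), None)
            yield key, value


def lint_managed_config(text):
    """Return a list of problems found; an empty list means the JSON is clean."""
    problems = []
    # A smart quote anywhere usually means an editor replaced a delimiter.
    if any(ch in text for ch in SMART_QUOTES):
        problems.append("smart quotes present; they produce invalid JSON")
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"invalid JSON: {exc.msg} at line {exc.lineno}")
        return problems
    if doc.get("kind") != "androidenterprise#managedConfiguration":
        problems.append("kind must be androidenterprise#managedConfiguration")
    for key, value in iter_properties(doc):
        if value == "STRING_VALUE":
            problems.append(f"{key}: placeholder STRING_VALUE was not removed")
        elif key in CERT_KEYS and not CERT_TOKEN_RE.match(str(value)):
            problems.append(f"{key}: expected a {{{{cert:GUID}}}} token")
        elif key in APP_LIST_KEYS:
            for pid in str(value).split(","):
                if not PACKAGE_ID_RE.fullmatch(pid.strip()):
                    problems.append(f"{key}: malformed package ID {pid.strip()!r}")
    return problems


# Constructed sample: the article's F5 example with the placeholder left in,
# a broken certificate token and a bad package ID, so the lint has work to do.
SAMPLE_BAD = """{
  "kind": "androidenterprise#managedConfiguration",
  "productId": "app:com.f5.edge.client_ics",
  "managedProperty": [
    { "key": "disallowUserConfig", "valueBool": false },
    { "key": "vpnConfigurations", "valueBundleArray": [ { "managedProperty": [
      { "key": "name", "valueString": "STRING_VALUE" },
      { "key": "server", "valueString": "vpn.contoso.com" },
      { "key": "clientCertKeychainAlias", "valueString": "cert:not-a-token" },
      { "key": "allowedApps", "valueString": "com.microsoft.emmx,1bad.pkg" }
    ] } ] }
  ]
}"""

# Constructed sample: the same policy with every value filled in correctly.
SAMPLE_GOOD = SAMPLE_BAD.replace("STRING_VALUE", "MyCorpVPN").replace(
    "cert:not-a-token", "{{cert:77333880-14e9-0aa0-9b2c-a1bc6b913829}}").replace(
    ",1bad.pkg", "")

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, lint_managed_config(sample) or "clean")
```

Run it against the file you intend to paste into the Enter JSON data box; an empty result means the structural checks passed, not that the values themselves are right for your VPN headend.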

Additional information

  • Add app configuration policies for managed Android Enterprise devices
  • Android Enterprise device settings to configure VPN in Intune

Next steps

  • Create VPN profiles to connect to VPN servers in Intune
Article information

Author: Terrell Hackett
