Using Microsoft Tunnel for per-app VPN – All about Microsoft Intune (2024)

This week is another mobile-focused blog post. This week is all around Microsoft Tunnel. More specifically, this week is all about using Microsoft Tunnel for providing per-app VPN on iOS/iPadOS devices and Android devices. Per-app VPN enables organizations to only allow specifically configured apps to use the configured VPN tunnel. So, not simply pushing all traffic through the VPN tunnel, but only the traffic of specific apps. That provides a solid method for providing access to on-premises resources for only the apps that really need it. This post will start with a quick summary of what should be in place, followed by going through the important per-app VPN specific configurations. Those configurations slightly differ per platform. This post will end by showing the user experience on iOS/iPadOS devices and on Android devices.

Important: Keep in mind that Microsoft Tunnel is only available for iOS/iPadOS devices and Android devices.

Prerequisites for per-app VPN with Microsoft Tunnel

When looking at using Microsoft Tunnel for providing per-app VPN functionality, it’s important to keep in mind that this post won’t go into the details about installing and configuring Microsoft Tunnel itself. This post will focus on the per-app VPN specific configurations. That means that the following should be in place:

  • Microsoft Tunnel Gateway should be installed and configured as shown in the beginning of this post
  • Microsoft Defender for Endpoint app is distributed to iOS/iPad devices and Android devices
  • (If needed) Microsoft Defender for Endpoint app is configured for use with Microsoft Tunnel only as shown in this post

Using Microsoft Tunnel for providing per-app VPN on Android devices

When a Microsoft Tunnel Gateway is available and the Microsoft Defender for Endpoint app is distributed, the only configuration left for providing per-app VPN functionality on Android devices is a VPN profile.

Creating and distributing VPN profile for Android devices

For Android devices the creation and distribution of a VPN profile is pretty straightforward, but there are some important configurations that need attention when focusing on providing per-app VPN. The following eight steps walk through the process of creating a VPN profile for the different corporate-owned Android Enterprise managed devices that can be used for per-app VPN. Even though the corporate-owned device and personal device deployment scenarios require a separate VPN profile, the steps below are similar for both deployment scenarios.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > Android > Configuration profiles
  2. On the Android | Configuration profiles blade, select Create profile
  3. On the Create a profile page, provide the following information and click Create
  • Platform: Android Enterprise
  • Profile: Select Fully Managed, Dedicated, and Corporate-Owned Work Profile > VPN or select Work Profile > VPN, depending on the Android Enterprise deployment scenario
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the VPN profile
  • Description: (Optional) Provide a valid description for the VPN profile
  5. On the Configuration settings page, provide the following information and click Next
  • Connection type: Select Microsoft Tunnel
  • Base VPN > Connection name: Provide a valid name for the VPN profile that will be shown to the user
  • Base VPN > Microsoft Tunnel site: Select the Site that will be used by this VPN profile
  • Per-app VPN > Select apps that would be allowed to use this VPN connection: Click Add to select the different store apps that should be allowed to use the VPN connection

Note: Keep in mind that apps should be added to Microsoft Intune first before those apps are selectable for adding in the VPN profile. And once an app is added to the list, the VPN connection will be limited to the selected apps.

  • Always-on VPN > Always-on VPN: Select Enable to make sure that the VPN will automatically connect
  • Proxy > Automatic configuration script: (Optional) Configure the location of the automatic configuration script
  • Proxy > Address: (Optional) Configure the address of the proxy server
  • Proxy > Port number: (Optional) Configure the port number of the proxy server
  • Custom settings: (Optional) Add the Configuration key, Value type and Configuration value of the configuration options
  6. On the Scope tags page, click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Using Microsoft Tunnel for providing per-app VPN on iOS devices

When a Microsoft Tunnel Gateway is available and the Microsoft Defender for Endpoint app is distributed, the configurations left for providing per-app VPN functionality on iOS/iPadOS devices are creating a VPN profile and linking that VPN profile to the assignments of the apps that should be using the VPN connection.

Creating and distributing VPN profile for iOS/iPadOS devices

For iOS/iPadOS devices the creation and distribution of a VPN profile is also pretty straightforward, but there are some important configurations that need attention when focusing on providing per-app VPN. The following eight steps walk through the process of creating a VPN profile for iOS/iPadOS devices. These steps are nearly identical to the steps for creating a VPN profile for Android Enterprise devices. Only the available configurations for per-app VPN, in step 5, are slightly different.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Devices > iOS/iPadOS > Configuration profiles
  2. On the iOS/iPadOS | Configuration profiles blade, select Create profile
  3. On the Create a profile page, provide the following information and click Create
  • Platform: iOS/iPadOS
  • Profile: Select VPN
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a valid name for the VPN profile
  • Description: (Optional) Provide a valid description for the VPN profile
  5. On the Configuration settings page, provide the following information and click Next
  • Connection type: Select Microsoft Tunnel
  • Base VPN > Connection name: Provide a valid name for the VPN profile that will be shown to the user
  • Base VPN > Microsoft Tunnel site: Select the Site that will be used by this VPN profile
  • Base VPN > Disconnect on sleep: (Optional) Select Enable to disconnect the VPN connection on sleep
  • Per-app VPN > Per-app VPN: Select Enable to use this VPN profile for specific apps

Note: Keep in mind that this only enables the VPN profile for usage with per-app VPN. After that it must still be linked in the assignment of the apps that should be using the VPN connection.

  • On-Demand VPN Rules > On-demand rules: (Optional) Add rules to configure the behavior for any network connection
  • On-Demand VPN Rules > Block users from disabling automatic VPN: (Optional) Select Yes to prevent users from disabling the automatic VPN
  • Proxy > Automatic configuration script: (Optional) Configure the location of the automatic configuration script
  • Proxy > Address: (Optional) Configure the address of the proxy server
  • Proxy > Port number: (Optional) Configure the port number of the proxy server
  • Custom settings: Add the Key and Value of the required configuration options
  6. On the Scope tags page, click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

Important: When using Microsoft Defender for Endpoint with per-app VPN enabled, web protection only applies to the apps that are associated with this VPN profile.

Linking VPN profile in app assignment settings

After creating and distributing the per-app VPN profile, the profile must still be linked to the apps that are allowed to use the VPN connection. That can be achieved by editing or creating an app assignment. The following steps walk through the process of editing an existing assignment of an app and adding the VPN profile.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Apps > iOS/iPadOS
  2. On the iOS/iPadOS | iOS/iPadOS apps page, select the app that should be using the VPN connection and click Edit with Assignments
  3. On the Edit applications page, select the existing assignment
  4. On the Edit assignment blade, in the App settings section, select the just created VPN profile with VPN and click OK > Review + save
  5. On the Review + save page, click Save
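The same three pieces of configuration (the Android Enterprise VPN profile, the iOS/iPadOS VPN profile and the iOS app assignment that references it) can also be created through Microsoft Graph instead of clicking through the admin center. The script below is an added example and is not part of the original post or of Microsoft's documentation. It assumes the Microsoft.Graph.Authentication PowerShell module, uses the beta deviceConfiguration and mobileApp assignment resource types as the author of this example understands them (verify the property names against the Graph reference for your tenant before use), and every ID in it is a placeholder that must be replaced with values from your own tenant.

```powershell
# Added example (not from the original post): create the Android Enterprise and iOS/iPadOS
# Microsoft Tunnel per-app VPN profiles described above via Microsoft Graph, assign them to a
# group, and link the iOS profile to an app assignment. Requires Microsoft.Graph.Authentication.
# Property names follow the beta Graph schema as understood by the example's author; all IDs
# below are placeholders.

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'DeviceManagementApps.ReadWrite.All'

$graph        = 'https://graph.microsoft.com/beta'
$tunnelSiteId = '<microsoft-tunnel-site-id>'     # placeholder: the Microsoft Tunnel site selected in step 5
$edgeIosAppId = '<intune-app-id-of-edge-ios>'    # placeholder: Intune object id of the Microsoft Edge iOS app
$groupId      = '<entra-group-object-id>'        # placeholder: group used for the assignments

function New-DeviceConfiguration {
    # Posts a device configuration profile and returns the created object (including its id).
    param([hashtable]$Body)
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations" `
        -Body ($Body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

function Set-DeviceConfigurationGroupAssignment {
    # Equivalent of step 7 (Assignments): target the profile at one group.
    param([string]$ConfigurationId, [string]$TargetGroupId)
    $body = @{ assignments = @(@{ target = @{
        '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $TargetGroupId } }) }
    Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/deviceConfigurations/$ConfigurationId/assign" `
        -Body ($body | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Android Enterprise (fully managed / dedicated / corporate-owned work profile).
# Per-app VPN is expressed by the allowed-app list: once it is non-empty the tunnel is
# limited to those apps, which is the behaviour the note under step 5 describes.
$androidProfile = @{
    '@odata.type'         = '#microsoft.graph.androidDeviceOwnerVpnConfiguration'
    displayName           = 'Microsoft Tunnel - per-app VPN (Android Enterprise)'
    connectionName        = 'Corporate Tunnel'       # Base VPN > Connection name, shown to the user
    connectionType        = 'microsoftTunnel'        # Connection type > Microsoft Tunnel
    microsoftTunnelSiteId = $tunnelSiteId            # Base VPN > Microsoft Tunnel site
    alwaysOn              = $true                    # Always-on VPN > Enable
    alwaysOnLockdown      = $false
    targetedMobileApps    = @(
        @{
            '@odata.type' = '#microsoft.graph.appListItem'
            name          = 'Microsoft Edge'
            publisher     = 'Microsoft Corporation'
            appId         = 'com.microsoft.emmx'     # Play Store package name of Microsoft Edge
        }
    )
}

# iOS/iPadOS. Here per-app VPN is only *enabled* on the profile; the profile still has to be
# referenced from each app assignment (done below), exactly as the note under step 5 says.
$iosProfile = @{
    '@odata.type'               = '#microsoft.graph.iosVpnConfiguration'
    displayName                 = 'Microsoft Tunnel - per-app VPN (iOS/iPadOS)'
    connectionName              = 'Corporate Tunnel'
    connectionType              = 'microsoftTunnel'
    microsoftTunnelSiteId       = $tunnelSiteId
    enablePerApp                = $true              # Per-app VPN > Enable
    disableOnDemandUserOverride = $true              # Block users from disabling automatic VPN > Yes
}

$android = New-DeviceConfiguration -Body $androidProfile
$ios     = New-DeviceConfiguration -Body $iosProfile
Set-DeviceConfigurationGroupAssignment -ConfigurationId $android.id -TargetGroupId $groupId
Set-DeviceConfigurationGroupAssignment -ConfigurationId $ios.id     -TargetGroupId $groupId
Write-Host "Created Android profile $($android.id) and iOS profile $($ios.id)"

# Link the iOS profile to the Microsoft Edge app assignment: the Graph equivalent of
# 'Edit assignment > App settings > VPN' in the linking steps above.
$assignment = @{
    '@odata.type' = '#microsoft.graph.mobileAppAssignment'
    intent        = 'required'
    target        = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $groupId }
    settings      = @{
        '@odata.type'            = '#microsoft.graph.iosStoreAppAssignmentSettings'
        vpnConfigurationId       = $ios.id           # the per-app VPN profile created above
        uninstallOnDeviceRemoval = $false
    }
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceAppManagement/mobileApps/$edgeIosAppId/assignments" `
    -Body ($assignment | ConvertTo-Json -Depth 10) -ContentType 'application/json'
```

Keeping the two profiles side by side makes the platform difference from the post visible in one place: on Android the allow-list lives in the profile itself, while on iOS/iPadOS the profile only switches per-app mode on and each app assignment has to carry the profile id. Apps that are not in the Android list, or whose iOS assignment does not reference the profile, keep using the device's normal network path.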

User experience with per-app VPN via Microsoft Tunnel

When looking at the user experience with per-app VPN via Microsoft Tunnel, it’s interesting to look at the behavior on iOS and Android devices, both at the applied configuration and at the user experience in different apps. Below, in Figure 4, is the per-app configuration in the Microsoft Defender for Endpoint app on an iOS device that clearly shows that only Microsoft Edge is allowed to use the VPN connection. Below, in Figure 5, Microsoft Edge is used for connecting to an internal resource. The connection is successful and it shows on top that the VPN connection is used. Below, in Figure 6, Safari is used for accessing the same internal resource. As expected, the connection is not successful.

The experience is similar on Android devices, with only a few minor differences. Below, in Figure 7, is the per-app configuration in the Microsoft Defender for Endpoint app on an Android device that clearly shows that per-app VPN is enabled and that only Microsoft Edge is allowed to use the VPN connection. Below, in Figure 8, Microsoft Edge is used for connecting to an internal resource. The connection is successful and it shows on top that the VPN connection is enabled. It doesn’t, however, only show that information when the VPN connection is used. Below, in Figure 9, Safari is used for accessing the same internal resource. As expected, the connection is not successful, but on top it still shows that the VPN connection is enabled.

More information

For more information about Microsoft Tunnel and per-app VPN, refer to the following docs.

Article information

Author: Trent Wehner