Changing per-app VPN profile assignment from user group to device group

LalliSR 1 Reputation point
2024-07-05T11:13:11.1+00:00

Is it possible to swap the assignment of a per-app VPN configuration profile from a user group to a device group without affecting the users? The profile settings will remain the same; only the assignment needs to be changed.

Microsoft Intune iOS
Microsoft Intune Configuration
Microsoft Intune

1 answer

  1. Khaled Elsayed Mohamed 1,290 Reputation points
    2024-07-07T07:14:13.0233333+00:00

    Hi LalliSR

    First, try this in a limited scope.

    In case you have a server:

    1. Create a Device Group:

       - If you want to apply settings on a device, regardless of who's signed in, assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user.

    2. Export the Trusted Root Certificate:

       - Export the trusted root certificate (.cer file) from your VPN server. You'll add this file to the trusted certificate profile in Intune.

       - Confirm that your VPN server uses certificate-based authentication and export the trusted root certificate file with a .cer extension.

    3. Create a Trusted Certificate Profile in Intune:

       - In Intune, create a trusted certificate profile that includes the VPN server's root certificate issued by the Certification Authority (CA).

       - Add the exported certificate to this profile.

    4. Configure the Per-App VPN Profile:

       - Create a per-app VPN profile in Intune, specifying the VPN settings (such as server address, authentication method, etc.).

       - Associate the trusted certificate profile with this per-app VPN profile.

    5. Assign Apps to the VPN Profile:

       - Assign the desired apps to the per-app VPN profile.

       - Users will automatically connect through the VPN when using these apps.


    Remember to check your VPN vendor's documentation for any additional requirements specific to per-app VPN. Once you've completed these steps, the assignment will be swapped from the user group to the device group, maintaining the same profile settings for your apps.
    https://learn.microsoft.com/en-us/mem/intune/configuration/device-profile-assign

    https://learn.microsoft.com/en-us/mem/intune/configuration/vpn-setting-configure-per-app

    https://www.vansurksum.com/2019/11/22/intune-choosing-whether-to-assign-to-user-or-device-groups/


    Another solution:

    1. Prepare the Device Group:

       - Ensure that the device group you want to assign the VPN profile to is already created and contains the appropriate devices.

    2. Duplicate the Existing Profile:

       - Create a new VPN configuration profile with the same settings as the existing one. This ensures that no settings are changed during the transition.

    3. Assign the New Profile to the Device Group:

       - Assign the newly created VPN configuration profile to the device group.

    4. Remove the Existing Profile Assignment:

       - After verifying that the new profile is applied to devices correctly, you can remove the assignment of the original VPN configuration profile from the user group.

    Detailed Steps for Microsoft Intune:

    1. Create Device Group:

       - In the Intune portal, navigate to Groups.

       - Create a new device group or ensure the existing one contains the devices.

    2. Duplicate the VPN Configuration Profile:

       - Go to Devices > Configuration profiles.

       - Find the existing VPN profile assigned to the user group.

       - Note down all the settings of this profile.

       - Create a new VPN profile with the same settings by clicking on Create profile.

       - Choose Windows 10 and later (or the relevant platform) and VPN for the profile type.

       - Enter the same settings as the original profile.

    3. Assign New Profile to Device Group:

       - After creating the new VPN profile, go to Assignments.

       - Assign it to the device group you prepared.

    4. Monitor Profile Deployment:

       - Ensure the new VPN profile is successfully applied to the devices.

       - This can be done by checking the device configuration status in Intune.

    5. Remove Old Profile from User Group:

       - Once you confirm the new profile is working correctly, go back to the original VPN profile.

       - Edit the Assignments and remove the user group.

    Verification and Impact:

    - Verification:
       - Ensure devices receive the new VPN profile by checking the deployment status in Intune.
       - Verify that the VPN connectivity works as expected on a few devices.
    - Minimizing Impact:
       - If possible, perform this change during off-peak hours to minimize the impact on users.
       - Inform users beforehand about the maintenance window and possible brief disruptions.
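
The duplicate-then-cut-over procedure in the answer above depends on two checks: the copied profile really has the same settings, and every device has received it before the user-group assignment is removed. The following is an added example, not part of the original answer and not Microsoft's code. It assumes both profiles have been exported as JSON and that a per-device status list for the new profile is available; the field names, device names and status strings are constructed for illustration.

```python
# Top-level metadata that is expected to differ between a profile and its copy.
IGNORED_KEYS = {"id", "displayName", "description", "createdDateTime",
                "lastModifiedDateTime", "version"}

def setting_drift(original, duplicate, path=""):
    """Return the paths of settings that differ between two exported profiles."""
    if isinstance(original, dict) and isinstance(duplicate, dict):
        keys = original.keys() | duplicate.keys()
        if not path:  # ignore metadata only at the top level
            keys -= IGNORED_KEYS
        drift = []
        for key in sorted(keys):
            drift += setting_drift(original.get(key), duplicate.get(key), f"{path}/{key}")
        return drift
    return [] if original == duplicate else [path]

def cutover_blockers(original, duplicate, old_profile_devices, new_profile_status):
    """List the reasons the user-group assignment must not be removed yet."""
    blockers = [f"setting differs: {p}" for p in setting_drift(original, duplicate)]
    for device in sorted(old_profile_devices):
        state = new_profile_status.get(device, "not reported")
        if state != "succeeded":
            blockers.append(f"{device}: new profile {state}")
    return blockers

# Constructed sample data (field names and status strings are illustrative).
ORIGINAL = {"id": "<original-profile-id>", "displayName": "Per-app VPN (users)",
            "connectionName": "Corp VPN", "authenticationMethod": "certificate",
            "server": {"address": "vpn.example.com"},
            "safariDomains": ["intranet.example.com"]}
# The copy was retyped by hand and carries a typo in the server address.
DUPLICATE = {"id": "<duplicate-profile-id>", "displayName": "Per-app VPN (devices)",
             "connectionName": "Corp VPN", "authenticationMethod": "certificate",
             "server": {"address": "vpn.example.co"},
             "safariDomains": ["intranet.example.com"]}
# Devices that currently get the VPN through the user-group assignment.
OLD_PROFILE_DEVICES = {"iphone-001", "iphone-002", "ipad-003"}
# Per-device status of the new, device-assigned profile.
NEW_PROFILE_STATUS = {"iphone-001": "succeeded", "iphone-002": "pending"}

if __name__ == "__main__":
    for reason in cutover_blockers(ORIGINAL, DUPLICATE,
                                   OLD_PROFILE_DEVICES, NEW_PROFILE_STATUS):
        print("BLOCKED:", reason)
```

An empty list from `cutover_blockers` is the condition for removing the user group from the original profile; a device that is in the user's scope but missing from the device group shows up as "not reported".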

     
