Create VPN profiles to connect to VPN servers in Intune
Important
On October 22, 2022, Microsoft Intune ended support for devices running Windows 8.1. Technical assistance and automatic updates on these devices aren't available.
If you currently use Windows 8.1, then move to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices.
Important
Android device administrator management is deprecated and no longer available for devices with access to Google Mobile Services (GMS). If you currently use device administrator management, we recommend switching to another Android management option. Support and help documentation remain available for some devices without GMS, running Android 15 and earlier. For more information, see Ending support for Android device administrator on GMS devices.
Virtual private networks (VPNs) give users secure remote access to your organization network. Devices use a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your organization. Use these settings so users can easily and securely connect to your organizational network.
This feature applies to:
Android device administrator
Android Enterprise personally owned devices with a work profile
iOS/iPadOS
macOS
Windows 10
Windows 11
Windows 8.1 and newer
For example, you want to configure all iOS/iPadOS devices with the required settings to connect to a file share on the organization network. You create a VPN profile that includes these settings. You assign this profile to all users who have iOS/iPadOS devices. The users see the VPN connection in the list of available networks, and can connect with minimal effort.
This article lists the VPN apps you can use, shows you how to create a VPN profile, and includes guidance on securing your VPN profiles. You must deploy the VPN app before you create the VPN profile. If you need help with deploying apps using Microsoft Intune, go to What is app management in Microsoft Intune?.
If you use certificate based authentication for your VPN profile, then deploy the VPN profile, certificate profile, and trusted root profile to the same groups. This step makes sure that each device can recognize the legitimacy of your certificate authority. For more information, go to How to configure certificates with Microsoft Intune.
User Enrollment for iOS/iPadOS and macOS supports only per-app VPN.
For Windows 11 devices, there's a known issue between the Windows 11 client and the Windows VPNv2 CSP.
A device with one or more Intune VPN profiles loses its VPN connectivity when the device processes multiple changes to its VPN profiles simultaneously. When the device checks in with Intune a second time, it processes the VPN profile changes, and connectivity is restored.
The following changes can cause a loss of VPN functionality:
You change or update an existing VPN profile that was previously processed by the Windows 11 device. This action deletes the original profile, and applies the updated profile.
Two new VPN profiles apply to the device at the same time.
An active VPN profile is removed at the same time a new VPN profile is assigned.
This issue doesn't apply and VPN connectivity remains in the following scenarios:
A Windows 11 device doesn't have an existing VPN profile assigned, and the device receives one Intune VPN profile.
Windows 11 devices have an existing VPN profile assigned, and are assigned another VPN profile with no other profile changes.
A Windows 10 device upgrades to Windows 11, and there are no changes to that device's VPN profiles. After the upgrade to Windows 11, any change to the device's VPN profiles, or adding new VPN profiles, triggers the issue.
If you only configure one of the IKE Security Association Parameters or Child Security Association Parameters settings, then there's a loss of VPN functionality.
Step 1 - Deploy your VPN app
Before you can use VPN profiles assigned to a device, you must install the VPN app. This VPN app connects to your VPN server.
There are different VPN apps available. On user devices, you deploy the VPN app your organization uses. After the VPN app is deployed, then you create and deploy a VPN device configuration profile that configures the VPN server settings, including the VPN server name (or FQDN) and authentication method.
Some platforms and VPN apps require an app configuration policy to preconfigure the VPN app, instead of a VPN device configuration profile. This section also lists the platforms and VPN apps that must use an app configuration policy.
Step 2 - Create the profile
After the VPN app is assigned to the device, this next step creates the device configuration policy that configures the VPN connection. If your VPN app connection type uses an app configuration policy to configure the app, then skip this step.
Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is VPN profile for entire company.
Description: Enter a description for the profile. This setting is optional, but recommended.
Select Next.
In Configuration settings, depending on the platform you chose, the settings you can configure are different. Select your platform for detailed settings:
In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC and scope tags for distributed IT.
Select Next.
In Assignments, select the user or groups that receive your profile. For more information on assigning profiles, go to Assign user and device profiles.
Select Next.
In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
Secure your VPN profiles
VPN profiles can use many different connection types and protocols from different manufacturers. These connections are typically secured through the following methods.
Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in Intune. This certificate is the identity certificate: the device presents it to the VPN server to prove its identity. The server accepts it only if the server trusts the certificate authority that issued it, so the trusted certificate (the root certificate) is assigned to the computer that authenticates the VPN connection, typically the VPN server. The same root certificate, delivered to the device through a trusted certificate profile, lets the device validate the server's certificate chain before it connects.
If you use certificate-based authentication for your VPN profile, then deploy the VPN profile, certificate profile, and trusted root profile to the same groups. This assignment makes sure each device recognizes the legitimacy of your certificate authority.
Certificates added using the PKCS imported certificate profile aren't supported for VPN authentication. Certificates added using the PKCS certificates profile are supported for VPN authentication.
User name and password
The user authenticates to the VPN server by providing a user name and password, or derived credentials.
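The following script ties the profile-creation steps above to the certificate and Windows 11 caveats in this article. It is an added example, not Microsoft's code: it builds a Microsoft Graph request body for a Windows VPN profile with certificate authentication and then lints the planned deployment for the three mistakes this page warns about (an identity certificate from a PKCS imported profile, VPN/identity-certificate/trusted-root profiles not assigned to the same groups, and only one of the IKE SA or child SA parameter groups being set). The Graph property names (`windows10VpnConfiguration`, `cryptographySuite`, the `identityCertificate@odata.bind` syntax), the enum values, and the split of the VPNv2 CSP CryptographySuite settings into the IKE and child SA groups are assumptions from the author's reading of the Graph and CSP references; verify them against the current reference before use. All profile ids, group ids and host names are constructed sample data.

```python
"""Build an Intune Windows VPN profile body and lint the deployment before
pushing it through Microsoft Graph.

Added example, not Microsoft's code. Graph key names, enum values and the
IKE/child SA grouping below are assumptions; check them against the current
Graph windows10VpnConfiguration and VPNv2 CSP references before use.
"""
from __future__ import annotations

GRAPH_BETA = "https://graph.microsoft.com/beta"

# VPNv2 CSP CryptographySuite settings, split into the two groups the Intune UI
# calls "IKE Security Association Parameters" and "Child Security Association
# Parameters" (assumed mapping). Configure both groups or neither.
IKE_SA_PARAMS = ("encryptionMethod", "integrityCheckMethod", "dhGroup")
CHILD_SA_PARAMS = ("cipherTransformConstants", "authenticationTransformConstants", "pfsGroup")


def build_windows_vpn_profile(name: str, server_fqdn: str, identity_certificate_id: str,
                              cryptography_suite: dict | None = None) -> dict:
    """Return a request body for POST /deviceManagement/deviceConfigurations (assumed schema).

    Certificate authentication only: the device presents the SCEP/PKCS identity
    certificate, and the trusted root that validates the server is deployed as
    its own profile to the same groups (checked by lint_vpn_deployment).
    """
    body = {
        "@odata.type": "#microsoft.graph.windows10VpnConfiguration",
        "displayName": name,
        "description": f"IKEv2 to {server_fqdn}, certificate authentication",
        "connectionName": name,
        "connectionType": "ikEv2",
        "servers": [{"description": server_fqdn, "address": server_fqdn, "isDefaultServer": True}],
        "authenticationMethod": "certificate",
        # Assumed binding syntax for the identityCertificate navigation property.
        "identityCertificate@odata.bind":
            f"{GRAPH_BETA}/deviceManagement/deviceConfigurations/{identity_certificate_id}",
        "enableSplitTunneling": False,     # full tunnel by default
        "rememberUserCredentials": False,  # nothing to cache with certificate auth
    }
    if cryptography_suite:
        body["cryptographySuite"] = dict(cryptography_suite)
    return body


def lint_vpn_deployment(profile: dict, vpn_groups: set[str], assignments: dict[str, set[str]],
                        certificate_profiles: dict[str, str]) -> list[str]:
    """Check a profile and its planned group assignments against this page's caveats.

    assignments maps a certificate/trusted-root profile id to the group ids it is
    assigned to. certificate_profiles maps a profile id to its type:
    "scep", "pkcs", "pkcsImported" or "trustedRoot".
    """
    findings: list[str] = []

    # Windows 11: setting only the IKE SA or only the child SA group breaks VPN.
    suite = profile.get("cryptographySuite", {})
    has_ike = any(k in suite for k in IKE_SA_PARAMS)
    has_child = any(k in suite for k in CHILD_SA_PARAMS)
    if has_ike != has_child:
        findings.append("cryptographySuite: only one of the IKE SA and child SA parameter groups is set; "
                        "Windows 11 loses VPN connectivity unless both are configured")

    if profile.get("authenticationMethod") != "certificate":
        return findings

    cert_id = profile.get("identityCertificate@odata.bind", "").rsplit("/", 1)[-1]
    kind = certificate_profiles.get(cert_id)
    companions = [pid for pid, k in certificate_profiles.items() if k == "trustedRoot"]
    if not companions:
        findings.append("no trusted root certificate profile is deployed, so devices cannot "
                        "recognize the certificate authority")
    if not cert_id:
        findings.append("certificate authentication selected but no identity certificate profile is bound")
    elif kind is None:
        findings.append(f"identity certificate profile {cert_id!r} is not a known certificate profile")
    elif kind == "pkcsImported":
        findings.append(f"identity certificate profile {cert_id!r} is a PKCS imported profile, "
                        "which VPN authentication does not support")
    else:
        companions.insert(0, cert_id)

    # Every group that gets the VPN profile must also get the identity
    # certificate and the trusted root, or the device cannot authenticate.
    for pid in companions:
        missing = sorted(vpn_groups - assignments.get(pid, set()))
        if missing:
            findings.append(f"profile {pid!r} is missing groups {missing} that receive the VPN profile; "
                            "assign VPN, identity certificate and trusted root profiles to the same groups")
    return findings


# Constructed sample tenant data (not real ids or hosts).
GROUPS = {"grp-sales", "grp-engineering"}
CERTS = {"scep-user-cert": "scep", "trusted-root-ca": "trustedRoot"}
ASSIGN = {"scep-user-cert": set(GROUPS), "trusted-root-ca": set(GROUPS)}
FULL_SUITE = {  # assumed Graph enum spellings
    "encryptionMethod": "aes256", "integrityCheckMethod": "sha256", "dhGroup": "group14",
    "cipherTransformConstants": "aes256", "authenticationTransformConstants": "sha256_128",
    "pfsGroup": "pfs2048",
}

if __name__ == "__main__":
    good = build_windows_vpn_profile("Contoso VPN", "vpn.contoso.example", "scep-user-cert", FULL_SUITE)
    print("good profile:", lint_vpn_deployment(good, GROUPS, ASSIGN, CERTS) or "no findings")
    half = build_windows_vpn_profile("Contoso VPN", "vpn.contoso.example", "scep-user-cert",
                                     {k: FULL_SUITE[k] for k in IKE_SA_PARAMS})
    for f in lint_vpn_deployment(half, GROUPS, {**ASSIGN, "trusted-root-ca": {"grp-sales"}}, CERTS):
        print("finding:", f)
```

Run the lint before you assign the profile in Review + create, using the group ids from the Assignments step and the ids of the SCEP/PKCS and trusted certificate profiles you created earlier; any finding means a device in that group will enrol the VPN connection but fail to authenticate, or, on Windows 11, lose connectivity when the profile applies.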