Use a Microsoft Intune custom profile to create a per-app VPN profile for Android devices

Important

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.

You can create a per-app VPN profile for Android 8.0 and later devices that are enrolled in Intune. First, create a VPN profile that uses either the Pulse Secure or Citrix connection type. Then, create a custom configuration policy that associates the VPN profile with specific apps.

This feature applies to:

  • Android device administrator (DA) enrolled in Intune

To use per-app VPN on Android Enterprise devices, use an app configuration policy. App configuration policies support more VPN client apps. On Android Enterprise devices, you can use the steps in this article. But, it's not recommended, and you're limited to only Pulse Secure and Citrix VPN connections.

After you assign the policy to your Android DA device or user groups, users should start the Pulse Secure or Citrix VPN client. Then, the VPN client allows only traffic from the specified apps to use the open VPN connection.

Note

Only the Pulse Secure and Citrix connection types are supported for Android device administrator. On Android Enterprise devices, use an app configuration policy.

Prerequisites

Step 1 - Create a VPN profile

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create > New policy.

  3. Enter the following properties:

    • Platform: Select Android device administrator.
    • Profile type: Select VPN.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is Android DA per-app VPN profile for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, configure the settings you want in the profile:

    Take note of the Connection Name value you enter when creating the VPN profile. This name is needed in the next step. In this example, the connection name is MyAppVpnProfile.

  8. Select Next, and continue creating your profile. For more information, go to Create a VPN profile.

Step 2 - Create a custom configuration policy

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Manage devices > Configuration > Create > New policy.

  3. Enter the following properties:

    • Platform: Select Android device administrator.
    • Profile type: Select Custom.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the custom profile. Name your profiles so you can easily identify them later. For example, a good profile name is Android DA - OMA-URI VPN.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings > OMA-URI Settings, select Add. Enter the following OMA-URI values:

    • Name: Enter a name for your setting.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
    • OMA-URI: Enter ./Vendor/MSFT/VPN/Profile/*Name*/PackageList, where Name is the connection name you noted in Step 1. In this example, the string is ./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/PackageList.
    • Data type: Enter String.
    • Value: Enter a semicolon-separated list of packages to associate with the profile. For example, if you want Excel and the Google Chrome browser to use the VPN connection, enter com.microsoft.office.excel;com.android.chrome.

    Your settings look similar to the following settings:

    Screenshot that shows Android device administrator per-app VPN custom policy in Microsoft Intune.

  8. Select Next, and continue creating your profile. For more information, go to Create a VPN profile.

Set your blocked and allowed app list (optional)

Use the BLACKLIST value to enter a list of apps that can't use the VPN connection. All other apps connect through the VPN. Or, use the WHITELIST value to enter a list of apps that can use the VPN connection. Apps that aren't on the list don't connect through the VPN.

  1. On the Custom OMA-URI Settings pane, choose Add.
  2. Enter a setting name.
  3. In OMA-URI, enter ./Vendor/MSFT/VPN/Profile/*Name*/Mode, where Name is the VPN profile name you noted in Step 1. In our example, the string is ./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/Mode.
  4. In Data type, enter String.
  5. In Value, enter BLACKLIST or WHITELIST.

Step 3 - Assign both policies

Assign both device profiles to the required users or devices.

Resources