Use a Microsoft Intune custom profile to create a per-app VPN profile for Android devices
Important
Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on December 31, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, see Ending support for Android device administrator on GMS devices.
You can create a per-app VPN profile for Android 8.0 and later devices that are enrolled in Intune. First, create a VPN profile that uses either the Pulse Secure or Citrix connection type. Then, create a custom configuration policy that associates the VPN profile with specific apps.
This feature applies to:
- Android device administrator (DA) enrolled in Intune
To use per-app VPN on Android Enterprise devices, use an app configuration policy. App configuration policies support more VPN client apps. On Android Enterprise devices, you can use the steps in this article, but it isn't recommended, and you're limited to Pulse Secure and Citrix VPN connections.
After you assign the policy to your Android DA device or user groups, users should start the Pulse Secure or Citrix VPN client. Then, the VPN client allows only traffic from the specified apps to use the open VPN connection.
Note
Only the Pulse Secure and Citrix connection types are supported for Android device administrator. On Android Enterprise devices, use an app configuration policy.
Prerequisites
- To create the policy, at a minimum, sign in to the Microsoft Intune admin center with an account that has the Policy and Profile Manager built-in role. For more information on the built-in roles, go to Role-based access control for Microsoft Intune.
- The device must be enrolled and MDM managed by Intune. For information on the enrollment options for Android devices, go to Android enrollment guide for Microsoft Intune.
Step 1 - Create a VPN profile
Sign in to the Microsoft Intune admin center.
Select Devices > Manage devices > Configuration > Create > New policy.
Enter the following properties:
- Platform: Select Android device administrator.
- Profile type: Select VPN.
Select Create.
In Basics, enter the following properties:
- Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is Android DA per-app VPN profile for entire company.
- Description: Enter a description for the profile. This setting is optional, but recommended.
Select Next.
In Configuration settings, configure the settings you want in the profile:
Take note of the Connection Name value you enter when creating the VPN profile. This name is needed in the next step. In this example, the connection name is MyAppVpnProfile.
Select Next, and continue creating your profile. For more information, go to Create a VPN profile.
Step 2 - Create a custom configuration policy
Sign in to the Microsoft Intune admin center.
Select Devices > Manage devices > Configuration > Create > New policy.
Enter the following properties:
- Platform: Select Android device administrator.
- Profile type: Select Custom.
Select Create.
In Basics, enter the following properties:
- Name: Enter a descriptive name for the custom profile. Name your profiles so you can easily identify them later. For example, a good profile name is Android DA - OMA-URI VPN.
- Description: Enter a description for the profile. This setting is optional, but recommended.
Select Next.
In Configuration settings > OMA-URI Settings, select Add. Enter the following OMA-URI values:
- Name: Enter a name for your setting.
- Description: Enter a description for the profile. This setting is optional, but recommended.
- OMA-URI: Enter `./Vendor/MSFT/VPN/Profile/*Name*/PackageList`, where Name is the connection name you noted in Step 1. In this example, the string is `./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/PackageList`.
- Data type: Enter String.
- Value: Enter a semicolon-separated list of packages to associate with the profile. For example, if you want Excel and the Google Chrome browser to use the VPN connection, enter `com.microsoft.office.excel;com.android.chrome`.
Your settings look similar to the following settings:
Select Next, and continue creating your profile. For more information, go to Create a VPN profile.
Set your blocked and allowed app list (optional)
Use the BLACKLIST value to enter a list of apps that can't use the VPN connection. All other apps connect through the VPN. Or, use the WHITELIST value to enter a list of apps that can use the VPN connection. Apps that aren't on the list don't connect through the VPN.
- On the Custom OMA-URI Settings pane, choose Add.
- Enter a setting name.
- In OMA-URI, enter `./Vendor/MSFT/VPN/Profile/*Name*/Mode`, where Name is the VPN profile name you noted in Step 1. In our example, the string is `./Vendor/MSFT/VPN/Profile/MyAppVpnProfile/Mode`.
- In Data type, enter String.
- In Value, enter BLACKLIST or WHITELIST.
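As an added helper that is not part of the Intune documentation, the following Python builds the OMA-URI rows for Step 2 (PackageList) and the optional Mode setting above, checking that the connection name is usable in the URI, that every entry is a well-formed Android package name, and that the mode is one of the two documented values, so that a typo cannot silently leave an app outside a WHITELIST or inside a BLACKLIST. The dictionary keys are my own and simply mirror the admin center's Name, OMA-URI, Data type and Value fields.

```python
import re
from typing import List, Optional

# Android package names: dot-separated Java-style identifiers with at least two segments.
_PACKAGE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*(\.[A-Za-z][A-Za-z0-9_]*)+$")
_MODES = {"BLACKLIST", "WHITELIST"}


def profile_uri(connection_name: str, node: str) -> str:
    """Build ./Vendor/MSFT/VPN/Profile/<Name>/<node> for the VPN profile created in Step 1."""
    if not connection_name or "/" in connection_name or connection_name != connection_name.strip():
        raise ValueError("connection name must be non-empty, trimmed, and must not contain '/'")
    return f"./Vendor/MSFT/VPN/Profile/{connection_name}/{node}"


def build_per_app_vpn_settings(connection_name: str, packages: List[str],
                               mode: Optional[str] = None) -> List[dict]:
    """Return the OMA-URI rows for the custom profile; mode is optional, as on the page."""
    cleaned: List[str] = []
    for raw in packages:
        pkg = raw.strip()
        if not _PACKAGE_RE.match(pkg):  # rejects stray ';', spaces, empty segments, etc.
            raise ValueError(f"not a valid Android package name: {raw!r}")
        if pkg not in cleaned:          # de-duplicate while keeping order
            cleaned.append(pkg)
    if not cleaned:
        raise ValueError("at least one package is required")
    rows = [{"name": "Per-app VPN package list",
             "omaUri": profile_uri(connection_name, "PackageList"),
             "dataType": "String",
             "value": ";".join(cleaned)}]
    if mode is not None:
        mode = mode.strip().upper()
        if mode not in _MODES:
            raise ValueError(f"mode must be BLACKLIST or WHITELIST, got {mode!r}")
        rows.append({"name": "Per-app VPN mode",
                     "omaUri": profile_uri(connection_name, "Mode"),
                     "dataType": "String",
                     "value": mode})
    return rows


if __name__ == "__main__":
    # Constructed input: the page's example connection name and packages, in WHITELIST mode.
    for row in build_per_app_vpn_settings("MyAppVpnProfile",
                                          ["com.microsoft.office.excel", "com.android.chrome"],
                                          mode="WHITELIST"):
        print(f"{row['name']}: {row['omaUri']} = {row['value']}")
```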
Step 3 - Assign both policies
Assign both device profiles to the required users or devices.
Resources
- For a list of all the Android device administrator VPN settings, go to Android device settings to configure VPN.
- To learn more about VPN settings and Intune, go to configure VPN settings in Microsoft Intune.