
VPN device policy

Apr 17, 2018

You can add a device policy in XenMobile to configure virtual private network (VPN) settings that enable users’ devices to connect securely to corporate resources. You can configure the VPN policy for the following platforms. Each platform requires a different set of values, which are described in detail in this article.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

iOS settings

Image of Device Policies configuration screen

  • Connection name: Type a name for the connection.
  • Connection type: In the list, click the protocol to be used for this connection. The default is L2TP.
    • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
    • PPTP: Point-to-Point Tunneling Protocol. Its MS-CHAPv2 authentication and MPPE encryption are cryptographically broken, and Apple removed PPTP support in iOS 10 and macOS Sierra, so this type is only useful for devices on older OS versions that cannot use anything else.
    • IPSec: Your corporate VPN connection.
    • Cisco Legacy AnyConnect: This connection type requires that the Cisco Legacy AnyConnect VPN client is installed on the user device. Cisco is phasing out the Cisco Legacy AnyConnect client that was based on a now deprecated VPN framework. For more information, see the XenMobile support article https://support.citrix.com/article/CTX227708.

      To use the current Cisco AnyConnect client, use a Connection type of Custom SSL. For required settings, see “Configure Custom SSL protocol” in this section.

    • Juniper SSL: Juniper Networks SSL VPN client.
    • F5 SSL: F5 Networks SSL VPN client.
    • SonicWALL Mobile Connect: Dell unified VPN client for iOS.
    • Ariba VIA: Ariba Networks Virtual Internet Access client.
    • IKEv2 (iOS only): Internet Key Exchange version 2 for iOS only.
    • Citrix VPN: Citrix VPN client for iOS.
    • Custom SSL: Custom Secure Socket Layer. This connection type is required for the Cisco AnyConnect client that has a bundle ID of com.cisco.anyconnect. Specify a Connection name of Cisco AnyConnect.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select either Password authentication or RSA SecurID authentication.
  • Shared secret: Type the IPSec shared secret key.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure PPTP Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select either Password authentication or RSA SecurID authentication.
  • Encryption level: In the list, click an encryption level. The default is None.
    • None: Use no encryption. Tunneled traffic crosses the network in the clear, so change this before deploying the policy.
    • Automatic: Use the strongest encryption level supported by the server.
    • Maximum (128-bit): Require 128-bit MPPE encryption.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure IPSec Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.
  • If you enable Shared Secret, configure these settings:
    • Group name: Type an optional group name.
    • Shared secret: Type an optional shared secret key.
    • Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client with its certificate, and the client then authenticates itself to the server with user credentials (XAuth), rather than both sides relying only on the shared secret. The default is Off.
    • Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
  • If you enable Certificate, configure these settings:
    • Identity credential: In the list, click the identity credential to use. The default is None.
    • Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
    • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 9.0 and later.
  • On-demand match app enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
  • Safari domains: Click Add to add a Safari domain name.

Configure Cisco Legacy AnyConnect Protocol for iOS

To transition from the Cisco Legacy AnyConnect client to the new Cisco AnyConnect client, use the Custom SSL protocol.

  • Provider bundle identifier: For the Legacy AnyConnect client, the bundle ID is com.cisco.anyconnect.gui.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Group: Type an optional group name.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Juniper SSL Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Realm: Type an optional realm name.
  • Role: Type an optional role name.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure F5 SSL Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure SonicWALL Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Logon group or domain: Type an optional logon group or domain.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you set this option to ON, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Ariba VIA protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure IKEv2 protocols for iOS

This section includes settings used for the IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration protocols.

  • Allow user to disable automatic connection: For the AlwaysOn protocols. Select whether to allow users to turn off automatic connection to the network on their devices. The default is Off.

  • Host name or IP address for server: Type the server name or IP address for the VPN server.

  • Local Identifier: The FQDN or IP address for the IKEv2 client. This field is required.

  • Remote Identifier: The FQDN or IP address for the VPN server. This field is required.

  • Machine Authentication: Choose Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.

    • If you choose Shared Secret, type an optional shared secret key.

    • If you choose Certificate, choose an Identity credential to use. The default is None.

  • Extended Authentication Enabled: Select whether to enable the Extensible Authentication Protocol (EAP) for user authentication. If you choose On, type the User account and Authentication password. (iOS 8.0 and later)

  • Dead Peer Detection Interval: Choose how often a peer device is contacted to ensure that the peer device remains reachable. The default is None. Options are: (iOS 8.0 and later)

    • None: Disable dead peer detection.

    • Low: Contact peer every 30 minutes.

    • Medium: Contact peer every 10 minutes.

    • High: Contact peer every 1 minute.

  • Disable Mobility and Multihoming: Choose whether to disable this feature. (iOS 9.0+)

  • Use IPv4/IPv6 internal subnet attributes: Choose whether to enable this feature. (iOS 9.0+)

  • Disable redirects: Choose whether to disable redirects. (iOS 9.0+)

  • Enable NAT keepalive while the device is asleep: For the AlwaysOn protocols. Keepalive packets maintain the NAT mappings for IKEv2 connections. While the device is awake, the OS sends them at a regular interval; when this setting is On, the network chip keeps sending them (NAT keepalive offload) while the device is asleep. The default interval is 20 seconds over Wi-Fi and 110 seconds over cellular. You can change the interval with the NAT keepalive interval parameter. (iOS 9.0+)

  • NAT keepalive Interval (seconds): Defaults to 20 seconds. (iOS 9.0+)

  • Enable Perfect Forward Secrecy: Choose whether to enable this feature. (iOS 9.0+)

  • DNS server IP addresses: Optional. A list of DNS server IP address strings. These IP addresses can include a mixture of IPv4 and IPv6 addresses. Click Add to type an address.

  • Domain name: Optional. The primary domain of the tunnel. (iOS 10.0+)

  • Search domains: Optional. A list of domain strings used to qualify single-label host names fully.

  • Append supplemental match domains to resolver’s list: Optional. Determines whether to append the domains in the supplemental match domains list to the list of search domains for the resolver. 0 means append; 1 means don’t append. Default is 0.

  • Supplemental match domains: Optional. A list of domain strings used to determine which DNS queries are to use the DNS resolver settings contained in the DNS server addresses. This key creates a split DNS configuration where only hosts in certain domains get resolved by using the DNS resolver of the tunnel. Hosts not in one of the domains in this list get resolved by using the default resolver of the system.

If this parameter contains an empty string, that string is used as the default domain. This is how a split-tunnel configuration can direct all DNS queries first to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the default route of the network, the DNS servers listed become the default resolver. In that case, the supplemental match domains list is ignored.

  • IKE SA Parameters and Child SA Parameters. Configure these settings for each Security Association (SA) parameters option:

    • Encryption Algorithm: In the list, click the IKE encryption algorithm to use. The default is 3DES.

    • Integrity Algorithm: In the list, click the integrity algorithm to use. The default is SHA1-96.

    • Diffie Hellman Group: In the list, click the Diffie Hellman group number. The default is 2.

    • LifeTime in Minutes: Type an integer between 10 and 1440 representing the SA lifetime (rekey interval). The default is 1440 minutes.

    The defaults (3DES, SHA1-96, Diffie Hellman group 2) are Apple's payload defaults and are weak by current standards: 3DES is a 64-bit-block cipher, SHA1-96 is truncated HMAC-SHA1, and group 2 is 1024-bit MODP. For both the IKE SA and the Child SA, select at least AES-256, SHA2-256 and group 14 (2048-bit MODP), which iOS 9.0 and later support, and turn on Enable Perfect Forward Secrecy. The VPN server must accept the same proposals, or IKE negotiation fails.

  • Service Exceptions: For the AlwaysOn protocols. Service exceptions are system services that are exempt from AlwaysOn VPN. Configure these service exceptions settings:

    • Voice Mail: In the list, click how to handle the voice mail exception. The default is Allow traffic via tunnel.

    • AirPrint: In the list, click how to handle the AirPrint exception. The default is Allow traffic via tunnel.

    • Allow traffic from captive web sheet outside the VPN tunnel: Select whether to allow users to connect to public hotspots outside the VPN tunnel. The default is Off.

    • Allow traffic from all captive networking apps outside the VPN tunnel: Select whether to allow all hotspot networking apps outside the VPN tunnel. The default is Off.

    • Captive networking app bundle identifiers: For each hotspot networking app bundle identifier that users are allowed to access, click Add and type the hotspot networking app Bundle Identifier. Click Save to save the app bundle identifier.

  • Per-app VPN. Configure these settings for IKEv2 connection types.

    • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 9.0 and later.
    • On-demand match app enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: Click Add to add a Safari domain name.
  • Proxy configuration: Choose how the VPN connection routes through a proxy server. Default is None.
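
The SA parameters above are what a device ends up negotiating when the IKE SA and Child SA dictionaries are left at their defaults. The following Python script is an added example for this page, not part of XenMobile or Apple's tooling: it loads an exported .mobileconfig with plistlib and, for every IKEv2 VPN payload, flags weak EncryptionAlgorithm, IntegrityAlgorithm and DiffieHellmanGroup values, an out-of-range LifeTimeInMinutes, and a missing EnablePFS. The key names are those of Apple's IKEv2 VPN payload; the "weak" classification, the hardened values, and the constructed sample profile (host names, UUIDs and the placeholder shared secret) are the example's own assumptions.

```python
"""Audit the IKE SA and Child SA parameters of the IKEv2 payloads in a .mobileconfig.
Added example for this page; not Citrix or Apple code."""
import plistlib
from typing import Optional

# Algorithm names and group numbers as they appear in Apple's IKEv2 VPN payload.
# The "weak" classification is the editor's, by current practice; the UI does not enforce it.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP

# What a device negotiates when an SA dictionary, or a key inside it, is left out.
DEFAULT_SA = {"EncryptionAlgorithm": "3DES", "IntegrityAlgorithm": "SHA1-96",
              "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 1440}

# Values a hardened policy would set for both dictionaries (all supported on iOS 9+).
HARDENED_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
               "DiffieHellmanGroup": 14, "LifeTimeInMinutes": 480}


def audit_sa(params: Optional[dict], label: str) -> list:
    """Findings for one SA dictionary; omitted keys are filled from DEFAULT_SA first."""
    p = {**DEFAULT_SA, **(params or {})}
    findings = []
    if params is None:
        findings.append(f"{label}: dictionary omitted, device falls back to defaults")
    if p["EncryptionAlgorithm"] in WEAK_ENCRYPTION:
        findings.append(f"{label}: weak EncryptionAlgorithm {p['EncryptionAlgorithm']}")
    if p["IntegrityAlgorithm"] in WEAK_INTEGRITY:
        findings.append(f"{label}: weak IntegrityAlgorithm {p['IntegrityAlgorithm']}")
    if p["DiffieHellmanGroup"] in WEAK_DH_GROUPS:
        findings.append(f"{label}: weak DiffieHellmanGroup {p['DiffieHellmanGroup']}")
    if not 10 <= p["LifeTimeInMinutes"] <= 1440:
        findings.append(f"{label}: LifeTimeInMinutes {p['LifeTimeInMinutes']} outside 10..1440")
    return findings


def audit_vpn_payload(payload: dict) -> list:
    """Findings for one com.apple.vpn.managed payload; non-IKEv2 types are skipped."""
    if payload.get("VPNType") != "IKEv2":
        return []
    ike = payload.get("IKEv2", {})
    findings = audit_sa(ike.get("IKESecurityAssociationParameters"), "IKE SA")
    findings += audit_sa(ike.get("ChildSecurityAssociationParameters"), "Child SA")
    if not ike.get("EnablePFS", False):
        findings.append("EnablePFS is off: Child SA rekeys derive keys without a fresh Diffie-Hellman exchange")
    return findings


def audit_mobileconfig(xml_bytes: bytes) -> dict:
    """Map PayloadIdentifier -> findings for every VPN payload in an exported profile."""
    profile = plistlib.loads(xml_bytes)
    return {pl["PayloadIdentifier"]: audit_vpn_payload(pl)
            for pl in profile.get("PayloadContent", [])
            if pl.get("PayloadType") == "com.apple.vpn.managed"}


def _vpn_payload(ident: str, uuid: str, ike: dict) -> dict:
    return {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
            "PayloadIdentifier": ident, "PayloadUUID": uuid, "UserDefinedName": ident,
            "VPNType": "IKEv2", "IKEv2": ike}


_COMMON = {"RemoteAddress": "vpn.example.com", "RemoteIdentifier": "vpn.example.com",
           "LocalIdentifier": "device01.example.com"}  # assumed names

# Constructed profile: the first payload leaves both SA dictionaries out, which is what
# an untouched IKEv2 policy produces; the second sets them explicitly.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.vpn", "PayloadUUID": "5F2D9C1E-0000-4000-8000-000000000001",
    "PayloadContent": [
        _vpn_payload("com.example.vpn.defaults", "5F2D9C1E-0000-4000-8000-000000000002",
                     {**_COMMON, "AuthenticationMethod": "SharedSecret",
                      "SharedSecret": "placeholder-not-a-real-secret"}),
        _vpn_payload("com.example.vpn.hardened", "5F2D9C1E-0000-4000-8000-000000000003",
                     {**_COMMON, "AuthenticationMethod": "Certificate",
                      "PayloadCertificateUUID": "5F2D9C1E-0000-4000-8000-000000000004",
                      "EnablePFS": True,
                      "IKESecurityAssociationParameters": HARDENED_SA,
                      "ChildSecurityAssociationParameters": HARDENED_SA}),
    ],
})

if __name__ == "__main__":
    for ident, findings in audit_mobileconfig(SAMPLE_MOBILECONFIG).items():
        print(ident, "->", findings or ["OK"])
```

Run it against a profile exported from XenMobile (or any MDM) to see which IKEv2 policies still carry the 3DES/SHA1-96/group 2 defaults; the hardened payload in the sample produces no findings, the default one produces nine.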

Configure Citrix VPN protocol for iOS

The Citrix VPN client is available in the Apple App Store.

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is OFF.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is OFF. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you set this option to ON, configure the following settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and specify the key/value pairs. Available parameters are:
    • disableL3: Disables system level VPN. Allows only per app VPN. No Value is needed.
    • useragent: Associates with this device policy any NetScaler policies that are targeted to VPN plugin clients. The Value for this key is automatically appended to the VPN plugin for the requests initiated by the plugin.

Configure Custom SSL protocol for iOS

To transition from the Cisco Legacy AnyConnect client to the Cisco AnyConnect client:

  1. Configure the VPN device policy with the Custom SSL protocol. Deploy the policy to iOS devices.
  2. Upload the Cisco AnyConnect client from https://itunes.apple.com/us/app/cisco-anyconnect/id1135064690?mt=8, add the app to XenMobile Server, and then deploy the app to iOS devices.
  3. Remove the old VPN device policy from iOS devices.

Settings:

  • Custom SSL identifier (reverse DNS format): Set to the bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
  • Provider Bundle Identifier: If the app specified in Custom SSL identifier has multiple VPN providers of the same type (App proxy or Packet tunnel), then specify this bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is OFF.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is OFF. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you set this option to ON, configure the following settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider Type: A provider type indicates whether the provider is a VPN service or proxy service. For VPN service, choose Packet tunnel. For proxy service, choose App proxy. For the Cisco AnyConnect client, choose Packet tunnel.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and do the following:
    • Parameter name: Type the name of the parameter to be added.
    • Value: Type the value associated with Parameter name.
    • Click Save to save the parameter or click Cancel to not save the parameter.

Configure Enable VPN on demand options for iOS

  • On Demand Domain: For each domain you want to add, together with the action to take when users connect to it, click Add and do the following:
  • Domain: Type the domain to be added.
  • Action: In the list click one of the possible actions:
    • Always establish: The domain always triggers a VPN connection.
    • Never establish: The domain never triggers a VPN connection.
    • Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails, such as when the DNS server cannot resolve the domain, redirects to a different server, or times out.
    • Click Save to save the domain or click Cancel to not save the domain.
  • On demand rules
    • Action: In the list, click the action to be taken. The default is EvaluateConnection. Possible actions are:
      • Allow: Allow VPN on demand to connect when triggered.
      • Connect: Unconditionally initiate a VPN connection.
      • Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
      • EvaluateConnection: Evaluate the ActionParameters array for each connection.
      • Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
    • DNSDomainMatch: For each domain you want to match against the device’s search domain list, click Add and do the following:
      • DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
      • Click Save to save the domain or click Cancel to not save the domain.
    • DNSServerAddressMatch: For each IP address to which any of the network’s specified DNS servers can match that you want to add, click Add and do the following:
      • DNS Server Address: Type the DNS server address you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in 17.0.0.0/8.
      • Click Save to save the DNS server address or click Cancel to not save the DNS server address.
    • InterfaceTypeMatch: In the list, click the type of primary network interface hardware in use. The default is Unspecified. Possible values are:
      • Unspecified: Matches any network interface hardware. This is the default.
      • Ethernet: Matches only Ethernet network interface hardware.
      • WiFi: Matches only WiFi network interface hardware.
      • Cellular: Matches only Cellular network interface hardware.
    • SSIDMatch: For each SSID to match against the current network, click Add and do the following:
      • SSID: Type the SSID to add. If the network is not a WiFi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
      • Click Save to save the SSID or click Cancel to not save the SSID.
    • URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
    • ActionParameters : Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • ActionParameters : DomainAction: In the list, click the VPN behavior for the specified ActionParameters : Domains domains. The default is ConnectIfNeeded. Possible actions are:
      • ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails, such as when the DNS server cannot resolve the domain, redirects to a different server, or times out.
      • NeverConnect: The domain never triggers a VPN connection.
    • Action Parameters: RequiredDNSServers: For each DNS server IP address to be used for resolving the specified domains, click Add and do the following:
      • DNS Server: Valid only when ActionParameters : DomainAction = ConnectIfNeeded. Type the DNS server to add. This server need not be part of the device’s current network configuration. If the DNS server is not reachable, a VPN connection is established in response. This DNS server should be either an internal DNS server or a trusted external DNS server.
      • Click Save to save the DNS server or click Cancel to not save the DNS server.
    • ActionParameters : RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s hostname cannot be resolved, if the server is unreachable, or if the server does not respond with a 200 HTTP status code, a VPN connection is established in response. Valid only when ActionParameters : DomainAction = ConnectIfNeeded.
    • OnDemandRules : XML content: Type, or copy and paste, XML configuration on demand rules.
      • Click Check Dictionary to validate the XML code. You will see Valid XML in green text below the XML content text box if the XML is valid; otherwise, you will see an error message in orange text describing the error.
  • Proxy
    • Proxy configuration: In the list, click how the VPN connection routes through a proxy server. The default is None.
      • If you enable Manual, configure these settings:
        • Host name or IP address for the proxy server: Type the host name or IP address for the proxy server. This field is required.
        • Port for the proxy server: Type the proxy server port number. This field is required.
        • User name: Type an optional proxy server user name.
        • Password: Type an optional proxy server password.
      • If you configure Automatic, configure this setting:
        • Proxy server URL: Type the URL for the proxy server. This field is required.
  • Policy Settings
    • Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in hours).
    • If you click Select date, click the calendar to select the specific date for removal.
    • In the Allow user to remove policy list, click Always, Password required, or Never.
    • If you click Password required, next to Removal password, type the necessary password.
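
The on-demand rule keys above map directly onto Apple's OnDemandRules array, and the XML content box accepts that array as a plist. The Python below is an added example, not Citrix or Apple code: it builds a three-rule set (tear the tunnel down on the corporate Wi-Fi, split by domain on any other Wi-Fi, full tunnel elsewhere), applies the semantic checks this section spells out that Check Dictionary does not (ActionParameters only with EvaluateConnection, Required* keys only with ConnectIfNeeded, valid InterfaceTypeMatch values), emits the plist XML to paste into the box, and dry-runs the first-match evaluation against constructed network states. The SSID, resolver addresses, probe URL and domain names are assumptions.

```python
"""Build, validate and dry-run the OnDemandRules array that goes into the
"OnDemandRules : XML content" box. Added example; not Citrix or Apple code."""
import plistlib
from fnmatch import fnmatchcase

ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}
INTERFACES = {"Ethernet", "WiFi", "Cellular"}

# Constructed values for the example; substitute your own.
CORP_SSID = "CorpNet"
INTERNAL_DNS = ["10.0.0.53", "10.0.1.53"]


def build_rules() -> list:
    """Rules are evaluated in order and the first match wins, so the most specific
    case (trusted corporate Wi-Fi) comes first and the catch-all last."""
    return [
        # On the corporate Wi-Fi (SSID and internal resolvers both match) tear the tunnel down.
        {"Action": "Disconnect", "SSIDMatch": [CORP_SSID], "DNSServerAddressMatch": ["10.*"]},
        # On any other Wi-Fi, tunnel only when internal names cannot be resolved or reached.
        {"Action": "EvaluateConnection", "InterfaceTypeMatch": "WiFi",
         "ActionParameters": [
             {"Domains": ["intranet.example.com", "git.corp.example.com"],
              "DomainAction": "ConnectIfNeeded",
              "RequiredDNSServers": INTERNAL_DNS,
              "RequiredURLStringProbe": "https://probe.corp.example.com/ok"},
             {"Domains": ["www.example.com"], "DomainAction": "NeverConnect"}]},
        # Everything else (cellular, Ethernet): bring the tunnel up unconditionally.
        {"Action": "Connect"},
    ]


def validate_rules(rules: list) -> list:
    """Semantic checks beyond 'Check Dictionary', which only checks that the plist
    parses. Returns a list of human-readable errors (empty when the rules are sound)."""
    errors = []
    for i, rule in enumerate(rules):
        where, action, params = f"rule[{i}]", rule.get("Action"), rule.get("ActionParameters")
        if action not in ACTIONS:
            errors.append(f"{where}: Action {action!r} is not one of {sorted(ACTIONS)}")
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] not in INTERFACES:
            errors.append(f"{where}: InterfaceTypeMatch {rule['InterfaceTypeMatch']!r} is invalid")
        for key in ("SSIDMatch", "DNSDomainMatch", "DNSServerAddressMatch"):
            if key in rule and not (isinstance(rule[key], list)
                                    and all(isinstance(s, str) for s in rule[key])):
                errors.append(f"{where}: {key} must be an array of strings")
        if params is not None and action != "EvaluateConnection":
            errors.append(f"{where}: ActionParameters is only valid with EvaluateConnection")
        if action == "EvaluateConnection" and not params:
            errors.append(f"{where}: EvaluateConnection requires ActionParameters")
        for j, p in enumerate(params or []):
            pw = f"{where}.ActionParameters[{j}]"
            if not p.get("Domains"):
                errors.append(f"{pw}: Domains is required")
            if p.get("DomainAction") not in DOMAIN_ACTIONS:
                errors.append(f"{pw}: DomainAction {p.get('DomainAction')!r} is invalid")
            elif p["DomainAction"] == "NeverConnect" and (
                    "RequiredDNSServers" in p or "RequiredURLStringProbe" in p):
                errors.append(f"{pw}: Required* keys are only valid with ConnectIfNeeded")
            probe = p.get("RequiredURLStringProbe")
            if probe is not None and not probe.startswith(("http://", "https://")):
                errors.append(f"{pw}: RequiredURLStringProbe must be an HTTP(S) URL")
    return errors


def rules_to_xml(rules: list) -> bytes:
    """Plist XML to paste into the 'OnDemandRules : XML content' box."""
    return plistlib.dumps({"OnDemandRules": rules})


def match_rule(rules: list, net: dict):
    """Dry-run: (Action, index) of the first rule matching a network state
    {"interface", "ssid", "dns_servers", "search_domains"}. Match keys are ANDed
    within a rule and an absent key matches anything; URLStringProbe is not modelled."""
    for i, rule in enumerate(rules):
        if rule.get("InterfaceTypeMatch", net["interface"]) != net["interface"]:
            continue
        if "SSIDMatch" in rule and (net["interface"] != "WiFi" or
                                    (rule["SSIDMatch"] and net["ssid"] not in rule["SSIDMatch"])):
            continue  # SSIDMatch fails on non-Wi-Fi networks; an empty list matches any SSID
        if "DNSDomainMatch" in rule and not any(fnmatchcase(d, pat) for d in net["search_domains"]
                                                for pat in rule["DNSDomainMatch"]):
            continue  # "*.example.com"-style prefix wildcards
        if "DNSServerAddressMatch" in rule and not any(fnmatchcase(s, pat) for s in net["dns_servers"]
                                                       for pat in rule["DNSServerAddressMatch"]):
            continue  # "17.*"-style suffix wildcards
        return rule["Action"], i
    return None, None


if __name__ == "__main__":
    rules = build_rules()
    assert not validate_rules(rules)
    print(rules_to_xml(rules).decode())
```

The dry-run is what makes rule ordering visible: a device on cellular with a 10.x resolver still skips the Disconnect rule because SSIDMatch never matches off Wi-Fi, and a home Wi-Fi lands on the EvaluateConnection rule rather than the catch-all Connect. Validate the array before pasting it, since a mistyped Action or a Required* key under NeverConnect parses as valid XML and is silently ignored on the device.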

Configure a per-app VPN

Per-app VPN options for iOS are available for these connection types: Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix VPN, and Custom SSL. IPSec and IKEv2 connections also expose the per-app VPN settings described in their sections, on iOS 9.0 and later.

To configure a per-app VPN:

  1. In Configure > Device Policies, create a VPN policy. For example:

    Image of Device Policies configuration screen

    A per-app VPN policy for Secure Hub has the following setting requirements:

    • Connection Name: Set to XenMobile. XenMobile uses the Connection Name as the VPN provider localized description. Secure Hub uses the VPN localized description to differentiate the device-wide provider from the per-app provider.

    • Connection type: Set to Custom SSL.

    • Custom SSL Identifier: Set to the bundle identifier of Secure Hub.

    • Provider Bundle Identifier: Set to the bundle identifier of the Secure Hub network extension. That bundle identifier is the Secure Hub bundle identifier, specified in Custom SSL identifier, with .NE appended.

    • Provider Type: Set to Packet tunnel.

  2. In Configure > Device Policies, create an App Attributes policy to associate an app to the per-app VPN policy. For Per-app VPN identifier, choose the name of the VPN policy created in Step 1. For Managed app bundle ID, choose from the app list or type the app bundle ID. (If you deploy an iOS App Inventory policy, the app list contains apps.)

    Image of Device Policies configuration screen

macOS settings

Image of Device Policies configuration screen

  • Connection name: Type a name for the connection.
  • Connection type: In the list, click the protocol to be used for this connection. The default is L2TP.
    • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
    • PPTP: Point-to-Point Tunneling.
    • IPSec: Your corporate VPN connection.
    • Cisco AnyConnect: Cisco AnyConnect VPN client.
    • Juniper SSL: Juniper Networks SSL VPN client.
    • F5 SSL: F5 Networks SSL VPN client.
    • SonicWALL Mobile Connect: Dell unified VPN client for iOS.
    • Ariba VIA: Ariba Networks Virtual Internet Access client.
    • Citrix VPN: Citrix VPN client.
    • Custom SSL: Custom Secure Socket Layer.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select one of Password authentication, RSA SecurID authentication, Kerberos authentication, CryptoCard authentication. The default is Password authentication.
  • Shared secret: Type the IPSec shared secret key.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure PPTP Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select one of Password authentication, RSA SecurID authentication, Kerberos authentication, CryptoCard authentication. The default is Password authentication.
  • Encryption level: Select the desired encryption level. The default is None.
    • None: Use no encryption.
    • Automatic: Use the strongest encryption level supported by the server.
    • Maximum (128-bit): Always use 128-bit encryption.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure IPSec Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.
    • If you enable Shared Secret authentication, configure these settings:
      • Group name: Type an optional group name.
      • Shared secret: Type an optional shared secret key.
      • Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
      • Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
    • If you enable Certificate authentication, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.

Configure Cisco AnyConnect Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Group: Type an optional group name.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Juniper SSL Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Realm: Type an optional realm name.
  • Role: Type an optional role name.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure the following settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure F5 SSL Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure SonicWALL Protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Logon group or domain: Type an optional logon group or domain.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Ariba VIA protocol for macOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Citrix VPN protocol for macOS

The Citrix VPN client is available from the Apple App Store.

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. Available only on iOS 7.0 and later. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and specify the key/value pairs. Available parameters are:
    • disableL3: Disables system level VPN. Allows only per app VPN. No Value is needed.
    • useragent: Associates with this device policy any NetScaler policies that are targeted to VPN plugin clients. The Value for this key is automatically appended to the VPN plugin for the requests initiated by the plugin.

Configure Custom SSL protocol for macOS

  • Custom SSL identifier (reverse DNS format): Type the SSL identifier in reverse DNS format. This field is required.
  • Server name or IP address: Type the server name or IP address for the VPN server. This field is required.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, click either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, click the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for macOS.
  • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match enabled: Select whether per-app VPN connections are triggered automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection that you want to include, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and do the following:
    • Parameter name: Type the name of the parameter to be added.
    • Value: Type the value associated with Parameter name.
    • Click Save to save the parameter or click Cancel to not save the parameter.

Configure Enable VPN on demand options for macOS

  • On Demand Domain: For each domain you want to add, together with the action to take when users connect to it, click Add and do the following:
    • Domain: Type the domain to be added.
    • Action: In the list click one of the possible actions:
      • Always establish: The domain always triggers a VPN connection.
      • Never establish: The domain never triggers a VPN connection.
      • Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails, such as when the DNS server cannot resolve the domain, redirects to a different server, or times out.
    • Click Save to save the domain or click Cancel to not save the domain.
  • On demand rules
    • Action: In the list, click the action to be taken. The default is EvaluateConnection. Possible actions are:
      • Allow: Allow VPN on demand to connect when triggered.
      • Connect: Unconditionally initiate a VPN connection.
      • Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
      • EvaluateConnection: Evaluate the ActionParameters array for each connection.
      • Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
    • DNSDomainMatch: For each domain that a user device’s search domain list can match that you want to add, click Add and do the following:
      • DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
      • Click Save to save the domain or click Cancel to not save the domain.
    • DNSServerAddressMatch: For each IP address that any of the network’s specified DNS servers can match that you want to add, click Add and do the following:
      • DNS Server Address: Type the DNS server address you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in the class A subnet.
      • Click Save to save the DNS server address or click Cancel to not save the DNS server address.
    • InterfaceTypeMatch: In the list, click the type of primary network interface hardware in use. The default is Unspecified. Possible values are:
      • Unspecified: Matches any network interface hardware. This is the default.
      • Ethernet: Matches only Ethernet network interface hardware.
      • WiFi: Matches only WiFi network interface hardware.
      • Cellular: Matches only Cellular network interface hardware.
    • SSIDMatch: For each SSID to match against the current network that you want to add, click Add and do the following:
      • SSID: Type the SSID to add. If the network is not a WiFi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
      • Click Save to save the SSID or click Cancel to not save the SSID.
    • URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
    • ActionParameters : Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • ActionParameters : DomainAction: In the list, click the VPN behavior for the specified ActionParameters : Domains domains. The default is ConnectIfNeeded. Possible actions are:
      • ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails, such as when the DNS server cannot resolve the domain, redirects to a different server, or times out.
      • NeverConnect: The domain never triggers a VPN connection.
    • ActionParameters : RequiredDNSServers: For each DNS server IP address to be used for resolving the specified domains, click Add and do the following:
      • DNS Server: Valid only when ActionParameters : DomainAction = ConnectIfNeeded. Type the DNS server to add. This server need not be part of the device’s current network configuration. If the DNS server is not reachable, a VPN connection is established in response. This DNS server should be either an internal DNS server or a trusted external DNS server.
      • Click Save to save the DNS server or click Cancel to not save the DNS server.
    • ActionParameters : RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s hostname cannot be resolved, if the server is unreachable, or if the server does not respond with a 200 HTTP status code, a VPN connection is established in response. Valid only when ActionParameters : DomainAction = ConnectIfNeeded.
    • OnDemandRules : XML content: Type, or copy and paste, the XML that configures the on-demand rules.
      • Click Check Dictionary to validate the XML code. You will see Valid XML in green text below the XML content text box if the XML is valid; otherwise, you will see an error message in orange text describing the error.
  • Proxy
    • Proxy configuration: In the list, click how the VPN connection routes through a proxy server. The default is None.
      • If you enable Manual, configure these settings:
        • Host name or IP address for the proxy server: Type the host name or IP address for the proxy server. This field is required.
        • Port for the proxy server: Type the proxy server port number. This field is required.
        • User name: Type an optional proxy server user name.
        • Password: Type an optional proxy server password.
      • If you configure Automatic, configure this setting:
        • Proxy server URL: Type the URL for the proxy server. This field is required.
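The on-demand rules above are evaluated in order, the first rule whose match keys all hold decides the Action, and an EvaluateConnection rule defers the decision to its ActionParameters for each connection. The following Python evaluator is an added example written for this page, not XenMobile or Apple code; it models that evaluation with the key names the settings use (DNSDomainMatch, DNSServerAddressMatch, InterfaceTypeMatch, SSIDMatch, URLStringProbe, ActionParameters with Domains, DomainAction, RequiredDNSServers and RequiredURLStringProbe). The rule set, the network states and the DNS and URL probe results are constructed sample data; a real client performs those lookups itself. It also includes the check the page implies: RequiredDNSServers and RequiredURLStringProbe are only valid when DomainAction is ConnectIfNeeded.

```python
"""Evaluate VPN on-demand rules the way the settings above describe them.
Added example for this page, not XenMobile or Apple code. The rules, network
states and probe results are constructed sample data; a real client would
perform the DNS lookups and URL fetches itself."""
import fnmatch
from dataclasses import dataclass, field


@dataclass
class NetworkState:
    """What the device currently sees on its primary interface (constructed stand-in)."""
    search_domains: list
    dns_servers: list
    interface: str                                     # "Ethernet", "WiFi" or "Cellular"
    ssid: str = ""
    reachable_urls: set = field(default_factory=set)   # GET returns 200 with no redirect
    reachable_dns: set = field(default_factory=set)    # DNS servers that answer
    resolvable: set = field(default_factory=set)       # host names the current DNS resolves


def _glob_any(patterns, candidates):
    # The settings allow a "*" wildcard: "*.example.com" matches mydomain.example.com,
    # and "17.*" matches any DNS server address that starts with "17.".
    return any(fnmatch.fnmatchcase(c, p) for p in patterns for c in candidates)


def rule_matches(rule, net):
    """True when every match key present in the rule holds. A rule with no match
    keys matches unconditionally, which is how a final catch-all rule is written."""
    if "DNSDomainMatch" in rule and not _glob_any(rule["DNSDomainMatch"], net.search_domains):
        return False
    if "DNSServerAddressMatch" in rule and not _glob_any(rule["DNSServerAddressMatch"], net.dns_servers):
        return False
    iface = rule.get("InterfaceTypeMatch", "Unspecified")
    if iface != "Unspecified" and iface != net.interface:
        return False
    if rule.get("SSIDMatch"):        # an empty SSIDMatch list matches any SSID
        if net.interface != "WiFi" or net.ssid not in rule["SSIDMatch"]:
            return False
    if "URLStringProbe" in rule and rule["URLStringProbe"] not in net.reachable_urls:
        return False
    return True


def on_demand_action(rules, net):
    """Rules are checked in order and the first match decides; None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, net):
            return rule["Action"]
    return None


def connection_needs_vpn(rule, hostname, net):
    """For an EvaluateConnection rule, decide per connection from ActionParameters.
    Returns True when a VPN connection should be established for `hostname`."""
    for params in rule.get("ActionParameters", []):
        if not any(hostname == d or hostname.endswith("." + d) for d in params["Domains"]):
            continue
        if params.get("DomainAction", "ConnectIfNeeded") == "NeverConnect":
            return False
        # ConnectIfNeeded: connect when resolution fails, a required DNS server is
        # unreachable, or the required URL probe does not answer with 200.
        if hostname not in net.resolvable:
            return True
        if any(s not in net.reachable_dns for s in params.get("RequiredDNSServers", [])):
            return True
        probe = params.get("RequiredURLStringProbe")
        return bool(probe) and probe not in net.reachable_urls
    return False        # no Domains entry covers this host, so the rule does not apply


def validate_rules(rules):
    """Report ActionParameters keys that are only valid with DomainAction = ConnectIfNeeded."""
    problems = []
    for i, rule in enumerate(rules):
        for params in rule.get("ActionParameters", []):
            if params.get("DomainAction") == "NeverConnect":
                for key in ("RequiredDNSServers", "RequiredURLStringProbe"):
                    if key in params:
                        problems.append(f"rule {i}: {key} requires DomainAction = ConnectIfNeeded")
    return problems


# Constructed sample rule set: disconnect on the office Wi-Fi, leave things alone when
# the office probe already answers over Ethernet, otherwise evaluate per connection.
SAMPLE_RULES = [
    {"InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpWiFi"], "Action": "Disconnect"},
    {"DNSDomainMatch": ["*.corp.example.com"], "DNSServerAddressMatch": ["10.*"],
     "URLStringProbe": "https://probe.corp.example.com/ok", "Action": "Ignore"},
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"Domains": ["corp.example.com"], "DomainAction": "ConnectIfNeeded",
         "RequiredDNSServers": ["10.0.0.53"],
         "RequiredURLStringProbe": "https://probe.corp.example.com/ok"},
        {"Domains": ["example.com"], "DomainAction": "NeverConnect"},
    ]},
]

# Constructed network states used by the checks below.
OFFICE_WIFI = NetworkState(["corp.example.com"], ["10.0.0.53"], "WiFi", ssid="CorpWiFi")
OFFICE_LAN = NetworkState(["eng.corp.example.com"], ["10.0.0.53"], "Ethernet",
                          reachable_urls={"https://probe.corp.example.com/ok"},
                          reachable_dns={"10.0.0.53"}, resolvable={"intranet.corp.example.com"})
CAFE = NetworkState(["lan"], ["192.168.1.1"], "WiFi", ssid="CafeGuest",
                    resolvable={"www.example.com"})

if __name__ == "__main__":
    print(on_demand_action(SAMPLE_RULES, OFFICE_WIFI), on_demand_action(SAMPLE_RULES, OFFICE_LAN))
    print(connection_needs_vpn(SAMPLE_RULES[2], "intranet.corp.example.com", CAFE))
    print(validate_rules(SAMPLE_RULES))
```

Rule order is the security-relevant part: the catch-all EvaluateConnection rule only applies when the more specific Wi-Fi and Ethernet rules did not match, and a NeverConnect entry placed before a broader ConnectIfNeeded entry would silently keep intranet traffic off the tunnel, so keep the most specific Domains entries first.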

Android settings

Image of Device Policies configuration screen

Configure Citrix VPN protocol for Android

  • Connection name: Type a name for the VPN connection. This field is required.

  • Server name or IP address: Type the FQDN or IP address of the NetScaler Gateway.

  • Authentication type for the connection: Choose an authentication type and complete any of these fields that appear for the type:

    • User name and Password: Type your VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don’t provide the VPN credentials, the Citrix VPN app prompts for a user name and password.

    • Identity credential: Appears for the Authentication types of Certificate or Password and Certificate.

  • Enable per-app VPN: Select whether to enable per-app VPN. If you don’t enable per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings. The default is Off.

    • Whitelist or Blacklist: Choose a setting. If Whitelist, all apps in the whitelist tunnel through this VPN. If Blacklist, all apps except those on the blacklist tunnel through this VPN.

    • Application List: Specify the whitelisted or blacklisted apps. Click Add and then type a comma-separated list of app package names.

  • Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:

    • disableL3Mode: Optional. To enable this parameter, type Yes for the Value. If enabled, XenMobile doesn’t display user-added VPN connections and the user cannot add a new connection. This is a global restriction and applies to all VPN profiles.

    • userAgent: A string value. You can specify a custom User Agent string to send in each HTTP request. The specified user agent string gets appended to the existing Citrix VPN user agent.

Configure Cisco AnyConnect VPN protocol for Android

  • Connection name: Type a name for the Cisco AnyConnect VPN connection. This field is required.
  • Server name or IP address: Type the name or IP address of the VPN server. This field is required.
  • Backup VPN server: Type the backup VPN server information.
  • User group: Type the user group information.
  • Identity credential: In the list, select an identity credential.
  • Trusted Networks
    • Automatic VPN policy: Enable or disable this option to set how the VPN reacts to trusted and untrusted networks. If enabled, configure these settings:
      • Trusted network policy: In the list, click the desired policy. The default is Disconnect. Possible options are:
        • Disconnect: The client terminates the VPN connection in the trusted network. This is the default.
        • Connect: The client initiates a VPN connection in the trusted network.
        • Do Nothing: The client takes no action.
        • Pause: Suspends the VPN session (rather than disconnecting it) when a user enters a network configured as trusted after establishing a VPN session outside the trusted network. When the user leaves the trusted network again, the session resumes. This eliminates the need to establish a new VPN session after leaving a trusted network.
      • Untrusted network policy: In the list, click the desired policy. The default is Connect. Possible options are:
        • Connect: The client initiates a VPN connection in the untrusted network.
        • Do Nothing: The client starts a VPN connection in the untrusted network. This option disables always-on VPN.
    • Trusted domains: For each domain suffix that the network interface may have when the client is in the trusted network, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • Trusted servers: For each server address that a network interface may have when the client is in the trusted network, click Add and do the following:
      • Servers: Type the server to be added.
      • Click Save to save the server or click Cancel to not save the server.
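The Trusted Networks settings above define a small state machine: whether the current interface counts as trusted (by domain suffix or by server address) selects either the trusted or the untrusted policy, and Pause is the one option that carries a session across a trusted network instead of tearing it down. The following Python model is an added example written for this page, not Cisco AnyConnect or XenMobile code; the policy values, interface details and the sequence of network events are constructed sample data, and the `walk` helper exists only to replay them.

```python
"""Trusted Network Detection as the Automatic VPN policy settings above describe it.
Added example for this page, not Cisco AnyConnect or XenMobile code; the policy,
interface details and events below are constructed sample data."""
from dataclasses import dataclass


@dataclass
class TrustedNetworkPolicy:
    trusted_domains: list                  # domain suffixes the interface may carry
    trusted_servers: list                  # server addresses the interface may have
    trusted_policy: str = "Disconnect"     # Disconnect, Connect, Do Nothing or Pause
    untrusted_policy: str = "Connect"      # Connect or Do Nothing


def is_trusted(policy, interface_domain, interface_servers=()):
    """The network counts as trusted when the interface's domain suffix or one of
    its servers appears on the policy's lists."""
    dom = interface_domain.lower()
    by_domain = any(dom == d.lower() or dom.endswith("." + d.lower())
                    for d in policy.trusted_domains)
    by_server = any(s in policy.trusted_servers for s in interface_servers)
    return by_domain or by_server


@dataclass
class VpnClient:
    policy: TrustedNetworkPolicy
    state: str = "disconnected"            # disconnected, connected or paused

    def on_network_change(self, interface_domain, interface_servers=()):
        """Apply the trusted or untrusted policy and return the resulting state."""
        if is_trusted(self.policy, interface_domain, interface_servers):
            action = self.policy.trusted_policy
            if action == "Disconnect":
                self.state = "disconnected"
            elif action == "Connect":
                self.state = "connected"
            elif action == "Pause" and self.state == "connected":
                self.state = "paused"      # session kept; resumes on leaving the trusted network
            # "Do Nothing" leaves the current state alone
        else:
            if self.state == "paused":
                self.state = "connected"   # a paused session resumes outside the trusted network
            elif self.policy.untrusted_policy == "Connect":
                self.state = "connected"
            # "Do Nothing" disables always-on: no automatic connection is started
        return self.state


# Constructed sample policy: pause on the corporate network, connect everywhere else.
SAMPLE_POLICY = TrustedNetworkPolicy(["corp.example.com"], ["10.0.0.1"], "Pause", "Connect")


def walk(policy, events):
    """Replay (interface_domain, interface_servers) events and return the state after each."""
    client = VpnClient(policy)
    return [client.on_network_change(dom, servers) for dom, servers in events]


if __name__ == "__main__":
    print(walk(SAMPLE_POLICY, [("home.lan", ()), ("eng.corp.example.com", ()), ("cafe.lan", ())]))
```

The replay makes the difference between Disconnect and Pause visible: with Disconnect the client re-establishes a fresh session every time the user leaves the trusted network, while with Pause the existing session is suspended and resumed; with an untrusted policy of Do Nothing the client never starts a tunnel on its own, which is exactly the always-on behaviour the setting description says is lost.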

Configure Samsung SAFE settings

Image of Device Policies configuration screen

  • Connection name: Type a name for the connection.
  • Vpn type: In the list, click the protocol to be used for this connection. The default is L2TP with pre-shared key. Possible options are:
    • L2TP with pre-shared key: Layer 2 Tunneling Protocol with pre-shared key authentication. This is the default setting.
    • L2TP with certificate: Layer 2 Tunneling Protocol with certificate.
    • PPTP: Point-to-Point Tunneling.
    • Enterprise: Your corporate VPN connection. Applicable to SAFE versions earlier than 2.0.
    • Generic: A generic VPN connection. Applicable to SAFE versions 2.0 or higher.

Configure L2TP with pre-shared key protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • Pre-shared key: Type the pre-shared key. This option is required.

Configure L2TP with certificate protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • Identity credential: In the list, click the identity credential to be used. The default is None.

Configure PPTP protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • Enable encryption: Select whether to enable encryption on the VPN connection.

Configure Enterprise protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • Enable backup server: Select whether to enable a backup VPN server. If enabled, in Backup VPN server, type the FQDN or IP address of the backup VPN server.
  • Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
    • User name: Type a user name.
    • Password: Type the user password.
  • Group name: Type an optional group name.
  • Authentication method: In the list, click the authentication method to be used. Possible options are:
    • Certificate: Use certificate authentication. This is the default. If selected, in the Identity credential list, click the credential to use. The default is None.
    • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
    • Hybrid RSA: Use hybrid authentication using RSA certificates.
    • EAP MD5: Authenticates the EAP peer to the EAP server but does not provide mutual authentication.
    • EAP MSCHAPv2: Use Microsoft’s challenge-handshake authentication for mutual authentication.
  • CA certificate: In the list, click the certificate to be used. The default is None.
  • Enable default route: Select whether to enable a default route to the VPN server. The default is Off.
  • Enable smartcard authentication: Select whether to allow users to authenticate by using smart cards. The default is Off.
  • Enable mobile option: Select whether to enable mobile option. The default is Off.
  • Diffie-Hellman group value (key strength): In the list, click the key strength to be used. The default is 0.
  • Split tunnel type: In the list, click the type of split tunnel to use. The default is Auto. Possible options are:
    • Auto: Split tunneling is used automatically.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: Split tunneling is not used.
  • SuiteB type: In the list, click the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
    • GCM-128: Use 128-bit AES-GCM encryption.
    • GMAC-128: Use 128-bit AES-GMAC encryption.
    • GMAC-256: Use 256-bit AES-GMAC encryption.
    • None: Use no encryption.
  • Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure Generic protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • Enable user authentication: Select whether to require user authentication. If enabled, in Password, type the user password.
  • User name: Type a user name.
  • Package Name Agent VPN: The package name, or ID, of the VPN installed on the device; for example, Mocana or Pulse Secure.
  • Vpn Connection type: In the list, click either IPSEC or SSL for the connection type to be used. The default is IPSEC. The following sections describe the configuration settings for each connection type.

Configure IPSEC connection type settings for Samsung SAFE

  • Identity: Type an optional identifier for this configuration.
  • IPsec group ID type: In the list, click the IPsec group ID type to use. The default is Default. Possible options are:
    • Default
    • IPv4 address
    • Fully qualified domain name (FQDN)
    • User FQDN
    • IKE key ID
  • IKE version: In the list, click the Internet Key Exchange version to use. The default is IKEv1.
  • Authentication method: In the list, click the authentication method to be used. The default is Certificate. Possible options are:
    • Certificate: Use certificate authentication. If selected, in the Identity credential list, click the credential to use. The default is None.
    • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
    • Hybrid RSA: Use hybrid authentication using RSA certificates.
    • EAP MD5: Authenticates the EAP peer to the EAP server but does not provide mutual authentication.
    • EAP MSCHAPv2: Use Microsoft’s challenge-handshake authentication for mutual authentication.
    • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
  • Identity credential: In the list click the identity credential to use. The default is None.
  • CA certificate: In the list, click the certificate to be used.
  • Enable dead peer detection: Select whether to contact a peer to ensure that it remains alive. The default is Off.
  • Enable default route: Select whether to enable a default route to the VPN server.
  • Enable mobile option: Select whether to enable the mobile option.
  • Ike LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
  • Diffie-Hellman group value (key strength): In the list, click the key strength to be used. The default is 0.
  • IKE Phase 1 key exchange mode: Select either Main or Aggressive for the IKE Phase 1 negotiation mode. The default is Main.
    • Main: No information is exposed to potential attackers during negotiation, but it is slower than Aggressive mode.
    • Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but it is faster than Main mode.
  • Perfect forward secrecy (PFS) value: Select whether to use PFS to require a new key exchange when renegotiating a connection.
  • Split tunnel type: In the list, click the type of split tunnel to use. Possible options are:
    • Auto: Split tunneling is automatically used.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: Split tunneling is not used.
  • IPSEC Encryption algorithm: A VPN configuration that the IPSec protocol uses.
  • IKE Encryption Algorithm: A VPN configuration that the IPSec protocol uses.
  • IKE Integrity Algorithm: A VPN configuration that the IPSec protocol uses.
  • Vendor: A personal profile for generic agents that communicate with the KNOX API.
  • Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.
  • Per App Vpn: For each per-app VPN you want to add, click Add and do the following:
    • Per App Vpn: The VPN configuration that the app uses to communicate.
    • Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.

Configure SSL connection type settings for Samsung SAFE

  • Authentication method: In the list, click the authentication method to be used. The default is Not Applicable. Possible options are:
    • Not Applicable
    • Certificate: Use certificate authentication. If selected, in the Identity credential list, click the credential to use. The default is None.
    • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
  • CA certificate: In the list, click the certificate to be used.
  • Enable default route: Select whether to enable a default route to the VPN server.
  • Enable mobile option: Select whether to enable the mobile option.
  • Split tunnel type: In the list, click the type of split tunnel to use. Possible options are:
    • Auto: Split tunneling is automatically used.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: Split tunneling is not used.
  • SSL Algorithm: Type the SSL algorithm to use for client-server negotiation.
  • Vendor: A personal profile for generic agents that communicate with the KNOX API.
  • Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.
  • Per App Vpn: For each per-app VPN you want to add, click Add and do the following:
    • Per App Vpn: The VPN configuration that the app uses to communicate.
    • Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.

Configure Samsung KNOX settings

Image of Device Policies configuration screen

When you configure any policy for Samsung KNOX, it applies only inside the Samsung KNOX container.

  • Vpn Type: In the list, click the type of VPN connection to configure, either Enterprise (applicable to KNOX versions earlier than 2.0) or Generic (applicable to KNOX versions 2.0 or higher). The default is Enterprise.

The following sections list the configuration options for each of the preceding connection types.

Configure Enterprise protocol for Samsung KNOX

  • Connection name: Type a name for the connection. This field is required.
  • Host name: Type the name of the VPN host. This option is required.
  • Enable backup server: Select whether to enable a backup VPN server. If enabled, in Backup VPN server, type the FQDN or IP address of the backup VPN server.
  • Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
    • User name: Type a user name.
    • Password: Type the user password.
  • Group name: Type an optional group name.
  • Authentication method: In the list, click the authentication method to be used. Possible options are:
    • Certificate: Use certificate authentication. For certificate authentication, also select the credential to use from the Identity credential list.
    • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
    • Hybrid RSA: Use hybrid authentication using RSA certificates.
    • EAP MD5: Authenticates the EAP peer to the EAP server, but provides no mutual authentication.
    • EAP MSCHAPv2: Use Microsoft’s challenge-handshake authentication for mutual authentication.
  • CA certificate: In the list, click the certificate to be used.
  • Enable default route: Select whether to enable a default route to the VPN server.
  • Enable smartcard authentication: Select whether to allow users to authenticate by using smart cards. The default is Off.
  • Enable mobile option: Select whether to enable the mobile option.
  • Diffie-Hellman group value (key strength): In the list, click the key strength to be used. The default is 0.
  • Split tunnel type: In the list, click the type of split tunnel to use. Possible options are:
    • Auto: Split tunneling is automatically used.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: No split tunneling is used.
  • SuiteB type: In the list, click the level of NSA Suite B encryption to use. Possible options are:
    • GCM-128: Use 128-bit AES-GCM encryption. This is the default.
    • GCM-256: Use 256-bit AES-GCM encryption.
    • GMAC-128: Use 128-bit AES-GMAC encryption.
    • GMAC-256: Use 256-bit AES-GMAC encryption.
    • None: Use no encryption.
  • Forward routes: Click Add to add any optional forwarding routes if your corporate VPN server supports multiple route tables.

Configure generic protocol for Samsung KNOX

  • Connection name: Type a name for the connection. This field is required.
  • Package Name Agent VPN: The package name, or ID, of the VPN installed on the device; for example, Mocana or Pulse Secure.
  • Host name: Type the name of the VPN host. This option is required.
  • Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
    • User name: Type a user name.
    • Password: Type the user password.
  • Identity: Type an optional identifier for this configuration. Only applies when Vpn Connection type = IPSEC.
  • Vpn Connection type: In the list, click either IPSEC or SSL for the connection type to be used. The default is IPSEC. The following sections describe the configuration settings for each connection type.
  • Configure IPSEC connection settings
    • Identity: Type an optional identifier for this configuration.
    • IPsec group ID type: In the list, click the IPsec group ID type to use. The default is Default. Possible options are:
      • Default
      • IPv4 address
      • Fully qualified domain name (FQDN)
      • User FQDN
      • IKE key ID
    • IKE version: In the list, click the Internet Key Exchange version to use. The default is IKEv1.
    • Authentication method: In the list, click the authentication method to be used. The default is Certificate. Possible options are:
      • Certificate: Use certificate authentication. If selected, in the Identity credential list, click the credential to use. The default is None.
      • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
      • Hybrid RSA: Use hybrid authentication using RSA certificates.
      • EAP MD5: Authenticates the EAP peer to the EAP server, but provides no mutual authentication.
      • EAP MSCHAPv2: Use Microsoft’s challenge-handshake authentication for mutual authentication.
      • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
    • CA certificate: In the list, click the certificate to be used.
    • Enable dead peer detection: Select whether to contact a peer to ensure that it remains alive. The default is Off.
    • Enable default route: Select whether to enable a default route to the VPN server.
    • Enable mobile option: Select whether to enable the mobile option.
    • Ike LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
    • ipsec LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
    • Diffie-Hellman group value (key strength): In the list, click the key strength to be used. The default is 0.
    • IKE Phase 1 key exchange mode: Select either Main or Aggressive for the IKE Phase 1 negotiation mode. The default is Main.
      • Main: No information is exposed to potential attackers during negotiation, but it is slower than Aggressive mode.
      • Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but it is faster than Main mode.
    • Perfect forward secrecy (PFS) value: Select whether to use PFS to require a new key exchange when renegotiating a connection.
    • Split tunnel type: In the list, click the type of split tunnel to use. Possible options are:
      • Auto: Split tunneling is automatically used.
      • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
      • Disabled: Split tunneling is not used.
    • SuiteB Type: In the list, click the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
      • GCM-128: Use 128-bit AES-GCM encryption.
      • GCM-256: Use 256-bit AES-GCM encryption.
      • GMAC-128: Use 128-bit AES-GMAC encryption.
      • GMAC-256: Use 256-bit AES-GMAC encryption.
      • None: Use no encryption.
    • IPSEC Encryption algorithm: VPN configuration that the IPSec protocol uses.
    • IKE Encryption Algorithm: VPN configuration that the IPSec protocol uses.
    • IKE Integrity Algorithm: VPN configuration that the IPSec protocol uses.
    • Knox: Configurations for Samsung KNOX only.
    • Vendor: A personal profile for generic agents that communicate with the KNOX API.
    • Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
      • Forward route: Type the IP address for the forwarding route.
      • Click Save to save the route or click Cancel to not save the route.
    • Per App Vpn: For each per-app VPN you want to add, click Add and do the following:
      • Per App Vpn: The VPN configuration the app uses to communicate.
      • Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.
  • Configure SSL connection settings
    • Authentication method: In the list, click the authentication method to use. Possible options are:
      • Not Applicable: No authentication method applies. This is the default.
      • Certificate: Use certificate authentication. If selected, in the Identity credential list, click the credential to use. The default is None.
      • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
    • CA certificate: In the list, click the certificate to be used.
    • Enable default route: Select whether to enable a default route to the VPN server.
    • Enable mobile option: Select whether to enable the mobile option.
    • Split tunnel type: In the list, click the type of split tunnel to use. Possible options are:
      • Auto: Split tunneling is automatically used.
      • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
      • Disabled: No split tunneling is used.
    • SuiteB Type: In the list, click the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
      • GCM-128: Use 128-bit AES-GCM encryption.
      • GCM-256: Use 256-bit AES-GCM encryption.
      • GMAC-128: Use 128-bit AES-GMAC encryption.
      • GMAC-256: Use 256-bit AES-GMAC encryption.
      • None: Use no encryption.
    • SSL Algorithm: Type the SSL algorithm to use for client-server negotiation.
    • Knox: Configurations for Samsung KNOX only.
    • Vendor: A personal profile for generic agents that communicate with the KNOX API.
    • Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
      • Forward route: Type the IP address for the forwarding route.
      • Click Save to save the route or click Cancel to not save the route.
    • Per App Vpn: For each per-app VPN you want to add, click Add and do the following:
      • Per App Vpn: The VPN configuration the app uses to communicate.
      • Click Save to save the per-app VPN or click Cancel to not save the per-app VPN.

Windows Phone settings

Image of Device Policies configuration screen

These settings are supported only on Windows 10 and later supervised phones.

  • Connection name: Enter a name for the connection. This field is required.
  • Profile type: In the list, click either Native or Plugin. The default is Native. The following sections describe the settings for each of these options.
  • Configure Native profile type settings: These settings apply to the VPN built into users’ Windows phones.
    • VPN server name: Type the FQDN or IP address for the VPN server. This field is required.
    • Tunneling protocol: In the list, click the type of VPN tunnel to use. The default is L2TP. Possible options are:
      • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
      • PPTP: Point-to-Point Tunneling.
      • IKEv2: Internet Key Exchange version 2.
    • Authentication method: In the list, click the authentication method to use. The default is EAP. Possible options are:
      • EAP: Extended Authentication Protocol.
      • MSChapV2: Use Microsoft challenge-handshake authentication for mutual authentication. This option is not available when you select IKEv2 for the tunnel type. When you choose MSChapV2, an Automatically use Windows credentials option appears; the default is Off.
    • EAP method: In the list, click the EAP method to be used. The default is TLS. This field is not available when MSChapV2 authentication is enabled. Possible options are:
      • TLS: Transport Layer Security
      • PEAP: Protected Extensible Authentication Protocol
    • DNS Suffix: Type the DNS suffix.
    • Trusted networks: Type a list of networks separated by commas that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Require smart card certificate: Select whether to require a smart card certificate. The default is OFF.
    • Automatically select client certificate: Select whether to automatically choose the client certificate to use for authentication. The default is OFF. This option is unavailable when Require smart card certificate is enabled.
    • Remember credential: Select whether to cache the credential. The default is OFF. When enabled, credentials are cached whenever possible.
    • Always on VPN: Select whether the VPN is always on. The default is OFF. When enabled, the VPN connection remains on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
  • Configure Plugin protocol type: These settings apply to VPN plug-ins obtained from the Windows Store and installed on users’ devices.
    • Server address: Type the URL, host name, or IP address for the VPN server.
    • Client app ID: Type the package family name for the VPN plug-in.
    • Plugin Profile XML: Select the custom VPN plugin profile to be used by clicking Browse and navigating to the file’s location. Contact the plugin provider for format and details.
    • DNS Suffix: Type the DNS suffix.
    • Trusted networks: Type a list of networks separated by commas that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Remember credential: Select whether to cache the credential. The default is OFF. When enabled, credentials are cached whenever possible.
    • Always on VPN: Select whether the VPN is always on. The default is OFF. When enabled, the VPN connection remains on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.

Windows Desktop/Tablet settings

Image of Device Policies configuration screen

  • Connection name: Enter a name for the connection. This field is required.
  • Profile type: In the list, click either Native or Plugin. The default is Native.
  • Configure Native profile type: These settings apply to the VPN built into users’ Windows devices.
    • Server address: Type the FQDN or IP address for the VPN server. This field is required.
    • Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
    • DNS Suffix: Type the DNS suffix.
    • Tunnel type: In the list, click the type of VPN tunnel to use. The default is L2TP. Possible options are:
      • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
      • PPTP: Point-to-Point Tunneling.
      • IKEv2: Internet Key Exchange version 2.
    • Authentication method: In the list, click the authentication method to use. The default is EAP. Possible options are:
      • EAP: Extended Authentication Protocol.
      • MSChapV2: Use Microsoft’s challenge-handshake authentication for mutual authentication. This option is not available when you select IKEv2 for the tunnel type.
    • EAP method: In the list, click the EAP method to be used. The default is TLS. This field is not available when MSChapV2 authentication is enabled. Possible options are:
      • TLS: Transport Layer Security
      • PEAP: Protected Extensible Authentication Protocol
    • Trusted networks: Type a list of networks separated by commas that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Require smart card certificate: Select whether to require a smart card certificate. The default is Off.
    • Automatically select client certificate: Select whether to automatically choose the client certificate to use for authentication. The default is Off. This option is unavailable when you enable Require smart card certificate.
    • Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection remains on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
  • Configure Plugin profile type: These settings apply to VPN plug-ins obtained from the Windows Store and installed on users’ devices.
    • Server address: Type the FQDN or IP address for the VPN server. This field is required.
    • Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
    • DNS Suffix: Type the DNS suffix.
    • Client app ID: Type the package family name for the VPN plug-in.
    • Plugin Profile XML: Select the custom VPN plugin profile to be used by clicking Browse and navigating to the file’s location. Contact the plugin provider for format and details.
    • Trusted networks: Type a list of networks separated by commas that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection remains on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
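The Windows Native profile and the Samsung KNOX Generic profile both carry field dependencies (for example, MSChapV2 is unavailable with IKEv2, and Identity only applies to the IPSEC connection type) and settings the article flags as weaker (EAP MD5 without mutual authentication, Aggressive mode, SuiteB None). The following linter is an added example, not Citrix code; it models a policy as a plain dict keyed by the field labels used in this article (an assumed representation, not XenMobile's export format) and reports violations of those stated rules before a policy is deployed.

```python
"""Pre-deployment linter for a XenMobile VPN device policy.

Added example, not Citrix code. A policy is a plain dict keyed by the field
labels used in this article (an assumed modelling, not XenMobile's export
format); the rules encode the field dependencies and security notes the
article states for the Windows Native and Samsung KNOX Generic profiles.
"""
from typing import Any, Dict, List

Policy = Dict[str, Any]


def lint_windows_native(p: Policy) -> List[str]:
    """Return the dependency violations found in a Windows Native profile."""
    problems: List[str] = []
    auth = p.get("Authentication method", "EAP")          # article default
    if not p.get("VPN server name"):
        problems.append("VPN server name is required")
    if p.get("Tunneling protocol") == "IKEv2" and auth == "MSChapV2":
        problems.append("MSChapV2 is not available with the IKEv2 tunnel type")
    if auth == "MSChapV2" and "EAP method" in p:
        problems.append("EAP method is not available when MSChapV2 is enabled")
    if p.get("Require smart card certificate") and \
            p.get("Automatically select client certificate"):
        problems.append("Automatically select client certificate is unavailable "
                        "when Require smart card certificate is enabled")
    return problems


def lint_knox_generic(p: Policy) -> List[str]:
    """Return dependency violations and weak settings in a KNOX Generic profile."""
    problems: List[str] = []
    conn = p.get("Vpn Connection type", "IPSEC")           # article default
    if not p.get("Host name"):
        problems.append("Host name is required")
    if conn == "SSL" and p.get("Identity"):
        problems.append("Identity only applies when Vpn Connection type = IPSEC")
    if p.get("SuiteB Type") == "None":
        problems.append("SuiteB Type None uses no encryption")
    if conn == "IPSEC":
        if p.get("Authentication method") == "EAP MD5":
            problems.append("EAP MD5 performs no mutual authentication")
        if p.get("IKE Phase 1 key exchange mode") == "Aggressive":
            problems.append("Aggressive mode exposes peer identities during negotiation")
    return problems


# Constructed sample policies (not real deployments); host names are placeholders.
WINDOWS_OK: Policy = {
    "Connection name": "corp-vpn",
    "VPN server name": "vpn.example.com",
    "Tunneling protocol": "IKEv2",
    "Authentication method": "EAP",
    "EAP method": "TLS",
    "Require smart card certificate": True,
}
WINDOWS_BAD: Policy = {
    "Connection name": "corp-vpn",
    "Tunneling protocol": "IKEv2",
    "Authentication method": "MSChapV2",
    "EAP method": "PEAP",
    "Require smart card certificate": True,
    "Automatically select client certificate": True,
}
KNOX_BAD: Policy = {
    "Connection name": "knox-vpn",
    "Host name": "vpn.example.com",
    "Vpn Connection type": "IPSEC",
    "Authentication method": "EAP MD5",
    "IKE Phase 1 key exchange mode": "Aggressive",
    "SuiteB Type": "None",
}

if __name__ == "__main__":
    for name, fn, pol in [("windows-ok", lint_windows_native, WINDOWS_OK),
                          ("windows-bad", lint_windows_native, WINDOWS_BAD),
                          ("knox-bad", lint_knox_generic, KNOX_BAD)]:
        print(name, "->", fn(pol) or "clean")
```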

Configure Amazon settings

Image of Device Policies configuration screen

  • Connection name: Enter a name for the connection.
  • Vpn type: Click the connection type. Possible options are:
    • L2TP PSK: Layer 2 Tunneling Protocol with pre-shared key authentication. This is the default.
    • L2TP RSA: Layer 2 Tunneling Protocol with RSA authentication.
    • IPSEC XAUTH PSK: Internet Protocol Security with pre-shared key and extended authentication.
    • IPSEC HYBRID RSA: Internet Protocol Security with hybrid RSA authentication.
    • PPTP: Point-to-Point Tunneling.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP PSK settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • L2TP Secret: Type the shared secret key.
  • IPSec Identifier: Type the name of the VPN connection that users see on their devices when connecting.
  • IPSec pre-shared key: Type the secret key.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure L2TP RSA settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • L2TP Secret: Type the shared secret key.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Server certificate: In the list, click the server certificate to be used.
  • CA certificate: In the list, click the CA certificate to be used.
  • Identity credential: In the list, click the identity credential to be used.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure IPSEC XAUTH PSK settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • IPSec Identifier: Type the name of the VPN connection that users see on their devices when connecting.
  • IPSec pre-shared key: Type the shared secret key.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure IPSEC AUTH RSA settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Server certificate: In the list, click the server certificate to be used.
  • CA certificate: In the list, click the CA certificate to be used.
  • Identity credential: In the list, click the identity credential to be used.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure IPSEC HYBRID RSA settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • Server certificate: In the list, click the server certificate to be used.
  • CA certificate: In the list, click the CA certificate to be used.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.

Configure PPTP settings for Amazon

  • Server address: Type the IP address for the VPN server.
  • User name: Type an optional user name.
  • Password: Type an optional password.
  • DNS search domains: Type the domains against which a user device’s search domain list can match.
  • DNS servers: Type the IP addresses of DNS servers to be used for resolving the specified domains.
  • PPP encryption (MPPE): Select whether to enable data encryption with Microsoft Point-to-Point Encryption (MPPE). The default is Off.
  • Forwarding routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to not save the route.