
VPN device policies

Apr 10, 2015

You can add a device policy in XenMobile to configure virtual private network (VPN) settings that enable users' devices to connect securely to corporate resources. You can configure the VPN policy for the following platforms: iOS, Android, Samsung SAFE, Samsung KNOX, Windows 8.1 Tablets, and Amazon. Each platform requires a different set of values, which are described in detail in this article.

To add a VPN device policy

  1. In the XenMobile console, click Configure > Device Policies. The Device Policies page appears.


    Policies page

  2. Click Add. The Add a New Policy dialog box appears.


    Select VPN policy

  3. Click VPN. The VPN Policy page appears.


    Policy information page

  4. In the Policy Information pane, enter the following information:
    1. Policy Name: Type a descriptive name for the policy.
    2. Description: Type an optional description of the policy.
    3. Click Next.
  5. Under Platforms, select the platform or platforms you want to add.

    If you selected iOS, configure these settings:


    VPN for iOS

    1. Connection name: Type a name for the connection.
    2. Connection type: In the list, click the protocol to be used for this connection.
      • L2TP — Layer 2 Tunneling Protocol with pre-shared key authentication. This is the default setting.
      • PPTP — Point-to-Point Tunneling Protocol.
      • IPSec — Your corporate VPN connection.
      • Cisco AnyConnect — Cisco AnyConnect VPN client.
      • Juniper SSL — Juniper Networks SSL VPN client.
      • F5 SSL — F5 Networks SSL VPN client.
      • SonicWALL Mobile Connect — Dell unified VPN client for iOS.
      • Ariba VIA — Ariba Networks Virtual Internet Access client.
      • IKEv2 (iOS only) — Internet Key Exchange version 2 for iOS only.
      • Custom SSL — Custom Secure Sockets Layer VPN client.

      The following sections list the configuration options for each of the preceding connection types.

      Configure the following options for the L2TP protocol

      1. Select either Password authentication or RSA SecurID authentication.
      2. Authentication password: Type an optional authentication password.
      3. Password authentication: Select whether password authentication is on or off.
      4. Send all traffic: Select whether to send all traffic over the VPN.

      Configure the following options for the PPTP protocol

      1. Select either Password authentication or RSA SecurID authentication.
      2. Authentication password: Type an optional authentication password.
      3. Password authentication: Select whether password authentication is on or off.
      4. Encryption level: Select the desired encryption level.
      5. Send all traffic: Select whether to send all traffic over the VPN.

      Configure the following options for the IPSec protocol

      1. Authentication password: Type an optional authentication password.
      2. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Password authentication OFF OFF OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
      Prompt for password OFF
      Auth password Optional

      Configure the following options for the Cisco AnyConnect protocol

      1. Authentication password: Type an optional authentication password.
      2. Group: Type an optional group name.
      3. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Password authentication OFF OFF OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
      Prompt for password OFF
      Auth password Optional

      Configure the following options for the Juniper SSL protocol

      1. Authentication password: Type an optional authentication password.
      2. Realm: Type an optional realm name.
      3. Role: Type an optional role name.
      4. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Password authentication OFF OFF OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
      Prompt for password OFF
      Auth password Optional

      Configure the following options for the F5 SSL protocol

      1. Authentication password: Type an optional authentication password.
      2. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Password authentication OFF OFF OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
      Prompt for password OFF
      Auth password Optional

      Configure the following options for the SonicWALL Mobile Connect protocol

      1. Authentication password: Type an optional authentication password.
      2. Logon group or domain: Type an optional logon group or domain.
      3. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Password authentication OFF OFF OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
      Prompt for password OFF
      Auth password Optional

      Configure the following options for the Ariba VIA protocol

      1. Authentication password: Type an optional authentication password.
      2. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Password authentication OFF OFF OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
      Prompt for password OFF
      Auth password Optional

      Configure the following options for the IKEv2 protocol (iOS only)

      1. Authentication password: Type an optional authentication password.
      2. Password authentication: Select whether password authentication is on or off.
      3. Always-on VPN: Select whether the VPN connection is always on.

        The following options apply only when Always-on VPN = ON.

      4. Server name or IP address: Type the server name or IP address for the VPN server.
      5. User Account: Type an optional user account.
      6. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Shared secret Optional
      Use hybrid authentication OFF
      Prompt for password OFF
      Allow user to disable automatic connection OFF OFF OFF
      Local identifier Required Required Required
      Remote identifier Required Required Required
      Extended Authentication Enabled OFF OFF OFF
      Dead Peer Detection Interval None None None
      Encryption Algorithm 2DES 2DES 2DES
      Integrity Algorithm SHA1-96 SHA1-96 SHA1-96
      Diffie-Hellman Group 2 2 2
      LifeTime in Minutes 1440 1440 1440
      Voice Mail Allow traffic via tunnel Allow traffic via tunnel Allow traffic via tunnel
      Allow traffic from captive web sheet outside the VPN OFF OFF OFF
      Allow traffic from all captive networking apps outside the VPN tunnel OFF OFF OFF
      AirPrint Allow traffic via tunnel Allow traffic via tunnel Allow traffic via tunnel
      Captive networking app bundle identifiers Optional Optional Optional

      Configure the following options for the Custom SSL protocol

      1. Custom SSL identifier (reverse DNS format): Type the SSL identifier in reverse DNS format.
      2. Authentication password: Type an optional authentication password.
      3. Password authentication: Select whether password authentication is on or off.
      4. Authentication type for the connection: Select the type of authentication for this connection.

      The following table lists the options available for each connection type. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Password Certificate Shared Secret
      Group name Optional
      Prompt for password OFF
      Auth password Optional OFF
      Identity credential None
      Prompt for PIN when connecting OFF
      Enable VPN on demand OFF
      On Demand Domain Required if Enable VPN on demand = ON
      Use hybrid authentication OFF
    3. Enable per-app VPN: Enable or disable per-app VPN (available for iOS 7 and later). If enabled, also set On-demand match enabled on or off.
    4. Safari domains: Click Add to add a Safari domain that lets the app create a secure per-app VPN connection through Safari.
    5. Custom XML: Click Add to enter Parameter name and Value pairs to customize the configuration.
    6. Proxy configuration: In the list, select how the VPN connection routes through a proxy server and configure any additional options.

      The following table lists the options available for Manual and Automatic; None does not require further configuration. Each cell lists the default value for an option when an option exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.

      Manual Automatic
      Host name or IP address for the proxy server Required
      Port for the proxy server Required
      User name Optional
      Password Optional
      Proxy server URL Required
    Policy Settings


    Policy removal settings

    1. Under Policy Settings, next to Remove policy, click either Select date or Duration until removal (in days).
    2. If you click Select date, click the calendar to select the specific date for removal.
    3. In the Allow user to remove policy list, click Always, Password required, or Never.
    4. If you click Password required, next to Removal password, type the necessary password.
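
To make the IKEv2 table above concrete, here is an added Python example; it is not Citrix code and not how XenMobile itself generates profiles. It validates a policy against the rules the table states (local and remote identifiers required, and, as this example's own rule, a shared secret present when that authentication type is chosen) and serialises it as an Apple VPN configuration payload with plistlib. The payload keys (PayloadType com.apple.vpn.managed, the IKEv2 dictionary, IKESecurityAssociationParameters, DeadPeerDetectionRate) come from Apple's configuration profile reference; the mapping of the console's Password choice to AuthenticationMethod None with extended authentication enabled is my reading of that reference, and every server name, identifier and the payload identifier is a placeholder.

```python
import plistlib
import uuid

# Constructed IKEv2 policy values following the fields of the IKEv2 option table.
# Server names, identifiers and the connection name are placeholders.
SAMPLE_IKEV2_POLICY = {
    "connection_name": "Corp IKEv2 (sample)",
    "server": "vpn.example.invalid",
    "local_identifier": "device001@example.invalid",
    "remote_identifier": "vpn.example.invalid",
    "authentication_type": "Certificate",   # Password | Certificate | Shared Secret
    "shared_secret": "",
    "user_account": "",
    "extended_authentication": False,       # table default: OFF
    "dead_peer_detection": "None",          # table default: None
    "encryption_algorithm": "AES-256",
    "integrity_algorithm": "SHA1-96",       # table default
    "dh_group": 2,                          # table default
    "lifetime_minutes": 1440,               # table default
}

# Assumed mapping from the console's three authentication choices to Apple's
# AuthenticationMethod values (my reading of Apple's profile reference).
_AUTH_METHOD = {
    "Password": "None",
    "Certificate": "Certificate",
    "Shared Secret": "SharedSecret",
}


def validate_ikev2_policy(policy):
    """Return a list of problems; an empty list means the table's rules are satisfied."""
    problems = []
    for key in ("server", "local_identifier", "remote_identifier"):
        if not policy.get(key):
            problems.append(f"{key} is required")
    auth = policy.get("authentication_type")
    if auth not in _AUTH_METHOD:
        problems.append(f"unknown authentication type {auth!r}")
    elif auth == "Shared Secret" and not policy.get("shared_secret"):
        problems.append("shared_secret is required when authentication type is Shared Secret")
    lifetime = policy.get("lifetime_minutes")
    if not isinstance(lifetime, int) or lifetime <= 0:
        problems.append("lifetime_minutes must be a positive integer")
    return problems


def build_ikev2_payload(policy):
    """Serialise a validated policy as an Apple VPN configuration payload (XML plist bytes)."""
    problems = validate_ikev2_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    sa_params = {
        "EncryptionAlgorithm": policy["encryption_algorithm"],
        "IntegrityAlgorithm": policy["integrity_algorithm"],
        "DiffieHellmanGroup": policy["dh_group"],
        "LifeTimeInMinutes": policy["lifetime_minutes"],
    }
    auth = policy["authentication_type"]
    ikev2 = {
        "RemoteAddress": policy["server"],
        "RemoteIdentifier": policy["remote_identifier"],
        "LocalIdentifier": policy["local_identifier"],
        "AuthenticationMethod": _AUTH_METHOD[auth],
        # Password authentication has no IKE credential of its own, so the user
        # credential has to travel over extended authentication (EAP).
        "ExtendedAuthEnabled": int(policy["extended_authentication"] or auth == "Password"),
        "DeadPeerDetectionRate": policy["dead_peer_detection"],
        "IKESecurityAssociationParameters": sa_params,
        "ChildSecurityAssociationParameters": dict(sa_params),
    }
    if auth == "Shared Secret":
        ikev2["SharedSecret"] = policy["shared_secret"]
    if policy.get("user_account"):
        ikev2["AuthName"] = policy["user_account"]
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "invalid.example.vpn.ikev2",   # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": policy["connection_name"],
        "UserDefinedName": policy["connection_name"],
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    return plistlib.dumps(payload)


def parse_payload(data):
    """Parse payload bytes back into a dict (handy for inspection and tests)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    print(build_ikev2_payload(SAMPLE_IKEV2_POLICY).decode())
```

A real certificate-authenticated profile also carries the identity certificate as its own payload and references it from the VPN payload through PayloadCertificateUUID; that part, and the always-on settings from the lower half of the table, are left out here.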

    If you selected Android, configure these settings:


    VPN for Android

    1. Connection name: Type a name for the Cisco AnyConnect VPN connection.
    2. Server name or IP address: Enter the name or IP address of the VPN server.
    3. Backup VPN server: Enter the backup VPN server information.
    4. User group: Enter the user group information.
    5. Identity credential: In the list, select an identity credential.
    6. Automatic VPN policy: Enable or disable this option to set how the VPN reacts to trusted and untrusted networks. If enabled, enter the following information:
      • Trusted network policy: In the list, click the desired policy.
      • Untrusted network policy: In the list, click the desired policy.

    If you selected Samsung SAFE, configure these settings:


    VPN for Samsung SAFE

    1. Connection name: Type a name for the connection.
    2. Connection type: In the list, click the protocol to be used for this connection:
      • L2TP with pre-shared key — Layer 2 Tunneling Protocol with pre-shared key authentication. This is the default setting.
      • L2TP with certificate — Layer 2 Tunneling Protocol with certificate.
      • PPTP — Point-to-Point Tunneling Protocol.
      • Enterprise — Your corporate VPN connection.
      The following table lists the configuration options for each of the preceding connection types. Each cell lists the default value for an option when a default exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.
      L2TP with pre-shared key L2TP with certificate PPTP Enterprise
      Host name Required Required Required Required
      Enable backup server Off
      Backup VPN server Required if Enable backup server = On
      User name Optional Optional Optional Optional
      Password Optional Optional Optional Optional
      Group name Optional
      IPsec group ID type Default
      IKE version IKEv1
      Authentication method Certificate (default) Pre-shared key Hybrid RSA EAP MD5 EAP MSCHAPv2
      Identity credential Required None None
      CA certificate Select certificate
      Enable dead peer detection Off
      Enable default route Off
      Enable smartcard authentication Off
      Enable user authentication Off
      Enable mobile option Off
      Diffie-Hellman group value (key strength) 0
      IKE Phase 1 key exchange mode Main
      Perfect forward secrecy (PFS) value Off
      Split tunnel type Auto
      SuiteB Type GCM-128
      Pre-shared key Required Optional
      Enable encryption Off
    3. Forward routes: Add any optional forwarding routes if your corporate VPN server supports multiple route tables.

    If you selected Samsung KNOX, configure these settings:


    VPN for Samsung KNOX

    1. Connection name: Enter a name for the connection.
    2. Host name: Enter the host name.
    3. Enable backup server: Select whether to enable a backup VPN server. An additional field appears when you select this option. Enter the backup server information.
    4. User name: Enter an optional user name.
    5. Password: Enter an optional password.
    6. Group name: Enter an optional group name.
    7. IPsec group ID type: In the list, click the IPsec group ID type.
    8. IKE version: In the list, click the IKE version.
    9. Authentication method: In the list, click the authentication method.
      • Certificate — Certificate-based authentication
      • Pre-shared key — Authentication using a pre-shared key
      • Hybrid RSA — Hybrid authentication using RSA certificates
      • EAP MD5 — Extensible Authentication Protocol using MD5 hash function
      • EAP MSCHAPv2 — Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2
      The following table lists the configuration options for each of the preceding connection types. Each cell lists the default value for an option when a default exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.
      Certificate Pre-shared key Hybrid RSA EAP MD5 EAP MSCHAPv2
      Pre-shared key Required
      Identity credential None None
      CA certificate Required Required Required Required Required
      Enable dead peer detection OFF OFF OFF OFF OFF
      Enable default route OFF OFF OFF OFF OFF
      Enable smartcard authentication OFF OFF OFF OFF OFF
      Enable user authentication OFF OFF OFF OFF OFF
      Enable mobile option OFF OFF OFF OFF OFF
      Diffie-Hellman group value (key strength) 0 0 0 0 0
      IKE Phase 1 key exchange mode Main Main Main Main Main
      Perfect forward secrecy (PFS) value OFF OFF OFF OFF OFF
      Split tunnel type Auto Auto Auto Auto Auto
      SuiteB Type GCM-128 GCM-128 GCM-128 GCM-128 GCM-128
    10. Forward route: Add any optional forwarding routes if your corporate VPN server supports multiple route tables.

    If you selected Windows 8.1 tablet, configure these settings:


    VPN for Windows 8.1 tablet

    1. Connection name: Enter a name for the connection.
    2. Connection type: In the list, click the connection type.
      • SonicWALL — Dell unified VPN client for Windows
      • Check Point — Check Point Software Technologies SSL VPN client
      • Juniper — Juniper Networks SSL VPN client
      • Microsoft — Microsoft VPN client
      • F5 — F5 Networks SSL VPN client
      The following table lists the configuration options for each of the preceding connection types. Each cell lists the default value for an option when a default exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.
      SonicWALL Check Point Juniper Microsoft F5
      Server address Optional Optional Optional Optional Optional
      Remember credential OFF OFF OFF OFF OFF
      Split tunneling OFF OFF OFF OFF OFF
      Idle connection lifetime (seconds) Required Required Required Required Required
      DNS suffix Required Required Required Required Required
      Automatically start connections OFF OFF OFF OFF
      DNS server Required Required Required Required
      Client app ID Required Required Required Required
      Checkpoint port Required
      Checkpoint name Required
      Checkpoint timeout Required
      Enable single sign-on OFF
      Enable network optimization OFF
      Enable compression OFF
      Require smart card certificate OFF
      Automatically select client certificate OFF
      Enable client logging OFF
      Enable packet capture OFF
      Use single sign-on credentials OFF
      Make connection available to all users OFF
      Tunneling protocol Required
      Authentication method Required
      VPN server name Required
      VPN friendly name Required
      Automatically detect settings OFF
      Bypass proxy server for local addresses OFF
      Automatically use Windows credentials OFF
      Client certificate issuer Required

    If you selected Amazon, configure these settings:


    VPN device policy for Amazon

    1. Connection name: Enter a name for the connection.
    2. Connection type: Click the connection type.
      • L2TP PSK — Layer 2 Tunneling Protocol with pre-shared key authentication
      • L2TP RSA — Layer 2 Tunneling Protocol with RSA authentication
      • IPSEC XAUTH PSK — Internet Protocol Security with pre-shared key and extended authentication
      • IPSEC XAUTH RSA — Internet Protocol Security with RSA and extended authentication
      • IPSEC HYBRID RSA — Internet Protocol Security with hybrid RSA authentication
      • PPTP — Point-to-Point Tunneling Protocol
      The following table lists the configuration options for each of the preceding connection types. Each cell lists the default value for an option when a default exists; otherwise, the cell indicates whether the option is not applicable (–), required, or optional.
      L2TP PSK L2TP RSA IPSEC XAUTH PSK IPSEC XAUTH RSA IPSEC HYBRID RSA PPTP
      Server address Required Required Required Required Required Required
      User name Optional Optional Optional Optional Optional Optional
      Password Optional Optional Optional Optional Optional Optional
      L2TP Secret Optional Optional
      IPSec identifier Optional Optional
      IPSec pre-shared key Optional Optional
      DNS search domains Optional Optional Optional Optional Optional Optional
      DNS servers Optional Optional Optional Optional Optional Optional
      Forwarding routes Optional Optional Optional Optional Optional Optional
      Server certificate Select Select Select
      CA certificate Select Select Select
      Identity credential Required Required
      PPP encryption (MPPE) OFF
    3. Forwarding route: Add any optional forwarding routes if your corporate VPN server supports multiple route tables.
  6. After you finish configuring the settings for one or more platforms and then click Next, the VPN Policy assignment page appears.
  7. Next to Choose delivery groups, type to find a delivery group or select a group or groups in the list to which you want to assign the policy. The groups you select appear in the right-hand Delivery groups to receive app assignment list.


    Policy assignment page

  8. Expand Deployment Schedule and then configure the following settings:
    1. Next to Deploy, click ON to schedule deployment or click OFF to prevent deployment. The default option is ON. If you choose OFF, no other options need to be configured.
    2. Next to Deployment schedule, click Now or Later. The default option is Now.
    3. If you click Later, click the calendar icon and then select the date and time for deployment.
    4. Next to Deployment condition, click On every connection or click Only when previous deployment has failed. The default option is On every connection.
    5. Next to Deploy for always-on connection, click ON or OFF. The default option is OFF.
      Note: This option applies when you have configured the scheduling background deployment key in Settings > Server Properties. The always-on option is not available for iOS devices.
    Note: The deployment schedule you configure is the same for all platforms. Any changes you make apply to all platforms, except for Deploy for always-on connection, which does not apply to iOS.


    Deployment schedule

  9. Click Save to save the policy.
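
The option tables for every platform show defaults worth reviewing before a policy is saved and deployed: Diffie-Hellman group 2 on iOS and 0 on Samsung, SHA1-96 integrity, dead peer detection and perfect forward secrecy off, and PPTP still offered as a connection type. The following added Python example, which is not part of the Citrix documentation, audits a policy's settings against a baseline and reports findings by severity. The thresholds (AES-only encryption, SHA-2 integrity, Diffie-Hellman group 14 or higher) are my own choices, and the sample policies are constructed from the defaults in the tables above, with a hardened IKEv2 variant for contrast.

```python
# Added example: audit VPN device policy settings against a baseline before
# deployment. The thresholds below are this example's own baseline choices.
WEAK_CONNECTION_TYPES = {"PPTP"}
ACCEPTED_ENCRYPTION = {"AES-128", "AES-256", "AES-128-GCM", "AES-256-GCM"}
ACCEPTED_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
MIN_DH_GROUP = 14
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}

# Constructed sample policies. The first three use the defaults shown in the
# option tables (iOS IKEv2, Samsung KNOX with certificate auth, Amazon PPTP);
# the last is a hardened IKEv2 variant for contrast.
SAMPLE_POLICIES = {
    "ios_ikev2_defaults": {
        "connection_type": "IKEv2",
        "encryption_algorithm": "2DES",
        "integrity_algorithm": "SHA1-96",
        "dh_group": 2,
        "dead_peer_detection": "None",
        "lifetime_minutes": 1440,
    },
    "knox_certificate_defaults": {
        "connection_type": "Enterprise",
        "dh_group": 0,
        "pfs": False,
        "dead_peer_detection": False,
        "split_tunnel_type": "Auto",
    },
    "amazon_pptp": {
        "connection_type": "PPTP",
        "ppp_encryption": False,
    },
    "ios_ikev2_hardened": {
        "connection_type": "IKEv2",
        "encryption_algorithm": "AES-256-GCM",
        "integrity_algorithm": "SHA2-256",
        "dh_group": 14,
        "pfs": True,
        "dead_peer_detection": "Medium",
        "send_all_traffic": True,
    },
}


def audit_vpn_policy(name, settings):
    """Return (severity, message) findings for one policy; an empty list means it passes."""
    findings = []
    ctype = settings.get("connection_type", "")
    if ctype in WEAK_CONNECTION_TYPES:
        findings.append(("high", f"{name}: {ctype} provides no modern confidentiality or integrity"))
    if settings.get("ppp_encryption") is False:
        findings.append(("high", f"{name}: PPP encryption (MPPE) is off"))
    enc = settings.get("encryption_algorithm")
    if enc is not None and enc not in ACCEPTED_ENCRYPTION:
        # Unrecognised values (such as a mistyped algorithm name) are flagged too.
        findings.append(("high", f"{name}: encryption algorithm {enc!r} is outside the baseline"))
    integ = settings.get("integrity_algorithm")
    if integ is not None and integ not in ACCEPTED_INTEGRITY:
        findings.append(("high", f"{name}: integrity algorithm {integ!r} is outside the baseline"))
    dh = settings.get("dh_group")
    if dh is not None and dh < MIN_DH_GROUP:
        findings.append(("medium", f"{name}: Diffie-Hellman group {dh} is below group {MIN_DH_GROUP}"))
    if settings.get("pfs") is False:
        findings.append(("medium", f"{name}: perfect forward secrecy is off"))
    if settings.get("dead_peer_detection") in (False, "None"):
        findings.append(("low", f"{name}: dead peer detection is off, so stale tunnels are not torn down"))
    if settings.get("split_tunneling") is True or settings.get("send_all_traffic") is False:
        findings.append(("medium", f"{name}: some device traffic bypasses the tunnel"))
    if settings.get("remember_credential") is True:
        findings.append(("medium", f"{name}: VPN credential is cached on the device"))
    return findings


def audit_all(policies):
    """Audit every policy; returns {name: [findings]}."""
    return {name: audit_vpn_policy(name, s) for name, s in policies.items()}


def worst_severity(findings):
    """Highest severity in a findings list, or 'pass' when there are none."""
    if not findings:
        return "pass"
    return max((sev for sev, _ in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_POLICIES).items():
        print(f"{name}: {worst_severity(findings)}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Settings a policy does not expose (the KNOX table has no encryption algorithm row, for example) are simply absent from its dictionary and produce no finding, so the audit only reports on choices the administrator can actually change in that platform's pane.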