Create a VPN profile using Microsoft Intune (Standalone) via custom OMA-URIs

Microsoft Intune lets you deploy several types of VPN connection profile to Windows Phone 8.1 devices out of the box. The built-in options are:

  • Juniper Pulse
  • F5 Edge Client
  • Dell SonicWALL Mobile Connect
  • CheckPoint Mobile VPN

If you need another type, for example an IKEv2-based profile, you can set the individual nodes of the VPN configuration service provider (CSP) through custom OMA-URIs instead. To create such a policy, select “Policy” on the left side of the management portal, navigate to “Configuration Policies” and select “Windows Phone OMA-URI Policy”.

[Screenshot: Configuration Policies in the Intune management portal with “Windows Phone OMA-URI Policy” selected]

After creating the new policy, add the custom OMA-URIs one by one, as shown in the screenshot below. Each OMA-URI is entered with a data type (string, int, bool or XML) and a value.

[Screenshot: the OMA-URI settings list of the new Windows Phone OMA-URI policy]

Below is a set of example settings for a profile named MYVPNTEST (the profile name is the node directly under ./Vendor/MSFT/VPN/ and becomes the name of the connection on the phone). Be careful with the data types and formatting: the OMA-URI must be copied without leading or trailing spaces, bool values are written as lowercase true/false, and the EAP value is a complete XML document.

Type          OMA-URI                                                        Value
------------  -------------------------------------------------------------  ------------------------------------------
string        ./Vendor/MSFT/VPN/MYVPNTEST/Server                             vpn.contoso.com
string        ./Vendor/MSFT/VPN/MYVPNTEST/SecuredResources/DNSSuffix         dns.contoso.com
string        ./Vendor/MSFT/VPN/MYVPNTEST/TunnelType                         IKEv2
string        ./Vendor/MSFT/VPN/MYVPNTEST/Authentication/Method              EAP
string        ./Vendor/MSFT/VPN/MYVPNTEST/Proxy/Manual/Server                proxy.contoso.com
int           ./Vendor/MSFT/VPN/MYVPNTEST/Proxy/Manual/Port                  8080
bool          ./Vendor/MSFT/VPN/MYVPNTEST/Proxy/Manual/BypassProxyForLocal   true
bool          ./Vendor/MSFT/VPN/MYVPNTEST/Policies/SplitTunnel               false
bool          ./Vendor/MSFT/VPN/MYVPNTEST/Policies/BypassForLocal            false
bool          ./Vendor/MSFT/VPN/MYVPNTEST/Policies/TrustedNetworkDetection   false
string        ./Vendor/MSFT/VPN/MYVPNTEST/Policies/ConnectionType            manual
string (XML)  ./Vendor/MSFT/VPN/MYVPNTEST/Authentication/EAP                 (see below; the XML does not fit this table)

With SplitTunnel set to false all traffic is sent through the tunnel, and with TrustedNetworkDetection set to false the profile stays available on every network; a value of manual for ConnectionType means the user starts the connection.

The following XML document goes into the “Value” field of the Authentication/EAP row above, as a single value:

<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <!-- EAP type 13 is EAP-TLS (certificate-based authentication) -->
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>13</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
        <CredentialsSource>
          <CertificateStore>
            <!-- pick the client certificate from the device certificate store automatically -->
            <SimpleCertSelection>true</SimpleCertSelection>
          </CertificateStore>
        </CredentialsSource>
        <ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <!-- empty: no particular name is required in the server certificate -->
          <ServerNames></ServerNames>
        </ServerValidation>
        <DifferentUsername>false</DifferentUsername>
        <!-- false: the EAP-TLS client does not validate the server certificate -->
        <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation>
        <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>

Two things to check before pasting this. First, the namespace URIs in the xmlns attributes must be copied exactly, with no spaces inside the quotes: a space is part of the namespace name, and the EAP host will not recognise elements in a namespace it does not know. Second, this example turns server validation off (PerformServerValidation is false and ServerNames is empty), so the EAP-TLS exchange completes with whatever certificate the server presents, and the IKEv2 gateway certificate is the only server-side check left. That is fine for a first test of the OMA-URI plumbing; for a production profile set PerformServerValidation to true, put the expected server name (for example vpn.contoso.com) into ServerNames, and set DisableUserPromptForServerValidation to true so that a user cannot click past a validation failure.
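The settings table and the EAP payload are easy to get subtly wrong in the portal, and nothing on the device tells you why the profile did not arrive. The script below is an added example, not code from the original post or from Microsoft: it models the table as (type, OMA-URI, value) rows, generates the EAP-TLS payload with the namespaces spelled correctly, and lints the rows for the problems discussed above (whitespace around an OMA-URI, a bool written as True, malformed XML, and an EAP payload that does not validate the server). The profile name MYVPNTEST and the contoso hostnames come from the post; the function names, the row layout and the finding texts are this example's own.

```python
"""Offline checks for an Intune (Windows Phone 8.1) custom OMA-URI VPN profile.
Added example, not code from the post or from Microsoft.  Profile name MYVPNTEST
and the contoso hostnames come from the post; everything else is assumed."""
import re
import xml.etree.ElementTree as ET

NS = {  # namespaces of an EapHostConfig document (no stray spaces inside them)
    "host": "http://www.microsoft.com/provisioning/EapHostConfig",
    "common": "http://www.microsoft.com/provisioning/EapCommon",
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "tls1": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1",
    "tls2": "http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"}
URI_PREFIX = "./Vendor/MSFT/VPN/MYVPNTEST/"
EAP_TLS_TEMPLATE = """<EapHostConfig xmlns="{host}">
 <EapMethod><Type xmlns="{common}">13</Type><VendorId xmlns="{common}">0</VendorId>
  <VendorType xmlns="{common}">0</VendorType><AuthorId xmlns="{common}">0</AuthorId></EapMethod>
 <Config xmlns="{host}"><Eap xmlns="{base}"><Type>13</Type>
  <EapType xmlns="{tls1}">
   <CredentialsSource><CertificateStore><SimpleCertSelection>true</SimpleCertSelection>
   </CertificateStore></CredentialsSource>
   <ServerValidation><DisableUserPromptForServerValidation>{flag}</DisableUserPromptForServerValidation>
    <ServerNames>{names}</ServerNames></ServerValidation>
   <DifferentUsername>false</DifferentUsername>
   <PerformServerValidation xmlns="{tls2}">{flag}</PerformServerValidation>
   <AcceptServerName xmlns="{tls2}">false</AcceptServerName>
  </EapType></Eap></Config>
</EapHostConfig>"""

def build_eap_tls_config(server_names=(), perform_server_validation=True):
    """EAP-TLS (type 13) payload for Authentication/EAP.  perform_server_validation=False
    reproduces the post's example, which accepts any certificate the VPN server presents;
    True also disables the user prompt, so a user cannot click past a failed validation."""
    flag = "true" if perform_server_validation else "false"
    return EAP_TLS_TEMPLATE.format(**NS, flag=flag, names=";".join(server_names))

def parse_eap_config(xml_text):
    """Parse an EapHostConfig payload (namespace-aware) and return the fields that
    decide whether the client authenticates the server.  Raises on bad input."""
    root = ET.fromstring(xml_text)  # ET.ParseError if the XML is not well-formed
    if root.tag != "{%s}EapHostConfig" % NS["host"]:
        raise ValueError("root is not EapHostConfig in the EapHostConfig namespace")
    tls = root.find("host:Config/base:Eap/tls1:EapType", NS)
    if tls is None:
        raise ValueError("no EapType in the EapTlsConnectionPropertiesV1 namespace")
    names = tls.findtext("tls1:ServerValidation/tls1:ServerNames", "", NS)
    return {"eap_type": root.findtext("host:EapMethod/common:Type", "", NS),
            "perform_server_validation":
                tls.findtext("tls2:PerformServerValidation", "", NS).strip().lower() == "true",
            "server_names": [n.strip() for n in names.split(";") if n.strip()]}

def lint_profile(rows):
    """rows: iterable of (type, oma_uri, value).  Returns a list of findings; an empty
    list means every row passed.  Whitespace around the URI and a mis-spelled bool are
    the two copy-paste errors that make the policy fail silently on the device."""
    findings = []
    for typ, uri, value in rows:
        name = uri.strip()
        if uri != name:
            findings.append(f"{name}: whitespace around the OMA-URI")
        if typ == "bool" and value not in ("true", "false"):
            findings.append(f"{name}: bool must be 'true' or 'false', got {value!r}")
        elif typ == "int" and not re.fullmatch(r"-?\d+", value):
            findings.append(f"{name}: int value is not an integer: {value!r}")
        elif typ == "xml":
            try:
                eap = parse_eap_config(value)
            except (ET.ParseError, ValueError) as exc:
                findings.append(f"{name}: bad EAP XML: {exc}")
                continue
            if not eap["perform_server_validation"]:
                findings.append(f"{name}: PerformServerValidation is false, the VPN server's certificate is never checked")
            elif not eap["server_names"]:
                findings.append(f"{name}: ServerNames is empty, any certificate from a trusted CA is accepted")
    return findings

def profile_rows(eap_xml, as_posted=False):
    """The post's settings table as rows (constructed here).  as_posted=True keeps the
    two pitfalls of the original table: a trailing space on one URI and 'True' for a bool."""
    p = URI_PREFIX
    return [("string", p + "Server", "vpn.contoso.com"),
            ("string", p + "SecuredResources/DNSSuffix", "dns.contoso.com"),
            ("string", p + "TunnelType", "IKEv2"),
            ("string", p + "Authentication/Method", "EAP"),
            ("string", p + "Proxy/Manual/Server", "proxy.contoso.com"),
            ("int", p + "Proxy/Manual/Port" + (" " if as_posted else ""), "8080"),
            ("bool", p + "Proxy/Manual/BypassProxyForLocal", "True" if as_posted else "true"),
            ("bool", p + "Policies/SplitTunnel", "false"),
            ("bool", p + "Policies/BypassForLocal", "false"),
            ("bool", p + "Policies/TrustedNetworkDetection", "false"),
            ("string", p + "Policies/ConnectionType", "manual"),
            ("xml", p + "Authentication/EAP", eap_xml)]

if __name__ == "__main__":
    posted = profile_rows(build_eap_tls_config(perform_server_validation=False), as_posted=True)
    for finding in lint_profile(posted):
        print("-", finding)
    hardened = profile_rows(build_eap_tls_config(["vpn.contoso.com"]))
    print("hardened profile findings:", lint_profile(hardened))
```

Run as is, the script reports the three problems of the table as posted (the trailing space, the capitalised True and the disabled server validation) and an empty finding list for the same profile with the EAP payload pinned to vpn.contoso.com. The namespace check in parse_eap_config is what catches a payload whose xmlns values were pasted with spaces inside the quotes: the root element then lives in a different namespace and is rejected before anything else is looked at.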

Special thanks goes out to James Lieurance (MSFT) who supplied the OMA-URI’s.