Create VPN profiles in Intune
Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a VPN connection profile to initiate a connection with the VPN server. Use VPN profiles in Microsoft Intune to assign VPN settings to users and devices in your organization, so they can easily and securely connect to the network.
For example, assume that you want to provision all iOS devices with the settings required to connect to a file share on the corporate network. You create a VPN profile that contains the settings to connect to the corporate network. Then you assign this profile to all users who have iOS devices. The users see the VPN connection in the list of available networks, and can connect with minimal effort.
You can use Intune custom configuration policies to create VPN profiles for the following platforms:
- Android 4 and later
- Enrolled devices that run Windows 8.1 and later
- Windows Phone 8.1 and later
- Enrolled devices that run Windows 10 desktop
- Windows 10 Mobile
- Windows Holographic for Business
VPN connection types
You can create VPN profiles using the following connection types:
|Connection type|Android work profiles|iOS|macOS|Windows Phone 8.1|Windows 8.1|Windows 10|
|---|---|---|---|---|---|---|
|Check Point Capsule VPN|Yes|Yes|Yes|Yes|Yes|Yes|
|SonicWall Mobile Connect|Yes|Yes|Yes|Yes|Yes|Yes|
|F5 Edge Client|Yes|Yes|Yes|Yes|Yes|Yes|
|Palo Alto Networks GlobalProtect|No|Yes|No|No|No|Yes|
|Citrix|Yes (Android only)|Yes|No|No|No|Yes|
Before you can use VPN profiles assigned to a device, you must install the applicable VPN app for the profile. You can use the information in the What is app management in Microsoft Intune? article to help you assign the app by using Intune.
Learn how to create custom VPN profiles by using URI settings in Create a profile with custom settings.
Create a device profile containing VPN settings
- Sign in to the Azure portal.
- Select All services, filter on Intune, and select Microsoft Intune.
- Select Device configuration > Profiles > Create profile.
- Enter a Name and Description for the VPN profile.
- From the Platform drop-down list, select the device platform to which you want to apply VPN settings. Currently, you can choose one of the following platforms for VPN device settings:
  - Android enterprise
  - Windows Phone 8.1
  - Windows 8.1 and later
  - Windows 10 and later
- From the Profile type drop-down list, choose VPN.
- Depending on the platform you chose, the settings you can configure are different. Go to one of the following topics for detailed settings for each platform:
- When you're done, Create your profile.
The profile is created and appears on the profiles list. To assign this profile to groups, see assign device profiles.
Methods of securing VPN profiles
VPN profiles can use a number of different connection types and protocols from different manufacturers. These connections are typically secured through one of two methods.
Certificates
When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in Intune. This profile is known as the identity certificate. It's used to authenticate against a trusted certificate profile (or root certificate) that you create to allow the user’s device to connect. The trusted certificate is assigned to the computer that authenticates the VPN connection, typically the VPN server.
For more information about how to create and use certificate profiles in Intune, see How to configure certificates with Microsoft Intune.
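The certificate method above comes down to one decision on the authenticating server: does the device's identity certificate chain to the trusted root, and is it valid for client authentication? The following is an added example, not part of the original article or of Intune itself. It uses the openssl CLI with a constructed lab PKI, and the function names, file names and subjects are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: constructed lab PKI. All names, subjects and lifetimes are made up.

# Self-signed root CA: stands in for the trusted (root) certificate
# that the VPN server is configured to trust.
make_root() {  # $1 = file prefix, $2 = subject CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Leaf certificate signed by a root: stands in for the identity
# certificate a SCEP or PKCS profile would place on the device.
issue_identity() {  # $1 = root prefix, $2 = leaf prefix, $3 = CN, $4 = EKU
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' \
    "${4:-clientAuth}" > "$2.ext"
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 7 -extfile "$2.ext" -out "$2.pem" 2>/dev/null
}

# Server-side decision: accept only if the identity certificate chains
# to the trusted root AND is valid for TLS client authentication.
chains_to_root() {  # $1 = trusted root PEM, $2 = identity PEM
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Walk three cases in a scratch directory: the right root, a root the
# server does not trust, and the right root with the wrong key usage.
demo() {
  dir=$(mktemp -d) && cd "$dir" || return 1
  make_root corp "Constructed Corp Root"
  make_root other "Constructed Other Root"
  issue_identity corp device "constructed-device" clientAuth
  issue_identity corp wrongeku "constructed-server" serverAuth
  for pair in corp:device other:device corp:wrongeku; do
    root=${pair%%:*}; leaf=${pair##*:}
    if chains_to_root "$root.pem" "$leaf.pem"; then r=accept; else r=reject; fi
    echo "root=$root identity=$leaf -> $r"
  done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see all three cases. Running `chains_to_root` against a certificate exported from a test device and the root you plan to deploy catches a mismatched issuer before the profile is assigned.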
User name and password
The user authenticates to the VPN server by providing a user name and password.