Create VPN profiles to connect to VPN servers in Intune

Important

On October 22, 2022, Microsoft Intune ended support for devices running Windows 8.1. Technical assistance and automatic updates on these devices aren't available.

If you currently use Windows 8.1, then we recommend moving to Windows 10/11 devices. Microsoft Intune has built-in security and device features that manage Windows 10/11 client devices.

Important

Microsoft Intune is ending support for Android device administrator management on devices with access to Google Mobile Services (GMS) on August 30, 2024. After that date, device enrollment, technical support, bug fixes, and security fixes will be unavailable. If you currently use device administrator management, we recommend switching to another Android management option in Intune before support ends. For more information, read Ending support for Android device administrator on GMS devices.

Virtual private networks (VPNs) give users secure remote access to your organization network. Devices use a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your organization. Use these settings so users can easily and securely connect to your organizational network.

This feature applies to:

  • Android device administrator

  • Android Enterprise personally owned devices with a work profile

  • iOS/iPadOS

  • macOS

  • Windows 10

  • Windows 11

    Important

    For Windows 11 devices, there is an issue between the Windows 11 client and the Windows VPNv2 CSP. A device with one or more Intune VPN profiles loses its VPN connectivity when the device processes multiple changes to VPN profiles for the device simultaneously. When the device checks-in with Intune a second time, it processes the VPN profile changes, and connectivity is restored.

    The following changes can cause a loss of VPN functionality:

    • Changes to a VPN profile that was previously processed by the Windows 11 device. This action deletes the original profile, and applies the updated profile.
    • Two new VPN profiles apply to the device at the same time.
    • An active VPN profile is removed at the same time a new VPN profile is assigned.

    This issue doesn't apply when:

    • A Windows 11 device doesn't have an existing VPN profile assigned, and it receives one Intune VPN profile.
    • Windows 11 devices with a VPN profile assigned, and are assigned another VPN profile with no other profile changes.
    • A Windows 10 device upgrades to Windows 11, and if there are no changes to that device's VPN profiles. After the upgrade to Windows 11, any changes to the devices VPN profiles or adding new VPN profiles will trigger the issue.

    This issue and warning remain until Windows updates the Windows 11 client that resolves this issue.

  • Windows 8.1 and newer

For example, you want to configure all iOS/iPadOS devices with the required settings to connect to a file share on the organization network. You create a VPN profile that includes these settings. You assign this profile to all users who have iOS/iPadOS devices. The users see the VPN connection in the list of available networks, and can connect with minimal effort.

This article lists the VPN apps you can use, shows you how to create a VPN profile, and includes guidance on securing your VPN profiles. You must deploy the VPN app before you create the VPN profile. If you need help with deploying apps using Microsoft Intune, see What is app management in Microsoft Intune?.

Before you begin

Step 1 - Deploy your VPN app

Before you can use VPN profiles assigned to a device, you must install the VPN app. This VPN app connects to your VPN server.

There are different VPN apps available. On user devices, you deploy the VPN app your organization uses. After the VPN app is deployed, then you create and deploy a VPN device configuration profile that configures the VPN server settings, including the VPN server name (or FQDN) and authentication method.

Some platforms and VPN apps require an app configuration policy to preconfigure the VPN app, instead of a VPN device configuration profile. This section also lists the platforms and VPN apps that must use an app configuration policy.

To help you assign the app using Intune, see Add apps to Microsoft Intune.

VPN connection types

You can create VPN profiles using the following VPN connection types:

  • Automatic

    • Windows 10/11
  • Check Point Capsule VPN

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile: Use app configuration policy
    • iOS/iPadOS
    • macOS
    • Windows 10/11
    • Windows 8.1
  • Cisco AnyConnect

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10/11
  • Cisco (IPSec)

    • iOS/iPadOS
  • Citrix SSO

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile: Use app configuration policy
    • Android Enterprise fully managed and corporate-owned work profiles: Use app configuration policy
    • iOS/iPadOS
    • Windows 10/11
  • Custom VPN

    • iOS/iPadOS
    • macOS

    Create custom VPN profiles using URI settings in Create a profile with custom settings.

  • F5 Access

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10/11
    • Windows 8.1
  • IKEv2

    • iOS/iPadOS
    • Windows 10/11
  • L2TP

    • Windows 10/11
  • Microsoft Tunnel

    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
  • NetMotion Mobility

    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
  • Palo Alto Networks GlobalProtect

  • PPTP

    • Windows 10/11
  • Pulse Secure

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • Windows 10/11
    • Windows 8.1
  • SonicWall Mobile Connect

    • Android device administrator
    • Android Enterprise personally owned devices with a work profile
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10/11
    • Windows 8.1
  • Zscaler

Step 2 - Create the profile

After the VPN app is assigned to the device, this next step creates the device configuration policy that configures the VPN connection. If your VPN app connection type uses an app configuration policy to configure the app, then skip this step.

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Configuration > Create.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:
      • Android device administrator
      • Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile
      • Android Enterprise > Personally-owned work profile
      • iOS/iPadOS
      • macOS
      • Windows 10 and later
      • Windows 8.1 and later
    • Profile type: Select VPN. Or, select Templates > VPN.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is VPN profile for entire company.
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, depending on the platform you chose, the settings you can configure are different. Select your platform for detailed settings:

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the user or groups that receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Secure your VPN profiles

VPN profiles can use many different connection types and protocols from different manufacturers. These connections are typically secured through the following methods.

Certificates

When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in Intune. This profile is known as the identity certificate. It's used to authenticate against a trusted certificate profile (or root certificate) that you create to allow the user's device to connect. The trusted certificate is assigned to the computer that authenticates the VPN connection, typically, the VPN server.

If you use certificate-based authentication for your VPN profile, then deploy the VPN profile, certificate profile, and trusted root profile to the same groups. This assignment makes sure each device recognizes the legitimacy of your certificate authority.

For more information about how to create and use certificate profiles in Intune, see How to configure certificates with Microsoft Intune.

Note

Certificates added using the PKCS imported certificate profile aren't supported for VPN authentication. Certificates added using the PKCS certificates profile are supported for VPN authentication.

User name and password

The user authenticates to the VPN server by providing a user name and password, or derived credentials.

Next steps