Create VPN profiles in Intune

Virtual private networks (VPNs) give your users secure remote access to your company network. Devices use a VPN connection profile to initiate a connection with the VPN server. Use VPN profiles in Microsoft Intune to assign VPN settings to users and devices in your organization, so they can easily and securely connect to the network.

For example, assume that you want to provision all iOS devices with the settings required to connect to a file share on the corporate network. You create a VPN profile that contains the settings to connect to the corporate network. Then you assign this profile to all users who have iOS devices. The users see the VPN connection in the list of available networks, and can connect with minimal effort.

You can use Intune custom configuration polices to create VPN profiles for the following platforms:

  • Android 4 and later
  • Enrolled devices that run Windows 8.1 and later
  • Windows Phone 8.1 and later
  • Enrolled devices that run Windows 10 desktop
  • Windows 10 Mobile
  • Windows Holographic for Business

VPN connection types

You can create VPN profiles using the following connection types:

Connection type Android
Android for Work
iOS macOS Windows Phone 8.1 Windows 8.1 Windows 10
Automatic No No No No No Yes
Check Point Capsule VPN Yes Yes Yes Yes Yes Yes
Cisco AnyConnect Yes Yes Yes No No No
SonicWall Mobile Connect Yes Yes Yes Yes Yes Yes
F5 Edge Client Yes Yes Yes Yes Yes Yes
Palo Alto Networks GlobalProtect No Yes No No No Yes
Pulse Secure Yes Yes Yes Yes Yes Yes
Cisco (IPSec) No Yes No No No No
Citrix Yes (Android only) Yes No No No Yes
IKEv2 No No No No No Yes
L2TP No No No No No Yes
PPTP No No No No No Yes
Custom VPN No Yes Yes No No No

Important

Before you can use VPN profiles assigned to a device, you must install the applicable VPN app for the profile. You can use the information in the What is app management in Microsoft Intune? article to help you assign the app by using Intune.

Learn how to create custom VPN profiles by using URI settings in Create a profile with custom settings.

Create a device profile containing VPN settings

  1. Sign in to the Azure portal.
  2. Select All services, filter on Intune, and select Microsoft Intune.
  3. Select Device configuration > Profiles > Create profile.
  4. Enter a Name and Description for the VPN profile.
  5. From the Platform drop-down list, select the device platform to which you want to apply VPN settings. Currently, you can choose one of the following platforms for VPN device settings:
  • Android
  • Android for Work
  • iOS
  • macOS
  • Windows Phone 8.1
  • Windows 8.1 and later
  • Windows 10 and later
  1. From the Profile type drop-down list, choose VPN.
  2. Depending on the platform you chose, the settings you can configure are different. Go to one of the following topics for detailed settings for each platform:
  1. When you're done, Create your profile

The profile is created and appears on the profiles list. To assign this profile to groups, see assign device profiles.

Methods of securing VPN profiles

VPN profiles can use a number of different connection types and protocols from different manufacturers. These connections are typically secured through one of two methods.

Certificates

When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in Intune. This profile is known as the identity certificate. It's used to authenticate against a trusted certificate profile (or root certificate) that you create to allow the user’s device to connect. The trusted certificate is assigned to the computer that authenticates the VPN connection, typically, the VPN server.

For more information about how to create and use certificate profiles in Intune, see How to configure certificates with Microsoft Intune.

User name and password

The user authenticates to the VPN server by providing a user name and password.