Create VPN profiles to connect to VPN servers in Intune

Virtual private networks (VPNs) give users secure remote access to your organization network. Devices use a VPN connection profile to start a connection with the VPN server. VPN profiles in Microsoft Intune assign VPN settings to users and devices in your organization. Use these settings so users can easily and securely connect to your organizational network.

For example, you want to configure all iOS/iPadOS devices with the settings required to connect to a file share on the organization network. You create a VPN profile that includes these settings. Then you assign this profile to all users who have iOS/iPadOS devices. The users see the VPN connection in the list of available networks and can connect with minimal effort.

Note

User enrollment for iOS/iPadOS and macOS only supports per-app VPN.

Note

You can use Intune custom configuration policies to create VPN profiles for the following platforms:

  • Android 4 and later
  • Enrolled devices that run Windows 8.1 and later
  • Enrolled devices that run Windows 10 desktop
  • Windows Holographic for Business

VPN connection types

You can create VPN profiles using the following connection types:

  • Automatic

    • Windows 10
  • Check Point Capsule VPN

    • Android device administrator
    • Android Enterprise work profiles
    • Android Enterprise fully managed and corporate-owned work profile: use an app configuration policy
    • iOS/iPadOS
    • macOS
    • Windows 10
    • Windows 8.1
  • Cisco AnyConnect

    • Android device administrator
    • Android Enterprise work profiles
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
  • Cisco (IPSec)

    • iOS/iPadOS
  • Citrix SSO

  • Custom VPN

    • iOS/iPadOS
    • macOS

    To create custom VPN profiles using URI settings, see Create a profile with custom settings.

  • F5 Access

    • Android device administrator
    • Android Enterprise work profiles
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10
    • Windows 8.1
  • IKEv2

    • iOS/iPadOS
    • Windows 10
  • L2TP

    • Windows 10
  • NetMotion Mobility

    • iOS/iPadOS
    • macOS
  • Palo Alto Networks GlobalProtect

  • PPTP

    • Windows 10
  • Pulse Secure

    • Android device administrator
    • Android Enterprise work profiles
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • Windows 10
    • Windows 8.1
  • SonicWall Mobile Connect

    • Android device administrator
    • Android Enterprise work profiles
    • Android Enterprise fully managed and corporate-owned work profile
    • iOS/iPadOS
    • macOS
    • Windows 10
    • Windows 8.1
  • Zscaler

Important

Before you can use a VPN profile assigned to a device, you must install the VPN app that the profile applies to. To assign the app using Intune, see What is app management in Microsoft Intune?

Create the profile

  1. Sign in to the Microsoft Endpoint Manager admin center.

  2. Select Devices > Configuration profiles > Create profile.

  3. Enter the following properties:

    • Platform: Choose the platform of your devices. Your options:
      • Android device administrator
      • Android Enterprise > Fully Managed, Dedicated, and Corporate-Owned Work Profile
      • Android Enterprise > Work profile
      • iOS/iPadOS
      • macOS
      • Windows 10 and later
      • Windows 8.1 and later
    • Profile: Select VPN.
  4. Select Create.

  5. In Basics, enter the following properties:

    • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is "VPN profile for entire company".
    • Description: Enter a description for the profile. This setting is optional, but recommended.
  6. Select Next.

  7. In Configuration settings, the settings you can configure depend on the platform you chose. Select your platform for detailed settings:

  8. Select Next.

  9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, see Use RBAC and scope tags for distributed IT.

    Select Next.

  10. In Assignments, select the users or groups that will receive your profile. For more information on assigning profiles, see Assign user and device profiles.

    Select Next.

  11. In Review + create, review your settings. When you select Create, your changes are saved and the profile is assigned. The policy is also shown in the profiles list.

Secure your VPN profiles

VPN profiles can use a number of different connection types and protocols from different manufacturers. These connections are typically secured through the following methods.

Certificates

When you create the VPN profile, you choose a SCEP or PKCS certificate profile that you previously created in Intune. This profile is known as the identity certificate. It is used to authenticate against a trusted certificate profile (or root certificate) that you create to allow the user's device to connect. The trusted certificate is assigned to the computer that authenticates the VPN connection, typically the VPN server.

If you use certificate-based authentication for your VPN profile, deploy the VPN profile, the certificate profile, and the trusted root profile to the same groups. This assignment makes sure each device recognizes the legitimacy of your certificate authority.

For more information about how to create and use certificate profiles in Intune, see How to configure certificates with Microsoft Intune.

Note

Certificates added using the PKCS imported certificate profile type aren't supported for VPN authentication. Certificates added using the PKCS certificates profile type are supported for VPN authentication.

User name and password

The user authenticates to the VPN server by providing a user name and password.
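As an added example (not code from this page or from Microsoft), the following Python check reviews two constructed Windows VPN ProfileXML documents of the kind the custom-settings route delivers through an OMA-URI: a PPTP profile that relies on a remembered user password, beside the same connection moved to IKEv2 with certificate authentication, which is what the SCEP/PKCS identity certificate described above is issued for. Element names follow the Windows VPNv2 CSP ProfileXML schema; the server name is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample (VPNv2 CSP ProfileXML shape): a legacy PPTP tunnel
# authenticated only by a user password that the device caches.
WEAK_PROFILE_XML = """<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.test</Servers>
    <NativeProtocolType>PPTP</NativeProtocolType>
    <Authentication>
      <UserMethod>MSChapv2</UserMethod>
    </Authentication>
  </NativeProfile>
  <RememberCredentials>true</RememberCredentials>
</VPNProfile>"""

# Constructed sample: the same connection on IKEv2 with a machine
# certificate, i.e. the identity certificate an Intune SCEP/PKCS profile issues.
HARDENED_PROFILE_XML = """<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.test</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
  </NativeProfile>
  <RememberCredentials>false</RememberCredentials>
</VPNProfile>"""


def review_profile(profile_xml):
    """Return review findings (strings) for one VPN ProfileXML document.

    Three checks: tunnel protocol, certificate-based machine authentication,
    and whether the user's password is cached on the device."""
    root = ET.fromstring(profile_xml)
    findings = []
    proto = root.findtext("NativeProfile/NativeProtocolType", default="")
    if proto == "PPTP":
        findings.append("protocol PPTP is obsolete: move the profile to IKEv2")
    auth = root.find("NativeProfile/Authentication")
    machine = auth.findtext("MachineMethod") if auth is not None else None
    if machine != "Certificate":
        findings.append("no MachineMethod Certificate: device is not certificate-authenticated")
    if root.findtext("RememberCredentials", default="false").lower() == "true":
        findings.append("RememberCredentials is true: user password is cached on the device")
    return findings
```

A profile that passes all three checks returns an empty list, so the function can gate a policy export before it is pushed to a group.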

Next steps

Once the profile is created, it isn't doing anything yet. Next, assign the profile to some devices and monitor its status.

You can also create and use per-app VPNs on Android device administrator, Android Enterprise, and iOS/iPadOS devices.