Configure device VPN settings to access corporate infrastructure remotely and securely. You can also limit traffic through the VPN by configuring Per-app VPN connections. Then set the VPN to connect automatically whenever the specified application is launched.

Settings Descriptions
Connection Info
Advanced Connection Settings

Configure advanced routing rules for device VPN connections.

Routing Addresses

Select Add to enter the IP Addresses and Subnet Prefix Size for the VPN connection. You may add additional routing addresses as needed.

Available when Advanced Connection Settings is enabled.

DNS Routing Rules

Select Add to enter the Domain Name on which the VPN server is hosted. Enter the Domain Name, DNS Servers, and Web Proxy Servers for each specific domain.

Available when Advanced Connection Settings is enabled.

Routing Policy

Allow traffic to use the local network connection by selecting Allow Direct Access to External Resources. Conversely, select Force All Traffic Through VPN to send all traffic through the VPN.

Available when Advanced Connection Settings is enabled.

Proxy

Select Auto Detect to detect any proxy servers used by the VPN automatically. Select Manual to configure the proxy server.

Available when Advanced Connection Settings is enabled.

Proxy Auto Config URL

Enter the URL for the proxy auto config.

Available only when Proxy is set to Auto Detect.

Server

Enter the URL for the proxy server configuration settings.

Displays when Proxy is set to Manual.

Port

Enter the port number used to access the proxy server.

Displays when Proxy is set to Manual.

Bypass proxy for local

Bypass the proxy server when the device detects it is on the local network.

Authentication
Authentication Type

Select the authentication protocol for the VPN.

  • EAP – Allows for various authentication methods.
  • Machine Certificate – Detects a client certificate in the device certificate store to use for authentication.
Protocols

Select the type of EAP authentication.

  • EAP-TLS – Smart Card or client certificate authentication.
  • EAP-MSCHAPv2 – User name and Password.
Credential Type

Select Use Certificate to use a client certificate. Select Use Smart Card to use a Smart Card to authenticate.

Displays when the Protocols option is set to EAP-TLS.

Simple Certificate Selection

Simplify the list of certificates from which the user selects. The most recently issued certificate is presented, and certificates are grouped by the entity for which they were issued.

Displays when the Protocols option is set to EAP-TLS.

Use Windows login Credentials

Use the same credentials as the Windows device.

Displays when the Protocols option is set to EAP-MSCHAPv2.

VPN Traffic Rules
App Identifier

Specify the App to which the traffic rules apply by entering the application package family name.

  • Package Family Name, for example: AirWatchLLC.AirWatchMDMAgent_htcwkw4rx2gx4
VPN On Demand

Automatically connect using VPN when the application is launched.

Routing Policy

Select the routing policy for the app.

  • Allow Direct Access to External Resources allows for both VPN traffic and traffic through the local network connection.
  • Force All Traffic Through VPN forces all traffic through the VPN.
VPN Traffic Filters

Add traffic filters for specific Legacy and Modern applications.

Select Add New Filter to add Filter Types and Filter Values for the routing rules. Only traffic from the specified app that matches these rules can be sent through the VPN.

  • IP Protocol – Numeric value 0–255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.
  • IP Address – A list of comma-separated values specifying remote IP address ranges to allow.
  • Ports – A list of comma-separated values specifying remote port ranges to allow. For example, 100–120, 200, 300–320. Ports are only valid when the protocol is set to TCP or UDP.
  • LocalPorts – A list of comma-separated values specifying local port ranges through which traffic is allowed.
  • LocalAddress – A list of comma-separated values specifying local IP addresses through which traffic is allowed.
Device Wide VPN Rules

Select Add to add traffic rules for the entire device.

Select Add to add Filter Types and Filter Values for the routing rules. Only traffic that matches these rules can be sent through the VPN.
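
The Filter Value formats listed under VPN Traffic Filters, which Device Wide VPN Rules reuse, can be checked before they are entered in the profile. The following Python sketch is an added example, not part of the original documentation or the product's code. It assumes IP address entries are written as a single address or CIDR block, that the TCP/UDP restriction on Ports also applies to LocalPorts, and that a flow must match every filter type present in a rule.

```python
import ipaddress

TCP, UDP = 6, 17  # protocol numbers quoted on the page

def parse_ranges(text, lo=0, hi=65535):
    """'100-120, 200' -> [(100, 120), (200, 200)], each bound checked."""
    out = []
    for item in text.replace("\u2013", "-").split(","):  # en dash pasted from docs
        first, _, last = item.strip().partition("-")
        start, end = int(first), int(last or first)
        if not lo <= start <= end <= hi:
            raise ValueError(f"bad range {item.strip()!r}")
        out.append((start, end))
    return out

def parse_addresses(text):
    """Single IP or CIDR entries (assumed syntax) -> list of networks."""
    return [ipaddress.ip_network(i.strip(), strict=False) for i in text.split(",")]

def validate_filter(f):
    """f maps Filter Type -> Filter Value (strings); returns a parsed rule."""
    rule = {}
    if "IP Protocol" in f:
        rule["proto"] = int(f["IP Protocol"])
        if not 0 <= rule["proto"] <= 255:
            raise ValueError("IP Protocol must be 0-255")
    for key in ("Ports", "LocalPorts"):  # applying this to LocalPorts is an assumption
        if key in f:
            if rule.get("proto") not in (TCP, UDP):
                raise ValueError(f"{key} needs IP Protocol 6 (TCP) or 17 (UDP)")
            rule[key] = parse_ranges(f[key])
    for key in ("IP Address", "LocalAddress"):
        if key in f:
            rule[key] = parse_addresses(f[key])
    return rule

def allowed(rule, proto, remote_ip, remote_port=0):
    """Model: a flow may use the VPN only if it matches every filter present."""
    ip = ipaddress.ip_address(remote_ip)
    return (rule.get("proto", proto) == proto
            and ("IP Address" not in rule or any(ip in n for n in rule["IP Address"]))
            and ("Ports" not in rule or any(a <= remote_port <= b for a, b in rule["Ports"])))

# Constructed sample filter; Ports is the page's example with its en dashes kept
SAMPLE = {"IP Protocol": "6", "IP Address": "10.20.0.0/16, 192.0.2.10",
          "Ports": "100\u2013120, 200, 300\u2013320"}
```

Anything the validator rejects, such as Ports paired with a protocol other than 6 or 17, is worth correcting before the profile is published.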

Policies
Remember Credentials

Remember the end user's login credentials.

Always On

Force the VPN connection on, which activates the VPN connection when the network connection disconnects and reconnects.

VPN Lockdown

Force the VPN on, disable any network access if the VPN is not connected, and prevent a connection or modification to other VPN profiles.

Trusted Network

Enter trusted network addresses separated by commas. The VPN does not connect when a trusted network connection is detected.

Split Tunnel

Allow end users to use a split tunnel VPN.

This text box applies to Windows Phone 8.1 devices only.

Bypass for Local

Bypass the VPN connection for local intranet traffic. For example, you do not use the VPN connection if you are also connected to your work network connection at the office.

This text box applies to Windows Phone 8.1 devices only.

Trusted Network Detection

Use Trusted Network Detection when connecting to the VPN.

This text box applies to Windows Phone 8.1 devices only.

Connection Type

Select the connection type you want to allow.

Always ON keeps the VPN connection running at all times.

This text box applies to Windows Phone 8.1 devices only.

Idle Disconnection Time

Set the maximum amount of time that can pass without connectivity requests before automatically disconnecting the VPN.

This text box applies to Windows Phone 8.1 devices only.

VPN On Demand
Allowed Apps

Select Add to define apps to have all their traffic secured over the VPN.

You may add as many apps as you like.

Allowed Networks

Select Add to define networks.

All traffic over configured networks is secured over the VPN.

You may add as many networks as you like.

Excluded Apps

Select Add to define excluded apps.

All traffic to these apps is NOT secured over the VPN.

You may add as many excluded apps as you like.

Excluded Networks

Select Add to define excluded networks.

All traffic over excluded networks is NOT secured over the VPN.

You may add as many excluded networks as you like.

DNS Suffix Search List

Select Add to define the DNS Suffix Search List.

DNS suffixes are appended to shortened URLs for DNS resolution and connectivity.

You may add as many DNS suffixes as you like.