Configure device VPN settings to remotely and securely access corporate infrastructure. You can also configure Per-app VPN connections that limit traffic through the VPN to specific applications and set the VPN to automatically connect whenever the specified application is launched.

Note:

This payload is only available to devices using Windows Phone 8.1 or Windows 10 Mobile. If you want to use this payload, you must download and install the free update.

To create a VPN profile: 

  1. Navigate to Devices > Profiles > List View > Add and select Add Profile.

  2. Select Windows and then select Windows Phone.

  3. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  4. Select the VPN payload.
  5. Configure the VPN settings.

    Settings Descriptions
    Connection Info
    Connection Name

    Enter the name of the VPN connection.

    Connection Type

    Select the type of VPN connection:

    The connection type will support all third-party VPN providers available on the Windows store.

    Server

    Enter the VPN server, hostname, or IP Address.

    Advanced Connection Settings

    Enable to configure advanced routing rules for device VPN connections.

    Routing Addresses

    Select Add to enter the IP Addresses and Subnet Prefix Size of the VPN server.

    You may add additional routing addresses as needed.

    DNS Routing Rules

    Select Add to enter the Domain Name on which the VPN server is hosted. Enter the DNS Servers and Web Proxy Servers to use for each specific domain.

    Routing Policy

    Select Split Tunnel to allow traffic to use the VPN or the local network connection. Select Force Tunnel to force all traffic through the VPN.

    Proxy

    Select Auto Detect to automatically detect any proxy servers used by the VPN. Select Manual to configure the proxy server.

    Server

    Enter the IP Address for the proxy server.

    Displays when Proxy is set to Manual.

    Proxy Server Config URL

    Enter the URL for the proxy server configuration settings.

    Displays when Proxy is set to Manual.

    Bypass proxy for local

    Enable to bypass the proxy server when the device detects it is on the local network.

    Authentication
    Authentication Type

    Select the authentication protocol for the VPN:

    • EAP – Allows for various authentication methods.
    • Machine Certificate – Detects a client certificate in the device certificate store to use for authentication.
    Protocols

    Select the type of EAP authentication:

    • EAP-TLS – Smart Card or client certificate authentication
    • PEAP
    • EAP-MSCHAPv2 – Username and Password
    • Custom Configuration – Allows all EAP configurations
    • EAP-TTLS
     
    Credential Type

    Select Use Certificate to use a client certificate. Select Use Smart Card to use a Smart Card to authenticate.

    Displays when EAP Type is set to EAP-TLS.

    Simple Certificate Selection

    Enable to simplify the list of certificates from which the user selects. The certificates are grouped by the entity that the certificate was issued for and the most recently issued certificate is presented.

    Displays when EAP Type is set to EAP-TLS.

    Use Windows Log On Credentials

    Enable to use the same credentials as the Windows device.

    Displays when EAP Type is set to EAP-MSCHAPv2.

    Identity Privacy

    Enter the value to send servers before the client authenticates the server's identity.

    Displays when EAP Type is set to EAP-TTLS.

    Inner Authentication Method

    Select the authentication method for inner identity authentication.

    Displays when EAP Type is set to EAP-TTLS.

    Enable Fast Reconnect

    Enable to reduce the delay in time between an authentication request by a client and the response from the server.

    Displays when EAP Type is set to PEAP.

    Enable Identity Privacy

    Enable to protect the user identity until the client authenticates with the server.

    VPN Traffic Rules

    Per-app VPN Rules

    Select Add to add traffic rules for specific Legacy and Modern applications. For more information on Per-app VPN, see Using Per-app VPN.

    Application ID

    Enter the application package family name to specify the app the traffic rules apply to.

    • Package Family Name example: AirWatchLLC.AirWatchMDMAgent_htcwkw4rx2gx4
    VPN On Demand

    Enable to have the VPN connection automatically connect when the application is launched.

    Routing Policy

    Select the routing policy for the app.

    • Allow Direct Access to External Resources allows for both VPN traffic and traffic through the local network connection.
    • Force All Traffic Through VPN forces all traffic through the VPN.
    DNS Routing Rules

    Enable to add DNS routing rules for the app traffic.

    Select Add to add Filter Types and Filter Values for the routing rules. Only traffic from the specified app that matches these rules can be sent through the VPN.

    • IP Address: A list of comma separated values specifying remote IP address ranges to allow.
    • Ports: A list of comma separated values specifying remote port ranges to allow. For example, 100-120, 200, 300-320. Ports are only valid when the protocol is set to TCP or UDP.
    • IP Protocol: Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.

    For more information on how these filters and policies function and the logic used, see Using Per-app VPN.

    Device Wide VPN Rules

    Select Add to add traffic rules for the entire device.

    Select Add to add Filter Types and Filter Values for the routing rules. Only traffic that matches these rules can be sent through the VPN.

    Policies
    Remember Credentials

    Enable to remember the end user's login credentials.

    Always On

    Enable to force the VPN connection to always be on. This will turn the VPN connection back on when the network connection disconnects and reconnects.

    VPN Lockdown

    Enable to force the VPN to always be on, never be disconnected, disable any network access if the VPN is not connected, and prevent connection or modification to other VPN profiles.

    Trusted Network

    Enter trusted network addresses, separated by commas. The VPN does not connect when a trusted network connection is detected.

    WP8 Split Tunnel

    Enable to allow end users to use a split tunnel VPN.

    This field applies to Windows Phone 8.1 devices only.

    Bypass for Local

    Enable to bypass the VPN connection for local intranet traffic. For example, you do not use the VPN connection if you are also connected to your work network connection at the office.

    This field applies to Windows Phone 8.1 devices only.

    Connection Type

    Select the connection type you want to allow.

    Always ON leaves the VPN connection running at all times.

    This field applies to Windows Phone 8.1 devices only.

    Trusted Network Detection

    Enable to use Trusted Network Detection when connecting to the VPN.

    This field applies to Windows Phone 8.1 devices only.

    Idle Disconnection Time

    Set the maximum amount of time that can pass without connectivity requests before automatically disconnecting the VPN.

    This field applies to Windows Phone 8.1 devices only.

    VPN On Demand - Windows Phone 8.1 devices only
    Allowed Apps

    Select Add to define apps to have all their traffic secured over the VPN.

    You may add as many apps as you like.

    Allowed Networks

    Select Add to define networks.

    All traffic over configured networks is secured over the VPN.

    You may add as many networks as you like.

    Excluded Apps

    Select Add to define excluded apps.

    All traffic to these apps is NOT secured over the VPN.

    You may add as many excluded apps as you like.

    Excluded Networks

    Select Add to define excluded networks.

    All traffic over excluded networks is NOT secured over the VPN.

    You may add as many excluded networks as you like.

    DNS Suffix Search List

    Select Add to define the DNS Suffix Search List.

    DNS suffixes are appended to short name URLs for DNS resolution and connectivity.

    You may add as many DNS suffixes as you like.

  6. Select Save & Publish.
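The filter values described under DNS Routing Rules (IP Address, Ports, IP Protocol) can be checked before they are entered in the console. The following Python code is an added example, not part of the original documentation or the product's own logic. It assumes IP values are single addresses or CIDR blocks and that every filter type present in a rule must match; the function names are hypothetical.

```python
import ipaddress

TCP, UDP = 6, 17  # protocol numbers as listed in the filter description

def parse_ports(value):
    """Turn '100-120, 200, 300-320' into [(100, 120), (200, 200), (300, 320)]."""
    ranges = []
    for item in value.split(","):
        low, _, high = item.strip().partition("-")
        low = int(low)
        high = int(high) if high else low
        if not 0 < low <= high <= 65535:
            raise ValueError(f"invalid port range: {item.strip()!r}")
        ranges.append((low, high))
    return ranges

def parse_rule(ip=None, ports=None, protocol=None):
    """Validate one rule's filter values and return them in parsed form."""
    if protocol is not None and not 0 <= protocol <= 255:
        raise ValueError("IP Protocol must be a number from 0 to 255")
    if ports is not None and protocol not in (TCP, UDP):
        raise ValueError("Ports are only valid with protocol 6 (TCP) or 17 (UDP)")
    # Assumption: each IP value is a single address or a CIDR block.
    nets = [ipaddress.ip_network(v.strip(), strict=False)
            for v in ip.split(",")] if ip else None
    return {"nets": nets, "ports": parse_ports(ports) if ports else None,
            "protocol": protocol}

def matches(rule, remote_ip, remote_port, protocol):
    """Assumption: every filter type present in the rule must match."""
    if rule["protocol"] is not None and rule["protocol"] != protocol:
        return False
    if rule["nets"] is not None:
        addr = ipaddress.ip_address(remote_ip)
        if not any(addr in net for net in rule["nets"]):
            return False
    if rule["ports"] is not None:
        return any(low <= remote_port <= high for low, high in rule["ports"])
    return True

if __name__ == "__main__":
    # Constructed sample rule and flows (documentation address ranges).
    rule = parse_rule(ip="10.20.0.0/16, 192.0.2.10",
                      ports="100-120, 200, 300-320", protocol=TCP)
    for flow in [("10.20.5.9", 110, TCP), ("10.20.5.9", 250, TCP),
                 ("198.51.100.1", 200, TCP), ("10.20.5.9", 110, UDP)]:
        print(flow, "-> VPN" if matches(rule, *flow) else "-> not matched")
```

Running a rule through a check like this before publishing the profile catches a Ports filter paired with a non-TCP/UDP protocol, which the filter description says is not valid.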