VPN on demand is the process of automatically establishing a VPN connection for specific domains. For increased security and ease of use, VPN on demand uses certificates for authentication instead of simple passcodes.

To distribute certificates through the UEM console during configuration and set up of VPN on demand:

  1. Ensure your certificate authority and certificate templates in the Workspace ONE UEM are properly configured for certificate distribution.
  2. Make your third-party VPN application of choice available to end users by pushing it to devices or recommending it in your enterprise App Catalog.
  3. Navigate to Devices > Profiles & Resources > Profiles and select Add. Select Apple macOS, and then select whether this profile will apply to only the enrollment user on the device ( User Profile), or the entire device ( Device Profile).
  4. Configure the profile's General settings.

    These settings determine how the profile deploys and who receives it. For more information on General settings, see Add General Profile Settings.

  5. Select the VPN payload and configure settings as outlined above.

  6. Specify the Connection Info for a connection type that supports certificate authentication: IPSec (Cisco), F5 SSL, Custom SSL, or F5 Access .
    • Server – Enter the hostname or IP address of the server for connection.
    • Account – Enter the name of the VPN account.
  7. Authentication – Select a certificate to authenticate the device.
  8. Identity Certificate – Select the appropriate credentials.
  9. Include User PIN – Select this check box to ask the end user to enter a device PIN.
  10. Check the Enable VPN On Demand box. Add the Domains, and choose the On-Demand Action.
    • Always Establish – Initiates a VPN connection regardless of whether the page can be accessed directly or not.
    • Never Establish – Does not initiate a VPN connection for addresses that match the specified the domain. However, if the VPN is already active, it may be used.
    • Establish if Needed – Initiates a VPN connection only if the specified page cannot be reached directly.

      Important:

      For wildcard characters, do not use the asterisk (*) symbol. Instead, use a dot in front of the domain. For example, .air-watch.com.

  11. Select Save and Publish. After the profile installs on a user's device, a VPN connection prompt will automatically display whenever the user navigates to a site that requires it, such as SharePoint.