VPN On Demand is the process of automatically establishing a VPN connection for specific domains. For increased security and ease of use, VPN On Demand uses certificates for authentication instead of simple passcodes.

Use the following instructions to distribute certificates through the UEM console during configuration and set up VPN On Demand.

  1. Ensure your certificate authority and certificate templates in Workspace ONE UEM are properly configured for certificate distribution.
  2. Make your third-party VPN application of choice available to end users by pushing it to devices or recommending it in your enterprise App Catalog.
  3. Navigate to Devices > Profiles & Resources > Profiles > Add, then iOS.
  4. Select the VPN payload from the list.
  5. Configure your base VPN profile accordingly.
  6. Select Certificate from the User Authentication drop-down menu.
    • Navigate to the Credentials payload.
      • From the Credential Source drop-down menu, select Defined Certificate Authority.
      • Select the Certificate Authority and Certificate Template from the respective drop-down menus.
    • Navigate back to the VPN payload.
  7. Select the Identity Certificate as specified through the Credentials payload if you are applying certificate authentication to the VPN profile.
  8. Select the Enable VPN On Demand box.
  9. Configure the Use the New on Demand Keys (iOS 7) to enable a VPN connection when end users access any of the domains specified:

    Setting Description
    Use new On Demand Keys (iOS 7 and higher) Select to use the new syntax that allows for specifying more granular VPN rules.
    On Demand Rule/Action

    Choose an Action to define VPN behavior to apply to the VPN connection based on the defined criteria. If the criterion is true, then the action specified takes place.

    • Evaluate Connection: Automatically establish the VPN tunnel connection based on the network settings and on the characteristics of each connection. The evaluation happens every time the VPN connects to a Web site.
    • Connect: Automatically establish the VPN tunnel connection on the next network attempt if the network criteria met.
    • Disconnect: Automatically disable the VPN tunnel connection and do not reconnect on demand if the network criteria are met.
    • Ignore: Leave the existing VPN connection, but do not reconnect on demand if the network criteria are met.
    Action Parameter

    Configure Action Parameters for specified domains to trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).

    If choosing Evaluate Connection, these options appear:

    • Choose Connect If Needed/Never Connect and enter additional information:

      • Domains – Enter the domains for which this evaluation applies.
      • URL Probe – Enter an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s hostname cannot be resolved, if the server is unreachable, or if the server does not respond with a 200 HTTP status code, a VPN connection is established in response.
      • DNS Servers – Enter an array of DNS server IP addresses to be used for resolving the specified domains. These servers need not be part of the device’s current network configuration. If these DNS servers are not reachable, a VPN connection is established in response. These DNS servers must be either internal DNS servers or trusted external DNS servers. (optional)
    Criteria/Value for Parameter
    • Interface Match – Select the type of connection that matches device's network current adapter. Values available are any, Wifi, Ethernet, and Cellular.
    • URL Probe – Enter the specified URL for criteria to be met. When criteria is met, a 200 HTTP status code is returned. This format includes protocol (https).
    • SSID Match – Enter the device's current network ID. For the criteria to be met, it must match at least one of the values in the array.
      • Use the + icon to enter multiple SSIDs as needed.
    • DNS Domain Match – Enter the device's current network search domain. A wildcard is supported (*.example.com).
    • DNS Address Match – Enter the DNS address that matches the device's current DNS server's IP address. For criteria to be met, all the device's listed IP addresses must be entered. Matching with a single wildcard is supported (17.*).

    Alternatively, choose legacy VPN On Demand:

    Setting Description
    Match Domain or Host

    On Demand Action

    • Establish if Needed or Always Establish – Initiates a VPN connection only if the specified page cannot be reached directly.
    • Never Establish – Does not establish a VPN connection for addresses that match the specified the domain. However, if the VPN is already active, it can be used.
  10. Use the + icon to add more Rules and Action Parameters as desired.

  11. Choose a Proxy type:

    Setting Description
    Proxy

    Select either Manual or Auto proxy type to configure with this VPN connection.

    Server Enter the URL of the proxy server.
    Port Enter the port used to communicate with the proxy.
    Username Enter the user name to connect to the proxy server.
    Password Enter the password for authentication.
  12. Complete Vendor Configurations. These values are unique to every VPN provider.

    Setting Description
    Vendor Keys

    Select to create custom keys to add to the vendor config dictionary.

    Key Enter the specific key provided by the vendor.
    Value Enter the VPN value for each key.
  13. Click Save and Publish. Once the profile installs on a user's device, a VPN connection prompt automatically displays whenever the user navigates to a site that requires it, such as SharePoint.