A virtual private network (VPN) connection provides devices a secure and encrypted tunnel to an internal network, effectively allowing each device to function as seamlessly as if they were using the network on-site.

For Samsung Knox enabled devices, configuring Per App VPN for container applications secures the network traffic specifically for those applications inside the Knox container.


  1. Navigate to Devices > Profiles & Resources > Profiles > Add > Add Profile > Android (Legacy).
  2. Select Container.
  3. Configure the profile's General settings. These General profile settings determine how the profile is deployed and who receives it.
  4. Select the VPN payload.
  5. Configure the VPN profile as desired. These text boxes defined in the table vary depending on the Client Type selected from the Connection Info section. This table details all configurations available.
    Setting Description
    Client Type

    Determine the VPN provider.

    Connection Name

    Enter the name of the connection displayed on the device.

    Server Specify the Hostname or IP address for the server.
    Enforce Service Validation Establish trust relationship between server and device.
    Server Suffix Designate the domain in which the authenticating server must belong.
    Use Authentication

    Enable this text box to require user credentials for VPN access. The selected Client Type determines applicable text boxes displayed in this section.

    The following text boxes displays upon selection:

    • Username – Enter the username users are required to enter at setup.
    • Password – Enter a password provided to users.
    Connection Type

    Select the type of certificate used to authenticate the VPN.

    Identity Certificate Use the drop down to select the credentials for authenticating the connection.
    Root Certificate Specify the trust certificate authority.
    Enable Advanced Configurations Select the check box to display more options to configurable your VPN profile based on the selected client type.
    Backup Server Name Enter the name of the server to connect to in the event the primary VPN gateway fails.
    Default Route Enabled Enable to ensure that all network traffic goes through the tunnel.
    IKE Version Internet Key Exchange (IKE) protocol version for setting up security association.
    Dead Peer Detection Enable dead peer detection to allow the KeyVPN client to detect a dead IKE peer.
    PFS Exchange PFS Exchange (Perfect Forward Secrecy) to be enabled if the session key should be protected.
    Suite B Use Suite B cryptography for connecting to VPN for higher security.
    Phase 1 Mode Sets up a secure tunnel to authenticate and secure the IKE tunnel.
    DH Group

    (Diffie-Hellman (DH) Group)

    Sets the key strength used in phase 1 during key exchange. The higher the group number, the more secure the key exchange. You can select Default or a specific DH group: 1, 2, 5, 14, 15, 16, 17, 18, and 24.

    Split Tunnel Type Allow/disallow VPN user to access a public network and a local WAN/LAN at the same time using the same physical network.
    Forward Routes Enter an alternate destination for the split tunnel to be directed. This text box only displayd if Split Tunnel Type is set to Manual.
    Authentication Type Select the authentication types to be used with enterprise applications as certificate based or CAC based.
    Proxy Type Select whether the proxy connects by Static Proxy or Proxy Auto Configuration.
    PAC URL This text boxdisplays when Proxy Auto Configuration is selected form the Proxy Type text box.

    Enter the Host name of IP address for the proxy server.


    Specify the target port for the proxy server.

    Username Enter user credentials.
    Password Enter user credentials.

    Select the assignment level as All Container Applications or Individual Applications.

    For Individual Applications, enter the application package name (app identifier) for the apps you want to have app level VPN. Examples include:

    • Container application – sec_container_1.airwatchEmailClient.xxx
    • Application outside the container – com.airwatch.androidagent
    Enable Debug Logging Include more detailed information in the diagnostics reports for troubleshooting.
    Show Warnings Show message in case of connectivity problems or when server name can not be resolved.
  6. Set Advanced to enable more configurations, if necessary.
    1. Split Tunnel Type – Allow/disallow VPN user to access a public network and a local WAN/LAN at the same time using the same physical network.
      • Disable – Prevent end-users from access a public network and a local WAN/LAN at the same time.
      • Manual – Send specific traffic through the VPN gateway for end-users connecting to the Internet.
      • Auto – No configuration on which traffic is sent through the VPN gateway.
    2. Forward Routes
    3. Authentication Types – Select the authentication types to be used with enterprise applications:
      • Certificate Based Authentication – Uses certificates sent through the profile for authenticating into the VPN client.
      • CAC Based Authentication – Uses Common Access Card (CAC) for authentication.
  7. Select Save & Publish.