Workspace ONE UEM powered by AirWatch allows you to add a resource dedicated to providing a virtual private network (VPN). A VPN enables users to send and receive data across public networks as though they were connected directly to a private network.

For an overview, see Resources.

Procedure

  1. Navigate to Devices > Profiles & Resources > Resources and select Add Resource followed by VPN and complete the following settings.
    Setting – Description
    Resource Details
      Resource Name – Name of the profile to be displayed in the Workspace ONE UEM console.
      Description – A brief description of the profile that indicates its purpose.
    Connection Info
      Connection Type – Select the type of secure connection from the drop-down listing.
      Server – Enter the server URL.
  2. Click Next to proceed to the Platforms selection. Choose among the following supported platforms, opting for either the default settings or Advanced Settings.
    • iOS
      • Setting – Description
        Connection Info
          Account – Enter the name of the VPN account.
          Disconnect on Idle (min) – Allow the VPN to auto-disconnect after a specific amount of time. Support for this value depends on the VPN provider.
          Send All Traffic – Select to force all traffic through the specified network.
          Per App VPN Rules – Select to enable and configure Per App VPN rules.
          Connect Automatically – Select to allow the VPN to connect automatically to Safari Domains. This option appears when the Per App VPN Rules check box is selected.
          Provider Type – Select the type of Per-App VPN provider. Determine how to tunnel traffic, either through an application layer or IP layer by selecting between AppProxy and PacketTunnel. This option appears when the Per App VPN Rules check box is selected.
          Safari Domains – Enter each domain to which you want the Per-App VPN to connect automatically. These domains are internal sites that trigger an automatic VPN connection. This option appears when the Per App VPN Rules check box is selected.
        Authentication
          User Authentication – Authenticate end users by either uploading a Certificate or by requiring a Password for VPN access.
          Group Name – Enter the Workspace ONE UEM group name.
          Password – Available only when User Authentication is set to Password. Enter the password for the Workspace ONE UEM Group Name.
          Identity Certificate – This setting is only available when User Authentication is set to Certificate. Select Add A Certificate to either name and upload a certificate file or select an existing certificate authority using a certificate template.
          Enable VPN On Demand – This setting is only available when User Authentication is set to Certificate. Enable VPN On Demand to use certificates to establish VPN connections automatically.
          Use new On-Demand keys – This setting is only available when User Authentication is set to Certificate. Enable the option to activate a VPN connection when end users access any of the specified domains.
          Match Domain or Host – This setting is only available when User Authentication is set to Certificate. Enter a domain or hostname that, when accessed by an end user, triggers the activation of a VPN connection.
          On-Demand Action – This setting is only available when User Authentication is set to Certificate. Select the domain-specific on-demand action that takes place when end users activate a VPN connection. Select among Always Establish, Never Establish, and Establish if Needed.
        Proxy
          Proxy – Select among None, Manual, and Auto.
          Proxy Server Auto Config URL – Available only when Proxy is Auto. Enter the URL of the Wi-Fi proxy that the device uses to connect.
          Server – Available only when Proxy is Manual. Enter the name of the proxy server to which your devices connect.
          Port – Available only when Proxy is Manual. Include the port number of the proxy server through which the device connects to the proxy server.
          User name – Available only when Proxy is Manual. Enter a user name recognized by the proxy server.
          Password – Available only when Proxy is Manual. Enter the password that corresponds to the user name entered.
        Vendor Configurations
          Vendor Keys – Create custom keys using the vendor config dictionary.
          Key – Enter the specific key provided by the vendor.
          Value – Enter the VPN value for each key.
    • Android
      • Setting – Description
        Authentication
          Identity Certificate – Enter the certificate credentials used to authenticate the connection by selecting Add a Certificate.
          Credential Source – Select the source of the credentials. Select among Upload, Defined Certificate Authority, and User Certificate.
          Credential Name – Available when Credential Source is set to Upload. Enter the name of the uploaded credential.
          Certificate – Available when Credential Source is set to Upload. Click Upload to select a certificate file from your device.
          Certificate Authority – Available when Credential Source is set to Defined Certificate Authority. Select the certificate authority from a drop-down listing.
          Certificate Template – Available when Credential Source is set to Defined Certificate Authority. This setting auto-populates based on your selection in the Certificate Authority setting.
          S/MIME – Available when Credential Source is set to User Certificate. Select between the user-centric S/MIME Signing certificate and the S/MIME Encryption certificate.
        Enable VPN On Demand
          Enable VPN On Demand – Enable VPN On Demand to use certificates to establish VPN connections automatically. Enable VPN by entering the name of the app and selecting the plus sign to the left of the magnifying glass icon. You can enter more than one application.

  3. Click Next to proceed to the Assignment section.
  4. Assign the resource to devices by completing the following settings.
    Setting – Description
    Assignment Type – Determines how the resource is deployed to devices.
      • Auto – The resource is deployed to all devices automatically.
      • Optional – An end user can optionally install the resource from the Self-Service Portal (SSP), or it can be deployed to individual devices at the discretion of the administrator.
    Managed By – The organization group with administrative access to the resource.
    Assigned Groups – Refers to the group to which you want the device resource added. Includes an option to create a new smart group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    Exclusions – If Yes is selected, a new Excluded Groups text box displays, in which you select the groups you want to exclude from the assignment of this resource.
    View Device Assignment – After you have made a selection in the Assigned Groups text box, you may select this button to preview a list of all devices to which this resource is assigned, taking the smart group assignments and exclusions into account.
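
A defender-side check for the iOS settings in step 2, added here as an example and not VMware's code: it parses an installed configuration profile and flags VPN payload settings worth reviewing. The mapping of console labels to keys (Send All Traffic to IPv4 OverridePrimary, User Authentication to AuthenticationMethod, Never Establish to OnDemandMatchDomainsNever, the proxy Password to HTTPProxyPassword) follows Apple's com.apple.vpn.managed payload and is an assumption about what Workspace ONE UEM delivers; the sample profile, its names and its hostnames are constructed.

```python
import plistlib

# Constructed sample: two VPN payloads as they might appear in an installed
# .mobileconfig. Payload names and hostnames are made up for the example.
SAMPLE_PROFILE = plistlib.dumps({"PayloadContent": [
    {"PayloadType": "com.apple.vpn.managed", "VPNType": "VPN",
     "UserDefinedName": "legacy-vpn",
     "IPv4": {"OverridePrimary": 0},                   # Send All Traffic off
     "VPN": {"RemoteAddress": "vpn.example.com",
             "AuthenticationMethod": "Password",       # User Authentication
             "OnDemandMatchDomainsNever": ["intranet.example.com"]},
     "Proxies": {"HTTPEnable": 1, "HTTPProxy": "proxy.example.com",
                 "HTTPProxyPassword": "constructed-secret"}},
    {"PayloadType": "com.apple.vpn.managed", "VPNType": "VPN",
     "UserDefinedName": "cert-vpn",
     "IPv4": {"OverridePrimary": 1},
     "VPN": {"RemoteAddress": "vpn.example.com",
             "AuthenticationMethod": "Certificate", "OnDemandEnabled": 1,
             "OnDemandRules": [{"Action": "Connect"}]}},
]})


def audit_vpn_profile(profile_bytes):
    """Return (payload name, finding) pairs for settings worth reviewing."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue  # only device-wide VPN payloads are checked here
        name = payload.get("UserDefinedName", "<unnamed>")
        vpn = payload.get("VPN", {})
        if not payload.get("IPv4", {}).get("OverridePrimary"):
            findings.append((name, "split tunnel: not all traffic uses the VPN"))
        if vpn.get("AuthenticationMethod") != "Certificate":
            findings.append((name, "password authentication instead of a certificate"))
        for domain in vpn.get("OnDemandMatchDomainsNever", []):
            findings.append((name, f"on-demand never starts the VPN for {domain}"))
        if "HTTPProxyPassword" in payload.get("Proxies", {}):
            findings.append((name, "proxy password stored in the profile"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_vpn_profile(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```

Whether a split tunnel or a never-connect domain is acceptable is a policy decision; the check only surfaces what the delivered profile does.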