Virtual Private Network (VPN)

A Virtual Private Network (VPN) ensures that all data is transmitted through a secured tunnel, which means it strictly requires authentication or a special certificate to establish connectivity. Every enterprise therefore prefers to configure a VPN, to ensure that all corporate data is secured from hackers and unauthorized users. A VPN is a necessity without which users cannot reach the corporate network when away from the workplace. Since mobile devices have become a part of productivity, corporate data should be reachable for employees from anywhere. As an administrator, you need to configure VPN for all the managed mobile devices. You can create VPN profiles and associate them with devices.

VPN and VPN On-Demand

When a VPN profile is configured on a device, users have to turn on the VPN setting on the mobile device every time before accessing secured corporate data. Since the VPN runs over Wi-Fi or cellular data, VPN connectivity turns off automatically every time the device loses connectivity with the Internet, and users have to turn it on again manually to reach the corporate data. To overcome this, you can choose VPN On-Demand. As the name signifies, VPN connectivity is established only when specific domains require it, and the user need not turn the VPN on manually.

You have to specify the domains for which the VPN should be turned on; multiple domains are separated by commas. The table below lists the inputs that need to be entered on the product server to configure VPN for mobile devices.
The following built-in VPN connection types are supported by MDM:

  • L2TP
  • PPTP
  • IPSec
  • IKEv2

In addition to the above-mentioned built-in VPNs, Endpoint Central also supports configuring the following plug-in VPNs. These VPNs require an additional app to be installed on the devices.

NOTE: These apps can also be configured over-the-air using the App Configurations feature.

The Juniper SSL app is not available in the App Store. This VPN type can only be configured for devices that already have the app installed. To configure Custom SSL VPN, the admin must manually enter the app details. All the other plug-in apps can be added using ABM and silently distributed to devices. Click here to know more about App Distribution and click here to know how to install apps silently on iOS devices.

Endpoint Central also lets you configure the following plug-in VPNs that are not supported by default.

Note: If you need support for other VPNs, you can raise your request here.

Using certificate for authentication

In addition to configuring VPN on the managed devices, MDM also provides the option of provisioning VPN on the devices using a certificate as the means of authentication. Authentication plays a major role in establishing a VPN connection, and a certificate is generally considered a much more secure form of authentication than a pre-shared key. Further, in large VPN networks, managing a large number of pre-shared keys can be cumbersome; certificates are a much more scalable alternative. Additionally, pre-shared keys are bound to an IP address, whereas certificates are not, so remote users with a dynamically assigned IP address can authenticate using the identification information contained in the certificate. You can configure a certificate as explained here and distribute certificates on a large scale as explained here.

The following documents will help you configure Cisco AnyConnect on your mobile devices -

Profile Description

Profile Specification | Description

VPN
Connection Name | Specify the name to be displayed as the VPN name on the end user's mobile device.
Connection Type | Connection type to be enabled.
Server Name / IP Address | Host name or IP address of the server.
Local Identifier (Can be configured only if the Connection Type is IKEv2) | Specify the certificate identity of the user/device.
Remote Identifier (Can be configured only if the Connection Type is IKEv2) | Specify the certificate identity of the server.
Account | User authentication to access the VPN. The dynamic variable %username% resolves to the user name mapped to the device.
Realm (Can be configured only if Connection Type is Juniper SSL/Pulse VPN) | Specify the authentication realm. An authentication realm specifies the criteria users must comply with to use the VPN service. It is a grouping of authentication resources, including the authentication server, authentication policy, etc. This is usually set up by the network administrators.
Role (Can be configured only if Connection Type is Juniper SSL/Pulse VPN) | Specify the user role. A user role is an entity defining user session parameters (such as session settings), personalization settings (such as bookmarks) and other enabled access features. For example, a user role may define whether or not a user can perform Web browsing.
Disconnect when the connection is idle | Specify whether you want to disconnect when the VPN connection is idle. You can choose when to disconnect the VPN: Never or After interval.
Specify the idle time | The VPN connection will be automatically disconnected after the specified time of inactivity.
User Authentication | Specify the user authentication type as Password or RSA SecurID.
Machine Authentication (Can be configured only if Connection Type is IPSec (Cisco)) | Specify the password to be used for machine authentication.
Password (Can be configured only if User Authentication is Password) | Specify the password to be used for user authentication.
Identity Certificate (Can be configured only if Machine Authentication is Certificate) | Specify the identity certificate to be used for certificate-based authentication. You can also use SCEP for this.
Include User PIN (Can be configured only if Machine Authentication is Certificate) | Specify whether the User PIN must be included or not.
Group Name (Can be configured only if User Authentication is Password) | Specify the group name used to identify the group. The group name must end with [hybrid] if Hybrid Authentication is enabled.
Shared secret | Specify the pre-shared secret.
Use Hybrid Authentication (Can be configured only if Machine Authentication is Shared Secret) | Enable Hybrid Authentication, a secure alternative to the regular authentication used.
Prompt for password (Can be configured only if Machine Authentication is Shared Secret) | Enable/disable prompting the user for the password.
Encryption level (Can be configured only if Connection Type is PPTP) | Specify the encryption level to be used for the connection.
Send All Traffic | Routes all network traffic through the VPN connection.
Custom Data (Can be configured only for Connection Types that support additional configurations) | Specify the custom data to include additional configurations in the VPN connection.
Plug-in identifier (Can be configured only if Connection Type is Custom SSL) | The VPN extension identifier provided by the third-party vendor, used to identify the app and apply the VPN on the device.
Provider Bundle identifier (Can be configured only if Connection Type is Custom SSL) | The bundle identifier of the app. Whenever the same VPN extension is used by many apps, the bundle identifier of the app needs to be specified to use the VPN.
App name (Can be configured only if Connection Type is Custom SSL) | Specify the app name.

Advanced Settings (Can be configured only if Connection Type is IKEv2)
Dead Peer Detection (DPD) Rate | DPD is used to identify whether the connection between the managed device and the VPN is still established. If DPD is set to High, the time interval for verifying the connection is minuscule; if set to Medium or Low, the interval increases.
Enable Perfect Forward Secrecy (PFS) | Perfect Forward Secrecy (PFS) is a property that ensures the security of past communication even if the secret keys/passwords get compromised in the future. For example, even if someone gets access to the secret key/password right now, it cannot be used to access previous communication.
Enable Certificate Revocation Check | Verifies whether the CA has revoked the certificate provisioned for the particular device.
Disable MOBIKE | MOBIKE keeps the connection with the VPN gateway active while the device moves from one address to another. Additionally, if the host is connected to multiple networks, MOBIKE can move traffic to a different interface if, for instance, the one currently in use stops working.
Use internal IPv4 subnet | Allow/restrict usage of the internal IPv4 subnet attributes distributed by the gateway.
Disable Redirect | Allow/restrict redirection of the connection from one VPN gateway to another.

IKE SA Parameters (Can be configured only if Connection Type is IKEv2)
The Internet Key Exchange Security Association (IKE SA) is used to establish communication between the VPN and the device for the first time, authenticated by certificate, pre-shared key or user name.
Encryption Algorithm | The encryption technique used to protect the data exchanged while establishing the connection. Common encryption techniques such as DES, AES, POLY, etc. are supported.
Integrity Algorithm | The integrity technique used to protect the data exchanged while establishing the connection. Common integrity techniques such as SHA, MD5, etc. are supported.
Diffie-Hellman Group | Specify the Diffie-Hellman group to be used for key exchange.
Lifetime (in minutes) | Specify the maximum duration for which the established IKE SA remains valid.

Child SA Parameters (Can be configured only if Connection Type is IKEv2)
The Child Security Association (Child SA) is used to secure the communication occurring between the endpoints after the VPN connection has been established during the IKE SA.
Encryption Algorithm | The encryption technique used for encrypting the data being shared. Common encryption techniques such as DES, AES, POLY, etc. are supported.
Integrity Algorithm | The type of integrity algorithm to be used on the data being shared. Common integrity techniques such as SHA, MD5, etc. are supported.
Diffie-Hellman Group | Specify the Diffie-Hellman group to be used for key exchange.
Lifetime (in minutes) | Specify the maximum duration for which the connection remains active.

VPN On-Demand
The device will automatically connect to the configured VPN only if the specified URL is not accessible without the VPN.
Enable VPN On Demand | Enabling this switches the VPN on whenever VPN connectivity is required to reach the specified server/domain and the device is not in the corporate network.
Specify the Domains | Specify the list of domains for which the VPN should be enabled on demand. You can enter multiple domain names separated by commas.

Configure Proxy
Proxy settings | Configure proxy settings for the VPN.
Server URL (Can be configured only if Proxy is Automatic) | Specify the URL of the proxy PAC file.
Server (Can be configured only if Proxy is Manual) | Proxy server name.
Port (Can be configured only if Proxy is Manual) | Port number to be used.
User Name (Can be configured only if Proxy is Manual) | User name for authentication.
Password (Can be configured only if Proxy is Manual) | Specify the password to be used.
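As an added illustration (not Endpoint Central's own code), the following Python assembles the IKEv2 profile payload that the table's fields map onto, builds the VPN On-Demand rules from the comma-separated domain list, and flags the weak choices a reviewer should catch before the profile is pushed (DES/3DES, SHA-1 integrity, small Diffie-Hellman groups, PFS switched off). The payload key names and value strings follow Apple's configuration-profile format as assumed here; the placeholder identifiers and the server and domain values are constructed.

```python
# Values in the table above that a reviewer would flag before pushing the profile.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
MIN_DH_GROUP = 14

def on_demand_rules(domains_csv):
    # 'Specify the Domains' is comma-separated; connect only when a listed domain
    # is unreachable without VPN, otherwise stay disconnected (catch-all rule).
    domains = [d.strip() for d in domains_csv.split(",") if d.strip()]
    return [{"Action": "EvaluateConnection",
             "ActionParameters": [{"Domains": domains,
                                   "DomainAction": "ConnectIfNeeded"}]},
            {"Action": "Disconnect"}]

def ikev2_payload(name, server, local_id, remote_id, domains_csv,
                  enc="AES-256", integ="SHA2-256", dh=14, lifetime=1440, pfs=True):
    # Map the table's fields onto the VPN payload keys (key names are assumed).
    sa = {"EncryptionAlgorithm": enc, "IntegrityAlgorithm": integ,
          "DiffieHellmanGroup": dh, "LifeTimeInMinutes": lifetime}
    return {"PayloadType": "com.apple.vpn.managed",
            "PayloadIdentifier": "example.vpn.ikev2",               # placeholder
            "PayloadUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
            "PayloadVersion": 1, "UserDefinedName": name, "VPNType": "IKEv2",
            "OnDemandEnabled": 1, "OnDemandRules": on_demand_rules(domains_csv),
            "IKEv2": {"RemoteAddress": server, "LocalIdentifier": local_id,
                      "RemoteIdentifier": remote_id,
                      "AuthenticationMethod": "Certificate",  # no pre-shared key
                      "EnablePFS": int(pfs), "DeadPeerDetectionRate": "Medium",
                      "EnableCertificateRevocationCheck": 1,
                      "DisableMOBIKE": 0, "DisableRedirect": 0,
                      "IKESecurityAssociationParameters": dict(sa),
                      "ChildSecurityAssociationParameters": dict(sa)}}

def weak_settings(payload):
    # Return the table fields whose chosen values weaken the tunnel.
    ike, issues = payload["IKEv2"], []
    for label in ("IKESecurityAssociationParameters",
                  "ChildSecurityAssociationParameters"):
        sa = ike[label]
        if sa["EncryptionAlgorithm"] in WEAK_ENCRYPTION:
            issues.append(f"{label}: Encryption Algorithm {sa['EncryptionAlgorithm']}")
        if sa["IntegrityAlgorithm"] in WEAK_INTEGRITY:
            issues.append(f"{label}: Integrity Algorithm {sa['IntegrityAlgorithm']}")
        if sa["DiffieHellmanGroup"] < MIN_DH_GROUP:
            issues.append(f"{label}: Diffie-Hellman Group {sa['DiffieHellmanGroup']}")
    if not ike["EnablePFS"]:
        issues.append("Enable Perfect Forward Secrecy(PFS) is off")
    if not ike["EnableCertificateRevocationCheck"]:
        issues.append("Enable Certificate Revocation Check is off")
    return issues
```

The returned dictionary can be serialised with the standard plistlib module into the XML plist body of a .mobileconfig profile.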

Dynamic Variables

The dynamic variables listed below are resolved from the data provided while enrolling the device.

  • %username% - resolves to the user name mapped to the device