Skyhigh Security

Configure Microsoft InTune for iOS

This document describes the configuration flow for pushing a VPN profile to a mobile device from Intune MDM (Mobile Device Management).
Assumption: the device is already managed by Intune.

Create a Custom VPN Profile

  1. Log in to the Intune MDM account at https://devicemanagement.microsoft.com/
  2. Once logged in, click Device Configuration.
  3. In Device Configuration, click Profiles to create the new VPN profile.
  4. Click Create Profile in the Profiles section and complete the required fields. See "Create a VPN Profile using Apple Configurator" below for how to create the Apple Configurator VPN profile.
  5. Once Profile Type is set to Custom, a window opens for uploading the Apple Configurator profile file.
     Provide the custom configuration profile name and upload the Apple Configurator (.mobileconfig) file [see step 4 for how to create the Apple Configurator VPN profile].


When you use Apple Configurator to create a .mobileconfig file, it adds the following key/value pair, which causes the certificate installation to fail. Delete this dictionary from the file so that the certificate installs correctly.

<key>DNS</key>
<dict>
<key>SupplementalMatchDomainsNoSearch</key>
<integer>0</integer>
</dict>


  6. Check the file content shown in the upload window, then click OK.
  7. Click Create to save the profile.

Assign the Profile to a Managed Device

  1. In the saved profile page, click Assignments.
  2. From the Assign to drop-down list, select the specific groups to distribute the profile to.
  3. Click Save. In the profile, click Device status in the Monitor section, then click the device to which the profile was pushed.
  4. Once the device page opens, click Sync to trigger the profile distribution immediately.
  5. In the profile, the device's deployment status is now Succeeded.

Inside the Device after Publishing the Profile

  1. On the device, go to Settings > General > Profiles & Device Management > <MDM Profile> > More Details > VPN SETTINGS; the distributed profile is visible there.
  2. Go to Settings > VPN and tick the profile pushed from Intune. Then click Status to enable the VPN connection.

Create a VPN Profile using Apple Configurator

  1. Install the Apple Configurator 2 application on a Mac and click New Profile.
  2. Enter a specific name in the General > Name field.
  3. Click Certificates and upload the device certificate.
  4. Click VPN and configure it with the required fields. Refer to the VPN Profile Info table below for the values of the VPN profile fields.
     Save the file. It is saved with the .mobileconfig extension.

VPN Profile Info

Field                                   | Value
----------------------------------------|-----------------------------------------------------------
Connection Name                         | IOSTestProfile
Connection Type                         | IKEv2
Server                                  | c<customer ID>.smcs.skyhigh.cloud (see note below)
Remote Identifier                       | vpn.skyhigh.cloud (the SAN, Subject Alternative Name, of the server certificate)
Local Identifier                        | XXXXX (the SAN, Subject Alternative Name, of the client certificate)
Machine Authentication                  | Certificate
Certificate Type                        | RSA
Server Certificate Issuer Common Name   | XXXX [OPTIONAL] (the CN, Common Name, of the server root certificate)
Server Certificate Common Name          | vpn.skyhigh.cloud (the CN, Common Name, of the server certificate)
Enable EAP                              | True
Disconnect on Idle                      | Never
EAP Authentication                      | Certificate
Identity Certificate                    | Select the identity certificate
Dead Peer Detection Rate                | Medium
Enable Perfect Forward Secrecy (PFS)    | True
IKE SA Params and Child SA Params       | Encryption Algorithm: AES-256; Integrity Algorithm: SHA2-256; Diffie-Hellman Group: 14 or 15; Lifetime In Minutes: 1440
Proxy Setup                             | None

Note on the Server value: the VPN gateway address is c<customer ID>.smcs.skyhigh.cloud. You can get this information from the certificate page; it is required to configure an SMCS app in the MDM of your choice.
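The following Python script is an added example and is not part of this Skyhigh document, of Apple Configurator, or of Intune. It loads a .mobileconfig with the standard library's plistlib, deletes the DNS dictionary described earlier (the one carrying only SupplementalMatchDomainsNoSearch) from each VPN payload, and then checks the IKE SA and Child SA parameters and the PFS flag against the values in the VPN Profile Info table. The embedded sample profile is constructed for this example (its Child SA encryption algorithm is deliberately wrong so the check finds something); the payload key names (com.apple.vpn.managed, IKEv2, EnablePFS, IKESecurityAssociationParameters, ChildSecurityAssociationParameters) are assumed from Apple's Configuration Profile Reference, and cEXAMPLE.smcs.skyhigh.cloud is a placeholder gateway address.

```python
"""Added example (not Skyhigh's or Apple's code): strip the DNS dictionary that
Apple Configurator adds to a VPN payload and check the IKE/Child SA parameters
against the VPN Profile Info table. Key names assumed from Apple's profile reference."""
import plistlib

# Constructed sample .mobileconfig with one IKEv2 payload that still carries the
# DNS dictionary the page says breaks certificate installation.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>IOSTestProfile</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>DNS</key>
      <dict><key>SupplementalMatchDomainsNoSearch</key><integer>0</integer></dict>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>cEXAMPLE.smcs.skyhigh.cloud</string>
        <key>RemoteIdentifier</key><string>vpn.skyhigh.cloud</string>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>EnablePFS</key><integer>1</integer>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-256</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>14</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
        <key>ChildSecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key><string>AES-128</string>
          <key>IntegrityAlgorithm</key><string>SHA2-256</string>
          <key>DiffieHellmanGroup</key><integer>14</integer>
          <key>LifeTimeInMinutes</key><integer>1440</integer>
        </dict>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

# Allowed IKE SA / Child SA values, taken from the VPN Profile Info table.
EXPECTED_SA = {
    "EncryptionAlgorithm": {"AES-256"},
    "IntegrityAlgorithm": {"SHA2-256"},
    "DiffieHellmanGroup": {14, 15},
    "LifeTimeInMinutes": {1440},
}


def vpn_payloads(profile):
    """Yield every VPN payload dictionary inside a loaded .mobileconfig."""
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed":
            yield payload


def strip_dns_key(profile_bytes):
    """Delete the DNS dict that carries only SupplementalMatchDomainsNoSearch.
    Returns (cleaned profile bytes, number of dicts removed)."""
    profile = plistlib.loads(profile_bytes)
    removed = 0
    for payload in vpn_payloads(profile):
        dns = payload.get("DNS")
        if isinstance(dns, dict) and set(dns) == {"SupplementalMatchDomainsNoSearch"}:
            del payload["DNS"]
            removed += 1
    return plistlib.dumps(profile), removed


def check_sa_params(profile_bytes):
    """Compare IKE and Child SA parameters and the PFS flag with the table.
    Returns a list of findings; an empty list means the profile matches."""
    findings = []
    for payload in vpn_payloads(plistlib.loads(profile_bytes)):
        ike = payload.get("IKEv2", {})
        if not ike.get("EnablePFS"):
            findings.append("EnablePFS is not set")
        for section in ("IKESecurityAssociationParameters",
                        "ChildSecurityAssociationParameters"):
            params = ike.get(section, {})
            for name, allowed in EXPECTED_SA.items():
                if params.get(name) not in allowed:
                    findings.append(f"{section}.{name}={params.get(name)!r}, "
                                    f"expected one of {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    cleaned, count = strip_dns_key(SAMPLE_MOBILECONFIG)
    print(f"removed {count} DNS dictionary(ies)")
    for finding in check_sa_params(cleaned):
        print("finding:", finding)
```

To use it on a real exported profile, replace SAMPLE_MOBILECONFIG with the bytes of the .mobileconfig file; a non-empty findings list means the profile deviates from the table and should be corrected in Apple Configurator before it is uploaded to Intune.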

Configure Always-On VPN Connection via Intune for iOS

You can configure an Always-On VPN connection for iOS devices using Microsoft Intune to encrypt all traffic and route it through the VPN, even when the device is not connected to your organization's network. Follow these steps to configure an Always-On VPN connection for iOS devices via Intune:

  1. Create an Always-On VPN Profile
  2. Configure VPN Profile Settings
  3. Assign the VPN Profile

Create an Always-On VPN Profile

You must first create an Always-On VPN profile in Intune to configure an Always-On VPN connection for iOS devices.

To create an Always-On VPN profile:

  1. Log in to the Intune MDM admin portal. 
  2. In the Intune admin portal, go to Devices > Configuration profiles.
  3. Under Policies, click Create and select New Policy.
  4. On the Create a profile panel, configure the following:
    1. Platform. Select iOS/iPadOS as the platform for the profile. 
    2. Profile type. Select Templates as the profile type.
      1. Template name. Select VPN as the template.
  5. Click Create.

Configure VPN Profile Settings

You can now configure the settings of the newly created Always-On VPN profile.

To configure the VPN profile settings:

  1. In Basics, configure the following setting:
    1. Name. Enter a descriptive name for the VPN profile.
  2. Click Next.
  3. In Configuration settings, configure the following VPN settings:
    1. Connection type. Select IKEv2 as the VPN connection type.
    2. Base VPN. Click Base VPN to configure the following settings: 
      1. Connection name. Enter a descriptive name for the VPN profile, which appears on the user's devices.
      2. VPN server address. Enter the address for the VPN server in the format: c<UserID>.smcs.skyhigh.cloud.
    3. IKEv2 settings. Click IKEv2 settings to configure the following settings:
      1. Always-on VPN. Select Enable to activate the Always-on VPN connection for your SMCS app.
      2. Network interface. Select Wi-Fi and Cellular as the network interface.
      3. Remote identifier. Enter vpn.skyhigh.cloud as the remote identifier.
      4. Local identifier. Select Subject common name as the local identifier.
      5. Client Authentication. Under Client Authentication, configure the following settings to authenticate the SMCS app: 
        • Client Authentication type. Select Machine authentication as the client authentication type.
        • Authentication method. Select Certificates as the authentication method.
        • Authentication certificate. Click + Select a certificate to select the required certificate, and click OK.

    4. Automate VPN. Select the required setting to automatically reconnect the VPN during network loss.
    5. Proxy. Configure proxy settings if required.
  4. Click Next.

NOTE: You can configure additional settings for the VPN profile, such as split tunneling, DNS, and more, based on your organization's requirements.

Assign the VPN Profile

After configuring the settings of the newly created Always-On VPN profile, you can assign the VPN profile to users in your organization.

To assign the VPN profile:

  1. In Assignments, configure the following setting:
    1. Add groups. Click Add groups to assign the VPN profile to Azure AD groups.
      1. Select groups to include. Select the Azure AD groups from the list, and click Select.
        These groups must include the iOS devices where you want to enable the Always-On VPN connection.
  2. Click Next.
  3. In Review + create, review the configured settings of the VPN profile.
     NOTE: Make sure that Always-on VPN is enabled under Configuration settings.
  4. Click Create.

Once the VPN profile is created and assigned, the Always-On VPN connection is deployed and enabled on iOS devices for users in the assigned groups.

NOTE: After enabling an Always-On VPN connection for iOS devices via Intune, users can monitor the status of the Always-On VPN connection on their iOS devices. For details, see Monitor Always-On VPN Connection on iOS Devices.

 

Monitor Always-On VPN Connection on iOS Devices

After deployment, the Always-On VPN profile installs automatically on designated iOS devices. Users can monitor the status of the Always-On VPN connection on their iOS devices.

To monitor an Always-On VPN connection:

  1. On your iOS device, go to Settings > General > VPN & Device Management > VPN.
  2. You can now monitor the status of the Always-On VPN connection, which should be displayed as enabled.