Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure Microsoft Intune MDM for Android


Push the SMCS App to Android

Push the Skyhigh Mobile Cloud Security (SMCS) application to the Android device.

  1. Click on Client apps AppsAdd
  2. App type → Choose Managed Google Play → Search with Mobile Cloud Security in android app store → Select the Mobile Cloud Security application. Approve &  Save and click OK → to finish the step click Sync.

Give SMCS Access to Users

  1. Client appsApps → select the Mobile Cloud Security Client from the list.
  2. Select Assignments → Add group → select the group to give access of the MCS application.

Configure SMCS

  1. Client appsApp configuration policiesAdd.
  2. Select Managed devices from the drop-down that appears.
  3. Enter a valid name for the policy, set the Platform to Android Enterprise.
  4. Select the SMCS app and then click Next.
  5. From the Configuration Settings drop-down list, select Use configuration designer, and click Add. In the right pane, select all four values, and then click OK.
  6. Enter the following values for each field and then click Next.
  • Local ID: {{IMEI}} where is the DNS domain associated with your AzureAD tenant.
  • Remote ID:
    The ID of the VPN Responder as provided by Skyhigh.
  • User Certificate: set_certificate_alias
  • Excluded Subnets: Configure single or multiple subnets (such as using space separators) so that the traffic to these subnets will not be routed via VPN.
  • SMCS Gateway Address: c<customer ID>
    You can get this information from the certificate page.
  1. Click the drop-down to assign the policy to All users and all devices. Then click Next.
  2. Click Create to confirm the policy.

Configure Always-On VPN Connection via Intune for Android

You can configure an Always-On VPN connection for Android devices using Microsoft Intune to encrypt all traffic and route it through the VPN, even when the device is not connected to your organization's network. Follow these steps to configure an Always-On VPN connection for Android devices via Intune:

  1. Create an Always-On VPN Profile
  2. Configure VPN Profile Settings
  3. Assign the VPN Profile

NOTE: Before you configure an Always-On VPN connection, make sure that you set up and enroll your device as a dedicated device, fully managed device, or corporate-owned work profile device in Intune.


Create an Always On-VPN Profile

You must first create an Always On-VPN Profile in Intune to configure an Always-On VPN connection for Android devices.

To create an Always On-VPN Profile:

  1. Log in to the Intune MDM admin portal. 
  2. In the Intune admin portal, go to Devices > Android > Configuration profiles.
  3. Under Policies, click Create and select New Policy
  4. On the Create a profile panel, configure the following:
    • Platform. Select Android Enterprise as the platform for the profile. 
    • Profile type. Select Device restrictions as the profile type.
  5. Click Create.

Configure VPN Profile Settings

You can now configure the settings of the newly created Always On-VPN profile.

To configure the VPN profile settings:

  1. In Basics, configure the following setting:
    1. Name. Enter a descriptive name for the VPN profile.
  2. Click Next.
  3. In Configuration settings > Connectivity, configure the following VPN settings:
    1. For Fully managed, dedicated, and corporate-owned work profile devices:
      1. Always-on VPN (work profile-level). Select Enable to activate the Always-on VPN connection for your SMCS app.
      2. VPN client. Select Custom as the VPN client. 
      3. Package ID. Enter com.skyhigh.mcs as the package ID of your SMCS app.
  4. Click Next.

Assign the VPN Profile

After configuring the settings of the newly created Always On-VPN profile, you can assign the VPN profile to users in your organization. 

To assign the VPN profile:

  1. In Assignments, configure the following setting:
    1. Add groups. Click Add groups to assign the device restriction profile to Azure AD groups.
      1.  Select groups to include. Select the Azure AD groups from the list. These groups must include the Android devices where you want to enable the Always-On VPN connection.
  2. Click Select.
  3. In Review + create, review the configured settings of the VPN profile.

NOTE: Make sure that Always-on VPN (work profile-level) is enabled under the Configuration settings

  1. Click Create.

Once the VPN profile is created and assigned, the Always-On VPN connection is deployed and enabled on Android devices for users in the assigned groups.

  • Was this article helpful?