Configure Microsoft Intune MDM for Android
- To enroll Android devices, refer https://docs.microsoft.com/en-us/int...r-work-devices
- For Android dedicated devices, refer https://github.com/MicrosoftDocs/Int...es-fully-manag...
Push the SMCS App to Android
Push the Skyhigh Mobile Cloud Security (SMCS) application to the Android device.
- Click on Client apps → Apps → Add
- App type → Choose Managed Google Play → Search for Mobile Cloud Security in the Managed Google Play store → Select the Mobile Cloud Security application. Click Approve, then Save and OK. To finish the step, click Sync.
Give SMCS Access to Users
- Client apps → Apps → select the Mobile Cloud Security Client from the list.
- Select Assignments → Add group → select the group that should be given access to the MCS application.
Configure SMCS
- Client apps → App configuration policies → Add.
- Select Managed devices from the drop-down that appears.
- Enter a valid name for the policy, set the Platform to Android Enterprise.
- Select the SMCS app and then click Next.
- From the Configuration Settings drop-down list, select Use configuration designer, and click Add. In the right pane, select all of the configuration keys, and then click OK.
- Enter the following values for each field and then click Next.
- Local ID: {{IMEI}}@domain.com, where domain.com is the DNS domain associated with your Azure AD tenant. Intune replaces the {{IMEI}} token with the enrolled device's IMEI.
- Remote ID: vpn.skyhigh.cloud
The ID of the VPN responder, as provided by Skyhigh.
- User Certificate: set_certificate_alias
- Excluded Subnets: (Optional) Specify one or more subnets in CIDR form (such as 192.128.0.0/24 and 172.0.0.0/8), separated by spaces, so that traffic to these subnets is not routed through the VPN. Traffic to excluded subnets bypasses SMCS policy filtering, so exclude only what is necessary.
- Block IPv6: Enable or disable this setting using one of the following values:
- true: Block IPv6 traffic on the device. This activates policy filtering for all traffic, because IPv6 traffic cannot bypass the VPN.
- false: Do not block IPv6 traffic. This deactivates policy filtering, because IPv6 traffic can bypass the VPN.
NOTES:
- If there are no subnets to exclude, Skyhigh recommends removing the Excluded Subnets setting instead of entering none as the value. To remove the Excluded Subnets setting, click the three dots corresponding to Excluded Subnets and select Delete.
- Skyhigh recommends enabling the Block IPv6 setting to activate policy filtering.
- SMCS Gateway Address: c<customer ID>.smcs.skyhigh.cloud
You can get this information from the certificate page.
- Click the drop-down to assign the policy to All users and all devices. Then click Next.
- Click Create to confirm the policy.
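The configuration-designer values above are easy to mistype (a comma instead of a space between subnets, the literal value none, a host address instead of a network, Block IPv6 in the wrong case), and the policy editor does not validate them for you. The following pre-flight checker is an added example, not part of the Skyhigh or Microsoft documentation. It takes the field names from the procedure above and reports errors and warnings before the values are entered into Intune. The tenant domain contoso.com, the customer ID 12345, the certificate alias smcs-user-cert, and the assumption that a customer ID contains only letters, digits and hyphens are all illustrative assumptions, not values from the page.

```python
"""Pre-flight validation of SMCS app configuration values for Intune.

Added example, not part of the Skyhigh or Microsoft documentation. The keys
mirror the configuration-designer fields in the procedure above.
Assumptions (not from the page): the customer ID in the gateway address has
only letters, digits and hyphens; the certificate alias is any non-empty string.
"""
import ipaddress
import re

EXPECTED_REMOTE_ID = "vpn.skyhigh.cloud"
# Assumed shape of c<customer ID>.smcs.skyhigh.cloud
GATEWAY_RE = re.compile(r"^c[A-Za-z0-9-]+\.smcs\.skyhigh\.cloud$")


def parse_excluded_subnets(value):
    """Split the space-separated Excluded Subnets value into ip_network objects.

    Raises ValueError for the literal 'none' (the setting should be deleted,
    not set to none), for comma separators, and for anything that is not a
    valid network in CIDR form (host bits set, bad prefix length, and so on).
    """
    if value.strip().lower() == "none":
        raise ValueError("Excluded Subnets is 'none': delete the setting instead")
    if "," in value:
        raise ValueError("Excluded Subnets must be space-separated, not comma-separated")
    return [ipaddress.ip_network(token, strict=True) for token in value.split()]


def check_smcs_config(config, tenant_domain):
    """Return {'errors': [...], 'warnings': [...]} for a configuration-designer dict.

    config maps the designer field names to the string values that will be
    entered; tenant_domain is the DNS domain of the Azure AD tenant.
    """
    errors, warnings = [], []

    expected_local = "{{IMEI}}@" + tenant_domain
    if config.get("Local ID") != expected_local:
        errors.append(f"Local ID must be {expected_local}")

    if config.get("Remote ID") != EXPECTED_REMOTE_ID:
        errors.append(f"Remote ID must be {EXPECTED_REMOTE_ID}")

    if not config.get("User Certificate", "").strip():
        errors.append("User Certificate alias is empty")

    block_ipv6 = config.get("Block IPv6")
    if block_ipv6 not in ("true", "false"):
        errors.append("Block IPv6 must be exactly 'true' or 'false'")
    elif block_ipv6 == "false":
        warnings.append("Block IPv6 is false: IPv6 traffic can bypass the VPN and its policy filtering")

    if "Excluded Subnets" in config:
        try:
            nets = parse_excluded_subnets(config["Excluded Subnets"])
        except ValueError as exc:
            errors.append(str(exc))
        else:
            for net in nets:
                if not net.is_private:
                    warnings.append(f"{net} is a public range; traffic to it will not be inspected by SMCS")
                if net.version == 6 and block_ipv6 == "true":
                    warnings.append(f"{net} is IPv6 but Block IPv6 is true; the exclusion is redundant")

    gateway = config.get("SMCS Gateway Address", "")
    if not GATEWAY_RE.match(gateway):
        errors.append("SMCS Gateway Address should look like c<customer ID>.smcs.skyhigh.cloud")

    return {"errors": errors, "warnings": warnings}


# Constructed sample: the values from the procedure above, with an assumed
# tenant domain (contoso.com), customer ID (12345) and certificate alias.
SAMPLE_CONFIG = {
    "Local ID": "{{IMEI}}@contoso.com",
    "Remote ID": "vpn.skyhigh.cloud",
    "User Certificate": "smcs-user-cert",
    "Excluded Subnets": "192.128.0.0/24 172.0.0.0/8",
    "Block IPv6": "true",
    "SMCS Gateway Address": "c12345.smcs.skyhigh.cloud",
}

if __name__ == "__main__":
    result = check_smcs_config(SAMPLE_CONFIG, "contoso.com")
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run against the sample, the checker reports no errors but two warnings: both example subnets from the procedure are public ranges, so traffic to them would leave the device uninspected. Treat any warning as a prompt to confirm the exclusion is intentional.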
Configure Always-On VPN Connection via Intune for Android
You can configure an Always-On VPN connection for Android devices using Microsoft Intune to encrypt all traffic and route it through the VPN, even when the device is not connected to your organization's network. Follow these steps to configure an Always-On VPN connection for Android devices via Intune:
NOTE: Before you configure an Always-On VPN connection, make sure that you set up and enroll your device as a dedicated device, fully managed device, or corporate-owned work profile device in Intune.
Create an Always-On VPN Profile
You must first create an Always-On VPN profile in Intune to configure an Always-On VPN connection for Android devices.
To create an Always-On VPN profile:
- Log in to the Intune MDM admin portal.
- In the Intune admin portal, go to Devices > Android > Configuration profiles.
- Under Policies, click Create and select New Policy.
- On the Create a profile panel, configure the following:
- Platform. Select Android Enterprise as the platform for the profile.
- Profile type. Select Device restrictions as the profile type.
- Click Create.
Configure VPN Profile Settings
You can now configure the settings of the newly created Always-On VPN profile.
To configure the VPN profile settings:
- In Basics, configure the following setting:
- Name. Enter a descriptive name for the VPN profile.
- Click Next.
- In Configuration settings > Connectivity, configure the following VPN settings:
- For fully managed, dedicated, and corporate-owned work profile devices:
- Always-on VPN (work profile-level). Select Enable to activate the Always-on VPN connection for the SMCS app.
- VPN client. Select Custom as the VPN client.
- Package ID. Enter com.skyhigh.mcs as the package ID of the SMCS app. This must match the SMCS app that was pushed from Managed Google Play, because Android binds Always-on VPN to the package name. If traffic must be blocked whenever the tunnel is down, also enable Lockdown mode under the same Always-on VPN settings.
- Click Next.
Assign the VPN Profile
After configuring the settings of the newly created Always-On VPN profile, you can assign the VPN profile to users in your organization.
To assign the VPN profile:
- In Assignments, configure the following setting:
- Add groups. Click Add groups to assign the device restriction profile to Azure AD groups.
- Select groups to include. Select the Azure AD groups from the list. These groups must include the Android devices on which you want to enable the Always-On VPN connection.
- Click Select.
- In Review + create, review the configured settings of the VPN profile.
NOTE: Make sure that Always-on VPN (work profile-level) is enabled under the Configuration settings.
- Click Create.
Once the VPN profile is created and assigned, the Always-On VPN connection is deployed and enabled on Android devices for users in the assigned groups.