Skyhigh Security

Configure Microsoft Intune MDM for Android

 

Push the SMCS App to Android

Push the Skyhigh Mobile Cloud Security (SMCS) application to the Android device.

  1. Click Client apps → Apps → Add.
  2. For App type, choose Managed Google Play. Search for Mobile Cloud Security in the Android app store and select the Mobile Cloud Security application. Click Approve & Save, and then click OK. To finish the step, click Sync.

Give SMCS Access to Users

  1. Go to Client apps → Apps and select the Mobile Cloud Security Client from the list.
  2. Select Assignments → Add group, and then select the group that should have access to the MCS application.

Configure SMCS

  1. Go to Client apps → App configuration policies → Add.
  2. Select Managed devices from the drop-down that appears.
  3. Enter a valid name for the policy, set the Platform to Android Enterprise.
  4. Select the SMCS app and then click Next.
  5. From the Configuration Settings drop-down list, select Use configuration designer, and click Add. In the right pane, select all four values, and then click OK.
  6. Enter the following values for each field and then click Next.
  • Local ID: {{IMEI}}@domain.com, where domain.com is the DNS domain associated with your AzureAD tenant.
  • Remote ID: vpn.skyhigh.cloud
    The ID of the VPN Responder as provided by Skyhigh.
  • User Certificate: set_certificate_alias
  • Excluded Subnets: (Optional) Specify one or more subnets (such as 192.128.0.0/24 and 172.0.0.0/8), separated by spaces, so that traffic to these subnets is not routed through the VPN.
  • Block IPv6: Enable or disable this setting using one of the following values:
    • true: Specify this value to activate policy filtering.
    • false: Specify this value to deactivate policy filtering.
  • SMCS Gateway Address: c<customer ID>.smcs.skyhigh.cloud
    You can get this information from the certificate page.

NOTES:

  • If there are no subnets to exclude, Skyhigh recommends removing the Excluded Subnets setting instead of entering none as the value. To remove the Excluded Subnets setting, click the three dots corresponding to Excluded Subnets and select Delete.
  • Skyhigh recommends enabling the Block IPv6 setting to activate policy filtering.

  7. Click the drop-down to assign the policy to All users and all devices. Then click Next.
  8. Click Create to confirm the policy.
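
The field rules from step 6 and the NOTES can be checked before the values are entered in the configuration designer. The following is an added example, not Skyhigh or Intune code: the dictionary keyed by the designer's field labels, the function names, and the /16 review threshold are assumptions of this example.

```python
import ipaddress

# Keys are the field labels shown in the configuration designer; this dict
# layout is an assumption of the example, not an Intune export format.
REMOTE_ID = "vpn.skyhigh.cloud"
GATEWAY_SUFFIX = ".smcs.skyhigh.cloud"
MIN_PREFIX = 16  # assumed review threshold: wider excludes bypass more traffic


def check_excluded_subnets(value):
    """Return findings for a space-separated Excluded Subnets value."""
    findings = []
    for token in value.split():
        if token.lower() == "none":
            findings.append("'none' entered: delete the Excluded Subnets setting instead")
        elif "," in token or ";" in token:
            findings.append(f"{token}: separate subnets with spaces only")
        else:
            try:
                net = ipaddress.ip_network(token, strict=True)
            except ValueError as exc:
                findings.append(f"{token}: not a valid subnet ({exc})")
                continue
            if net.prefixlen < MIN_PREFIX:
                findings.append(f"{token}: /{net.prefixlen} is broad; this traffic skips the VPN")
    return findings


def lint_policy(cfg):
    """Check the step 6 values and return human-readable findings."""
    findings = []
    local_id = cfg.get("Local ID", "")
    if not local_id.startswith("{{IMEI}}@") or local_id.endswith("@domain.com"):
        findings.append("Local ID: expected {{IMEI}}@<your tenant DNS domain>")
    if cfg.get("Remote ID") != REMOTE_ID:
        findings.append(f"Remote ID: expected {REMOTE_ID}")
    gateway = cfg.get("SMCS Gateway Address", "")
    customer = gateway[1:-len(GATEWAY_SUFFIX)]
    if not (gateway.startswith("c") and gateway.endswith(GATEWAY_SUFFIX) and customer) or "<" in customer:
        findings.append("SMCS Gateway Address: expected c<customer ID>" + GATEWAY_SUFFIX)
    block_v6 = cfg.get("Block IPv6")
    if block_v6 not in ("true", "false"):
        findings.append("Block IPv6: must be true or false")
    elif block_v6 == "false":
        findings.append("Block IPv6: false deactivates policy filtering")
    if "Excluded Subnets" in cfg:
        findings += check_excluded_subnets(cfg["Excluded Subnets"])
    return findings
```

An empty list means the values follow the rules above; a broad-prefix finding is a prompt to confirm that the excluded range is meant to bypass the VPN.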

Configure Always-On VPN Connection via Intune for Android

You can configure an Always-On VPN connection for Android devices using Microsoft Intune to encrypt all traffic and route it through the VPN, even when the device is not connected to your organization's network. Follow these steps to configure an Always-On VPN connection for Android devices via Intune:

  1. Create an Always-On VPN Profile
  2. Configure VPN Profile Settings
  3. Assign the VPN Profile

NOTE: Before you configure an Always-On VPN connection, make sure that you set up and enroll your device as a dedicated device, fully managed device, or corporate-owned work profile device in Intune.

 

Create an Always-On VPN Profile

You must first create an Always-On VPN profile in Intune to configure an Always-On VPN connection for Android devices.

To create an Always-On VPN profile:

  1. Log in to the Intune MDM admin portal. 
  2. In the Intune admin portal, go to Devices > Android > Configuration profiles.
  3. Under Policies, click Create and select New Policy.
  4. On the Create a profile panel, configure the following:
    • Platform. Select Android Enterprise as the platform for the profile. 
    • Profile type. Select Device restrictions as the profile type.
  5. Click Create.

Configure VPN Profile Settings

You can now configure the settings of the newly created Always-On VPN profile.

To configure the VPN profile settings:

  1. In Basics, configure the following setting:
    1. Name. Enter a descriptive name for the VPN profile.
  2. Click Next.
  3. In Configuration settings > Connectivity, configure the following VPN settings:
    1. For Fully managed, dedicated, and corporate-owned work profile devices:
      1. Always-on VPN (work profile-level). Select Enable to activate the Always-on VPN connection for your SMCS app.
      2. VPN client. Select Custom as the VPN client. 
      3. Package ID. Enter com.skyhigh.mcs as the package ID of your SMCS app.
  4. Click Next.

Assign the VPN Profile

After configuring the settings of the newly created Always-On VPN profile, you can assign the VPN profile to users in your organization.

To assign the VPN profile:

  1. In Assignments, configure the following setting:
    1. Add groups. Click Add groups to assign the device restriction profile to Azure AD groups.
      1. Select groups to include. Select the Azure AD groups from the list. These groups must include the Android devices where you want to enable the Always-On VPN connection.
  2. Click Select.
  3. In Review + create, review the configured settings of the VPN profile.

NOTE: Make sure that Always-on VPN (work profile-level) is enabled under the Configuration settings.

  4. Click Create.

Once the VPN profile is created and assigned, the Always-On VPN connection is deployed and enabled on Android devices for users in the assigned groups.
