Always on VPN - Deploy the VPN Profile in client Devices with Intune

All the previous articles on Always On VPN covered users and devices connected to your local network. Today many users work on BYOD devices that they use to connect to the company.

Microsoft Intune is a great tool for managing these devices: it can deploy VPN profiles to client devices and give users a secure way to connect to your company.

 

Before creating the Configuration Profile for the VPN in Intune, we must create a VPN profile on a PC and test that it can connect to our VPN server.

On the PC where you created the VPN profile, open PowerShell as Administrator and run the following commands, which extract the EAP configuration to an XML file.

# Step 1 - Export the EAP Configuration in an XML File

  • Run Get-VpnConnection to identify the VPN name

Get-VpnConnection

  • Store the VPN connection in a variable with the following command
    $Vpn = Get-VpnConnection -Name "<VPN connection name>"

  • Use the following command to extract the EAP configuration to an XML file
    $Vpn.EapConfigXmlStream.InnerXml | Out-File .\eapconfig.xml -Encoding ASCII
  • The file should be like this
  • Keep it, because you will need it when you create the Configuration Profile in Intune
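
Before pasting the exported XML into Intune, it is worth confirming that the file is well-formed and seeing what server validation it carries, because the same settings will be pushed to every assigned device. The PowerShell check below is an added example, not part of the original article: the function name Test-EapConfigXml and the embedded sample XML are constructed for illustration, and the element names it looks for (EapHostConfig, ServerValidation, ServerNames, TrustedRootCA) are assumed to follow Microsoft's EAP configuration schema for PEAP and EAP-TLS.

```powershell
# Added example (not from the original article): sanity-check the exported EAP XML.
# Assumes the PEAP/EAP-TLS element names ServerValidation, ServerNames, TrustedRootCA.
function Test-EapConfigXml {
    param([Parameter(Mandatory)][string]$XmlText)

    # Casting to [xml] throws on malformed input, e.g. a truncated copy/paste.
    try { $doc = [xml]$XmlText }
    catch { throw "Not well-formed XML: $($_.Exception.Message)" }

    $root = $doc.DocumentElement.LocalName
    if ($root -ne 'EapHostConfig') { throw "Root is '$root', expected 'EapHostConfig'." }

    # local-name() sidesteps the different namespaces used inside the config.
    $types = @($doc.SelectNodes("//*[local-name()='EapMethod']/*[local-name()='Type']") |
               ForEach-Object { $_.InnerText })
    $warnings = @()
    $validation = @($doc.SelectNodes("//*[local-name()='ServerValidation']"))
    if ($validation.Count -eq 0) { $warnings += 'No ServerValidation element found.' }
    foreach ($sv in $validation) {
        $names = $sv.SelectSingleNode("*[local-name()='ServerNames']")
        if ($null -eq $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) {
            $warnings += 'ServerNames is empty: accepted server names are not restricted.'
        }
        if ($sv.SelectNodes("*[local-name()='TrustedRootCA']").Count -eq 0) {
            $warnings += 'No TrustedRootCA listed: no root CA is pinned.'
        }
    }
    [pscustomobject]@{ EapTypes = $types -join ','; Warnings = $warnings }
}

# Constructed sample (not a real profile); used only if .\eapconfig.xml is absent.
$sample = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
  <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>25</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
      <ServerValidation>
        <ServerNames></ServerNames>
      </ServerValidation>
    </EapType>
  </Eap></Config>
</EapHostConfig>
'@
$text = if (Test-Path .\eapconfig.xml) { Get-Content .\eapconfig.xml -Raw } else { $sample }
Test-EapConfigXml -XmlText $text | Format-List
```

Run against the constructed sample, the check reports EAP type 25 and both warnings; an export that lists server names and at least one trusted root CA returns an empty Warnings list.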

 

 

# Step 2 - Create the Configuration Profile in the Intune

We have the EAP configuration in XML format. Let's create the Configuration Profile for the VPN.

  • Open the M365 Tenant
  • Click Admin

 

  • From the Admin Center, click Endpoint Manager

 

  • From the left side, click Devices

 

  • Scroll down and find Configuration Profiles

 

  • Click Create Profile

 

  • In Platform, select Windows 10 and later
  • In Profile Type, select Templates

 

  • Scroll down to find VPN and select it

 

  • Click Create
  • Type a name of your choice. Click Next

 

  • Expand Base VPN
  • Type the Connection Name that you want the VPN profile to have
  • Fill in the VPN server address with the FQDN. My VPN server address is rdg.askme4tech.com
  • If it's the only VPN server, change Default Server to True.

 

  • In Connection Type, select IKEv2
  • Set Always On VPN and Remember credentials at each logon as you prefer
  • In Authentication Method, select EAP.
  • In the text box, copy/paste the XML content from the file that was extracted at the beginning.

 

 

# Step 2 - Define Additional Settings for the VPN Profile

The above are the required settings to create the VPN profile.

But there are some additional settings that you can use. I will not dig into details, but you can explore and use them. These are:

  • Apps and Traffic Rule
  • Conditional Settings - To add another level of security
  • DNS Settings
  • Proxy - Only if you know that clients use a specific proxy to connect to the Internet and it must be configured behind the VPN profile
  • Split Tunneling - Enable it if you need certain web traffic to use the VPN tunnel
  • Trusted Network Detection

Make any configuration you need and click Next

 

 

 

# Step 3 - Assign the VPN Profile

 

  • Click Add Groups
  • Select the group with the users to whom you want to apply the VPN profile.

 

  • Click Next. For now we don't need to apply any Application Rule. Click Next

 

  • Click Create

 

That's it.

From now on, a VPN profile will be created for the members of the group that has been assigned.

It's not very difficult to configure.

Have a nice weekend
