All the previous articles on Always On VPN covered users and devices connected to your local network. Today many users work from BYOD devices that connect to the company.
MS Intune is a great tool for managing these devices: it can deploy VPN profiles to the client devices and give users the option to connect securely to your company.
Before creating the Configuration Profile for the VPN in Intune, we must create a VPN profile on a PC and test that it can connect to our VPN server.
On the PC where you created the VPN profile, open PowerShell as Administrator and run the following commands, which extract the EAP configuration to an XML file.
# Step 1 - Export the EAP Configuration in an XML File
- Run Get-VpnConnection to identify the VPN name
- Store the VPN connection in a variable with the following command
$Vpn = Get-VpnConnection -Name [VPN connection name]
- Use the following command to extract the EAP configuration to an XML file
$Vpn.EapConfigXmlStream.InnerXml | Out-File .\eapconfig.xml -Encoding ASCII
- The file should look like this
- Keep it, because you will need it when creating the Configuration Profile in Intune
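Before pasting the XML into Intune, it helps to confirm what the exported file actually contains. The following is an added example, not part of the original article: a PowerShell function that reports the EAP methods and the server validation settings (ServerNames, TrustedRootCA) found in the file. The function name Test-EapConfig and the sample XML are assumptions made for illustration.

```powershell
# Added example (not from the original article): review an exported EAP
# configuration before pasting it into the Intune profile.
function Test-EapConfig {
    param([Parameter(Mandatory)][xml]$EapXml)

    # IANA EAP method numbers: 13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2
    $names = @{ '13' = 'EAP-TLS'; '25' = 'PEAP'; '26' = 'EAP-MSCHAPv2' }

    # local-name() keeps the XPath independent of the namespaces used in the file
    $methods = $EapXml.SelectNodes("//*[local-name()='Type']") |
        ForEach-Object { $t = $_.InnerText.Trim(); if ($names[$t]) { $names[$t] } else { "type $t" } } |
        Select-Object -Unique
    $sv = "//*[local-name()='ServerValidation']"
    $serverNames = @($EapXml.SelectNodes("$sv/*[local-name()='ServerNames']") |
        ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })
    $rootCAs = @($EapXml.SelectNodes("$sv/*[local-name()='TrustedRootCA']") |
        ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })

    $warnings = @()
    if ($serverNames.Count -eq 0) { $warnings += 'ServerNames is empty: the profile does not restrict the accepted server names' }
    if ($rootCAs.Count -eq 0)     { $warnings += 'No TrustedRootCA: the profile does not pin an issuing root CA' }

    [pscustomobject]@{
        Methods     = $methods -join ', '
        ServerNames = $serverNames -join '; '
        RootCACount = $rootCAs.Count
        Warnings    = $warnings
    }
}

# Constructed sample (trimmed; the thumbprint is a placeholder, not a real CA)
$sample = @'
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">13</Type></EapMethod>
  <Config><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
    <Type>13</Type>
    <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
      <ServerValidation>
        <ServerNames></ServerNames>
        <TrustedRootCA>aa bb cc dd </TrustedRootCA>
      </ServerValidation>
    </EapType>
  </Eap></Config>
</EapHostConfig>
'@
Test-EapConfig -EapXml $sample | Format-List
# For the file exported in Step 1:
# Test-EapConfig -EapXml (Get-Content .\eapconfig.xml -Raw) | Format-List
```

On the constructed sample this reports EAP-TLS with one root CA entry and a warning that ServerNames is empty.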
# Step 2 - Create the Configuration Profile in the Intune
We have the EAP configuration in XML format. Let's create the Configuration Profile for the VPN.
- Open the M365 Tenant
- Click Admin
- From the Admin Center click Endpoint Manager
- From the left side click Devices
- Scroll down and find Configuration Profiles
- Click Create Profile
- In Platform select Windows 10 and later
- In Profile Type select Templates
- Scroll down to find VPN and select it
- Click Create
- Type a Name that you want. Click Next
- Expand Base VPN
- Type the Connection Name that you want the VPN profile to have
- Fill in the VPN Server address with the FQDN. My VPN Server Address is rdg.askme4tech.com
- If it's the only VPN server, set Default Server to True.
- In Connection Type select IKEv2
- Change the Always On VPN and Remember credentials at each logon settings as you prefer
- In Authentication Method select EAP.
- In the text box, paste the XML content from the file that was extracted at the beginning.
# Step 2 - Define Additional Settings for the VPN Profile
The above are the required settings to create the VPN profile.
There are also some additional settings that you can use. I will not dig into the details, but you can explore and use them. These are:
- Apps and Traffic Rule
- Conditional Settings - to add another level of security
- DNS Settings
- Proxy - only if you know that clients use a specific proxy to connect to the Internet and it must be configured behind the VPN profile
- Split Tunneling - enable it if you need certain web traffic to use the VPN tunnel
- Trusted Network Detection
You can make any configuration changes you need and click Next
# Step 3 - Assign the Vpn Profile
- Click Add Groups
- Select the group with the users to which you want to apply the VPN profile.
- Click Next. For now we don't need to apply any Application Rule. Click Next
- Click Create
That's it.
From now on, a VPN profile will be created for the members of the group that has been assigned.
It's not very difficult to configure it.
Have a nice weekend