Set up per-app Virtual Private Network (VPN) for iOS/iPadOS devices in Intune

In Microsoft Intuneyou can create and use Virtual Private Networks (VPNs) assigned to an app. This feature is called per-app VPN. You choose the managed apps that can use your VPN on devices managed by Intune. When you use per-app VPNsend users automatically connect through the VPNand get access to organizational resourceslike documents.

This feature applies to:

iOS 9 and newer
iPadOS 13.0 and newer

Check your VPN provider's documentation to see if your VPN supports per-app VPN.

This article shows you how to create a per-app VPN profileand assign this profile to your apps. Use these steps to create a seamless per-app VPN experience for your end users. For most VPNs that support per-app VPNthe user opens an appand automatically connects to the VPN.

Some VPNs allow username and password authentication with per-app VPN. Meaningusers need to enter a username and password to connect to the VPN.

Important

On iOS/iPadOSper-app VPN isn't supported for IKEv2 VPN profiles.

Per-app VPN with Microsoft Tunnel or Zscaler

Microsoft Tunnel and Zscaler Private Access (ZPA) integrate with Microsoft Entra ID for authentication. When using Tunnel or ZPAyou don't need the trusted certificate or SCEP or PKCS certificate profiles (described in this article).

If you have a per-app VPN profile set up for Zscalerthen opening one of the associated apps doesn't automatically connect to ZPA. Insteadthe user needs to sign into the Zscaler app. Thenremote access is limited to the associated apps.

Prerequisites

Your VPN vendor can have other requirements for per-app VPNlike specific hardware or licensing. Be sure to check with their documentationand meet those prerequisites before setting up per-app VPN in Intune.
Export the trusted root certificate .cer file from your VPN server. You add this file to the trusted certificate profile you create in Intunedescribed in this article.

To export the file:
1. On your VPN serveropen the administration console.
2. Confirm that your VPN server uses certificate-based authentication.
3. Export the trusted root certificate file. It has a .cer extension.
4. Add the name of the certificate authority (CA) that issued the certificate for authentication to the VPN server.
  
  If the CA presented by the device matches a CA in the Trusted CA list on the VPN serverthen the VPN server successfully authenticates the device.
To prove its identitythe VPN server presents the certificate to the device. The device must accept the certificate without prompting the user. To confirm the automatic approval of the certificateyou create a trusted certificate profile in Intune (in this article). The Intune trusted certificate profile must include the VPN server's root certificate (.cer file) issued by the Certification Authority (CA).
Sign into the Microsoft Intune admin center with an account that has the Policy and Profile Manager built-in role. For more information on the built-in rolesgo to Role-based access control for Microsoft Intune.

Step 1 - Create a group for your VPN users

Create or choose an existing group in Microsoft Entra ID. This group:

Must include the users or devices that will use per-app VPN.
Will receive all the Intune policies you create in this article.

For the steps to create a new groupgo to Add groups to organize users and devices.

Step 2 - Create a trusted certificate profile

Import the VPN server's root certificate issued by the CA into an Intune profile. This root certificate is the .cer file you exported in Prerequisites (in this article). The trusted certificate profile instructs the iOS/iPadOS device to automatically trust the CA that the VPN server presents.

Sign in to the Microsoft Intune admin center.
Select Devices > Manage devices > Configuration > Create > New policy.
Enter the following properties:
- Platform: Select iOS/iPadOS.
- Profile type: Select Trusted certificate.
Select Create.
In Basicsenter the following properties:
- Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For examplea good profile name is iOS/iPadOS trusted certificate profile for myApp.
- Description: Enter a description for the profile. This setting is optionalbut recommended.
Select Next.
In Configuration settingsselect the folder iconand browse to your VPN certificate (.cer file) that you exported from your VPN administration console.
Select Nextand continue creating the trusted certificate profile. You can save the profile and assign it later.

When you're ready to assign the profileassign this profile to the group you created in Step 1 - Create a group for your VPN users (in this article). When you assign the profilethe users or devices in the group receive the policy the next time they check-in with the Intune service.

Step 3 - Create a SCEP or PKCS certificate profile

The trusted root certificate profile you created in step 2 allows the device to automatically trust the VPN Server.

In this next stepcreate the SCEP or PKCS certificate profile in Intune. The SCEP or PKCS certificate provides credentials from the iOS/iPadOS VPN client to the VPN server. The certificate allows the device to silently authenticate without prompting for a username and password.

To configure and assign the client authentication certificate in Intunego to one of the following articles:

Be sure to configure the certificate for client authentication. You can set client authentication directly in SCEP certificate profiles (Extended key usage list > Client authentication). For PKCSset client authentication in the certificate template in the certificate authority (CA).

Create a SCEP certificate profile in Microsoft Intune and Intune admin center. Include the subject name formatkey usageextended key usageand more.

Step 4 - Create a per-app VPN profile

This VPN profile includes the SCEP or PKCS certificate that has the client credentialsthe VPN connection informationand the per-app VPN flag that enables the per-app VPN used by the iOS/iPadOS application.

In the Microsoft Intune admin centerselect Devices > Manage devices > Configuration > Create > New policy.
Enter the following properties and select Create:
- Platform: Select iOS/iPadOS.
- Profile type: Select VPN.
In Basicsenter the following properties:
- Name: Enter a descriptive name for the custom profile. Name your profiles so you can easily identify them later. For examplea good profile name is iOS/iPadOS per-app VPN profile for myApp.
- Description: Enter a description for the profile. This setting is optionalbut recommended.
In Configuration settingsconfigure the following settings:
- Connection type: Select your VPN client app.
- Base VPN: Configure your settings. iOS/iPadOS VPN settings describes all the settings. When using per-app VPNbe sure you configure the following properties as listed:
  - Authentication method: Select Certificates.
  - Authentication certificate: Select an existing SCEP or PKCS certificate > OK.
  - Split tunneling: Select Disable to force all traffic to use the VPN tunnel when the VPN connection is active.
  For information on the other settingsgo to iOS/iPadOS VPN settings.
- Automatic VPN > Type of automatic VPN > Per-app VPN
Select Nextand continue creating the VPN profile.

Step 5 - Associate an app with the VPN profile

After adding your VPN profileassociate the app and Microsoft Entra group to the profile.

In the Microsoft Intune admin centerselect Apps > All Apps.
Select an app from the list > Properties > Assignments > Edit.
Go to the Required or Available for enrolled devices section.
Select Add group > Select the group you created in Step 1 - Create a group for your VPN users (in this article) > Select.
In VPNsselect the per-app VPN profile you created in Step 4 - Create a per-app VPN profile (in this article).
Select OK > Save.

When all of the following conditions existan association between an app and a profile remains until the user requests a reinstall from the Company Portal app:

The app was targeted with available install intentand
The profile and the app are assigned to the same groupand
The end user requested the app install in the Company Portal app. This request results in the app and profile being installed on the deviceand
You remove or change the per-app VPN configuration from the app assignment.

When all of the following conditions existan association between an app and a profile is removed during the next device check-in:

The app was targeted with required install intentand
The profile and the app are assigned to the same groupand
You remove the per-app VPN configuration from the app assignment.

Verify the connection on the iOS/iPadOS device

With your per-app VPN set up and associated with your appverify the connection works from a device.

Before you attempt to connect

Make sure you deploy all the policies described in this article to the same group. Otherwisethe per-app VPN experience won't work.
If you're using the Pulse Secure VPN app or a custom VPN client appthen you can choose to use app-layer or packet-layer tunneling:
- For app-layer tunnelingset the ProviderType value to app-proxy.
- For packet-layer tunnelingset ProviderType value to packet-tunnel.
Check your VPN provider's documentation to make sure you're using the correct value.

Connect using the per-app VPN

Verify the zero-touch experience by connecting without having to select the VPN or type your credentials. The zero-touch experience means:

The device doesn't ask you to trust the VPN server. Meaningthe user doesn't see the Dynamic Trust dialog box.
The user doesn't have to enter credentials.
When the user opens one of the associated appsthe user's device is connected to the VPN.

To review iOS/iPadOS settingsgo to VPN settings for iOS/iPadOS devices in Microsoft Intune.
To learn more about VPN setting and Intunego to configure VPN settings in Microsoft Intune.

Feedback

Was this page helpful?

Last updated on 2026-04-14