Microsoft Intune includes many VPN settings that can be deployed to your iOS/iPadOS and macOS devices. These settings are used to create and configure VPN connections to your organization's network. This article describes these settings.
Some settings are only available for some VPN clients, such as Cisco, F5, and more. Depending on the settings you choose, not all values in the following list are configurable.
Prerequisites
Device platform requirements
This feature supports the following platforms:
- iOS/iPadOS
- macOS
Roles requirements
- Sign into the Microsoft Intune admin center with an account that has the Policy and Profile Manager built-in role. For more information on the built-in roles, go to Role-based access control for Microsoft Intune.
Device configuration requirements
- Create a VPN device configuration profile.
Before you begin
- Some Microsoft 365 services, such as Outlook, might not perform well using third party or partner VPNs. If you're using a third party or partner VPN and experience a latency or performance issue, then remove the VPN. If removing the VPN resolves the behavior, then you can:
  - Work with the third party or partner VPN for possible resolutions. Microsoft doesn't provide technical support for third party or partner VPNs.
  - Don't use a VPN with Outlook traffic.
  - If you need to use a VPN, then use a split-tunnel VPN, and allow the Outlook traffic to bypass the VPN.
  If you need these devices to access on-premises resources using modern authentication and Conditional Access, then you can use the Microsoft Tunnel, which supports split tunneling.
- iOS/iPadOS: These settings are available for all enrollment types except user enrollment. User enrollment is limited to per-app VPN. For more information on the enrollment types, see iOS/iPadOS enrollment.
- The available settings depend on the VPN client you choose. Some settings are only available for specific VPN clients.
- macOS: These settings are available for all enrollment types. For more information on the enrollment types, go to macOS enrollment.
- These settings use the Apple VPN payload (opens Apple's web site).
Connection type
Select the VPN connection type from the following list of vendors:
| Vendor | Notes |
|---|---|
| Check Point Capsule VPN | |
| Cisco Legacy AnyConnect | Applies to Cisco Legacy AnyConnect app version 4.0.5x and earlier. |
| Cisco AnyConnect | Applies to Cisco AnyConnect app version 4.0.7x and later. |
| SonicWall Mobile Connect | |
| F5 Access Legacy | Applies to F5 Access app version 2.1 and earlier. |
| F5 Access | Applies to F5 Access app version 3.0 and later. |
| Palo Alto Networks GlobalProtect (Legacy) | Applies to Palo Alto Networks GlobalProtect app version 4.1 and earlier. |
| Palo Alto Networks GlobalProtect | Applies to Palo Alto Networks GlobalProtect app version 5.0 and later. |
| Pulse Secure | |
| Cisco (IPSec) | |
| Citrix VPN | |
| Citrix SSO | |
| Zscaler | To use Conditional Access, or allow users to bypass the Zscaler sign-in screen, you must integrate Zscaler Private Access (ZPA) with your Microsoft Entra account. For detailed steps, see the Zscaler documentation. |
| NetMotion Mobility | |
| IKEv2 | IKEv2 settings (in this article) describes the properties. |
| Microsoft Tunnel | Applies to the Microsoft Defender for Endpoint app that includes Tunnel client functionality. |
| Custom VPN | |
Note
Cisco, Citrix, F5, and Palo Alto have announced that their legacy clients don't work on iOS 12 and later. You should migrate to the new apps as soon as possible. For more information, see the Microsoft Intune Support Team Blog.
Base VPN settings
Connection name: End users see this name when they browse their device for a list of available VPN connections.
Custom domain name (Zscaler only): Prepopulate the Zscaler app's sign-in field with the domain your users belong to. For example, if a username is [email protected], then the contoso.net domain statically appears in the field when the app opens. If you don't enter a domain name, then the domain portion of the UPN in Microsoft Entra ID is used.
VPN server address: The IP address or fully qualified domain name (FQDN) of the VPN server that devices connect with. For example, enter 192.168.1.1 or vpn.contoso.com.
Organization's cloud name (Zscaler only): Enter the cloud name where your organization is provisioned. The URL you use to sign in to Zscaler has the name.
Authentication method: Choose how devices authenticate to the VPN server.
Certificates: Under Authentication certificate, select an existing SCEP or PKCS certificate profile to authenticate the connection. Configure certificates provides some guidance about certificate profiles.
Username and password: End users must enter a username and password to sign in to the VPN server.
Note
If username and password are used as the authentication method for Cisco IPsec VPN, they must deliver the SharedSecret through a custom Apple Configurator profile.
Derived credential: Use a certificate that's derived from a user's smart card. If no derived credential issuer is configured, Intune prompts you to add one. For more information, see Use derived credentials in Microsoft Intune.
Excluded URLs (Zscaler only): When connected to the Zscaler VPN, the listed URLs are accessible outside the Zscaler cloud. You can add up to 50 URLs.
Split tunneling: Enable or Disable to let devices decide which connection to use, depending on the traffic. For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's standard network for regular web browsing.
VPN identifier (Custom VPN, Zscaler, and Citrix): An identifier for the VPN app you're using, supplied by your VPN provider.
Enter key/value pairs for your organization's custom VPN attributes (Custom VPN, Zscaler, and Citrix): Add or import Keys and Values that customize your VPN connection. Remember, these values are typically supplied by your VPN provider.
Enable network access control (NAC) (Cisco AnyConnect, Citrix SSO, F5 Access): When you choose I agree, the device ID is included in the VPN profile. This ID can be used for authentication to the VPN to allow or prevent network access.
When using Cisco AnyConnect with ISE, make sure you:
- Integrate ISE with Intune for NAC as described at Configure Microsoft Intune as an MDM Server in the Cisco Identity Services Engine Administrator Guide, if you haven't already.
- Enable NAC in the VPN profile.
Important
The network access control (NAC) service is deprecated and replaced with Microsoft's latest NAC service, which is the Compliance Retrieval Service (CR Service). To support changes within Cisco ISE, Intune changed the device ID format. So, your existing profiles with the original NAC service will stop working.
To use the CR Service and prevent downtime with your VPN connection, redeploy this same VPN device configuration profile. No changes are needed to the profile. You only need to redeploy. When the device syncs with the Intune service and receives the VPN configuration profile, the CR Service changes are automatically deployed to the device, and your VPN connections should continue to work.
When using Citrix SSO with Gateway, make sure you:
- Confirm you're using Citrix Gateway 12.0.59 or higher.
- Confirm your users have Citrix SSO 1.1.6 or later installed on their devices.
- Integrate Citrix Gateway with Intune for NAC. See the Integrating Microsoft Intune/Enterprise Mobility Suite with NetScaler (LDAP+OTP Scenario) Citrix deployment guide.
- Enable NAC in the VPN profile.
When using F5 Accessmake sure you:
- Confirm you're using F5 BIG-IP 13.1.1.5 or later.
- Integrate BIG-IP with Intune for NAC. See the Overview: Configuring APM for device posture checks with endpoint management systems F5 guide.
- Enable NAC in the VPN profile.
For the VPN partners that support device ID, the VPN client, such as Citrix SSO, can get the ID. Then, it can query Intune to confirm the device is enrolled, and whether the VPN profile is compliant or not compliant.
- To remove this setting, recreate the profile, and don't select I agree. Then, reassign the profile.
Enter key and value pairs for the NetMotion Mobility VPN attributes (NetMotion Mobility only): Enter or import key and value pairs. These values might be supplied by your VPN provider.
Microsoft Tunnel site (Microsoft Tunnel only): Select an existing site. The VPN client connects to the public IP address or FQDN of this site.
For more information, see Microsoft Tunnel for Intune.
Deployment channel: Select how you want to deploy the profile. This setting also determines the keychain where the authentication certificates are stored, so it's important to select the proper channel. It's not possible to edit the deployment channel after you deploy the profile. To change it, you must create a new profile.
Note
We recommend rechecking the deployment channel setting in existing profiles when the linked authentication certificates are up for renewal to ensure the intended channel is selected. If it isn't, create a new profile with the correct deployment channel.
You have two options:
- User channel: Always select the user deployment channel in profiles with user certificates. This option stores certificates in the user keychain.
- Device channel: Always select the device deployment channel in profiles with device certificates. This option stores certificates in the system keychain.
Connection name: Enter a name for this connection. End users see this name when they browse their device for the list of available VPN connections.
VPN server address: Enter the IP address or fully qualified domain name of the VPN server that devices connect to. For example, enter 192.168.1.1 or vpn.contoso.com.
Authentication method: Choose how devices authenticate to the VPN server. Your options:
- Certificates: Under Authentication certificate, select a SCEP or PKCS certificate profile you previously created to authenticate the connection. For more information about certificate profiles, go to How to configure certificates. Choose the certificates that align with your deployment channel selection. If you selected the user channel, your certificate options are limited to user certificate profiles. If you selected the device channel, you have both user and device certificate profiles to choose from. However, we recommend always selecting the certificate type that aligns with the selected channel. Storing user certificates in the system keychain increases security risks, because the system keychain is shared by every user on the device.
- Username and password: End users must enter a username and password to sign into the VPN server.
Connection type: Select the VPN connection type from the following list of vendors:
Check Point Capsule VPN
Cisco AnyConnect
SonicWall Mobile Connect
F5 Access
NetMotion Mobility
Custom VPN: Select this option if your VPN vendor isn't listed. Also configure:
- VPN identifier: Enter an identifier for the VPN app you're using. This identifier is supplied by your VPN provider.
- Enter key and value pairs for the custom VPN attributes: Add or import Keys and Values that customize your VPN connection. These values are typically supplied by your VPN provider.
Split tunneling: Enable lets devices decide which connection to use depending on the traffic. For example, a user in a hotel uses the VPN connection to access work files, but uses the hotel's standard network for regular web browsing. Disable sends all traffic through the VPN tunnel when the VPN connection is active.
IKEv2 settings
These settings apply when you choose Connection type > IKEv2.
Always-on VPN: Enable sets a VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected or immediately connect when the user locks their device, the device restarts, or the wireless network changes. When set to Disable (default), always-on VPN for all VPN clients is disabled. When enabled, also configure:
Network interface: All IKEv2 settings only apply to the network interface you choose. Your options:
- Wi-Fi and Cellular (default): The IKEv2 settings apply to the Wi-Fi and cellular interfaces on the device.
- Cellular: The IKEv2 settings only apply to the cellular interface on the device. Select this option if you're deploying to devices with the Wi-Fi interface disabled or removed.
- Wi-Fi: The IKEv2 settings only apply to the Wi-Fi interface on the device.
User to disable VPN configuration: Enable lets users turn off always-on VPN. Disable (default) prevents users from turning it off. The default value for this setting is the most secure option.
Voicemail: Choose what happens with voicemail traffic when always-on VPN is enabled. Your options:
- Force network traffic through VPN (default): This setting is the most secure option.
- Allow network traffic to pass outside VPN
- Drop network traffic
AirPrint: Choose what happens with AirPrint traffic when always-on VPN is enabled. Your options:
- Force network traffic through VPN (default): This setting is the most secure option.
- Allow network traffic to pass outside VPN
- Drop network traffic
Cellular services: On iOS 13.0+, choose what happens with cellular traffic when always-on VPN is enabled. Your options:
- Force network traffic through VPN (default): This setting is the most secure option.
- Allow network traffic to pass outside VPN
- Drop network traffic
Allow traffic from non-native captive networking apps to pass outside VPN: A captive network refers to Wi-Fi hotspots typically found in restaurants and hotels. Your options:
No: Forces all Captive Networking (CN) app traffic through the VPN tunnel.
Yes, all apps: Allows all CN app traffic to bypass the VPN.
Yes, specific apps: Add a list of CN apps whose traffic can bypass the VPN. Enter the bundle identifiers of the CN apps. For example, enter com.contoso.app.id.package. To get the bundle ID of an app added to Intune, you can use the Intune admin center.
Traffic from Captive Websheet app to pass outside VPN: Captive WebSheet is a built-in web browser that handles captive sign-on. Enable allows the browser app traffic to bypass the VPN. Disable (default) forces WebSheet traffic to use the always-on VPN. The default value is the most secure option.
Network address translation (NAT) keepalive interval (seconds): To stay connected to the VPN, the device sends network packets to remain active. Enter a value in seconds for how often these packets are sent, from 20-1440. For example, enter a value of 60 to send the network packets to the VPN every 60 seconds. By default, this value is set to 110 seconds.
Offload NAT keepalive to hardware when device is asleep: When a device is asleep, Enable (default) has NAT continuously send keep-alive packets so the device stays connected to the VPN. Disable turns off this feature.
Remote identifier: Enter the network IP address, FQDN, UserFQDN, or ASN1DN of the IKEv2 server. For example, enter 10.0.0.3 or vpn.contoso.com. Typically, you enter the same value as the VPN server address (in this article). But it does depend on your IKEv2 server settings.
Local identifier: Enter the device FQDN or subject common name of the IKEv2 VPN client on the device. Or, you can leave this value empty (default). Typically, the local identifier should match the user or device certificate's identity. The IKEv2 server might require the values to match so it can validate the client's identity.
Client Authentication type: Choose how the VPN client authenticates to the VPN. Your options:
- User authentication (default): User credentials authenticate to the VPN.
- Machine authentication: Device credentials authenticate to the VPN.
Authentication method: Choose the type of client credentials to send to the server. Your options:
Certificates: Uses an existing certificate profile to authenticate to the VPN. Be sure this certificate profile is already assigned to the user or device. Otherwise, the VPN connection fails.
- Certificate type: Select the key algorithm (RSA or ECDSA curve) of the certificate. Be sure the VPN server is configured to accept this type of certificate. Your options:
- RSA (default)
- ECDSA256
- ECDSA384
- ECDSA521
Shared secret (Machine authentication only): Allows you to enter a shared secret to send to the VPN server.
- Shared secret: Enter the shared secret, also known as the pre-shared key (PSK). Be sure the value matches the shared secret configured on the VPN server.
Server certificate issuer common name: Allows the VPN server to authenticate to the VPN client. Enter the certificate issuer common name (CN) of the VPN server certificate that's sent to the VPN client on the device. Be sure the CN value matches the configuration on the VPN server. Otherwise, the VPN connection fails.
Server certificate common name: Enter the CN for the certificate itself. If left blank, the remote identifier value is used.
Dead peer detection rate: Choose how often the VPN client checks if the VPN tunnel is active. Your options:
- Not configured: Uses the iOS/iPadOS system default, which might be the same as choosing Medium.
- None: Disables dead peer detection.
- Low: Sends a keepalive message every 30 minutes.
- Medium (default): Sends a keepalive message every 10 minutes.
- High: Sends a keepalive message every 60 seconds.
TLS version range minimum: Enter the minimum TLS version to use. Enter 1.0, 1.1, or 1.2. If left blank, the default value of 1.0 is used, so set the minimum explicitly to 1.2 unless the server requires an older version. When using user authentication and certificates, you must configure this setting.
TLS version range maximum: Enter the maximum TLS version to use. Enter 1.0, 1.1, or 1.2. If left blank, the default value of 1.2 is used. When using user authentication and certificates, you must configure this setting.
Perfect forward secrecy: Select Enable to turn on perfect forward secrecy (PFS). PFS is an IP security feature that reduces the impact if a session key is compromised. Disable (default) doesn't use PFS.
Certificate revocation check: Select Enable to make sure the certificates aren't revoked before allowing the VPN connection to succeed. This check is best-effort. If the VPN server times out before determining if the certificate is revoked, access is granted. Disable (default) doesn't check for revoked certificates.
Use IPv4/IPv6 internal subnet attributes: Some IKEv2 servers use the INTERNAL_IP4_SUBNET or INTERNAL_IP6_SUBNET attributes. Enable forces the VPN connection to use these attributes. Disable (default) doesn't force the VPN connection to use these subnet attributes.
Mobility and multihoming (MOBIKE): MOBIKE allows VPN clients to change their IP address without recreating a security association with the VPN server. Enable (default) turns on MOBIKE, which can improve VPN connections when traveling between networks. Disable turns off MOBIKE.
Redirect: Enable (default) redirects the IKEv2 connection if a redirect request is received from the VPN server. Disable prevents the IKEv2 connection from redirecting if a redirect request is received from the VPN server.
Maximum transmission unit: Enter the maximum transmission unit (MTU) in bytes, from 1-65536. When set to Not configured or left blank, Intune doesn't change or update this setting. By default, Apple might set this value to 1280.
This setting applies to:
- iOS/iPadOS 14 and newer
Security association parameters: Enter the parameters to use when creating security associations with the VPN server:
Encryption algorithm: Select the algorithm you want:
- DES
- 3DES
- AES-128
- AES-256 (default)
- AES-128-GCM
- AES-256-GCM
Note
If you set the encryption algorithm to AES-128-GCM or AES-256-GCM, then the AES-256 default is used. This is a known issue, and will be fixed in a future release. There is no ETA.
Integrity algorithm: Select the algorithm you want:
- SHA1-96
- SHA1-160
- SHA2-256 (default)
- SHA2-384
- SHA2-512
Diffie-Hellman group: Select the group you want. Default is group 2.
Lifetime (minutes): Enter how long the security association stays active until the keys are rotated. Enter a whole value between 10 and 1440 (1440 minutes is 24 hours). Default is 1440.
Child security association parameters: iOS/iPadOS allows you to configure separate parameters for the IKE connection and any child connections. Enter the parameters used when creating child security associations with the VPN server:
Encryption algorithm: Select the algorithm you want:
- DES
- 3DES
- AES-128
- AES-256 (default)
- AES-128-GCM
- AES-256-GCM
Note
If you set the encryption algorithm to AES-128-GCM or AES-256-GCM, then the AES-256 default is used. This is a known issue, and will be fixed in a future release. There is no ETA.
Integrity algorithm: Select the algorithm you want:
- SHA1-96
- SHA1-160
- SHA2-256 (default)
- SHA2-384
- SHA2-512
Also configure:
- Diffie-Hellman group: Select the group you want. Default is group 2.
- Lifetime (minutes): Enter how long the security association stays active until the keys are rotated. Enter a whole value between 10 and 1440 (1440 minutes is 24 hours). Default is 1440.
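The IKEv2 settings and the two Security association parameters lists above all land in one Apple VPN payload, and the defaults this article names (TLS minimum 1.0, PFS off, revocation check off, DH group 2) are not the strongest options the lists offer. The following Python example is added here and is not code from this article, from Intune, or from Apple: it builds the payload with the article's defaults and with a hardened set, then lints it for the weaker choices. The key names follow Apple's VPN payload reference, which this article only links to, so treat them as an assumption to verify against that reference; the server name, certificate profile UUID and issuer CN are constructed.

```python
"""Build an Apple IKEv2 VPN payload from the settings above and lint it for weak choices.

Key names are assumed from Apple's com.apple.vpn.managed payload reference; all sample
values (server, certificate UUID, issuer CN) are constructed for this example.
"""
import plistlib
import uuid

# Weak choices among the options the Security association parameters lists offer.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {1, 2, 5}   # MODP groups of 1536 bits or less; group 2 is the Intune default

# The article's default SA parameters, and a hardened counterpart from the same lists.
INTUNE_DEFAULT_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
                     "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 1440}
HARDENED_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-384",
               "DiffieHellmanGroup": 14, "LifeTimeInMinutes": 480}


def ikev2_payload(server, cert_uuid, ike_sa, child_sa, *, tls_min="1.0", tls_max="1.2",
                  pfs=False, revocation_check=False, dpd="Medium", mobike=True,
                  redirect=True, nat_keepalive=110):
    """Return a dict shaped like an Apple VPN payload for a certificate-authenticated IKEv2 connection.

    Keyword defaults mirror the Intune defaults named in this article.
    """
    ikev2 = {
        "RemoteAddress": server,                       # VPN server address
        "RemoteIdentifier": server,                    # Remote identifier (same FQDN)
        "LocalIdentifier": "",                         # Local identifier, empty = default
        "AuthenticationMethod": "Certificate",
        "ExtendedAuthEnabled": False,                  # Machine authentication, no EAP user credentials
        "PayloadCertificateUUID": cert_uuid,           # SCEP/PKCS certificate profile reference
        "CertificateType": "ECDSA256",                 # Certificate type
        "ServerCertificateIssuerCommonName": "Contoso Issuing CA",   # constructed
        "ServerCertificateCommonName": server,
        "DeadPeerDetectionRate": dpd,                  # None / Low / Medium / High
        "EnablePFS": pfs,                              # Perfect forward secrecy
        "EnableCertificateRevocationCheck": revocation_check,
        "DisableMOBIKE": not mobike,
        "DisableRedirect": not redirect,
        "NATKeepAliveInterval": nat_keepalive,         # seconds, 20-1440
        "NATKeepAliveOffloadEnable": True,
        "TLSMinimumVersion": tls_min,                  # TLS version range minimum
        "TLSMaximumVersion": tls_max,                  # TLS version range maximum
        "IKESecurityAssociationParameters": dict(ike_sa),
        "ChildSecurityAssociationParameters": dict(child_sa),
    }
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.contoso.vpn.ikev2",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "UserDefinedName": "Contoso IKEv2",            # Connection name
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }


def lint_ikev2(payload):
    """Return a list of findings for the settings this article describes as weaker or off by default."""
    findings = []
    ike = payload["IKEv2"]
    for label in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        sa = ike[label]
        if sa["EncryptionAlgorithm"] in WEAK_ENCRYPTION:
            findings.append(f"{label}: {sa['EncryptionAlgorithm']} is a legacy cipher")
        if sa["IntegrityAlgorithm"] in WEAK_INTEGRITY:
            findings.append(f"{label}: {sa['IntegrityAlgorithm']} is SHA-1 based")
        if sa["DiffieHellmanGroup"] in WEAK_DH_GROUPS:
            findings.append(f"{label}: DH group {sa['DiffieHellmanGroup']} is below 2048-bit")
        if not 10 <= sa["LifeTimeInMinutes"] <= 1440:
            findings.append(f"{label}: lifetime must be 10-1440 minutes")
    if ike["TLSMinimumVersion"] != "1.2":
        findings.append("TLSMinimumVersion: raise to 1.2 (a blank value defaults to 1.0)")
    if not ike["EnablePFS"]:
        findings.append("EnablePFS: disabled (Intune default); enable it")
    if not ike["EnableCertificateRevocationCheck"]:
        findings.append("EnableCertificateRevocationCheck: disabled (Intune default); enable it")
    if ike["AuthenticationMethod"] == "SharedSecret":
        findings.append("AuthenticationMethod: pre-shared key; prefer certificates")
    return findings


CERT_UUID = "11111111-2222-3333-4444-555555555555"   # constructed certificate profile UUID


def intune_default_payload():
    """The article's defaults: AES-256 / SHA2-256 / DH 2, TLS min 1.0, PFS and revocation check off."""
    return ikev2_payload("vpn.contoso.com", CERT_UUID, INTUNE_DEFAULT_SA, INTUNE_DEFAULT_SA)


def hardened_payload():
    """The same connection using the stronger options the lists above allow."""
    return ikev2_payload("vpn.contoso.com", CERT_UUID, HARDENED_SA, HARDENED_SA,
                         tls_min="1.2", pfs=True, revocation_check=True)


def roundtrip(payload):
    """Serialize to XML plist (the format inside a .mobileconfig profile) and parse it back."""
    return plistlib.loads(plistlib.dumps(payload))


if __name__ == "__main__":
    for name, payload in (("defaults", intune_default_payload()), ("hardened", hardened_payload())):
        print(name, lint_ikev2(payload) or "no findings")
```

The lint stops at AES-256 rather than recommending AES-GCM because of the known issue noted above, where choosing AES-128-GCM or AES-256-GCM results in the AES-256 default being applied. Run the same lint over the IKE and child parameters separately, as the code does, since Intune lets the two diverge.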
Automatic VPN
Type of automatic VPN: Select the VPN type you want to configure - On-demand VPN or per-app VPN. Make sure you only use one option. Using them both simultaneously causes connection issues. When set to Not configured (default), Intune doesn't change or update this setting.
On-demand VPN feature in Automatic VPN
On-demand VPN uses rules to automatically connect or disconnect the VPN connection. When your devices attempt to connect to the VPN, the device looks for matches in the parameters and rules you create, such as a matching domain name. If there's a match, then the action you choose runs.
For example, you can create a condition where the VPN connection is only used when a device isn't connected to a company Wi-Fi network. Or, if a device can't access a DNS search domain you enter, then the VPN connection isn't started.
On-demand rules > Add: Select Add to add a rule. If there isn't an existing VPN connection, then use these settings to create an on-demand rule. If there's a match to your rule, then the device does the action you select.
I want to do the following: If there's a match between the device value and your on-demand rule, then select the action you want the device to do. Your options:
Establish VPN: If there's a match between the device value and your on-demand rule, then the device connects to the VPN.
Disconnect VPN: If there's a match between the device value and your on-demand rule, then the VPN connection is disconnected.
Evaluate each connection attempt: If there's a match between the device value and your on-demand rule, then use the Choose whether to connect setting to decide what happens for each VPN connection attempt:
Connect if needed: If the device is on an internal network, or if there's already an established VPN connection to the internal network, then the on-demand VPN won't connect. These settings aren't used.
If there isn't an existing VPN connection, then for each VPN connection attempt, decide if users should connect using a DNS domain name. This rule only applies to domains in the When users try to access these domains list. All other domains are ignored.
When users try to access these domains: Enter one or more DNS domains, like contoso.com. If users try to connect to a domain in this list, then the device uses DNS to resolve the domains you enter. If the domain doesn't resolve, meaning the device doesn't have access to internal resources, then it connects to the VPN on-demand. If the domain does resolve, meaning it already has access to internal resources, then it doesn't connect to the VPN. Which DNS servers are used for that resolution depends on the Use the following DNS servers to resolve these domains setting:
| Use the following DNS servers to resolve these domains | Behavior |
|---|---|
| Empty | The device uses the DNS servers configured on the network connection service (Wi-Fi/ethernet) to resolve the domain. The idea is that these DNS servers are public servers. The domains in the When users try to access these domains list are internal resources. Internal resources aren't on public DNS servers and can't be resolved. So, the device connects to the VPN. Now, the domain is resolved using the VPN connection's DNS servers and the internal resource is available. If the device is on the internal network, then the domain resolves, and a VPN connection isn't created because the internal domain is already available. You don't want to waste VPN resources on devices already on the internal network. |
| Populated | The DNS servers in the list are used to resolve the domains in the list. The idea is the opposite of the first row. For instance, the list has internal DNS servers. A device on an external network can't route to the internal DNS servers. The name resolution times out, and the device connects to the VPN on-demand. Now the internal resources are available. Remember, this information only applies to domains in the When users try to access these domains list. All other domains are resolved with public DNS servers. When the device is connected to the internal network, the DNS servers in the list are accessible, and there's no need to connect to the VPN. |
Use the following DNS servers to resolve these domains (optional): Enter one or more DNS server IP addresses, like 10.0.0.22. The DNS servers you enter are used to resolve the domains in the When users try to access these domains setting.
When this URL is unreachable, force-connect the VPN: Optional. Enter an HTTP or HTTPS probing URL that the rule uses as a test. For example, enter https://probe.Contoso.com. This URL is probed every time a user tries to access a domain in the When users try to access these domains setting. The user doesn't see the URL string probe site. If the probe fails because the URL is unreachable or doesn't return a 200 HTTP status code, then the device connects to the VPN.
The idea is that the URL is only accessible on the internal network. If the URL can be accessed, then a VPN connection isn't needed. If the URL can't be accessed, then the device is on an external network, and it connects to the VPN on-demand. Once the VPN connection is established, internal resources are available.
Never connect: For each VPN connection attempt, when users try to access the domains you enter, the device never connects to the VPN.
- When users try to access these domains: Enter one or more DNS domains, like contoso.com. If users try to connect to a domain in this list, then a VPN connection isn't created. If they try to connect to a domain not in this list, then the device connects to the VPN.
Ignore: If there's a match between the device value and your on-demand rule, then the connection attempt is ignored and no on-demand VPN connection is made.
I want to restrict to: In the I want to do the following setting, if you select Establish VPN, Disconnect VPN, or Ignore, then select the condition that the rule must meet. Your options:
- Specific SSIDs: Enter one or more wireless network names that the rule applies to. This network name is the Service Set Identifier (SSID). For example, enter Contoso VPN.
- Specific search domains: Enter one or more DNS domains that the rule applies to. For example, enter contoso.com.
- All domains: Select this option to apply your rule to all domains in your organization.
But only if this URL probe succeeds: Optional. Enter a URL that the rule uses as a test. For example, enter https://probe.Contoso.com. If the device accesses this URL without redirection, then the VPN connection is started. And, the device connects to the target URL. The user doesn't see the URL string probe site. For example, the URL tests the VPN's ability to connect to a site before the device connects to the target URL through the VPN.
Block users from disabling automatic VPN: Your options:
- Not configured: Intune doesn't change or update this setting.
- Yes: Prevents users from turning off automatic VPN. It forces users to keep the automatic VPN enabled and running.
- No: Allows users to turn off automatic VPN.
This setting applies to:
- iOS 14 and newer
- iPadOS 14 and newer
Per-app VPN feature in Automatic VPN
Enables per-app VPN by associating this VPN connection with a specific app. When the app runs, the VPN connection starts. You can associate the VPN profile with an app when you assign the app software or program. For more information, see How to assign and monitor apps.
Per-app VPN isn't supported on an IKEv2 connection. For more information, see set up per-app VPN for iOS/iPadOS devices.
Provider Type: Only available for Pulse Secure and Custom VPN.
When using per-app VPN profiles with Pulse Secure or a Custom VPN, choose app-layer tunneling (app-proxy) or packet-level tunneling (packet-tunnel):
- app-proxy: Select this option for app-layer tunneling.
- packet-tunnel: Select this option for packet-layer tunneling.
If you're not sure which option to usethen check your VPN provider's documentation.
Safari URLs that will trigger this VPN: Add one or more web site URLs. When these URLs are visited using the Safari browser on the device, the VPN connection is automatically established. For example, enter contoso.com.
Associated Domains: Enter associated domains in the VPN profile to use with this VPN connection.
For more information, see associated domains.
Excluded Domains: Enter domains that can bypass the VPN connection when per-app VPN is connected. For example, enter contoso.com. Traffic to the contoso.com domain uses the public Internet even if the VPN is connected.
Block users from disabling automatic VPN: Your options:
- Not configured: Intune doesn't change or update this setting.
- Yes: Prevents users from turning off the Connect On Demand toggle within the VPN profile settings. It forces users to keep per-app VPN or on-demand rules enabled and running.
- No: Allows users to turn off the Connect On Demand toggle, which disables per-app VPN and on-demand rules.
This setting applies to:
- iOS 14 and newer
- iPadOS 14 and newer
Select the type of automatic VPN you want. Your options:
Not configured: Intune doesn't change or update this setting.
On-demand VPN: On-demand VPN uses rules to automatically connect or disconnect the VPN connection. When your devices attempt to connect to the VPN, the device looks for matches in the parameters and rules you create, like a matching IP address or domain name. If there's a match, then the action you choose runs.
For example, create a condition where the VPN connection is only used when a device isn't connected to a company Wi-Fi network. Or, if a device can't access a DNS search domain you enter, then the VPN connection isn't started.
Add: Select this option and add a rule.
I want to do the following: If there's a match between the device value and your on-demand rule, then select the action. Your options:
- Connect VPN
- Disconnect VPN
- Evaluate each connection attempt
- Ignore
I want to restrict to: Select the condition that the rule must meet. Your options:
- Specific SSIDs: Enter one or more wireless network names that the rule applies to. This network name is the Service Set Identifier (SSID). For example, enter Contoso VPN.
- Specific search domains: Enter one or more DNS domains that the rule applies to. For example, enter contoso.com.
- All domains: Select this option to apply your rule to all domains in your organization.
But only if this URL probe succeeds: Optional. Enter a URL that the rule uses as a test. If the device accesses this URL without redirection, then the VPN connection is started. And, the device connects to the target URL. The user doesn't see the URL string probe site.
For example, a URL string probe is an auditing Web server URL that checks device compliance before connecting the VPN. Or, the URL tests the VPN's ability to connect to a site before the device connects to the target URL through the VPN.
Block users from disabling automatic VPN: Your options:
- Not configured: Intune doesn't change or update this setting.
- Yes: Prevents users from turning off automatic VPN. It forces users to keep the automatic VPN enabled and running.
- No: Allows users to turn off automatic VPN.
This setting applies to:
- macOS 11 and newer (Big Sur)
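The on-demand rule logic described above for iOS/iPadOS and, more briefly, for macOS (rules tried in order, the first one whose conditions hold decides; Evaluate each connection attempt then applies its per-domain Connect if needed or Never connect choice, with DNS resolution and the HTTP probe deciding whether a connection is actually needed) is easier to reason about when you can run it against concrete network conditions. The following Python example is an added simulation of that decision procedure, not code from this article, from Intune, or from Apple. The rule dictionaries mirror the OnDemandRules keys of Apple's VPN payload, which is an assumption here, and every SSID, domain, DNS server and probe URL is constructed; it models an unlisted domain under Evaluate each connection attempt as getting no on-demand action, following "All other domains are ignored" above.

```python
"""Simulate Apple On-demand VPN rule evaluation as described in this article.

Rule dictionaries mirror the OnDemandRules shape of Apple's VPN payload (assumed here);
the network states, SSIDs, domains and probe URL are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class NetworkState:
    """What the device can observe on its current network (constructed test input)."""
    ssid: str | None = None                                   # None: not on Wi-Fi
    search_domains: set[str] = field(default_factory=set)     # DNS search domains from DHCP
    resolvable: set[str] = field(default_factory=set)         # names the current DNS path resolves
    required_dns_reachable: bool = True                       # can RequiredDNSServers be reached?
    probe_200: set[str] = field(default_factory=set)          # probe URLs answering 200, no redirect


def domain_matches(target: str, patterns: list[str]) -> bool:
    """Suffix match: 'contoso.com' covers 'files.contoso.com' but not 'contoso.com.evil.example'."""
    t = target.lower()
    return any(t == p.lower() or t.endswith("." + p.lower()) for p in patterns)


def rule_applies(rule: dict, state: NetworkState) -> bool:
    """The 'I want to restrict to' conditions plus 'But only if this URL probe succeeds'."""
    if "SSIDMatch" in rule and state.ssid not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule and not (set(rule["DNSDomainMatch"]) & state.search_domains):
        return False
    if "URLStringProbe" in rule and rule["URLStringProbe"] not in state.probe_200:
        return False
    return True


def evaluate(rules: list[dict], state: NetworkState, target: str) -> str:
    """Return 'connect', 'disconnect' or 'ignore' for an attempt to reach `target`.

    Rules are tried in order; the first whose conditions hold decides. EvaluateConnection
    then applies its per-domain actions; a domain under no ActionParameters entry gets nothing.
    """
    for rule in rules:
        if not rule_applies(rule, state):
            continue
        action = rule["Action"]
        if action in ("Connect", "Disconnect", "Ignore"):
            return action.lower()
        if action == "EvaluateConnection":
            for params in rule.get("ActionParameters", []):
                if not domain_matches(target, params["Domains"]):
                    continue
                if params["DomainAction"] == "NeverConnect":
                    return "ignore"
                # ConnectIfNeeded: connect only when the name can't be resolved (through the
                # required DNS servers, if any are listed) or the probe URL doesn't return 200.
                if params.get("RequiredDNSServers") and not state.required_dns_reachable:
                    return "connect"
                if target not in state.resolvable:
                    return "connect"
                probe = params.get("RequiredURLStringProbe")
                if probe and probe not in state.probe_200:
                    return "connect"
                return "ignore"   # already on the internal network: don't spend VPN capacity
            return "ignore"
    return "ignore"


# Constructed policy: never tunnel on the office SSID; elsewhere, connect only when a
# contoso.net name can't be resolved by the internal resolver or the internal probe fails.
CONTOSO_RULES = [
    {"Action": "Disconnect", "SSIDMatch": ["Contoso-Corp"]},
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"Domains": ["contoso.net"], "DomainAction": "ConnectIfNeeded",
         "RequiredDNSServers": ["10.0.0.22"],
         "RequiredURLStringProbe": "https://probe.contoso.com"},
        {"Domains": ["www.contoso.com"], "DomainAction": "NeverConnect"},
    ]},
]


def scenarios() -> dict[str, str]:
    """Decisions for a few constructed device situations."""
    office = NetworkState(ssid="Contoso-Corp", resolvable={"files.contoso.net"},
                          probe_200={"https://probe.contoso.com"})
    hotel = NetworkState(ssid="HotelGuest", required_dns_reachable=False)
    wired_office = NetworkState(ssid=None, resolvable={"files.contoso.net"},
                                probe_200={"https://probe.contoso.com"})
    return {
        "office_wifi_intranet": evaluate(CONTOSO_RULES, office, "files.contoso.net"),
        "hotel_intranet": evaluate(CONTOSO_RULES, hotel, "files.contoso.net"),
        "hotel_public_site": evaluate(CONTOSO_RULES, hotel, "www.contoso.com"),
        "hotel_unlisted": evaluate(CONTOSO_RULES, hotel, "example.org"),
        "wired_office_intranet": evaluate(CONTOSO_RULES, wired_office, "files.contoso.net"),
    }


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:24} -> {decision}")
```

The ordering matters: the Disconnect rule keyed on the corporate SSID comes first so that a device on office Wi-Fi never evaluates the DNS and probe checks at all, which is the "don't waste VPN resources on devices already on the internal network" point made above. The wired office case shows the other path to the same outcome: no SSID rule matches, but the internal resolver and probe both succeed, so Connect if needed stays idle.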
Per-app VPN: Enables per-app VPN by associating this VPN connection with a macOS app. When the app runsthe VPN connection starts. You can associate the VPN profile with an app when you assign the software. For more informationgo to How to assign and monitor apps.
Safari URLs that will trigger this VPN: Add one or more web site URLs. When these URLs are visited using the Safari browser on the devicethe VPN connection is automatically established.
Associated Domains: Enter associated domains in the VPN profile that automatically start the VPN connection. For example, enter contoso.com. Devices in the contoso.com domain automatically start the VPN connection. For more information, go to associated domains.
Excluded Domains: Enter domains that can bypass the VPN connection when per-app VPN is connected. For example, enter contoso.com. Devices in the contoso.com domain won't start or won't use the per-app VPN connection. Devices in the contoso.com domain use the public Internet.
Prevent users from disabling automatic VPN: Your options:
- Not configured: Intune doesn't change or update this setting.
- Yes: Prevents users from turning off automatic VPN. It forces users to keep the automatic VPN enabled and running.
- No: Allows users to turn off automatic VPN.
This setting applies to:
- macOS 11 and newer (Big Sur)
Per-app VPN
These settings apply to the following VPN connection types:
- Microsoft Tunnel
Settings:
Per-app VPN: Enable associates a specific app to this VPN connection. When the app runs, traffic automatically routes through the VPN connection. You can associate the VPN profile with an app when you assign the software. For more information, see How to assign and monitor apps.
For more information, see Microsoft Tunnel for Intune.
Safari URLs that will trigger this VPN: Add one or more web site URLs. When these URLs are visited using the Safari browser on the device, the VPN connection is automatically established. For example, enter contoso.com.
Associated Domains: Enter associated domains in the VPN profile to use with this VPN connection.
For more information, see associated domains.
Excluded Domains: Enter domains that can bypass the VPN connection when per-app VPN is connected. For example, enter contoso.com. Traffic to the contoso.com domain uses the public Internet even if the VPN is connected.
Proxy
If you use a proxy, then configure the following settings.
- Automatic configuration script: Use a file to configure the proxy server. Enter the proxy server URL that includes the configuration file. For example, enter http://proxy.contoso.com/pac.
- Address: Enter the IP address or fully qualified host name of the proxy server. For example, enter 10.0.0.3 or vpn.contoso.com.
- Port number: Enter the port number associated with the proxy server. For example, enter 8080.
Related articles
- Assign the profile and monitor its status.
- Configure VPN settings on Android, Android Enterprise, and Windows devices.