
How to configure VPN Settings on Android Devices

A Virtual Private Network (VPN) lets users access the organization's network remotely. It enhances security by allowing users to send data through a private network. The private network is created virtually across the public network, and all interaction takes place over this virtual network. To start a connection with a VPN server, devices use a VPN connection profile. Hexnode UEM allows you to configure VPN profiles for Android devices. Once configured, the VPN connection will be listed among the available networks.

Notes:

  • This feature is available on Pro and higher subscription plans.
  • VPN can be configured only on Samsung Knox devices.

Configure VPN Settings

  1. Log in to your Hexnode UEM Portal.
  2. Go to Policies.
  3. Select an existing policy or create a new one by clicking on New Policy.
  4. From Android > Networks, select VPN and click on Configure.

The following options can be configured.


Settings | Description
Profile Name | Provide a name to identify the VPN on the device. This is the name displayed for the VPN in the list of available connections.
Server | Provide the domain name or the IP address of the server to which the devices connect.
Connection Type | Select the connection type to be used. The remaining settings change according to the selected connection type. The available connection types are PPTP, L2TP/IPSec PSK, IPSec Xauth PSK, IPSec IKEv2 PSK, L2TP/IPSec RSA, IPSec Xauth RSA, IPSec Hybrid RSA and IPSec IKEv2 RSA.
Username | Provide the username for authenticating with the VPN server. This field supports the use of wildcards. The supported wildcard is %name%.
Password | Provide the password of the account used for authenticating with the VPN server. Note: A username and password are required to sign in to the VPN server. The credentials provided here authenticate the user's device so that it can connect to the VPN.

The following options will be enabled when Show advanced options is clicked.

Settings | Description
DNS search domains | Provide the internal DNS domain to be used once the connection is established.
DNS servers | Provide the internal DNS server to be used once the connection is established.
Forwarding routes | Provide the forwarding route for sending traffic through the VPN interface to the destination. Forwarding routes tell the devices to send traffic to the destination through the VPN interface.

Based on the Connection Type selected, the following options can be configured.

Configuring PPTP Connection

PPTP Settings | Description
PPP encryption (MPPE) | Check this option to enable PPP (Point-to-Point Protocol) encryption on the Android devices.

Configuring L2TP/IPSec PSK Connection

L2TP/IPSec PSK Settings | Description
L2TP secret | A second password required to establish a connection. Also known as the pre-shared key, this shared secret is known in advance to the device and the VPN server, and to no one else. The key is used only to establish a connection and not for encryption.
IPSec pre-shared key | Provide the pre-shared key for the IPSec connection type. This key is used only for authentication and not for encryption.
IPSec Identifier | Provide the IPSec Identifier to establish the VPN authentication.

Configuring IPSec Xauth PSK Connection

IPSec Xauth PSK Settings | Description
IPSec pre-shared key | Enter the pre-shared key required for the IPSec connection type. It is used only for authenticating the connection and not for encryption.
IPSec Identifier | Provide the IPSec Identifier to establish the VPN authentication.

Configuring IPSec IKEv2 PSK Connection

IPSec IKEv2 PSK Settings | Description
IPSec pre-shared key | The IPSec connection type requires the pre-shared key to authenticate the connection. Note that this key is not used for encryption.
IPSec Identifier | Provide the IPSec Identifier to establish the VPN authentication.

Configuring L2TP/IPSec RSA Connection

L2TP/IPSec RSA Settings | Description
L2TP secret | The L2TP secret, also known as the pre-shared key, is the alternate password for establishing the connection. It is a shared secret known in advance only to the VPN server and the device. This pre-shared key is used only for establishing the connection and not for encryption.
Ca Certificate | Select the Certificate Authority (Ca) trusted certificate for establishing the L2TP/IPSec RSA connection. The assigned trusted certificate authenticates the device to establish a connection to the VPN server. It must be previously uploaded under Android > Security > Certificates.
User Certificate | Select the user certificate required for establishing the L2TP/IPSec RSA connection. Users can prove their identity for remote VPN access by using user certificates. This certificate must be previously uploaded under Android > Security > Certificates.

Configuring IPSec Xauth RSA Connection

IPSec Xauth RSA Settings | Description
Ca Certificate | Choose the Certificate Authority (Ca) trusted certificate uploaded under Android > Security > Certificates for authenticating the connection. It is this certificate that establishes the connection between the device and the VPN server.
User Certificate | Select the user certificate required for establishing the IPSec Xauth RSA connection. Users can prove their identity for remote VPN access by using user certificates. This certificate must be previously uploaded under Android > Security > Certificates.

Configuring IPSec Hybrid RSA Connection

IPSec Hybrid RSA Settings | Description
Ca Certificate | To establish the IPSec Hybrid RSA connection, select the Certificate Authority (Ca) trusted certificate uploaded under Android > Security > Certificates. This certificate authenticates the device to establish a connection with the VPN server.

Configuring IPSec IKEv2 RSA Connection

IPSec IKEv2 RSA Settings | Description
User Certificate | Select the user certificate required for establishing the IPSec IKEv2 RSA connection. Users can prove their identity for remote VPN access by using user certificates. This certificate must be previously uploaded under Android > Security > Certificates.

Always-on VPN for Android

You can configure the VPN network to be always-on on the device by checking the Always-on option. With this option selected, the device stays connected to the VPN network at all times. This option is available for all the connection types except PPTP.
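
The settings listed per connection type, the certificate upload prerequisite and the Always-on restriction can be checked against a profile definition before the policy is pushed. The following is an added example, not Hexnode code: the dictionary keys and the function name are hypothetical and do not reflect Hexnode's API or export format, and it assumes that every setting the page lists for a connection type must be filled in.

```python
# Added example. Key names are hypothetical, not Hexnode's API or export schema.
COMMON = ("profile_name", "server", "connection_type", "username", "password")

# Settings the page lists for each connection type (all treated as required here,
# which is an assumption of this example).
TYPE_SETTINGS = {
    "PPTP": (),
    "L2TP/IPSec PSK": ("l2tp_secret", "ipsec_psk", "ipsec_identifier"),
    "IPSec Xauth PSK": ("ipsec_psk", "ipsec_identifier"),
    "IPSec IKEv2 PSK": ("ipsec_psk", "ipsec_identifier"),
    "L2TP/IPSec RSA": ("l2tp_secret", "ca_certificate", "user_certificate"),
    "IPSec Xauth RSA": ("ca_certificate", "user_certificate"),
    "IPSec Hybrid RSA": ("ca_certificate",),
    "IPSec IKEv2 RSA": ("user_certificate",),
}
ALL_TYPE_KEYS = {k for keys in TYPE_SETTINGS.values() for k in keys}


def lint_vpn_profile(profile, uploaded_certs):
    """Return a list of problems; an empty list means nothing was found."""
    ctype = profile.get("connection_type")
    if ctype not in TYPE_SETTINGS:
        return [f"unknown connection type: {ctype!r}"]
    wanted = COMMON + TYPE_SETTINGS[ctype]
    problems = [f"missing setting: {k}" for k in wanted if not profile.get(k)]
    # Secrets or certificates left over from another connection type.
    for key in sorted(ALL_TYPE_KEYS - set(wanted)):
        if profile.get(key):
            problems.append(f"setting not used by {ctype}: {key}")
    # Certificates must already be uploaded under Android > Security > Certificates.
    for key in ("ca_certificate", "user_certificate"):
        if key in wanted and profile.get(key) and profile[key] not in uploaded_certs:
            problems.append(f"certificate not uploaded: {profile[key]}")
    if ctype == "PPTP":
        if profile.get("always_on"):
            problems.append("Always-on is not available for PPTP")
        if not profile.get("ppp_encryption"):
            problems.append("PPP encryption (MPPE) is not enabled")
    return problems


# Constructed sample data for illustration.
SAMPLE_CERTS = {"corp-root-ca", "alice-user-cert"}
SAMPLE_PROFILE = {
    "profile_name": "Corp VPN", "server": "vpn.example.com",
    "connection_type": "IPSec Xauth RSA", "username": "%name%",
    "password": "constructed-password", "ca_certificate": "corp-root-ca",
    "user_certificate": "bob-user-cert",  # not in SAMPLE_CERTS
    "ipsec_psk": "left-over-key",         # belongs to a PSK connection type
}
```

Calling lint_vpn_profile(SAMPLE_PROFILE, SAMPLE_CERTS) reports the stale pre-shared key and the user certificate that has not been uploaded.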

Associate Policies with Devices / Groups

If the policy has not yet been saved:

  1. Navigate to Policy Targets.
  2. Click on +Add Devices.
  3. Select the devices and click OK.
  4. Click on Save to apply the policies to devices.

Apart from devices, you can also associate the policies with device groups, users and user groups from “Policy Targets”.

If the policy has already been saved, you can associate it by another method:

  1. From the Policies tab, check the policies to be associated.
  2. Click on Manage → Associate Targets and select the device.
  3. Click on Associate to apply the policy to the devices.

What happens at the device end?

Once the policy is associated with the device, the pushed VPN network will be visible in the VPN section of the Settings app of the device. The user can connect to the configured network without authenticating with the network password.

Warning:


The VPN won’t be configured if the device is not secured with a password. If no password is set on the device when the VPN policy is associated, a prompt appears asking the user to set one. The VPN can then be configured after a device password is set.


Exception:

If Web Content Filtering is applied, features like VPN and tethering may have conflicts. This behavior is expected on Samsung Knox devices.
