XenMobile

VPN device policy

The VPN device policy configures virtual private network (VPN) settings that enable user devices to connect securely to corporate resources. You can configure the VPN device policy for the following platforms. Each platform requires a different set of values, which are described in detail in this article.

To add or configure this policy, go to Configure > Device Policies. For more information, see Device policies.

Requirements for per-app VPNs

You configure the per-app VPN feature for the following platforms through VPN policies:

  • iOS
  • macOS
  • Android (legacy DA)
  • Samsung SAFE
  • Samsung Knox

To configure VPNs for Android Enterprise devices, create a Managed configurations device policy for the Citrix SSO app. See Configure VPN profiles for Android Enterprise.

Per-app VPN options are available for certain connection types. The following table indicates when per-app VPN options are available.

Platform             Connection type                                                                                        Remark
iOS                  Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix SSO, or Custom SSL
macOS                Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, or Custom SSL
Android (legacy DA)  Citrix SSO
Samsung SAFE         IPSEC, SSL                                                                                             VPN type set to Generic
Samsung Knox         IPSEC, SSL                                                                                             VPN type set to Generic

To create a per-app VPN for iOS and Android (legacy DA) devices using the Citrix SSO app, you need to perform extra steps, in addition to the VPN policy configuration. Also, you must verify that the following prerequisites are met:

  • On-premises Citrix Gateway
  • The following applications are installed on the device:
    • Citrix SSO
    • Citrix Secure Hub

A general workflow to configure a per-app VPN for iOS and Android devices using the Citrix SSO app is as follows:

  1. Configure a VPN device policy as described in this article.

  2. Configure Citrix ADC to accept traffic from the per-app VPN. For details, see Full VPN setup on Citrix Gateway.

iOS settings

To prepare for device upgrades to iOS 12:

The Citrix VPN connection type in the VPN device policy for iOS doesn’t support iOS 12. Perform these steps to delete your existing VPN device policy and create a VPN device policy with the Citrix SSO connection type:

  1. Delete your VPN device policy for iOS.
  2. Add a VPN device policy for iOS. Important settings:
    • Connection type = Citrix SSO
    • Enable per-app VPN = On
    • Provider type = Packet tunnel
  3. Add an App Attributes device policy for iOS. For Per-app VPN identifier, choose iOS_VPN.

Device Policies configuration screen

  • Connection name: Type a name for the connection.
  • Connection type: In the list, select the protocol to be used for this connection. The default is L2TP.
    • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
    • PPTP: Point-to-Point Tunneling.
    • IPSec: Your corporate VPN connection.
    • Cisco Legacy AnyConnect: This connection type requires that the Cisco Legacy AnyConnect VPN client is installed on the user device. Cisco is phasing out the Cisco Legacy AnyConnect client, which was based on a now deprecated VPN framework. For more information, see the support article https://support.citrix.com/article/CTX227708.

      To use the current Cisco AnyConnect client, use a Connection type of Custom SSL. For required settings, see “Configure Custom SSL protocol” in this section.

    • Juniper SSL: Juniper Networks SSL VPN client.
    • F5 SSL: F5 Networks SSL VPN client.
    • SonicWALL Mobile Connect: Dell unified VPN client for iOS.
    • Ariba VIA: Ariba Networks Virtual Internet Access client.
    • IKEv2 (iOS only): Internet Key Exchange version 2 for iOS only.
    • AlwaysOn IKEv2: Always-on access using IKEv2.
    • AlwaysOn IKEv2 Dual Configuration: Always-on access using IKEv2 dual configuration.
    • Citrix SSO: Citrix SSO client for iOS 12 and later.
    • Custom SSL: Custom Secure Socket Layer. This connection type is required for the Cisco AnyConnect client that has a bundle ID of com.cisco.anyconnect. Specify a Connection name of Cisco AnyConnect.

You can also deploy the VPN policy and enable a Network Access Control (NAC) filter for iOS devices. The filter blocks a VPN connection for devices that have non-compliant apps installed. The configuration requires specific settings for the iOS VPN policy, as described in “Configure the VPN device policy to support NAC” in this section. For more information about other settings required to enable the NAC filter, see Network Access Control.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select either Password authentication or RSA SecurID authentication.
  • Shared secret: Type the IPsec shared secret key.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure PPTP Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Select either Password authentication or RSA SecurID authentication.
  • Encryption level: In the list, select an encryption level. The default is None.
    • None: Use no encryption.
    • Automatic: Use the strongest encryption level supported by the server.
    • Maximum (128-bit): Always use 128-bit encryption.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure IPsec Protocol for iOS

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Shared Secret or Certificate for the type of authentication for this connection. The default is Shared Secret.
  • If you enable Shared Secret, configure these settings:
    • Group name: Type an optional group name.
    • Shared secret: Type an optional shared secret key.
    • Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
    • Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
  • If you enable Certificate, configure these settings:
    • Identity credential: In the list, select the identity credential to use. The default is None.
    • Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
    • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off.
  • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
  • Safari domains: Click Add to add a Safari domain name.

Configure Cisco legacy AnyConnect Protocol for iOS

To transition from the Cisco legacy AnyConnect client to the new Cisco AnyConnect client, use the Custom SSL protocol.

  • Provider bundle identifier: For the Legacy AnyConnect client, the bundle ID is com.cisco.anyconnect.gui.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Group: Type an optional group name.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Juniper SSL Protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User account: Type an optional user account.
  • Realm: Type an optional realm name.
  • Role: Type an optional role name.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure F5 SSL Protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure SonicWALL Protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Logon group or domain: Type an optional logon group or domain.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to On, configure these settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure Ariba VIA protocol for iOS

  • Provider bundle identifier: If your per-app VPN profile contains the bundle identifier of an app with multiple VPN providers of the same type, specify the provider to use here.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.

Configure IKEv2 protocols for iOS

This section includes settings used for the IKEv2, AlwaysOn IKEv2, and AlwaysOn IKEv2 Dual Configuration protocols. For the AlwaysOn IKEv2 Dual Configuration protocol, configure all these settings for both Cellular and Wi-Fi networks.

  • Allow user to disable automatic connection: For the AlwaysOn protocols. Select whether to allow users to turn off automatic connection to the network on their devices. The default is Off.

  • Host name or IP address for server: Type the server name or IP address for the VPN server.

  • Local Identifier: The FQDN or IP address for the IKEv2 client. This field is required.

  • Remote Identifier: The FQDN or IP address for the VPN server. This field is required.

  • Device Authentication: Choose Shared Secret, Certificate, or Device certificate based on device identifier for the type of authentication for this connection. The default is Shared Secret.

    • If you choose Shared Secret, type an optional shared secret key.

    • If you choose Certificate, choose an Identity credential to use. The default is None.

    • If you choose Device Certificate Based on Device Identifier, choose the Device identity type to use. The default is IMEI. To use this option, bulk import certificates using the REST API. See Upload certificates to iOS devices in bulk with the REST API. This option is available only when you select AlwaysOn IKEv2.

  • Extended Authentication Enabled: Select whether to enable Extended Authentication Protocol (EAP). If you choose On, type the User account and Authentication password.

  • Dead Peer Detection Interval: Choose how often a peer device is contacted to ensure that the peer device remains reachable. The default is None. Options are:

    • None: Disable dead peer detection.

    • Low: Contacts peer every 30 minutes.

    • Medium: Contacts peer every 10 minutes.

    • High: Contacts peer every 1 minute.

  • Disable Mobility and Multihoming: Choose whether to disable this feature.

  • Use IPv4/IPv6 internal subnet attributes: Choose whether to enable this feature.

  • Disable redirects: Choose whether to disable redirects.

  • Enable NAT keepalive while the device is asleep: For the AlwaysOn protocols. Keepalive packets maintain NAT mappings for IKEv2 connections. The chip sends these packets at regular intervals when the device is awake. If this setting is on, the chip sends keepalive packets even while the device is asleep. The default interval is 20 seconds over Wi-Fi and 110 seconds over cellular. You can change the interval by using the NAT keepalive interval parameter.

  • NAT keepalive Interval (seconds): Defaults to 20 seconds.

  • Enable Perfect Forward Secrecy: Choose whether to enable this feature.

  • DNS server IP addresses: Optional. A list of DNS server IP address strings. These IP addresses can include a mixture of IPv4 and IPv6 addresses. Click Add to type an address.

  • Domain name: Optional. The primary domain of the tunnel.

  • Search domains: Optional. A list of domain strings used to fully qualify single-label host names.

  • Append supplemental match domains to resolver’s list: Optional. Determines whether to add the supplemental match domains list to the resolver’s list of search domains. The default is On.

  • Supplemental match domains: Optional. A list of domain strings used to determine which DNS queries are to use the DNS resolver settings contained in the DNS server addresses. This key creates a split DNS configuration where only hosts in certain domains get resolved by using the DNS resolver of the tunnel. Hosts not in one of the domains in this list get resolved by using the default resolver of the system.

If this parameter contains an empty string, then that string is the default domain. This is how a split tunnel configuration can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel is the default route of the network, the listed DNS servers become the default resolver. In that case, the supplemental match domains list is ignored.

  • IKE SA Parameters and Child SA Parameters: Configure these settings for each Security Association (SA) parameters option:

    • Encryption Algorithm: In the list, select the IKE encryption algorithm to use. The default is 3DES.

    • Integrity Algorithm: In the list, select the integrity algorithm to use. The default is SHA1-96.

    • Diffie Hellman Group: In the list, select the Diffie Hellman group number. The default is 2.

    • IKE LifeTime in Minutes: Type an integer between 10 and 1440 representing the SA lifetime (rekey interval). The default is 1440 minutes.

  • Service Exceptions: For the AlwaysOn protocols. Service exceptions are system services that are exempt from AlwaysOn VPN. Configure these service exceptions settings:

    • Voice Mail: In the list, select how to handle the voice mail exception. The default is Allow traffic via tunnel.

    • AirPrint: In the list, select how to handle the AirPrint exception. The default is Allow traffic via tunnel.

    • Allow traffic from captive web sheet outside the VPN tunnel: Select whether to allow users to connect to public hotspots outside the VPN tunnel. The default is Off.

    • Allow traffic from all captive networking apps outside the VPN tunnel: Select whether to allow all hotspot networking apps outside the VPN tunnel. The default is Off.

    • Captive networking app bundle identifiers: For each hotspot networking app bundle identifier that users are allowed to access, click Add and type the hotspot networking app Bundle Identifier. Click Save to save the app bundle identifier.

  • Per-app VPN: Configure these settings for the IKEv2 connection types.

    • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off.
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: Click Add to add a Safari domain name.

  • Proxy configuration: Choose how the VPN connection routes through a proxy server. The default is None.

Configure Citrix SSO protocol for iOS

The Citrix SSO client is available in the Apple Store at https://apps.apple.com/us/app/citrix-sso/id1333396910.

  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to On, configure the following settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider type: Select whether the per-app VPN is provided as an App proxy or as a Packet tunnel. The default is App proxy. For the Citrix SSO client, set this option to Packet tunnel.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and specify the key/value pairs. Available parameters are:
    • disableL3: Disables system level VPN and allows only per-app VPN. No Value is needed.
    • useragent: Associates with this device policy any Citrix Gateway policies that are targeted to VPN plug-in clients. For requests initiated by the plug-in, the Value for this key is automatically added to the VPN plug-in.

Configure Custom SSL protocol for iOS

To transition from the Cisco Legacy AnyConnect client to the Cisco AnyConnect client:

  1. Configure the VPN device policy with the Custom SSL protocol. Deploy the policy to iOS devices.
  2. Upload the Cisco AnyConnect client from https://apps.apple.com/us/app/cisco-anyconnect/id1135064690, add the app to XenMobile, and then deploy the app to iOS devices.
  3. Remove the old VPN device policy from iOS devices.

Settings:

  • Custom SSL identifier (reverse DNS format): Set to the bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
  • Provider Bundle Identifier: If the app specified in Custom SSL identifier has multiple VPN providers of the same type (App proxy or Packet tunnel), then specify this bundle identifier. For the Cisco AnyConnect client, use com.cisco.anyconnect.
  • Server name or IP address: Type the server name or IP address for the VPN server.
  • User Account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate for the type of authentication for this connection. The default is Password.
    • If you enable Password, type an optional authentication password in the Auth password field.
    • If you enable Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to enable triggering a VPN connection when users connect to the network. The default is Off. For information on configuring settings when Enable VPN on demand is On, see Configure Enable VPN on demand settings for iOS.
  • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you set this option to On, configure the following settings:
    • On-demand match app enabled: Select whether per-app VPN connections trigger automatically when apps linked to the per-app VPN service initiate network communication.
    • Provider Type: A provider type indicates whether the provider is a VPN service or a proxy service. For a VPN service, choose Packet tunnel. For a proxy service, choose App proxy. For the Cisco AnyConnect client, choose Packet tunnel.
    • Safari domains: For each Safari domain that you want to allow to trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
  • Custom XML: For each custom XML parameter you want to add, click Add and do the following:
    • Parameter name: Type the name of the parameter to be added.
    • Value: Type the value associated with Parameter name.
    • Click Save to save the parameter or click Cancel to not save the parameter.

Configure the VPN device policy to support NAC

  1. The Connection type of Custom SSL is required for configuring the NAC filter.
  2. Specify a Connection name of VPN.
  3. For Custom SSL identifier, type com.citrix.NetScalerGateway.ios.app
  4. For Provider bundle identifier, type com.citrix.NetScalerGateway.ios.app.vpnplugin

The values in steps 3 and 4 come from the Citrix SSO installation that is required for NAC filtering. You do not configure an authentication password. For more information on using the NAC function, see Network Access Control.

Configure enable VPN on demand options for iOS

  • On Demand Domain: For each domain and associated action to take when users connect, click Add and do the following:
    • Domain: Type the domain to be added.
    • Action: In the list, select one of the possible actions:
      • Always establish: The domain always triggers a VPN connection.
      • Never establish: The domain never triggers a VPN connection.
      • Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server cannot resolve the domain, redirects to a different server, or times out.
    • Click Save to save the domain or click Cancel to not save the domain.
  • On demand rules
    • Action: In the list, select the action to be taken. The default is EvaluateConnection. Possible actions are:
      • Allow: Allow VPN on demand to connect when triggered.
      • Connect: Unconditionally initiate a VPN connection.
      • Disconnect: Remove the VPN connection and do not reconnect on demand as long as the rule matches.
      • EvaluateConnection: Evaluate the ActionParameters array for each connection.
      • Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
    • DNSDomainMatch: For each domain that the device’s search domain list can match that you want to add, click Add and do the following:
      • DNS Domain: Type the domain name. You can use the wildcard “*” prefix for matching multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
      • Click Save to save the domain or click Cancel to not save the domain.
    • DNSServerAddressMatch: For each IP address that any of the network’s specified DNS servers can match that you want to add, click Add and do the following:
      • DNS Server Address: Type the DNS server address you want to add. You can use the wildcard “*” suffix for matching DNS servers. For example, 17.* matches any DNS server in the class A subnet.
      • Click Save to save the DNS server address or click Cancel to not save the DNS server address.
    • InterfaceTypeMatch: In the list, select the type of primary network interface hardware in use. The default is Unspecified. Possible values are:
      • Unspecified: Matches any network interface hardware. This option is the default.
      • Ethernet: Matches only Ethernet network interface hardware.
      • WiFi: Matches only Wi-Fi network interface hardware.
      • Cellular: Matches only Cellular network interface hardware.
    • SSIDMatch: For each SSID to match against the current network that you want to add, click Add and do the following:
      • SSID: Type the SSID to add. If the network is not a Wi-Fi network, or if the SSID does not appear, the match fails. Leave this list empty to match any SSID.
      • Click Save to save the SSID or click Cancel to not save the SSID.
    • URLStringProbe: Type a URL to fetch. If this URL is successfully fetched without redirection, this rule matches.
    • ActionParameters : Domains: For each domain that EvaluateConnection checks that you want to add, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to not save the domain.
    • ActionParameters : DomainAction: In the list, select the VPN behavior for the domains specified in ActionParameters : Domains. The default is ConnectIfNeeded. Possible actions are:
      • ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails. Failure happens when the DNS server cannot resolve the domain, redirects to a different server, or times out.
      • NeverConnect: The domain never triggers a VPN connection.
    • ActionParameters : RequiredDNSServers: For each DNS server IP address to be used for resolving the specified domains, click Add and do the following:
      • DNS Server: Valid only when ActionParameters : DomainAction = ConnectIfNeeded. Type the DNS server to add. This server doesn’t need to be part of the device’s current network configuration. If the DNS server is not reachable, a VPN connection is established in response. This DNS server should be either an internal DNS server or a trusted external DNS server.
      • Click Save to save the DNS server or click Cancel to not save the DNS server.
    • ActionParameters : RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL’s host name can’t be resolved, the server is unreachable, or the server doesn’t respond, a VPN connection is established. Valid only when ActionParameters : DomainAction = ConnectIfNeeded.
    • OnDemandRules : XML content: Type, or copy and paste, the XML configuration of the on demand rules.
      • Click Check Dictionary to validate the XML code. You see Valid XML in green text below the XML content text box if the XML is valid. If it isn’t valid, you see an error message in orange text describing the error.
  • Proxy
    • Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.
      • If you enable Manual, configure these settings:
        • Host name or IP address for the proxy server: Type the host name or IP address for the proxy server. This field is required.
        • Port for the proxy server: Type the proxy server port number. This field is required.
        • User name: Type an optional proxy server user name.
        • Password: Type an optional proxy server password.
      • If you configure Automatic, configure this setting:
        • Proxy server URL: Type the URL for the proxy server. This field is required.
  • Policy Settings
    • Under Policy Settings, next to Remove policy, select either Select date or Duration until removal (in hours).
    • If you select Select date, click the calendar to select the specific date for removal.
    • In the Allow user to remove policy list, select Always, Password required, or Never.
    • If you selectPassword required, next toRemoval password, type the necessary password.

Configure a per-app VPN

Per-app VPN options for iOS are available for these connection types: Cisco Legacy AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Ariba VIA, Citrix VPN, Citrix SSO, and Custom SSL.

To configure a per-app VPN:

  1. In Configure > Device Policies, create a VPN policy.

  2. In Configure > Device Policies, create an App Attributes policy to associate an app with the per-app VPN policy. For Per-app VPN identifier, choose the name of the VPN policy created in Step 1. For Managed app bundle ID, choose from the app list or type the app bundle ID. (If you deploy an iOS App Inventory policy, the app list is populated with the inventoried apps.)

  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type the number of hours until policy removal occurs. Only available for iOS 6.0 and later.

macOS settings


  • Connection name: Type a name for the connection.
  • Connection type: In the list, select the protocol to be used for this connection. The default is L2TP.
    • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
    • PPTP: Point-to-Point Tunneling Protocol.
    • IPSec: Your corporate IPsec VPN connection.
    • Cisco AnyConnect: Cisco AnyConnect VPN client.
    • Juniper SSL: Juniper Networks SSL VPN client.
    • F5 SSL: F5 Networks SSL VPN client.
    • SonicWALL Mobile Connect: Dell SonicWALL unified VPN client.
    • Ariba VIA: Ariba Networks Virtual Internet Access client.
    • Citrix VPN: Citrix VPN client.
    • Custom SSL: Custom Secure Sockets Layer VPN.

The following sections list the configuration options for each of the preceding connection types.

Configure L2TP Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User Account: Type an optional user account.
  • Select Password authentication, RSA SecurID authentication, Kerberos authentication, or CryptoCard authentication. The default is Password authentication.
  • Shared secret: Type the IPsec shared secret key.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure PPTP Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User Account: Type an optional user account.
  • Select Password authentication, RSA SecurID authentication, Kerberos authentication, or CryptoCard authentication. The default is Password authentication.
  • Encryption level: Select the desired encryption level. The default is None. Do not deploy the default of None in production, because the tunnel then carries traffic in the clear; and note that even at Maximum, PPTP’s MS-CHAP v2 based key derivation is considered obsolete, so prefer IPsec or one of the SSL VPN connection types where you have the choice.
    • None: Use no encryption.
    • Automatic: Use the strongest encryption level supported by the server.
    • Maximum (128-bit): Always use 128-bit encryption.
  • Send all traffic: Select whether to send all traffic over the VPN. The default is Off.

Configure IPsec Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Shared Secret or Certificate as the type of authentication for this connection. The default is Shared Secret.
    • If you select Shared Secret authentication, configure these settings:
      • Group name: Type an optional group name.
      • Shared secret: Type an optional shared secret key.
      • Use hybrid authentication: Select whether to use hybrid authentication. With hybrid authentication, the server first authenticates itself to the client, and then the client authenticates itself to the server. The default is Off.
      • Prompt for password: Select whether to prompt users for their passwords when they connect to the network. The default is Off.
    • If you select Certificate authentication, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to require users to enter their PIN when connecting to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.

Configure Cisco AnyConnect Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User account: Type an optional user account.
  • Group: Type an optional group name.
  • Authentication type for the connection: In the list, select either Password or Certificate as the type of authentication for this connection. The default is Password.
    • If you select Password, type an optional authentication password in the Auth password field.
    • If you select Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.
    • Enable Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
      • On-demand match app enabled: Select whether a per-app VPN connection is triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
      • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
        • Domain: Type the domain to be added.
        • Click Save to save the domain or click Cancel to discard it.

Configure Juniper SSL Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User account: Type an optional user account.
  • Realm: Type an optional realm name.
  • Role: Type an optional role name.
  • Authentication type for the connection: In the list, select either Password or Certificate as the type of authentication for this connection. The default is Password.
    • If you select Password, type an optional authentication password in the Auth password field.
    • If you select Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure the following settings:
    • On-demand match app enabled: Select whether a per-app VPN connection is triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to discard it.

Configure F5 SSL Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate as the type of authentication for this connection. The default is Password.
    • If you select Password, type an optional authentication password in the Auth password field.
    • If you select Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether a per-app VPN connection is triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to discard it.

Configure SonicWALL Mobile Connect Protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User account: Type an optional user account.
  • Logon group or domain: Type an optional logon group or domain.
  • Authentication type for the connection: In the list, select either Password or Certificate as the type of authentication for this connection. The default is Password.
    • If you select Password, type an optional authentication password in the Auth password field.
    • If you select Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether a per-app VPN connection is triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to discard it.

Configure Ariba VIA protocol for macOS

  • Server name or IP address: Type the server name or IP address of the VPN server.
  • User account: Type an optional user account.
  • Authentication type for the connection: In the list, select either Password or Certificate as the type of authentication for this connection. The default is Password.
    • If you select Password, type an optional authentication password in the Auth password field.
    • If you select Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.
  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
    • On-demand match app enabled: Select whether a per-app VPN connection is triggered automatically when apps linked to the per-app VPN service initiate network communication. The default is Off.
    • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to discard it.

Configure Custom SSL protocol for macOS

  • Custom SSL identifier (reverse DNS format): Type the SSL identifier in reverse DNS format. This field is required.
  • Server name or IP address: Type the server name or IP address of the VPN server. This field is required.
  • User account: Type an optional user account.
    • Authentication type for the connection: In the list, select either Password or Certificate as the type of authentication for this connection. The default is Password.
    • If you select Password, type an optional authentication password in the Auth password field.
    • If you select Certificate, configure these settings:
      • Identity credential: In the list, select the identity credential to use. The default is None.
      • Prompt for PIN when connecting: Select whether to prompt users for their PIN when they connect to the network. The default is Off.
      • Enable VPN on demand: Select whether to trigger a VPN connection automatically when users connect to the network. The default is Off. For information on configuring the settings when Enable VPN on demand is On, see Configure enable VPN on demand options.
    • Per-app VPN: Select whether to enable per-app VPN. The default is Off. If you enable this option, configure these settings:
      • On-demand match app enabled: Select whether a per-app VPN connection is triggered automatically when apps linked to the per-app VPN service initiate network communication.
      • Safari domains: For each Safari domain that can trigger a per-app VPN connection, click Add and do the following:
        • Domain: Type the domain to be added.
        • Click Save to save the domain or click Cancel to discard it.
  • Custom XML: For each custom XML parameter you want to add, click Add and do the following:
    • Parameter name: Type the name of the parameter to be added.
    • Value: Type the value associated with Parameter name.
    • Click Save to save the parameter or click Cancel to discard it.

Configure enable VPN on demand options

  • On Demand Domain: For each domain, and the action to take when users connect to it, click Add and do the following:
    • Domain: Type the domain to be added.
    • Action: In the list, select one of the possible actions:
      • Always establish: The domain always triggers a VPN connection.
      • Never establish: The domain never triggers a VPN connection.
      • Establish if necessary: The domain triggers a VPN connection attempt if domain name resolution fails. Resolution fails when the DNS server cannot resolve the domain, redirects to a different server, or times out.
    • Click Save to save the domain or click Cancel to discard it.
  • On demand rules
    • Action: In the list, select the action to take when the rule matches. Rules are evaluated in order and the first rule whose match conditions are all satisfied determines the action. The default is EvaluateConnection. Possible actions are:
      • Allow: Allow VPN on demand to connect when triggered.
      • Connect: Unconditionally initiate a VPN connection.
      • Disconnect: Tear down the VPN connection and do not reconnect on demand as long as the rule matches.
      • EvaluateConnection: Evaluate the ActionParameters array for each connection.
      • Ignore: Leave any existing VPN connection up, but do not reconnect on demand as long as the rule matches.
    • DNSDomainMatch: For each domain that the user device’s search domain list can match, click Add and do the following:
      • DNS Domain: Type the domain name. You can use the wildcard “*” prefix to match multiple domains. For example, *.example.com matches mydomain.example.com, yourdomain.example.com, and herdomain.example.com.
      • Click Save to save the domain or click Cancel to discard it.
    • DNSServerAddressMatch: For each IP address that any of the network’s configured DNS servers can match, click Add and do the following:
      • DNS Server Address: Type the DNS server address you want to add. You can use the wildcard “*” suffix to match a range of DNS servers. For example, 17.* matches any DNS server whose address begins with 17.
      • Click Save to save the DNS server address or click Cancel to discard it.
    • InterfaceTypeMatch: In the list, select the type of primary network interface hardware in use. The default is Unspecified. Possible values are:
      • Unspecified: Matches any network interface hardware. This option is the default.
      • Ethernet: Matches only Ethernet network interface hardware.
      • WiFi: Matches only Wi-Fi network interface hardware.
      • Cellular: Matches only cellular network interface hardware.
    • SSIDMatch: For each SSID to match against the current network, click Add and do the following:
      • SSID: Type the SSID to add. If the network is not a Wi-Fi network, or if its SSID is not in this list, the match fails. Leave this list empty to match any SSID.
      • Click Save to save the SSID or click Cancel to discard it.
    • URLStringProbe: Type a URL to fetch. If this URL is fetched successfully without redirection, this rule matches.
    • ActionParameters : Domains: For each domain that EvaluateConnection checks, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to discard it.
    • ActionParameters : DomainAction: In the list, select the VPN behavior for the domains listed under ActionParameters : Domains. The default is ConnectIfNeeded. Possible actions are:
      • ConnectIfNeeded: The domain triggers a VPN connection attempt if domain name resolution fails. Resolution fails when the DNS server cannot resolve the domain, redirects to a different server, or times out.
      • NeverConnect: The domain never triggers a VPN connection.
    • ActionParameters : RequiredDNSServers: For each DNS server IP address to be used for resolving the specified domains, click Add and do the following:
      • DNS Server: Valid only when ActionParameters : DomainAction is ConnectIfNeeded. Type the DNS server to add. This server doesn’t need to be part of the device’s current network configuration. If the DNS server is not reachable, a VPN connection is established in response. This DNS server must be either an internal DNS server or a trusted external DNS server.
      • Click Save to save the DNS server or click Cancel to discard it.
    • ActionParameters : RequiredURLStringProbe: Optionally, type an HTTP or HTTPS (preferred) URL to probe with a GET request. If the URL’s host name cannot be resolved, the server is unreachable, or the server does not respond, a VPN connection is established. Valid only when ActionParameters : DomainAction is ConnectIfNeeded.
    • OnDemandRules : XML content: Type, or copy and paste, the XML configuration for the on-demand rules.
      • Click Check Dictionary to validate the XML. If the XML is valid, Valid XML appears in green text below the XML content text box. If it isn’t valid, an error message in orange text describes the error.
  • Proxy
    • Proxy configuration: In the list, select how the VPN connection routes through a proxy server. The default is None.
      • If you select Manual, configure these settings:
        • Host name or IP address for the proxy server: Type the host name or IP address of the proxy server. This field is required.
        • Port for the proxy server: Type the proxy server port number. This field is required.
        • User name: Type an optional proxy server user name.
        • Password: Type an optional proxy server password.
      • If you select Automatic, configure this setting:
        • Proxy server URL: Type the URL of the proxy server. This field is required.
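The on-demand rule fields above (and the identical set under the iOS settings) are easier to reason about when you can build the rule array, check the constraints the field descriptions state, and dry-run it against a network state before pasting it into OnDemandRules : XML content. The script below is an added example, not Citrix or Apple code. It assumes the XML content field takes the OnDemandRules array as a plist, and the rule set, office and cafe network states, and host names in it are constructed for illustration; nothing is fetched from the network.

```python
"""Build, validate and dry-run Apple VPN On Demand rules (OnDemandRules).

Added example, not Citrix or Apple code. It models the rule keys the policy
exposes (Action, DNSDomainMatch, DNSServerAddressMatch, InterfaceTypeMatch,
SSIDMatch, URLStringProbe, ActionParameters) and the constraints the field
descriptions state. The network states and rules below are constructed.
"""
import fnmatch
import plistlib

ACTIONS = {"Allow", "Connect", "Disconnect", "EvaluateConnection", "Ignore"}
INTERFACES = {"Ethernet", "WiFi", "Cellular"}   # Unspecified = key omitted
DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}


def validate_rules(rules):
    """Return a list of problems; an empty list means the rules are usable."""
    problems = []
    for i, rule in enumerate(rules):
        where = f"rule[{i}]"
        if rule.get("Action") not in ACTIONS:
            problems.append(f"{where}: Action must be one of {sorted(ACTIONS)}")
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] not in INTERFACES:
            problems.append(f"{where}: unknown InterfaceTypeMatch")
        params = rule.get("ActionParameters", [])
        if rule.get("Action") == "EvaluateConnection" and not params:
            problems.append(f"{where}: EvaluateConnection requires ActionParameters")
        if rule.get("Action") != "EvaluateConnection" and params:
            problems.append(f"{where}: ActionParameters is valid only with EvaluateConnection")
        for j, p in enumerate(params):
            pw = f"{where}.ActionParameters[{j}]"
            if not p.get("Domains"):
                problems.append(f"{pw}: Domains is required")
            if p.get("DomainAction") not in DOMAIN_ACTIONS:
                problems.append(f"{pw}: DomainAction must be ConnectIfNeeded or NeverConnect")
            extras = set(p) & {"RequiredDNSServers", "RequiredURLStringProbe"}
            if extras and p.get("DomainAction") != "ConnectIfNeeded":
                problems.append(f"{pw}: {sorted(extras)} valid only with ConnectIfNeeded")
            probe = p.get("RequiredURLStringProbe", "")
            if probe and not probe.startswith(("http://", "https://")):
                problems.append(f"{pw}: RequiredURLStringProbe must be an HTTP(S) URL")
    return problems


def to_plist_xml(rules):
    """Serialize the rules as plist XML for the 'OnDemandRules : XML content' field.
    Assumption: the field takes the OnDemandRules array itself."""
    return plistlib.dumps(rules).decode()


def _matches(rule, net):
    """True if every match key present in the rule is satisfied by `net`."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != net["interface"]:
        return False
    if rule.get("SSIDMatch"):            # an empty list matches any SSID
        if net["interface"] != "WiFi" or net.get("ssid") not in rule["SSIDMatch"]:
            return False
    if rule.get("DNSDomainMatch") and not any(
            fnmatch.fnmatchcase(d, pat)      # "*.example.com" style prefix wildcard
            for pat in rule["DNSDomainMatch"] for d in net["search_domains"]):
        return False
    if rule.get("DNSServerAddressMatch") and not any(
            fnmatch.fnmatchcase(s, pat)      # "10.0.*" style suffix wildcard
            for pat in rule["DNSServerAddressMatch"] for s in net["dns_servers"]):
        return False
    if rule.get("URLStringProbe") and rule["URLStringProbe"] not in net.get("reachable_urls", ()):
        return False
    return True


def decide(rules, net, hostname=None):
    """First matching rule wins. For EvaluateConnection return the DomainAction that
    applies to `hostname`; return None when no rule (or no listed domain) applies."""
    for rule in rules:
        if not _matches(rule, net):
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"]
        for p in rule["ActionParameters"]:
            if hostname and any(hostname == d or hostname.endswith("." + d) for d in p["Domains"]):
                return p["DomainAction"]
        return None
    return None


# Constructed rule set: no VPN on the office Wi-Fi with internal DNS; elsewhere
# connect only for intranet names that fail to resolve, never for the public site.
CORP_RULES = [
    {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
     "SSIDMatch": ["CorpWiFi"], "DNSServerAddressMatch": ["10.0.*"]},
    {"Action": "EvaluateConnection", "ActionParameters": [
        {"Domains": ["intranet.example.com"], "DomainAction": "ConnectIfNeeded",
         "RequiredDNSServers": ["10.0.0.53"],
         "RequiredURLStringProbe": "https://probe.intranet.example.com/ok"},
        {"Domains": ["example.com"], "DomainAction": "NeverConnect"}]},
]
# Deliberately wrong: ActionParameters on a Connect rule, and RequiredDNSServers
# under NeverConnect. validate_rules() reports both.
BAD_RULES = [{"Action": "Connect", "ActionParameters": [
    {"Domains": ["example.com"], "DomainAction": "NeverConnect",
     "RequiredDNSServers": ["10.0.0.53"]}]}]

OFFICE = {"interface": "WiFi", "ssid": "CorpWiFi",
          "dns_servers": ["10.0.0.53"], "search_domains": ["corp.example.com"]}
CAFE = {"interface": "WiFi", "ssid": "CafeFree",
        "dns_servers": ["192.168.1.1"], "search_domains": []}

if __name__ == "__main__":
    print(validate_rules(BAD_RULES))
    print(decide(CORP_RULES, OFFICE, "wiki.intranet.example.com"))  # Disconnect
    print(decide(CORP_RULES, CAFE, "wiki.intranet.example.com"))    # ConnectIfNeeded
    print(decide(CORP_RULES, CAFE, "www.example.com"))              # NeverConnect
    print(to_plist_xml(CORP_RULES))
```

Keep the Disconnect rule for the trusted network first: because evaluation stops at the first match, a catch-all EvaluateConnection rule placed above it would silently override it. The SSID and DNS server values that the match keys test come from the local network, so a hostile access point can present them; use them to avoid needless tunnelling, not as an access-control decision.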

Android settings


Configure Cisco AnyConnect VPN protocol for Android

  • Connection name: Type a name for the Cisco AnyConnect VPN connection. This field is required.
  • Server name or IP address: Type the name or IP address of the VPN server. This field is required.
  • Identity credential: In the list, select an identity credential.
  • Backup VPN server: Type the backup VPN server information.
  • User group: Type the user group information.
  • Trusted Networks
    • Automatic VPN policy: Enable or disable this option to set how the VPN reacts to trusted and untrusted networks. If enabled, configure these settings:
      • Trusted network policy: In the list, select the desired policy. The default is Disconnect. Possible options are:
        • Disconnect: The client terminates the VPN connection in the trusted network. This setting is the default.
        • Connect: The client initiates a VPN connection in the trusted network.
        • Do Nothing: The client takes no action.
        • Pause: When a user establishes a VPN session outside the trusted network and then enters a network configured as trusted, the VPN session is suspended. When the user leaves the trusted network again, the session resumes. This setting eliminates the need to establish a new VPN session after leaving a trusted network.
      • Untrusted network policy: In the list, select the desired policy. The default is Connect. Possible options are:
        • Connect: The client initiates a VPN connection in the untrusted network.
        • Do Nothing: The client takes no action in the untrusted network. This option disables always-on VPN.
    • Trusted domains: For each DNS domain suffix that the network interface has when the client is in the trusted network, click Add and do the following:
      • Domain: Type the domain to be added.
      • Click Save to save the domain or click Cancel to discard it.
    • Trusted servers: For each DNS server address that the network interface has when the client is in the trusted network, click Add and do the following:
      • Servers: Type the server to be added.
      • Click Save to save the server or click Cancel to discard it.
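The trusted-network settings above describe a small state machine: the client classifies each network it joins from the interface's DNS suffixes and DNS servers, then applies the trusted or untrusted policy, with Pause keeping a session alive across a visit to the trusted network. The script below is an added example, not Cisco or Citrix code, that models that behaviour; the policy values, the office and cafe network states, and the `walk()` helper are constructed for illustration.

```python
"""Trusted Network Detection as described for the Cisco AnyConnect policy:
classify the current network from the interface's DNS suffixes and DNS
servers, then apply the trusted/untrusted policy, including Pause/resume.

Added example, not Cisco or Citrix code. The network states are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class TndPolicy:
    trusted_domains: list                 # DNS suffixes seen on a trusted network
    trusted_servers: list                 # DNS server addresses seen there
    trusted_policy: str = "Disconnect"    # Disconnect | Connect | Do Nothing | Pause
    untrusted_policy: str = "Connect"     # Connect | Do Nothing


@dataclass
class Network:
    dns_suffixes: list
    dns_servers: list


@dataclass
class VpnState:
    connected: bool = False
    paused: bool = False
    history: list = field(default_factory=list)   # (trusted, action, connected, paused)


def is_trusted(policy: TndPolicy, net: Network) -> bool:
    """A network is trusted if any DNS suffix or DNS server matches the policy."""
    suffixes = {s.lower() for s in net.dns_suffixes}
    servers = set(net.dns_servers)
    return bool(suffixes & {d.lower() for d in policy.trusted_domains}
                or servers & set(policy.trusted_servers))


def on_network_change(policy: TndPolicy, state: VpnState, net: Network) -> VpnState:
    """Apply the policy for the network the device just joined; return the new state."""
    trusted = is_trusted(policy, net)
    if trusted:
        action = policy.trusted_policy
        if action == "Disconnect":
            state.connected, state.paused = False, False
        elif action == "Connect":
            state.connected, state.paused = True, False
        elif action == "Pause" and state.connected:
            state.paused = True           # session kept, but suspended while trusted
        # "Do Nothing": leave the session as it is
    else:
        action = policy.untrusted_policy
        if state.paused:                  # leaving the trusted network resumes a paused session
            state.paused = False
        if action == "Connect":
            state.connected = True
        # "Do Nothing": always-on is disabled, so nothing happens
    state.history.append((trusted, action, state.connected, state.paused))
    return state


def walk(policy: TndPolicy, networks) -> list:
    """Run a sequence of network changes from a fresh state and return the history."""
    state = VpnState()
    for net in networks:
        on_network_change(policy, state, net)
    return state.history


# Constructed networks: the office hands out the corp suffix and an internal
# resolver; the cafe hands out a private resolver and no suffix.
OFFICE = Network(["corp.example.com"], ["10.0.0.53"])
CAFE = Network([], ["192.168.1.1"])
POLICY = TndPolicy(["corp.example.com"], ["10.0.0.53"],
                   trusted_policy="Pause", untrusted_policy="Connect")

if __name__ == "__main__":
    for row in walk(POLICY, [CAFE, OFFICE, CAFE]):
        print(row)
    # (False, 'Connect', True, False)
    # (True, 'Pause', True, True)
    # (False, 'Connect', True, False)
```

Both trust signals are handed to the device by DHCP on whatever network it joins, so any network can claim the corporate suffix or resolver address. Treat Trusted Network Detection as a convenience that avoids tunnelling on the office LAN, not as a boundary that protects anything; the gateway's own authentication of the device is what does that.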

Configure the Citrix SSO protocol for Android

  • Connection name: Type a name for the VPN connection. This field is required.

  • Server name or IP address: Type the FQDN or IP address of the Citrix Gateway.

  • Authentication type for the connection: Choose an authentication type and complete the fields that appear for that type:

    • User name and Password: Type the VPN credentials for the Authentication types of Password or Password and Certificate. Optional. If you don’t provide the VPN credentials, the Citrix VPN app prompts for a user name and password. A password entered here is distributed to every device that receives the policy, so leaving it empty and letting the app prompt is the safer choice.

    • Identity credential: Appears for the Authentication types of Certificate or Password and Certificate. In the list, select an identity credential.

  • Enable per-app VPN: Select whether to enable per-app VPN. The default is Off. If you don’t enable per-app VPN, all traffic goes through the Citrix VPN tunnel. If you enable per-app VPN, specify the following settings.

    • Whitelist or Blacklist: If Whitelist, only the listed apps tunnel through this VPN. If Blacklist, all apps except those on the list tunnel through this VPN.

      Note:

      The XenMobile Server console includes the terms “blacklist” and “whitelist”. We are changing those terms in an upcoming release to “block list” and “allow list”.

    • Application List: Specify the allowed or blocked apps. Click Add and then type a comma-separated list of app package names.

  • Custom XML: Click Add and then type custom parameters. XenMobile supports these parameters for Citrix VPN:

    • DisableUserProfiles: Optional. To enable this parameter, type Yes for the Value. If enabled, XenMobile does not display user-added VPN connections and the user cannot add a connection. This setting is a global restriction and applies to all VPN profiles.
    • userAgent: A string value. You can specify a custom User-Agent string to send in each HTTP request. The specified string is appended to the existing Citrix VPN user agent.

Configure VPNs to support NAC

  1. Use the Connection type of Custom SSL to configure the NAC filter.
  2. Specify a Connection name of VPN.
  3. For Custom XML, click Add and do the following:
    • Parameter name: Type XenMobileDeviceId. This parameter carries the device ID used for the NAC check, which is based on device enrollment in XenMobile. If XenMobile enrolls and manages the device, the VPN connection is allowed. Otherwise, authentication is denied when the VPN is established.
    • Value: Type DeviceID_${device.id}, which is the value for the parameter XenMobileDeviceId. XenMobile expands the ${device.id} macro to the enrolled device’s ID when it deploys the policy.
    • Click Save to save the parameter.

Configure VPNs for Android Enterprise

To configure VPNs for Android Enterprise devices, create a Managed configurations device policy for the Citrix SSO app. See Configure VPN profiles for Android Enterprise.

Samsung SAFE settings


  • Connection name:Type a name for the connection.
  • VPN type: In the list, select the protocol to be used for this connection. The default is L2TP with pre-shared key. Possible options are:
    • L2TP with pre-shared key: Layer 2 Tunneling Protocol with pre-shared key authentication. This setting is the default.
    • L2TP with certificate: Layer 2 Tunneling Protocol with certificate authentication.
    • PPTP: Point-to-Point Tunneling Protocol.
    • Enterprise: Your corporate VPN connection. Applicable to SAFE versions earlier than 2.0.
    • Generic: A generic VPN connection. Applicable to SAFE versions 2.0 or later.

Configure L2TP with pre-shared key protocol for Samsung SAFE

  • Host name:Type the name of the VPN host. This option is required.
  • User name:Type an optional user name.
  • Password:Type an optional password.
  • Pre-shared key:Type the pre-shared key. This option is required.

Configure L2TP with certificate protocol for Samsung SAFE

  • Host name:Type the name of the VPN host. This option is required.
  • User name:Type an optional user name.
  • Password:Type an optional password.
  • Identity credential: In the list, select the identity credential to be used. The default is None.

Configure PPTP protocol for Samsung SAFE

  • Host name:Type the name of the VPN host. This option is required.
  • User name:Type an optional user name.
  • Password:Type an optional password.
  • Enable encryption:Select whether to enable encryption on the VPN connection.

Configure Enterprise protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • Enable backup server: Select whether to enable a backup VPN server. If enabled, in Backup VPN server, type the FQDN or IP address of the backup VPN server.
  • Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
    • User name: Type a user name.
    • Password: Type the user password.
  • Group name: Type an optional group name.
  • Authentication method: In the list, select the authentication method to be used. Possible options are:
    • Certificate: Use certificate authentication. This setting is the default. If selected, in the Identity credential list, select the credential to use. The default is None.
    • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
    • Hybrid RSA: Use hybrid authentication with RSA certificates.
    • EAP MD5: Authenticates the EAP peer to the EAP server only; there is no mutual authentication.
    • EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake Authentication Protocol version 2 for mutual authentication.
  • CA certificate: In the list, select the certificate to be used. The default is None.
  • Enable default route: Select whether to enable a default route to the VPN server. The default is Off.
  • Enable smartcard authentication: Select whether to allow users to authenticate by using smart cards. The default is Off.
  • Enable mobile option: Select whether to enable the mobile option. The default is Off.
  • Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
  • Split tunnel type: In the list, select the type of split tunneling to use. The default is Auto. Possible options are:
    • Auto: Split tunneling is used automatically.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: Split tunneling is not used.
  • SuiteB type: In the list, select the level of NSA Suite B cryptography to use. The default is GCM-128. Possible options are:
    • GCM-128: Use 128-bit AES-GCM (authenticated encryption).
    • GCM-256: Use 256-bit AES-GCM (authenticated encryption).
    • GMAC-128: Use 128-bit AES-GMAC (integrity only; no confidentiality).
    • GMAC-256: Use 256-bit AES-GMAC (integrity only; no confidentiality).
    • None: Do not use a Suite B cipher suite.
  • Forward routes: If your corporate VPN server supports forwarding routes, for each forwarding route to use, click Add and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route or click Cancel to discard it.

Configure generic protocol for Samsung SAFE

  • Host name: Type the name of the VPN host. This option is required.
  • Enable user authentication: Select whether to require user authentication. If enabled, in Password, type the user password.
  • User name: Type a user name.
  • Package Name Agent VPN: The package name, or ID, of the VPN client installed on the device; for example, the Mocana or Pulse Secure client.
  • VPN Connection type: In the list, select either IPSEC or SSL as the connection type to be used. The default is IPSEC. The following sections describe the configuration settings for each connection type.

Configure IPSEC connection type settings for Samsung SAFE

  • Identity: Type an optional identifier for this configuration.
  • IPsec group ID type: In the list, select the IPsec group ID type to use. The default is Default. Possible options are:
    • Default
    • IPv4 address
    • Fully qualified domain name (FQDN)
    • User FQDN
    • IKE key ID
  • IKE version: In the list, select the Internet Key Exchange version to use. The default is IKEv1.
  • Authentication method: In the list, select the authentication method to be used. The default is Certificate. Possible options are:
    • Certificate: Use certificate authentication. If selected, in the Identity credential list, select the credential to use. The default is None.
    • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
    • Hybrid RSA: Use hybrid authentication using RSA certificates.
    • EAP MD5: Authenticates the EAP peer to the EAP server, but does not perform mutual authentication.
    • EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
    • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
  • Identity credential: In the list, select the identity credential to use. The default is None.
  • CA certificate: In the list, select the certificate to be used.
  • Enable dead peer detection: Select whether to contact a peer to ensure that it remains alive. The default is Off.
  • Enable default route: Select whether to enable a default route to the VPN server.
  • Enable mobile option: Select whether to enable the mobile option.
  • ike LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
  • ipsec LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
  • Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
  • IKE Phase 1 key exchange mode: Select either Main or Aggressive for the IKE Phase 1 negotiation mode. The default is Main.
    • Main: No information is exposed to potential attackers during negotiation, but it is slower than Aggressive mode.
    • Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but it is faster than Main mode.
  • Perfect forward secrecy (PFS) value: Select whether to use PFS to require a new key exchange when renegotiating a connection.
  • Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
    • Auto: Split tunneling is used automatically.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: Split tunneling is not used.
  • IPSEC Encryption Algorithm: A VPN configuration that the IPsec protocol uses.
  • IKE Encryption Algorithm: A VPN configuration that the IPsec protocol uses.
  • IKE Integrity Algorithm: A VPN configuration that the IPsec protocol uses.
  • Vendor: A profile for the generic agent to communicate with the Knox API.
  • Forward routes: If your corporate VPN server supports forwarding routes, click Add for each forwarding route to use and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route, or click Cancel to discard it.
  • Per App VPN: For each per-app VPN you want to add, click Add and do the following:
    • Per App VPN: The VPN configuration that the app uses to communicate.
    • Click Save to save the per-app VPN, or click Cancel to discard it.

Configure SSL connection type settings for Samsung SAFE

  • Authentication method: In the list, select the authentication method to be used. The default is Not Applicable. Possible options are:
    • Not Applicable
    • Certificate: Use certificate authentication. If selected, in the Identity credential list, select the credential to use. The default is None.
    • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
  • CA certificate: In the list, select the certificate to be used.
  • Enable default route: Select whether to enable a default route to the VPN server.
  • Enable mobile option: Select whether to enable the mobile option.
  • Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
    • Auto: Split tunneling is used automatically.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: Split tunneling is not used.
  • SSL Algorithm: Type the SSL algorithm to use for client-server negotiation.
  • Vendor: A profile for the generic agent to communicate with the Knox API.
  • Forward routes: If your corporate VPN server supports forwarding routes, click Add for each forwarding route to use and do the following:
    • Forward route: Type the IP address for the forwarding route.
    • Click Save to save the route, or click Cancel to discard it.
  • Per App VPN: For each per-app VPN you want to add, click Add and do the following:
    • Per App VPN: The VPN configuration that the app uses to communicate.
    • Click Save to save the per-app VPN, or click Cancel to discard it.
  • Policy settings
    • Remove policy: Choose a method for scheduling policy removal. Available options are Select date and Duration until removal (in hours).
      • Select date: Click the calendar to select the specific date for removal.
      • Duration until removal (in hours): Type a number, in hours, until policy removal occurs.
    • Allow user to remove policy: You can select when users can remove the policy from their device. Select Always, Passcode required, or Never from the menu. If you select Passcode required, type a passcode in the Removal passcode field.
    • Profile scope: Select whether this policy applies to a User or an entire System. The default is User. This option is available only on macOS 10.7 and later.

Samsung Knox settings


When you configure any policy for Samsung Knox, it applies only inside the Samsung Knox container.

  • VPN Type: In the list, select the type of VPN connection to configure. The connection can be either Enterprise (applicable to Knox versions earlier than 2.0) or Generic (applicable to Knox versions 2.0 or higher). The default is Enterprise.

The following sections list the configuration options for each of the preceding connection types.

Configure Enterprise protocol for Samsung Knox

  • Connection name: Type a name for the connection. This field is required.
  • Host name: Type the name of the VPN host. This option is required.
  • Enable backup server: Select whether to enable a backup VPN server. If enabled, in Backup VPN server, type the FQDN or IP address of the backup VPN server.
  • Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
    • User name: Type a user name.
    • Password: Type the user password.
  • Group name: Type an optional group name.
  • Authentication method: In the list, select the authentication method to be used. Possible options are:
    • Certificate: Use certificate authentication. For certificate authentication, also select the credential to use from the Identity credential list.
    • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
    • Hybrid RSA: Use hybrid authentication using RSA certificates.
    • EAP MD5: Authenticates the EAP peer to the EAP server, but does not perform mutual authentication.
    • EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
  • CA certificate: In the list, select the certificate to be used.
  • Enable default route: Select whether to enable a default route to the VPN server.
  • Enable smartcard authentication: Select whether to allow users to authenticate by using smart cards. The default is Off.
  • Enable mobile option: Select whether to enable the mobile option.
  • Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
  • Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
    • Auto: Split tunneling is used automatically.
    • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
    • Disabled: No split tunneling is used.
  • SuiteB type: In the list, select the level of NSA Suite B encryption to use. Possible options are:
    • GCM-128: Use 128-bit AES-GCM encryption. This setting is the default.
    • GCM-256: Use 256-bit AES-GCM encryption.
    • GMAC-128: Use 128-bit AES-GMAC encryption.
    • GMAC-256: Use 256-bit AES-GMAC encryption.
    • None: Use no encryption.
  • Forward routes: Click Add to add any optional forwarding routes if your corporate VPN server supports multiple route tables.

Configure generic protocol for Samsung Knox

  • Connection name: Type a name for the connection. This field is required.
  • Package Name Agent VPN: The package name, or ID, of the VPN installed on the device; for example, Mocana or Pulse Secure.
  • Host name: Type the name of the VPN host. This option is required.
  • Enable user authentication: Select whether to require user authentication. If enabled, configure the following settings:
    • User name: Type a user name.
    • Password: Type the user password.
  • Identity: Type an optional identifier for this configuration. Only applies when VPN Connection type = IPSEC.
  • VPN Connection type: In the list, select either IPSEC or SSL for the connection type to be used. The default is IPSEC. The following sections describe the configuration settings for each connection type.
  • Configure IPSEC connection settings
    • IPsec group ID type: In the list, select the IPsec group ID type to use. The default is Default. Possible options are:
      • Default
      • IPv4 address
      • Fully qualified domain name (FQDN)
      • User FQDN
      • IKE key ID
    • IKE version: In the list, select the Internet Key Exchange version to use. The default is IKEv1.
    • Authentication method: In the list, select the authentication method to be used. The default is Certificate. Possible options are:
      • Certificate: Use certificate authentication. If selected, in the Identity credential list, select the credential to use. The default is None.
      • Pre-shared key: Use a pre-shared key. If selected, in the Pre-shared key field, type the shared secret key.
      • Hybrid RSA: Use hybrid authentication using RSA certificates.
      • EAP MD5: Authenticates the EAP peer to the EAP server, but does not perform mutual authentication.
      • EAP MSCHAPv2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication.
      • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
    • CA certificate: In the list, select the certificate to be used.
    • Enable dead peer detection: Select whether to contact a peer to ensure that it remains alive. The default is Off.
    • Enable default route: Select whether to enable a default route to the VPN server.
    • Enable mobile option: Select whether to enable the mobile option.
    • ike LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
    • ipsec LifeTime in Minutes: Type the number of minutes before the VPN connection must be reestablished. The default is 1440 minutes (24 hours).
    • Diffie-Hellman group value (key strength): In the list, select the key strength to be used. The default is 0.
    • IKE Phase 1 key exchange mode: Select either Main or Aggressive for the IKE Phase 1 negotiation mode. The default is Main.
      • Main: No information is exposed to potential attackers during negotiation, but it is slower than Aggressive mode.
      • Aggressive: Some information (for example, the identity of the negotiating peers) is exposed to potential attackers during negotiation, but it is faster than Main mode.
    • Perfect forward secrecy (PFS) value: Select whether to use PFS to require a new key exchange when renegotiating a connection.
    • Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
      • Auto: Split tunneling is used automatically.
      • Manual: Split tunneling is used over the IP address and port specified on the VPN server.
      • Disabled: Split tunneling is not used.
    • SuiteB Type: In the list, select the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
      • GCM-128: Use 128-bit AES-GCM encryption.
      • GCM-256: Use 256-bit AES-GCM encryption.
      • GMAC-128: Use 128-bit AES-GMAC encryption.
      • GMAC-256: Use 256-bit AES-GMAC encryption.
      • None: Use no encryption.
    • IPSEC Encryption Algorithm: VPN configuration that the IPsec protocol uses.
    • IKE Encryption Algorithm: VPN configuration that the IPsec protocol uses.
    • IKE Integrity Algorithm: VPN configuration that the IPsec protocol uses.
    • Knox: Configurations for Samsung Knox only.
    • Vendor: A profile for the generic agent to communicate with the Knox API.
    • Forward routes: If your corporate VPN server supports forwarding routes, click Add for each forwarding route to use and do the following:
      • Forward route: Type the IP address for the forwarding route.
      • Click Save to save the route, or click Cancel to discard it.
    • Per App VPN: For each per-app VPN you want to add, click Add and do the following:
      • Per App VPN: The VPN configuration the app uses to communicate.
      • Click Save to save the per-app VPN, or click Cancel to discard it.
  • Configure SSL connection settings
    • Authentication method: In the list, click the authentication method to use. Possible options are:
      • Not Applicable: No authentication method applies. This setting is the default.
      • Certificate: Use certificate authentication. This setting is the default. If selected, in the Identity credential list, select the credential to use. The default is None.
      • CAC based Authentication: Use a Common Access Card (CAC) for authentication.
    • CA certificate: In the list, select the certificate to be used.
    • Enable default route: Select whether to enable a default route to the VPN server.
    • Enable mobile option: Select whether to enable the mobile option.
    • Split tunnel type: In the list, select the type of split tunnel to use. Possible options are:
      • Auto: Split tunneling is used automatically.
      • Manual: Split tunneling is used over the IP address and port specified.
      • Disabled: No split tunneling is used.
    • SuiteB Type: In the list, select the level of NSA Suite B encryption to use. The default is GCM-128. Possible options are:
      • GCM-128: Use 128-bit AES-GCM encryption.
      • GCM-256: Use 256-bit AES-GCM encryption.
      • GMAC-128: Use 128-bit AES-GMAC encryption.
      • GMAC-256: Use 256-bit AES-GMAC encryption.
      • None: Use no encryption.
    • SSL Algorithm: Type the SSL algorithm to use for client-server negotiation.
    • Knox: Configurations for Samsung Knox only.
    • Vendor: A profile for the generic agent to communicate with the Knox API.
    • Forward routes: If your corporate VPN server supports forwarding routes, click Add for each forwarding route to use and do the following:
      • Forward route: Type the IP address for the forwarding route.
      • Click Save to save the route, or click Cancel to discard it.
    • Per App VPN: For each per-app VPN you want to add, click Add and do the following:
      • Per App VPN: The VPN configuration the app uses to communicate.
      • Click Save to save the per-app VPN, or click Cancel to discard it.
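The Samsung SAFE and Samsung Knox generic settings above carry several dependency rules (a pre-shared key is needed only for pre-shared key authentication, a certificate needs an identity credential, the IPSEC fields have no effect under an SSL connection type) and several choices the article itself describes as weaker (Aggressive mode, EAP MD5 without mutual authentication, SuiteB set to None, dead peer detection and PFS left off). The following is an added example, not Citrix's code, that reviews such a policy before it is saved. The policy is represented as a plain dict keyed by the article's field names; that layout, the sample values and the wording of the findings are assumptions of this example.

```python
# Added example, not Citrix's code: a lint pass over a Samsung SAFE / Knox
# "Generic" VPN policy expressed as a dict keyed by the field names this
# article uses. It checks required fields and the dependency rules the
# article states, and flags the settings the article describes as weaker
# or incomplete. The dict layout and the finding strings are this example's own.

IPSEC_AUTH = {"Certificate", "Pre-shared key", "Hybrid RSA", "EAP MD5",
              "EAP MSCHAPv2", "CAC based Authentication"}
SSL_AUTH = {"Not Applicable", "Certificate", "CAC based Authentication"}
SUITEB = {"GCM-128", "GCM-256", "GMAC-128", "GMAC-256", "None"}
SPLIT_TUNNEL = {"Auto", "Manual", "Disabled"}
# Fields listed under "Configure IPSEC connection settings"; they have no
# effect when the connection type is SSL.
IPSEC_ONLY = ("Identity", "IPsec group ID type", "IKE version",
              "IKE Phase 1 key exchange mode",
              "Perfect forward secrecy (PFS) value")


def _lint_ipsec(cfg):
    findings = []
    method = cfg.get("Authentication method", "Certificate")
    if method not in IPSEC_AUTH:
        findings.append(f"unknown IPSEC authentication method {method!r}")
    elif method == "Certificate" and cfg.get("Identity credential", "None") == "None":
        findings.append("Certificate authentication selected but Identity credential is None")
    elif method == "Pre-shared key" and not cfg.get("Pre-shared key"):
        findings.append("Pre-shared key authentication selected but no key supplied")
    elif method == "EAP MD5":
        findings.append("EAP MD5 authenticates the peer to the server only; no mutual authentication")
    if cfg.get("IKE Phase 1 key exchange mode", "Main") == "Aggressive":
        findings.append("Aggressive mode exposes peer identities during Phase 1; prefer Main")
    if not cfg.get("Perfect forward secrecy (PFS) value"):
        findings.append("PFS disabled: no fresh key exchange when the connection is renegotiated")
    if not cfg.get("Enable dead peer detection"):
        findings.append("dead peer detection off (the default): a dead peer is not detected")
    return findings


def _lint_ssl(cfg):
    findings = []
    method = cfg.get("Authentication method", "Not Applicable")
    if method not in SSL_AUTH:
        findings.append(f"unknown SSL authentication method {method!r}")
    elif method == "Certificate" and cfg.get("Identity credential", "None") == "None":
        findings.append("Certificate authentication selected but Identity credential is None")
    for key in IPSEC_ONLY:
        if key in cfg:
            findings.append(f"{key} is an IPSEC setting and is ignored when VPN Connection type = SSL")
    return findings


def lint_generic_vpn(cfg, knox=True):
    """Return a list of findings; an empty list means the policy passed.
    knox=True also requires Connection name (Knox generic); knox=False
    applies the Samsung SAFE generic rules, where only Host name is required."""
    findings = []
    required = ["Host name"] + (["Connection name"] if knox else [])
    for name in required:
        if not cfg.get(name):
            findings.append(f"missing required field: {name}")
    if cfg.get("Enable user authentication") and not (cfg.get("User name") and cfg.get("Password")):
        findings.append("user authentication enabled but User name or Password not set")
    ctype = cfg.get("VPN Connection type", "IPSEC")
    if ctype == "IPSEC":
        findings += _lint_ipsec(cfg)
    elif ctype == "SSL":
        findings += _lint_ssl(cfg)
    else:
        findings.append(f"VPN Connection type must be IPSEC or SSL, got {ctype!r}")
    suiteb = cfg.get("SuiteB type")
    if suiteb is not None and suiteb not in SUITEB:
        findings.append(f"unknown SuiteB type {suiteb!r}")
    elif suiteb == "None":
        findings.append("SuiteB type None: the tunnel carries unencrypted traffic")
    if cfg.get("Split tunnel type", "Auto") not in SPLIT_TUNNEL:
        findings.append("Split tunnel type must be Auto, Manual or Disabled")
    return findings


# Constructed sample policies; host and credential names are placeholders.
WEAK_POLICY = {
    "Connection name": "corp-knox-vpn",
    "Host name": "vpn.example.com",
    "VPN Connection type": "IPSEC",
    "Authentication method": "Pre-shared key",   # Pre-shared key field left empty
    "IKE Phase 1 key exchange mode": "Aggressive",
    "SuiteB type": "None",
}
HARDENED_POLICY = {
    "Connection name": "corp-knox-vpn",
    "Host name": "vpn.example.com",
    "VPN Connection type": "IPSEC",
    "Authentication method": "Certificate",
    "Identity credential": "corp-device-cert",
    "IKE Phase 1 key exchange mode": "Main",
    "Perfect forward secrecy (PFS) value": True,
    "Enable dead peer detection": True,
    "SuiteB type": "GCM-256",
    "Split tunnel type": "Disabled",
}

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, lint_generic_vpn(policy) or ["OK"])
```

Running the block reports five findings for the weak policy and none for the hardened one. Fields that the article leaves without a default are treated as off when absent, which is why an untouched policy is reported as lacking PFS and dead peer detection rather than silently passing.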

Windows Desktop/Tablet settings


  • Connection name: Enter a name for the connection. This field is required.
  • Profile type: In the list, select either Native or Plugin. The default is Native.
  • Configure Native profile type: These settings apply to the VPN built into users’ Windows devices.
    • Server address: Type the FQDN or IP address for the VPN server. This field is required.
    • Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
    • DNS Suffix: Type the DNS suffix.
    • Tunnel type: In the list, select the type of VPN tunnel to use. The default is L2TP. Possible options are:
      • L2TP: Layer 2 Tunneling Protocol with pre-shared key authentication.
      • PPTP: Point-to-Point Tunneling Protocol.
      • IKEv2: Internet Key Exchange version 2.
    • Authentication method: In the list, select the authentication method to use. The default is EAP. Possible options are:
      • EAP: Extensible Authentication Protocol.
      • MSChapV2: Use Microsoft’s Challenge-Handshake authentication for mutual authentication. This option is not available when you select IKEv2 for the tunnel type.
    • EAP method: In the list, select the EAP method to be used. The default is TLS. This field is not available when MSChapV2 authentication is enabled. Possible options are:
      • TLS: Transport Layer Security
      • PEAP: Protected Extensible Authentication Protocol
    • Trusted networks: Type a comma-separated list of networks that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Require smart card certificate: Select whether to require a smart card certificate. The default is Off.
    • Automatically select client certificate: Select whether to automatically choose the client certificate to use for authentication. The default is Off. This option is unavailable when you enable Require smart card certificate.
    • Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection remains on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
  • Configure Plugin profile type: These settings apply to VPN plug-ins obtained from the Windows Store and installed on users’ devices.
    • Server address: Type the FQDN or IP address for the VPN server. This field is required.
    • Remember credential: Select whether to cache the credential. The default is Off. When enabled, credentials are cached whenever possible.
    • DNS Suffix: Type the DNS suffix.
    • Client app ID: Type the package family name for the VPN plug-in.
    • Plugin Profile XML: Select the custom VPN plug-in profile to be used by clicking Browse and navigating to the file’s location. Contact the plug-in provider for format and details.
    • Trusted networks: Type a comma-separated list of networks that do not require a VPN connection for access. For example, when users are on your company wireless network, they can access protected resources directly.
    • Always on VPN: Select whether the VPN is always on. The default is Off. When enabled, the VPN connection remains on until the user manually disconnects.
    • Bypass For Local: Type the address and port number to allow local resources to bypass the proxy server.
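Several Native profile fields above are only available in combination with others: MSChapV2 cannot be chosen with an IKEv2 tunnel, the EAP method field disappears when MSChapV2 is selected, and automatic client certificate selection is unavailable when a smart card certificate is required. The following is an added example, not Citrix's code, that resolves a Native profile into the settings that actually take effect and reports which supplied values were dropped by those rules, so an administrator can compare what was entered with what the device receives. The dict layout, the sample profile and the output format are assumptions of this example; the field names and availability rules are the article's.

```python
# Added example, not Citrix's code: resolve a Windows Desktop/Tablet "Native"
# VPN profile (a dict keyed by this article's field names) into the settings
# that take effect, applying the availability rules the article states and
# reporting what those rules discard. Output shape is this example's own.

TUNNELS = {"L2TP", "PPTP", "IKEv2"}
AUTH_METHODS = {"EAP", "MSChapV2"}
EAP_METHODS = {"TLS", "PEAP"}


def resolve_native_profile(cfg):
    """Return (effective_settings, dropped, errors).

    dropped lists supplied values the article marks as unavailable in this
    combination; errors lists missing required fields and unknown values."""
    errors, dropped = [], []
    for name in ("Connection name", "Server address"):
        if not cfg.get(name):
            errors.append(f"missing required field: {name}")
    if cfg.get("Profile type", "Native") != "Native":
        errors.append("this resolver handles the Native profile type only")

    tunnel = cfg.get("Tunnel type", "L2TP")
    if tunnel not in TUNNELS:
        errors.append(f"unknown Tunnel type {tunnel!r}")
    auth = cfg.get("Authentication method", "EAP")
    if auth not in AUTH_METHODS:
        errors.append(f"unknown Authentication method {auth!r}")
    if tunnel == "IKEv2" and auth == "MSChapV2":
        # Article: MSChapV2 is not available when IKEv2 is the tunnel type.
        dropped.append("Authentication method=MSChapV2 (not available with IKEv2); EAP applies")
        auth = "EAP"

    effective = {
        "Connection name": cfg.get("Connection name"),
        "Server address": cfg.get("Server address"),
        "Tunnel type": tunnel,
        "Authentication method": auth,
        "Remember credential": bool(cfg.get("Remember credential", False)),
        "Always on VPN": bool(cfg.get("Always on VPN", False)),
        # The article describes Trusted networks as a comma-separated list.
        "Trusted networks": [n.strip() for n in cfg.get("Trusted networks", "").split(",") if n.strip()],
    }
    if auth == "EAP":
        eap = cfg.get("EAP method", "TLS")
        if eap not in EAP_METHODS:
            errors.append(f"unknown EAP method {eap!r}")
        effective["EAP method"] = eap
    elif "EAP method" in cfg:
        # Article: the EAP method field is not available with MSChapV2.
        dropped.append("EAP method (not available when MSChapV2 is selected)")

    smart_card = bool(cfg.get("Require smart card certificate", False))
    effective["Require smart card certificate"] = smart_card
    if smart_card:
        if cfg.get("Automatically select client certificate"):
            # Article: unavailable when a smart card certificate is required.
            dropped.append("Automatically select client certificate (unavailable with Require smart card certificate)")
    else:
        effective["Automatically select client certificate"] = bool(
            cfg.get("Automatically select client certificate", False))
    for optional in ("DNS Suffix", "Bypass For Local"):
        if cfg.get(optional):
            effective[optional] = cfg[optional]
    return effective, dropped, errors


# Constructed sample profile; names and addresses are placeholders.
SAMPLE_PROFILE = {
    "Connection name": "corp-win-vpn",
    "Server address": "vpn.example.com",
    "Tunnel type": "IKEv2",
    "Authentication method": "MSChapV2",
    "EAP method": "PEAP",
    "Require smart card certificate": True,
    "Automatically select client certificate": True,
    "Trusted networks": "corp.example.com, lab.example.com",
    "Always on VPN": True,
}

if __name__ == "__main__":
    effective, dropped, errors = resolve_native_profile(SAMPLE_PROFILE)
    print("effective:", effective)
    print("dropped:", dropped)
    print("errors:", errors)
```

For the sample profile the resolver keeps IKEv2, replaces the unavailable MSChapV2 choice with EAP (so the supplied EAP method PEAP now applies), and drops the automatic certificate selection because a smart card certificate is required. Comparing the `dropped` list with what was entered in the console is the quickest way to catch a profile that looks complete on screen but reaches the device with different authentication settings.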