Configuring Native VPN on Android Enterprise Devices

Before you begin

  • Devices must be running Android 6 or later.
  • Devices must be enrolled as Android Enterprise Device Owner (AEDO).
  • Devices must be running MobiControl Android Enterprise Agent version 15.1.4.1021 or later.
  • Devices must have a lock screen PIN or password set. This is required for certificate installation.
  • Devices must have a signed SOTI MDM plugin (Enterprise Full).
    Note: Samsung devices do not require this plugin.

About this task

You can configure native Virtual Private Networks (VPNs) through script commands on devices that are enrolled as Android Enterprise Work Managed with an OEM-specific plugin. This allows you to secure your device network traffic using VPN tunnels that are available natively on the device.

Procedure

  1. On non-Samsung devices, install the Full Enterprise SOTI MDM plugin first if it is not already installed. This feature requires the Full Enterprise plugin; other plugins might not operate as expected.
  2. For VPN profiles that require certificates, install the certificates on the device before sending the script to create the VPN profile. You can send the certificates using a certificate payload in a profile.
    After installing the profile, verify that the certificates were installed successfully. From the SOTI MobiControl console, navigate to Devices view > Device Name > Security and confirm that the certificates are listed as installed, not just pushed.
  3. Choose a script from the selections listed below. Edit the script as required and send it to the device using the SOTI MobiControl console to create the required VPN profile on the device.
    Note: If you need to remove existing VPN configurations at any time, send the following script command to the device: apply vpn wipe.

    For IPSec XAuth PSK:

    writeprivateprofstring VPN Name0 IPSecXAuth3
    writeprivateprofstring VPN ServerAddress0 192.33.44.55
    writeprivateprofstring VPN Account0
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0 Bing
    writeprivateprofstring VPN Type0 X
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN PSKey0 1111
    writeprivateprofstring VPN Domain0
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
    
    Figure 1. Profile in device settings screen:
    VPN settings screen for IPSec XAuth PSK on an Android device.

    For IPSec XAuth RSA:

    writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
    writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
    writeprivateprofstring VPN UserCertIssuer0 sotiqa-QACRT301-CA
    writeprivateprofstring VPN UserCertSn0 2200067E878CD33BE0B6F7DFF1000000067E87
    writeprivateprofstring VPN Name0 IPSecXauthRSA
    writeprivateprofstring VPN ServerAddress0 192.55.66.66
    writeprivateprofstring VPN Account0
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 Y
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN Domain0
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
    
    Figure 2. Profile in device settings screen:
    VPN settings screen for IPSec XAuth RSA on an Android device.

    For IPSec Hybrid RSA:

    writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
    writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
    writeprivateprofstring VPN Name0 IPSecHybridRSA
    writeprivateprofstring VPN ServerAddress0 192.365.66.456
    writeprivateprofstring VPN Account0
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 Z
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN Domain0
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
    
    Figure 3. Profile in device settings screen:
    VPN settings screen for IPSec Hybrid RSA on an Android device.

    For PPTP:

    writeprivateprofstring VPN Name0 PPTP
    writeprivateprofstring VPN ServerAddress0 192.33.34.56
    writeprivateprofstring VPN Account0 IamUserName
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 P
    writeprivateprofstring VPN EncryptionLevel0 1
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN Domain0 corp.soti.net
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
    
    Figure 4. Profile in device settings screen:
    VPN settings screen for PPTP on an Android device.
    Figure 5. On a non-Samsung device:
    VPN settings screen for PPTP on a non-Samsung Android device.

    For L2TP (with certificate):

    writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
    writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
    writeprivateprofstring VPN UserCertIssuer0 sotiqa-QACRT301-CA
    writeprivateprofstring VPN UserCertSn0 2200067E878CD33BE0B6F7DFF1000000067E87
    writeprivateprofstring VPN Name0 L2TP
    writeprivateprofstring VPN ServerAddress0 enter server address here
    writeprivateprofstring VPN Account0 Username
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 L
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN Domain0 sotiqaDomain
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
    
    Figure 6. Profile in device settings screen:
    VPN settings screen for L2TP with certificate on an Android device.
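
A pre-send check for the scripts in step 3, added here as an example (it is not SOTI code): it parses the writeprivateprofstring lines and flags a short pre-shared key, an unparsable server address, a missing certificate serial, a missing apply vpn, and PPTP, whose MS-CHAPv2 authentication is known to be breakable. The Type0 codes and key names are taken from the samples above; the finding names, the lint and parse functions, and the 20-character key minimum are assumptions.

```python
import ipaddress
import re
import shlex

# Certificate serial keys that each Type0 sample on this page sets.
CERT_KEYS = {"Y": ["CaCertSn0", "UserCertSn0"], "Z": ["CaCertSn0"],
             "L": ["CaCertSn0", "UserCertSn0"]}
MIN_PSK_LEN = 20  # assumed local policy, not a SOTI requirement


def parse(script):
    """Return {key: value} for the VPN section of a script."""
    values = {}
    for line in script.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[:2] == ["writeprivateprofstring", "VPN"]:
            values[tok[2]] = " ".join(tok[3:])
    return values


def lint(script):
    """Return a sorted list of finding codes for one VPN profile script."""
    v, findings = parse(script), set()
    vpn_type = v.get("Type0", "")
    if vpn_type == "P":
        findings.add("pptp-weak-protocol")
    if vpn_type == "X" and len(v.get("PSKey0", "")) < MIN_PSK_LEN:
        findings.add("short-psk")
    for key in CERT_KEYS.get(vpn_type, []):
        if not re.fullmatch(r"[0-9A-Fa-f]+", v.get(key, "")):
            findings.add("missing-cert-serial")
    addr = v.get("ServerAddress0", "")
    if re.fullmatch(r"[\d.]+", addr):
        try:
            ipaddress.IPv4Address(addr)
        except ValueError:
            findings.add("invalid-ipv4")
    elif not re.fullmatch(r"[A-Za-z0-9.-]+", addr):
        findings.add("invalid-server-address")
    if "apply vpn" not in map(str.strip, script.splitlines()):
        findings.add("no-apply")
    return sorted(findings)


# Constructed sample (not from the page): short key, bad address, no apply.
SAMPLE = ("writeprivateprofstring VPN ServerAddress0 192.0.2.300\n"
          "writeprivateprofstring VPN Type0 X\n"
          "writeprivateprofstring VPN PSKey0 1234\n")
print(lint(SAMPLE))
```

An empty list from lint means none of these checks fired; it does not confirm that the certificates named in the script are installed on the device.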