Configuring Native VPN on Android Enterprise Devices
Before you begin
- Devices must be running Android 6 or later.
- Devices must be enrolled as Android Enterprise Device Owner (AEDO).
- Devices must be running MobiControl Android Enterprise Agent version 15.1.4.1021 or later.
- Devices must have a lock screen PIN or password set. This is required for certificate installation.
- Devices must have a signed SOTI MDM plugin (Enterprise Full). Note: Samsung devices do not require this plugin.
About this task
You can configure native Virtual Private Networks (VPNs) through script commands on devices that are enrolled as Android Enterprise Work Managed with an OEM-specific plugin. This allows you to secure your device network traffic using VPN tunnels that are available natively on the device.
Procedure
- If the non-Samsung devices do not have the Full Enterprise SOTI MDM plugin installed yet, install the plugin first. This feature needs the Full Enterprise plugin to work. Other plugins might not operate as expected.
- For VPN profiles that require certificates, install the certificates on the device before sending the script to create the VPN profile. You can send the certificates using a certificate payload in a profile.
  After installing the profile, ensure that the certificates are successfully installed. From the SOTI MobiControl console, navigate to . Ensure the certificates are noted as installed and not pushed.
- Choose a script from the selections listed below. Edit the script as required and send it to the device using the SOTI MobiControl console to create the required VPN profile on the device.
  Note: If you need to remove existing VPN configurations at any time, send the following script command to the device: apply vpn wipe
For IPSec XAuth PSK:
    writeprivateprofstring VPN Name0 IPSecXAuth3
    writeprivateprofstring VPN ServerAddress0 192.33.44.55
    writeprivateprofstring VPN Account0
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0 Bing
    writeprivateprofstring VPN Type0 X
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN PSKey0 1111
    writeprivateprofstring VPN Domain0
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
For IPSec XAuth RSA:
    writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
    writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
    writeprivateprofstring VPN UserCertIssuer0 sotiqa-QACRT301-CA
    writeprivateprofstring VPN UserCertSn0 2200067E878CD33BE0B6F7DFF1000000067E87
    writeprivateprofstring VPN Name0 IPSecXauthRSA
    writeprivateprofstring VPN ServerAddress0 192.55.66.66
    writeprivateprofstring VPN Account0
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 Y
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN Domain0
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
For IPSec Hybrid RSA:
    writeprivateprofstring VPN CaCertIssuer0 SOTIQA-CACRT300 CA
    writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
    writeprivateprofstring VPN Name0 IPSecHybridRSA
    writeprivateprofstring VPN ServerAddress0 192.365.66.456
    writeprivateprofstring VPN Account0
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 Z
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN Domain0
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
For PPTP:
    writeprivateprofstring VPN Name0 PPTP
    writeprivateprofstring VPN ServerAddress0 192.33.34.56
    writeprivateprofstring VPN Account0 IamUserName
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 P
    writeprivateprofstring VPN EncryptionLevel0 1
    writeprivateprofstring VPN SharedSecret0
    writeprivateprofstring VPN Domain0 corp.soti.net
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
For L2TP (with certificate):
    writeprivateprofstring VPN CaCertIssuer0 SOTIQA-CACRT300 CA
    writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
    writeprivateprofstring VPN UserCertIssuer0 sotiqa-QACRT301-CA
    writeprivateprofstring VPN UserCertSn0 2200067E878CD33BE0B6F7DFF1000000067E87
    writeprivateprofstring VPN Name0 L2TP
    writeprivateprofstring VPN ServerAddress0 enter server address here
    writeprivateprofstring VPN Account0 Username
    writeprivateprofstring VPN Password0
    writeprivateprofstring VPN CacAuth0 0
    writeprivateprofstring VPN IPSecIdentifier0
    writeprivateprofstring VPN Type0 L
    writeprivateprofstring VPN EncryptionLevel0 0
    writeprivateprofstring VPN Domain0 sotiqaDomain
    writeprivateprofstring VPN IdType0
    writeprivateprofstring VPN IdValue0
    writeprivateprofstring VPN Client0 D
    writeprivateprofstring VPN AccountCount 1
    writeprivateprofstring VPN PayloadTypeId 411
    apply vpn
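A pre-send check for an edited script, as an added Python example that is not part of SOTI's documentation: it parses the writeprivateprofstring VPN lines, flags a ServerAddress0 that is neither a valid IP address nor a hostname, flags keys left empty for the chosen Type0, and lists the certificate issuer and serial pairs to confirm as installed on the device first. The per-type key requirements are inferred from the sample scripts on this page and are an assumption; all function names are hypothetical.

```python
import ipaddress
import re
import shlex

# Keys each Type0 letter needs, inferred from this page's sample scripts
# (an assumption of this example, not SOTI reference documentation).
CERT_KEYS = ["CaCertIssuer0", "CaCertSn0", "UserCertIssuer0", "UserCertSn0"]
REQUIRED = {"X": ["PSKey0"], "Y": CERT_KEYS, "Z": CERT_KEYS[:2], "P": [], "L": CERT_KEYS}
HOSTNAME = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")

# Constructed input: the page's IPSec Hybrid RSA sample, trimmed to the set keys.
SAMPLE = """writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
writeprivateprofstring VPN ServerAddress0 192.365.66.456
writeprivateprofstring VPN Type0 Z
apply vpn"""

def parse_script(text):
    """Return {key: value} for the VPN section; unset keys map to ''."""
    values = {}
    for line in text.splitlines():
        parts = shlex.split(line)  # honours quoted values with spaces
        if parts[:2] == ["writeprivateprofstring", "VPN"] and len(parts) >= 3:
            values[parts[2]] = " ".join(parts[3:])
    return values

def valid_server(addr):
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return bool(HOSTNAME.match(addr))

def lint(text):
    """List problems to fix before the script is sent to devices."""
    values = parse_script(text)
    vpn_type = values.get("Type0", "")
    problems = [] if vpn_type in REQUIRED else [f"unknown Type0 {vpn_type!r}"]
    problems += [f"{k} is empty for Type0 {vpn_type}"
                 for k in REQUIRED.get(vpn_type, []) if not values.get(k)]
    if not valid_server(values.get("ServerAddress0", "")):
        problems.append("ServerAddress0 is not a valid IP address or hostname")
    return problems

def cert_refs(text):
    """(issuer, serial) pairs to confirm as installed on the device first."""
    v = parse_script(text)
    return [(v[p + "Issuer0"], v.get(p + "Sn0", ""))
            for p in ("CaCert", "UserCert") if v.get(p + "Issuer0")]
```

Run `lint()` on the edited script and compare `cert_refs()` with the certificates shown as installed in the console before sending.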