Configuring Native VPN on Android Enterprise Devices
Before you begin
- Devices must be running Android 6 or later.
- You must enroll devices as Android Enterprise Device Owner (AEDO).
- Devices must be running SOTI MobiControl Android Enterprise Agent version 15.1.4.1021 or later.
- Devices must have a lock screen PIN or password set. You require this for certificate installation.
- Devices must have a signed SOTI MDM plugin (Enterprise Full).
Note: Samsung devices do not require this plugin.
About this task
SOTI MobiControl 2024.1 and later support the following IKEv2 Android Native VPNs:
- IKEv2/IPSec MSCHAPv2
- IKEv2/IPSec PSK
- IKEv2/IPSec RSA
When you enroll devices as Android Enterprise Work Managed with an OEM-specific plugin, you can use script commands to configure native Virtual Private Networks (VPNs). This enables you to secure your device network traffic using VPN tunnels that are available natively on the device.
Procedure
- If non-Samsung devices do not have the Full Enterprise SOTI MDM plugin installed yet, install the plugin first. This feature needs the Full Enterprise plugin to work. Other plugins might not operate as expected.
- For VPN profiles that require certificates, install the certificates on the device before sending the script to create the VPN profile. You can send the certificates using a certificate payload in a profile.
After installing the profile, check that the certificates are successfully installed. From the SOTI MobiControl console, navigate to . Make sure the certificates have the installed state and not pushed.
- Select a script from the list below. Edit the script as required and send it to the device using the SOTI MobiControl console to create the required VPN profile on the device.
Tip: If you need to remove existing VPN configurations at any time, send the following script command to the device:
apply vpn wipe
For IPSec XAuth PSK:
writeprivateprofstring VPN Name0 IPSecXAuth3
writeprivateprofstring VPN ServerAddress0 192.33.44.55
writeprivateprofstring VPN Account0
writeprivateprofstring VPN Password0
writeprivateprofstring VPN CacAuth0 0
writeprivateprofstring VPN IPSecIdentifier0 Bing
writeprivateprofstring VPN Type0 X
writeprivateprofstring VPN EncryptionLevel0 0
writeprivateprofstring VPN SharedSecret0
writeprivateprofstring VPN PSKey0 1111
writeprivateprofstring VPN Domain0
writeprivateprofstring VPN IdType0
writeprivateprofstring VPN IdValue0
writeprivateprofstring VPN Client0 D
writeprivateprofstring VPN AccountCount 1
writeprivateprofstring VPN PayloadTypeId 411
apply vpn
For IPSec XAuth RSA:
writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
writeprivateprofstring VPN UserCertIssuer0 sotiqa-QACRT301-CA
writeprivateprofstring VPN UserCertSn0 2200067E878CD33BE0B6F7DFF1000000067E87
writeprivateprofstring VPN Name0 IPSecXauthRSA
writeprivateprofstring VPN ServerAddress0 192.55.66.66
writeprivateprofstring VPN Account0
writeprivateprofstring VPN Password0
writeprivateprofstring VPN CacAuth0 0
writeprivateprofstring VPN IPSecIdentifier0
writeprivateprofstring VPN Type0 Y
writeprivateprofstring VPN EncryptionLevel0 0
writeprivateprofstring VPN SharedSecret0
writeprivateprofstring VPN Domain0
writeprivateprofstring VPN IdType0
writeprivateprofstring VPN IdValue0
writeprivateprofstring VPN Client0 D
writeprivateprofstring VPN AccountCount 1
writeprivateprofstring VPN PayloadTypeId 411
apply vpn
IPSec Hybrid RSA:
writeprivateprofstring VPN CaCertIssuer0 SOTIQA-CACRT300 CA
writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
writeprivateprofstring VPN Name0 IPSecHybridRSA
writeprivateprofstring VPN ServerAddress0 192.365.66.456
writeprivateprofstring VPN Account0
writeprivateprofstring VPN Password0
writeprivateprofstring VPN CacAuth0 0
writeprivateprofstring VPN IPSecIdentifier0
writeprivateprofstring VPN Type0 Z
writeprivateprofstring VPN EncryptionLevel0 0
writeprivateprofstring VPN SharedSecret0
writeprivateprofstring VPN Domain0
writeprivateprofstring VPN IdType0
writeprivateprofstring VPN IdValue0
writeprivateprofstring VPN Client0 D
writeprivateprofstring VPN AccountCount 1
writeprivateprofstring VPN PayloadTypeId 411
apply vpn
PPTP:
writeprivateprofstring VPN Name0 PPTP
writeprivateprofstring VPN ServerAddress0 192.33.34.56
writeprivateprofstring VPN Account0 IamUserName
writeprivateprofstring VPN Password0
writeprivateprofstring VPN CacAuth0 0
writeprivateprofstring VPN IPSecIdentifier0
writeprivateprofstring VPN Type0 P
writeprivateprofstring VPN EncryptionLevel0 1
writeprivateprofstring VPN SharedSecret0
writeprivateprofstring VPN Domain0 corp.soti.net
writeprivateprofstring VPN IdType0
writeprivateprofstring VPN IdValue0
writeprivateprofstring VPN Client0 D
writeprivateprofstring VPN AccountCount 1
writeprivateprofstring VPN PayloadTypeId 411
apply vpn
For L2TP (with certificate):
writeprivateprofstring VPN CaCertIssuer0 SOTIQA-CACRT300 CA
writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
writeprivateprofstring VPN UserCertIssuer0 sotiqa-QACRT301-CA
writeprivateprofstring VPN UserCertSn0 2200067E878CD33BE0B6F7DFF1000000067E87
writeprivateprofstring VPN Name0 L2TP
writeprivateprofstring VPN ServerAddress0 enter server address here
writeprivateprofstring VPN Account0 Username
writeprivateprofstring VPN Password0
writeprivateprofstring VPN CacAuth0 0
writeprivateprofstring VPN IPSecIdentifier0
writeprivateprofstring VPN Type0 L
writeprivateprofstring VPN EncryptionLevel0 0
writeprivateprofstring VPN Domain0 sotiqaDomain
writeprivateprofstring VPN IdType0
writeprivateprofstring VPN IdValue0
writeprivateprofstring VPN Client0 D
writeprivateprofstring VPN AccountCount 1
writeprivateprofstring VPN PayloadTypeId 411
apply vpn
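
A pre-flight check for an edited script before it is sent to devices, as an added example (not SOTI code or part of the original page): it parses the `writeprivateprofstring VPN` lines and flags unedited or malformed server addresses, short pre-shared keys, the PPTP legacy protocol, certificate references that depend on the earlier certificate step, and a missing `apply vpn`. The function names, finding codes and the `MIN_PSK_LEN` threshold are assumptions chosen for this example.

```python
import ipaddress
import re
import shlex

HOSTNAME = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)*[A-Za-z0-9-]{1,63}$")
MIN_PSK_LEN = 20  # assumption: local policy threshold, not a SOTI requirement

def parse_script(script):
    """Split a script into VPN-section {key: value} settings and other commands."""
    settings, other = {}, []
    for line in script.strip().splitlines():
        tokens = shlex.split(line)  # honours quoted values such as "SOTIQA-CACRT300 CA"
        if tokens[:2] == ["writeprivateprofstring", "VPN"] and len(tokens) >= 3:
            settings[tokens[2]] = " ".join(tokens[3:])  # unquoted spaces are rejoined
        elif tokens:
            other.append(" ".join(tokens))
    return settings, other

def lint(script):
    """Return sorted finding codes for one VPN profile script."""
    s, other = parse_script(script)
    findings = set()
    addr = s.get("ServerAddress0", "")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        # All-numeric dotted strings that fail IPv4 parsing are typos, not hostnames.
        if re.fullmatch(r"[\d.]*", addr) or not HOSTNAME.match(addr):
            findings.add("bad-server-address")
    if s.get("Type0") == "P":  # PPTP, per the Type0 value in the page's PPTP script
        findings.add("pptp-legacy-protocol")
    if s.get("PSKey0") and len(s["PSKey0"]) < MIN_PSK_LEN:
        findings.add("short-preshared-key")
    for key in ("CaCertSn0", "UserCertSn0"):  # serial numbers are hex on the page
        if key in s and not re.fullmatch(r"[0-9A-Fa-f]+", s[key]):
            findings.add("bad-cert-serial")
    if any(k.startswith(("CaCert", "UserCert")) for k in s):
        findings.add("certificate-must-be-installed-first")
    if not other or other[-1] != "apply vpn":
        findings.add("missing-apply-vpn")
    return sorted(findings)

# Constructed sample: abridged from the page's Hybrid RSA script, "apply vpn" left off.
SAMPLE = """
writeprivateprofstring VPN CaCertIssuer0 "SOTIQA-CACRT300 CA"
writeprivateprofstring VPN CaCertSn0 67662A47DA5A0EAE4DB49F88601C78B7
writeprivateprofstring VPN ServerAddress0 192.365.66.456
writeprivateprofstring VPN Type0 Z
"""
```

Calling `lint(SAMPLE)` reports the out-of-range address, the certificate dependency and the missing `apply vpn`; a clean script returns an empty list.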