How to Set Up Per-App VPN using Configuration Manager


~ Karan Rustagi

With the release of iOS 7, Apple introduced the Per-App VPN feature, which serves both IT professionals and end users. With this feature, IT professionals can specify which managed apps can use VPN on an Intune-managed iOS device. It also makes the connection experience seamless for the user by abstracting the steps taken to connect to a VPN server when accessing corporate documents.

The blog post here teaches you how to set up Per-App VPN for your enterprise using Microsoft Intune (cloud only), but if you want to do this using Configuration Manager, please continue reading.

Step 1

a. Create a VPN profile and select ‘Per App VPN (iOS 7 and later)’.


Step 2

a. Under Software Library – Applications, create an iOS application.


b. Select the VPN profile created in Step 1.a under Per-App VPN.


On the iOS Device

  • Make sure you’re running iOS 7 or later

  • Must have the appropriate 3rd party app installed:

    • Juniper

    • Checkpoint

    • F5

    • SonicWall

  • Make sure you have a zero-touch experience:

    • User taps on the 3rd party VPN app

    • Taps on Connect

    • VPN successfully connects without any extra prompts.

      • User must not be asked to trust the VPN server (i.e., User must not see the Dynamic Trust dialog box)

      • User must not enter any credentials

      • User must be connected to VPN upon tapping the connect button
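To check the zero-touch conditions above before testing on a device, the following added example (not from the original post or from Microsoft) inspects an unsigned .mobileconfig for Apple's Per-App VPN payload keys. That the deployed profile is available in this form is an assumption, and every sample value is a constructed placeholder.

```python
import plistlib

APP_LAYER = "com.apple.vpn.managed.applayer"  # Apple payload type for Per-App VPN
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def check_per_app_vpn(profile_bytes):
    """Return findings for every Per-App VPN payload in an unsigned .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    identities = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES}
    vpns = [p for p in payloads if p.get("PayloadType") == APP_LAYER]
    if not vpns:
        return [f"no {APP_LAYER} payload: this is not a Per-App VPN profile"]
    findings = []
    for p in vpns:
        name = p.get("UserDefinedName", "<unnamed>")
        vpn = p.get("VPN", {})
        if not p.get("VPNUUID"):
            findings.append(f"{name}: VPNUUID missing, managed apps cannot reference this VPN")
        if vpn.get("AuthenticationMethod") != "Certificate":
            findings.append(f"{name}: not certificate authentication, user may be prompted for credentials")
        elif vpn.get("PayloadCertificateUUID") not in identities:
            findings.append(f"{name}: PayloadCertificateUUID matches no identity payload in this profile")
        if not p.get("SafariDomains"):
            findings.append(f"{name}: SafariDomains empty, no Safari domains are routed through this VPN")
    return findings

def sample_profile(auth="Certificate", safari=("intranet.example.com",)):
    """Constructed sample profile; every value is a placeholder."""
    vpn = {"PayloadType": APP_LAYER, "PayloadUUID": "VPN-PAYLOAD-UUID",
           "UserDefinedName": "Corp Per-App VPN", "VPNType": "VPN",
           "VPNSubType": "com.example.vpnplugin", "VPNUUID": "APP-VPN-UUID",
           "SafariDomains": list(safari),
           "VPN": {"RemoteAddress": "vpn.example.com", "AuthenticationMethod": auth,
                   "PayloadCertificateUUID": "IDENTITY-UUID"}}
    identity = {"PayloadType": "com.apple.security.scep", "PayloadUUID": "IDENTITY-UUID"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [vpn, identity]})

if __name__ == "__main__":
    # Deliberately weak sample: password auth and no Safari domains.
    for finding in check_per_app_vpn(sample_profile(auth="Password", safari=())) or ["ok"]:
        print(finding)
```

An identity certificate delivered in a separate profile will show up as a finding here, so treat that line as a prompt to confirm where the certificate comes from rather than as a failure.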

Comments (3)

  1. Hi Karan
    Thanks for this article. There is plenty of Intune specific content, but a real lack of guides around Hybrid configuration.
    Are there any other limitations at present, or with the release of the current branch (1602) are we at feature parity?

    1. Hi Adrian,

      There isn’t an official list but the design intent behind CB is, there shouldn’t be any feature parity. Updates will be pushed down to the on-premises solution as soon as the Intune service is upgraded.

      1. Thanks Karan – I know this conversation is a few months old, but I have a question about feature parity and per-app VPN

        When deploying a per-app VPN profile (F5), we are unable to get Safari Domains to populate. The domain list populates in our F5 app, but not on the device itself

        This is seemingly because we are using SCCM to create the VPN profile. In the Intune Console itself, the option to deploy Safari Domains is there, so I know the product should be capable of doing this!

        Can you offer any guidance?
