
Intune VPN Profiles: Complete Configuration Guide

Learn how to configure and deploy VPN profiles in Intune for Windows, iOS, Android, and macOS devices, including certificate-based authentication and various VPN connection types.

By Ali Alame
Tags: intune, vpn, vpn-profiles, network-access, certificates, windows, ios, android, macos

VPN profiles in Microsoft Intune enable you to deploy preconfigured VPN connection settings to devices, allowing users to securely connect to your organization's network without manually configuring VPN settings. Intune supports multiple VPN connection types and authentication methods across Windows, iOS, Android, and macOS platforms.

Understanding VPN Profiles in Intune

VPN profiles in Intune assign VPN connection settings to users and devices, enabling secure remote access to organizational networks. VPN profiles work with VPN apps installed on devices to establish secure connections.

Key Benefits

  • Preconfigured Connections: Users don't need to configure VPN manually
  • Secure Authentication: Support for certificates and modern authentication
  • Multiple Platforms: Windows, iOS, Android, macOS support
  • Various VPN Types: Support for many enterprise VPN solutions
  • Automatic Connection: Can connect automatically when needed

For an overview, see Create VPN profiles to connect to VPN servers in Intune.

Prerequisites

Before creating VPN profiles:

  1. VPN App: Deploy VPN app to devices first
  2. Certificates: Configure certificates if using certificate authentication
  3. VPN Server: Ensure VPN server is accessible
  4. Network Access: Devices need network connectivity

Supported VPN Connection Types

Windows VPN Types

  • Automatic: Windows automatically selects VPN type
  • IKEv2: Internet Key Exchange version 2
  • L2TP: Layer 2 Tunneling Protocol
  • PPTP: Point-to-Point Tunneling Protocol
  • Check Point Capsule VPN
  • Cisco AnyConnect
  • Citrix SSO
  • Microsoft Tunnel
  • Palo Alto Networks GlobalProtect
  • Pulse Secure
  • SonicWall Mobile Connect
  • Zscaler

iOS/iPadOS VPN Types

  • Cisco AnyConnect
  • Cisco (IPSec)
  • Citrix SSO
  • F5 Access
  • Check Point Capsule VPN
  • IKEv2
  • Microsoft Tunnel
  • Palo Alto Networks GlobalProtect
  • Pulse Secure
  • SonicWall Mobile Connect
  • Zscaler
  • Custom VPN

Android VPN Types

  • Cisco AnyConnect
  • Citrix SSO
  • F5 Access
  • Check Point Capsule VPN
  • Microsoft Tunnel
  • Palo Alto Networks GlobalProtect
  • Pulse Secure
  • SonicWall Mobile Connect
  • Zscaler

For the complete list, see VPN connection types.

Creating VPN Profiles

Step 1: Deploy VPN App

Before creating VPN profiles, deploy the VPN app:

  1. Add VPN app to Intune
  2. Assign app to device or user groups
  3. Ensure app is installed before VPN profile deployment

For app deployment, see Add apps to Microsoft Intune.

Step 2: Create VPN Profile

Access VPN Profiles

  1. Sign in to the Microsoft Intune admin center
  2. Navigate to Devices > Manage devices > Configuration > Create
  3. Select platform (Windows, iOS, Android, macOS)
  4. Select Templates > VPN
  5. Select Create

Configure Basics

  1. Name: Enter descriptive name
  2. Description: Optional description
  3. Select Next

Configure VPN Settings

Platform-specific settings vary. Common settings include:

Connection Details:

  • Connection name: VPN connection identifier
  • VPN server address: Server FQDN or IP address
  • Connection type: Select VPN type

Authentication:

  • Authentication method:
    • Username and password
    • Certificates
    • Derived credentials

Advanced Settings:

  • Split tunneling: Configure split tunneling
  • DNS settings: Configure DNS servers
  • Proxy settings: Configure proxy if needed

Assign and Deploy

  1. Assign scope tags (optional)
  2. Assign to user or device groups
  3. Review and create

For step-by-step guidance, see Create VPN profiles to connect to VPN servers in Intune.

Certificate-Based Authentication

Prerequisites

  1. Trusted Root Certificate: Deploy root CA certificate
  2. User or Device Certificate: Deploy SCEP or PKCS certificate
  3. Certificate Profile: Configure certificate profile

Configuration

  1. Deploy trusted root certificate profile
  2. Deploy user or device certificate profile
  3. Create VPN profile referencing certificate
  4. Assign all profiles to same groups

Important:

  • Deploy certificates before VPN profile
  • Use device groups for device certificates
  • Use user groups for user certificates

For certificate guidance, see Use certificates for authentication in Microsoft Intune.
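The assignment rules above (certificate profiles deployed alongside the VPN profile, to the same groups, with device certificates on device groups and user certificates on user groups) can be checked mechanically before rollout. The following is an added example, not code from this article or from Microsoft: the inventory layout, field names, and group names are constructed for illustration and are not the Intune or Graph schema.

```python
# Added example. The inventory layout and every name below are constructed
# assumptions for illustration; this is not the Intune or Graph schema.
PROFILES = [
    {"name": "Corp Root CA", "kind": "trusted_root",
     "groups": {"grp-sales-devices", "grp-eng-devices"}},
    {"name": "Device SCEP", "kind": "client_cert", "subject": "device",
     "groups": {"grp-sales-devices"}},
    {"name": "Corp VPN", "kind": "vpn", "auth": "certificate",
     "root": "Corp Root CA", "client_cert": "Device SCEP",
     "groups": {"grp-sales-devices", "grp-eng-devices"}},
    {"name": "Legacy VPN", "kind": "vpn", "auth": "password",
     "groups": {"grp-contractor-users"}},
]
# Constructed directory: whether each group holds devices or users.
GROUP_TYPE = {"grp-sales-devices": "device", "grp-eng-devices": "device",
              "grp-contractor-users": "user"}


def audit_vpn_profiles(profiles, group_type):
    """Return findings for VPN profiles whose certificates are not co-assigned."""
    by_name = {p["name"]: p for p in profiles}
    findings = []
    for vpn in (p for p in profiles if p["kind"] == "vpn"):
        if vpn.get("auth") != "certificate":
            findings.append(f"{vpn['name']}: uses {vpn.get('auth')} "
                            "authentication; certificates are preferred")
            continue
        for role, kind in (("root", "trusted_root"), ("client_cert", "client_cert")):
            dep = by_name.get(vpn.get(role))
            if dep is None or dep["kind"] != kind:
                findings.append(f"{vpn['name']}: no {kind} profile referenced")
                continue
            # Every group that gets the VPN profile must also get the certificate.
            missing = sorted(vpn["groups"] - dep["groups"])
            if missing:
                findings.append(f"{vpn['name']}: '{dep['name']}' is not "
                                f"assigned to {', '.join(missing)}")
            # Device certificates go to device groups, user certificates to user groups.
            if kind == "client_cert":
                wrong = sorted(g for g in dep["groups"]
                               if group_type.get(g) != dep["subject"])
                if wrong:
                    findings.append(f"{vpn['name']}: {dep['subject']} certificate "
                                    f"'{dep['name']}' targets {', '.join(wrong)}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_vpn_profiles(PROFILES, GROUP_TYPE)))
```

On the constructed inventory, the audit reports that the client certificate profile is missing from one of the groups targeted by the VPN profile, and that the second VPN profile still uses password authentication.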

Per-App VPN

iOS/iPadOS Per-App VPN

Configure per-app VPN for iOS/iPadOS:

  1. Create VPN profile
  2. Configure per-app VPN settings
  3. Select apps that use VPN
  4. Assign to user groups

Note: Per-app VPN is supported for user enrollment on iOS/iPadOS and macOS.

For details, see Configure per-app VPN for iOS/iPadOS and macOS.

Best Practices

1. Deploy VPN App First

  • Install VPN app before VPN profile
  • Verify app installation
  • Test app functionality
  • Ensure app compatibility

2. Use Certificate Authentication

  • Prefer certificates over passwords
  • Deploy certificates properly
  • Test certificate authentication
  • Monitor certificate expiration

3. Configure Appropriate VPN Type

  • Choose VPN type based on requirements
  • Consider security needs
  • Test VPN connection
  • Verify compatibility

4. Test Before Deployment

  • Test with pilot groups
  • Verify connection works
  • Test authentication
  • Validate user experience

5. Monitor VPN Usage

  • Review connection logs
  • Monitor authentication failures
  • Track certificate issues
  • Address problems promptly

Troubleshooting

Common Issues

  1. VPN Not Connecting
    • Verify VPN app is installed
    • Check VPN server accessibility
    • Review authentication settings
    • Verify certificate deployment

  2. Authentication Failures
    • Check certificate validity
    • Verify certificate assignment
    • Review authentication method
    • Test credentials manually

  3. Profile Not Applying
    • Verify device enrollment
    • Check profile assignment
    • Review device check-in
    • Check for conflicts

For troubleshooting guidance, see Troubleshooting VPN profile issues in Microsoft Intune.

Conclusion

VPN profiles in Intune provide secure, preconfigured network access for your organization's devices. Follow these best practices:

✅ Deploy VPN app before VPN profile
✅ Use certificate authentication when possible
✅ Choose appropriate VPN type
✅ Test thoroughly before deployment
✅ Monitor VPN usage and issues

With these in place, you can provide seamless, secure network access while maintaining security and user experience.

Remember: VPN profiles require the VPN app to be installed first. Always deploy the app, then create and deploy the VPN profile. For certificate-based authentication, ensure certificates are deployed before the VPN profile.