-->

In Microsoft Intune, you can create and use Virtual Private Networks (VPNs) assigned to an app. This feature is called 'per-app VPN'. You choose the managed apps that can use your VPN on devices managed by Intune. When using per-app VPNs, end users automatically connect through the VPN, and get access to organizational resources, such as documents.

AT&T VPN is most compared with Cisco AnyConnect Secure Mobility Client and Prisma Access by Palo Alto Networks, whereas Zscaler Private Access is most compared with Prisma Access by Palo Alto Networks, Cisco AnyConnect Secure Mobility Client, Okta Workforce Identity, Cloudflare Access and F5 BIG-IP. See our list of.

Zscaler is enabling secure digital transformation by rethinking traditional network security, and empowering enterprises to securely work from anywhere. The Zscaler Cloud Security Platform elastically scales to your traffic demands. With no hardware or software to deploy, you can set up direct internet connections in minutes. Zscaler processes up to 140 billion transactions at peak periods and performs 175,000 unique security updates each day. In case you have Zscaler App running in Tunnel With Local Proxy mode, and upon launching Cisco AnyConnect receive the error that AnyConnect will not connect through a local proxy, support for local proxy must be enabled on the AnyConnect VPN Profile.

This feature applies to:

• iOS 9 and newer
• iPadOS 13.0 and newer

Check your VPN provider's documentation to see if your VPN supports per-app VPN.

This article shows you how to create a per-app VPN profile, and assign this profile to your apps. Use these steps to create a seamless per-app VPN experience for your end users. For most VPNs that support per-app VPN, the user opens an app, and automatically connects to the VPN.

Some VPNs allow username and password authentication with per-app VPN. Meaning, users need to enter a username and password to connect to the VPN.

Important

• There's a known issue in iOS/iPadOS 13. The issue prevents per-app VPN profiles from connecting in user enrollment environments that use certificate-based authentication. Apple plans to fix this in a future release of iOS.
• On iOS/iPadOS, per-app VPN isn't supported for IKEv2 VPN profiles.

Per-app VPN with Microsoft Tunnel or Zscaler

Microsoft Tunnel and Zscaler Private Access (ZPA) integrate with Azure Active Directory (Azure AD) for authentication. When using Tunnel or ZPA, you don't need the trusted certificate or SCEP or PKCS certificate profiles (described in this article).

If you have a per-app VPN profile set up for Zscaler, then opening one of the associated apps doesn't automatically connect to ZPA. Instead, the user needs to sign into the Zscaler app. Then, remote access is limited to the associated apps.

Prerequisites for per-app VPN

Important

Your VPN vendor may have other requirements for per-app VPN, such as specific hardware or licensing. Be sure to check with their documentation, and meet those prerequisites before setting up per-app VPN in Intune.

To prove its identity, the VPN server presents the certificate that must be accepted without a prompt by the device. To confirm the automatic approval of the certificate, create a trusted certificate profile. This trusted certificate profile must include the VPN server's root certificate issued by the Certification Authority (CA).

Export the certificate and add the CA

1. On your VPN server, open the administration console.

2. Confirm that your VPN server uses certificate-based authentication.

3. Export the trusted root certificate file. It has a .cer extension, and you add it when creating a trusted certificate profile.

4. Add the name of the CA that issued the certificate for authentication to the VPN server.

   If the CA presented by the device matches a CA in the Trusted CA list on the VPN server, then the VPN server successfully authenticates the device.

Create a group for your VPN users

Create or choose an existing group in Azure Active Directory (Azure AD). This group must include the users or devices that will use per-app VPN. To create a new group, see Add groups to organize users and devices.

Create a trusted certificate profile

Import the VPN server's root certificate issued by the CA into a profile created in Intune. The trusted certificate profile instructs the iOS/iPadOS device to automatically trust the CA that the VPN server presents.

1. Sign in to the Microsoft Endpoint Manager admin center.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties: Hd video converter factory pro full version download.

   • Platform: Select iOS/iPadOS.
   • Profile: Select Trusted certificate.

4. Select Create.

5. In Basics, enter the following properties:

   • Name: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is iOS/iPadOS trusted certificate VPN profile for entire company.
   • Description: Enter a description for the profile. This setting is optional, but recommended.

6. Select Next.

7. In Configuration settings, select the folder icon, and browse to your VPN certificate (.cer file) that you exported from your VPN administration console.

8. Select Next, and continue creating your profile. For more information, see Create a VPN profile.

Create a SCEP or PKCS certificate profile

The trusted root certificate profile allows the device to automatically trust the VPN Server. The SCEP or PKCS certificate provides credentials from the iOS/iPadOS VPN client to the VPN server. The certificate allows the device to silently authenticate without prompting for a username and password.

To configure and assign the client authentication certificate, see one of the following articles:

Be sure to configure the certificate for client authentication. You can set client authentication directly in SCEP certificate profiles (Extended key usage list > Client authentication). For PKCS, set client authentication in the certificate template in the certificate authority (CA).

Create a per-app VPN profile

This VPN profile includes the SCEP or PKCS certificate that has the client credentials, the VPN connection information, and the per-app VPN flag that enables the per-app VPN used by the iOS/iPadOS application.

1. In the Microsoft Endpoint Manager admin center, select Devices > Configuration profiles > Create profile.

2. Select Devices > Configuration profiles > Create profile.

3. Enter the following properties:

   • Platform: Select iOS/iPadOS.
   • Profile: Select VPN.

4. Select Create.

5. In Basics, enter the following properties:

   • Name: Enter a descriptive name for the custom profile. Name your profiles so you can easily identify them later. For example, a good profile name is iOS/iPadOS per-app VPN profile for myApp.
   • Description: Enter a description for the profile. This setting is optional, but recommended.

6. In Configuration settings, configure the following settings:

   • Connection type: Select your VPN client app.

   • Base VPN: Configure your settings. iOS/iPadOS VPN settings describes all the settings. When using per-app VPN, be sure you configure the following properties as listed:

     • Authentication method: Select Certificates.
     • Authentication certificate: Select an existing SCEP or PKCS certificate > OK.
     • Split tunneling: Select Disable to force all traffic to use the VPN tunnel when the VPN connection is active.

     For information on the other settings, see iOS/iPadOS VPN settings.

   • Automatic VPN > Type of automatic VPN > Per-app VPN

7. Select Next, and continue creating your profile. For more information, see Create a VPN profile.

Associate an app with the VPN profile

After adding your VPN profile, associate the app and Azure AD group to the profile.

1. In the Microsoft Endpoint Manager admin center, select Apps > All apps.

2. Select an app from the list > Properties > Assignments > Edit.

3. Go to the Required or Available for enrolled devices section.

4. Select Add group > Select the group you created (in this article) > Select.

5. In VPNs Download nintendo ds wifi code free software. , select the per-app VPN profile you created (in this article).

6. Select OK > Save.

When all of the following conditions exist, an association between an app and a profile is removed during the next device check-in:

• The app was targeted with required install intent.
• The profile and the app are assigned to the same group.
• You remove the per-app VPN configuration from the app assignment.

When all of the following conditions exist, an association between an app and a profile remains until the user requests a reinstall from the Company Portal app:

• The app was targeted with available install intent.
• The profile and the app are assigned to the same group.
• The end user requested the app install in the Company Portal app. This request results in the app and profile being installed on the device.
• You remove or change the per-app VPN configuration from the app assignment.

Verify the connection on the iOS/iPadOS device

With your per-app VPN set-up and associated with your app, verify the connection works from a device.

Before you attempt to connect

• Make sure you deploy all the policies described in this article to the same group. Otherwise, the per-app VPN experience won't work.
• If you're using the Pulse Secure VPN app or a custom VPN client app, then you can choose to use app-layer or packet-layer tunneling. For app-layer tunneling, set the ProviderType value to app-proxy. For packet-layer tunneling, set ProviderType value to packet-tunnel. Check your VPN provider's documentation to make sure you're using the correct value.

Connect using the per-app VPN

Verify the zero-touch experience by connecting without having to select the VPN or type your credentials. The zero-touch experience means:

• The device doesn't ask you to trust the VPN server. Meaning, the user doesn't see the Dynamic Trust dialog box.
• The user doesn't have to enter credentials.
• When the user opens one of the associated apps, the user's device is connected to the VPN.

Next steps

• To review iOS/iPadOS settings, see VPN settings for iOS/iPadOS devices in Microsoft Intune.
• To learn more about VPN setting and Intune, see configure VPN settings in Microsoft Intune.

Zscaler Vs Anyconnect

-->

In this tutorial, you'll learn how to integrate Zscaler ZSCloud with Azure Active Directory (Azure AD). When you integrate Zscaler ZSCloud with Azure AD, you can:

• Control in Azure AD who has access to Zscaler ZSCloud.
• Enable your users to be automatically signed-in to Zscaler ZSCloud with their Azure AD accounts.
• Manage your accounts in one central location - the Azure portal.

Prerequisites

To configure Azure AD integration with Zscaler ZSCloud, you need the following items:

• An Azure AD subscription. If you don't have an Azure AD environment, you can get a free account.
• Zscaler ZSCloud single sign-on enabled subscription.

Scenario description

In this tutorial, you configure and test Azure AD single sign-on in a test environment.

• Zscaler ZSCloud supports SP initiated SSO

• Zscaler ZSCloud supports Just In Time user provisioning

Adding Zscaler ZSCloud from the gallery

To configure the integration of Zscaler ZSCloud into Azure AD, you need to add Zscaler ZSCloud from the gallery to your list of managed SaaS apps.

1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
2. On the left navigation pane, select the Azure Active Directory service.
3. Navigate to Enterprise Applications and then select All Applications.
4. To add new application, select New application.
5. In the Add from the gallery section, type Zscaler ZSCloud in the search box.
6. Select Zscaler ZSCloud from results panel and then add the app. Wait a few seconds while the app is added to your tenant.

Configure and test Azure AD SSO for Zscaler ZSCloud

Configure and test Azure AD SSO with Zscaler ZSCloud using a test user called B.Simon. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Zscaler ZSCloud.

To configure and test Azure AD SSO with Zscaler ZSCloud, perform the following steps:

1. Configure Azure AD SSO - to enable your users to use this feature.
   1. Create an Azure AD test user - to test Azure AD single sign-on with B.Simon.
   2. Assign the Azure AD test user - to enable B.Simon to use Azure AD single sign-on.
2. Configure Zscaler ZSCloud SSO - to configure the single sign-on settings on application side.
   1. Create Zscaler ZSCloud test user - to have a counterpart of B.Simon in Zscaler ZSCloud that is linked to the Azure AD representation of user.
3. Test SSO - to verify whether the configuration works.

Configure Azure AD SSO

Follow these steps to enable Azure AD SSO in the Azure portal.

1. In the Azure portal, on the Zscaler zscloud application integration page, find the Manage section and select single sign-on.

2. On the Select a single sign-on method page, select SAML.

3. On the Set up single sign-on with SAML page, click the pencil icon for Basic SAML Configuration to edit the settings.

4. On the Basic SAML Configuration section, enter the values for the following fields:

   In the Sign-on URL textbox, type the URL used by your users to sign-on to your ZScaler ZSCloud application.

   Note

   You have to update the value with the actual Sign-On URL. Contact Zscaler ZSCloud Client support team to get the value. You can also refer to the patterns shown in the Basic SAML Configuration section in the Azure portal.

5. Your Zscaler ZSCloud application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows the list of default attributes. Click Edit icon to open User Attributes dialog.

6. In addition to above, Zscaler ZSCloud application expects few more attributes to be passed back in SAML response. In the User Claims section on the User Attributes dialog, perform the following steps to add SAML token attribute as shown in the below table:

   Name	Source Attribute
   memberOf	user.assignedroles

   a. Click Add new claim to open the Manage user claims dialog.

   b. In the Name textbox, type the attribute name shown for that row.

   c. Leave the Namespace blank.

   d. Select Source as Attribute.

   e. From the Source attribute list, type the attribute value shown for that row.

   f. Click Save.

   Note

   Please click here to know how to configure Role in Azure AD.

7. On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Certificate (Base64) from the given options as per your requirement and save it on your computer.

8. On the Set up Zscaler ZSCloud section, copy the appropriate URL(s) as per your requirement.

Create an Azure AD test user

In this section, you'll create a test user in the Azure portal called B.Simon.

1. From the left pane in the Azure portal, select Azure Active Directory, select Users, and then select All users.
2. Select New user at the top of the screen.
3. In the User properties, follow these steps:
   1. In the Name field, enter B.Simon.
   2. In the User name field, enter the username@companydomain.extension. For example, B.Simon@contoso.com.
   3. Select the Show password check box, and then write down the value that's displayed in the Password box.
   4. Click Create.

Assign the Azure AD test user

In this section, you enable Britta Simon to use Azure single sign-on by granting access to Zscaler ZSCloud.

1. In the Azure portal, select Enterprise Applications, select All applications, then select Zscaler ZSCloud.

2. In the applications list, select Zscaler ZSCloud.

3. In the menu on the left, select Users and groups.

4. Click the Add user button, then select Users and groups in the Add Assignment dialog.

5. In the Users and groups dialog, select the user like Britta Simon from the list, then click the Select button at the bottom of the screen.

6. From the Select Role dialog choose the appropriate user role in the list, then click the Select button at the bottom of the screen.

7. In the Add Assignment dialog select the Assign button.

   Note

   Default access role is not supported as this will break provisioning, so the default role cannot be selected while assigning user.

Configure Zscaler ZSCloud SSO

Zscaler App Cisco Anyconnect

1. To automate the configuration within Zscaler ZSCloud, you need to install My Apps Secure Sign-in browser extension by clicking Install the extension.

2. After adding extension to the browser, click on Setup Zscaler ZSCloud will direct you to the Zscaler ZSCloud application. From there, provide the admin credentials to sign into Zscaler ZSCloud. The browser extension will automatically configure the application for you and automate steps 3-6.

3. If you want to setup Zscaler ZSCloud manually, open a new web browser window and sign into your Zscaler ZSCloud company site as an administrator and perform the following steps:

4. Go to Administration > Authentication > Authentication Settings and perform the following steps:

   a. Under Authentication Type, choose SAML.

   b. Click Configure SAML.

5. On the Edit SAML window, perform the following steps: and click Save.

   a. In the SAML Portal URL textbox, Paste the Login URL which you have copied from Azure portal.

   b. In the Login Name Attribute textbox, enter NameID.

   c. Click Upload, to upload the Azure SAML signing certificate that you have downloaded from Azure portal in the Public SSL Certificate.

   d. Toggle the Enable SAML Auto-Provisioning.

   e. In the User Display Name Attribute textbox, enter displayName if you want to enable SAML auto-provisioning for displayName attributes. Conspiracy theory 911.

   f. In the Group Name Attribute textbox, enter memberOf if you want to enable SAML auto-provisioning for memberOf attributes.

   g. In the Department Name Attribute Enter department if you want to enable SAML auto-provisioning for department attributes.

   h. Click Save.

6. On the Configure User Authentication dialog page, perform the following steps:

   a. Hover over the Activation menu near the bottom left.

   b. Click Activate.

Configuring proxy settings

To configure the proxy settings in Internet Explorer

Zscaler Anyconnect App

1. Start Internet Explorer.

2. Select Internet options from the Tools menu for open the Internet Options dialog.

3. Click the Connections tab.

4. Click LAN settings to open the LAN Settings dialog.

5. In the Proxy server section, perform the following steps:

   a. Select Use a proxy server for your LAN.

   b. In the Address textbox, type gateway.Zscaler ZSCloud.net.

   c. In the Port textbox, type 80.

   d. Select Bypass proxy server for local addresses.

   e. Click OK to close the Local Area Network (LAN) Settings dialog.

6. Click OK to close the Internet Options dialog.

Create Zscaler ZSCloud test user

Zscaler Anyconnect Login

In this section, a user called Britta Simon is created in Zscaler ZSCloud. Zscaler ZSCloud supports just-in-time user provisioning, which is enabled by default. There is no action item for you in this section. If a user doesn't already exist in Zscaler ZSCloud, a new one is created after authentication.

Note

If you need to create a user manually, contact Zscaler ZSCloud support team.

Test SSO

In this section, you test your Azure AD single sign-on configuration with following options.

• Click on Test this application in Azure portal. This will redirect to Zscaler ZSCloud Sign-on URL where you can initiate the login flow.

• Go to Zscaler ZSCloud Sign-on URL directly and initiate the login flow from there.

• You can use Microsoft My Apps. When you click the Zscaler ZSCloud tile in the My Apps, this will redirect to Zscaler ZSCloud Sign-on URL. For more information about the My Apps, see Introduction to the My Apps.

Next steps

Once you configure Zscaler ZSCloud you can enforce session control, which protects exfiltration and infiltration of your organization’s sensitive data in real time. Session control extends from Conditional Access. Learn how to enforce session control with Microsoft Cloud App Security.