Microsoft Tunnel: access to on-prem resources from Android or iOS devices – Part 2

In the previous article on the Microsoft Tunnel solution, we discussed the advantages it brings to companies and their employees by giving mobile devices access to data and services hosted on on-premises resources; we also walked through the installation of Microsoft Tunnel Gateway in a container running on a Linux server.

Figure 1 – Microsoft Tunnel overview

The image above shows the communication flow from the devices to the internal resources: as described in the first part of the article, once the server configuration has been completed, the management agent on the Linux system communicates with Intune to retrieve server configuration policies and to send telemetry logs.

At this point, devices that have been configured for the purpose will be able to communicate with the corporate network; in this second part of the article, we will see exactly how to configure the required VPN profile and the app used to set up the VPN tunnel on Android and iOS devices.

Microsoft Defender for Endpoint app deployment

In order to take advantage of the Microsoft Tunnel functionality, the dedicated application must be present on the devices; since June 2021, the Microsoft Tunnel app has been replaced by the Microsoft Defender for Endpoint application as the client-side solution for establishing the VPN connection with the Microsoft Tunnel server. Let’s now see how to deploy the app and configure it for the Android and iOS platforms through the Microsoft Endpoint Manager admin center console:

Android:

  • Access the Apps section > All apps;
  • Click on the Add button;
  • From the App type drop-down menu, select the Managed Google Play app option and press the Select button;
  • Within the search field available on Managed Google Play, search for the Microsoft Defender for Endpoint app;
  • Select the app and press the Approve button;
  • Always authorize the permissions requested by the app through the Approve button;
  • Leave the Keep approved when app requests new permissions option unchanged and press the Save button;
  • Perform a sync between the Google portal and Microsoft Intune through the appropriate Sync button;
  • From the list of applications, select the Microsoft Defender for Endpoint app;
  • From the ribbon on the left, select the Properties item in the Manage section;
  • Press on the Edit item in the Assignments section;
  • Press the Add group item in the Required section and select the dedicated user-based Azure AD group: the application will be distributed to the users in that group;
  • To confirm the distribution, click on the Review + save button;

iOS:

  • Access the Apps section > All apps;
  • Click on the Add button;
  • From the App type drop-down menu, select the iOS store app option and press the Select button;
  • Click on Search the App Store and, within the available search field, search for the Microsoft Defender for Endpoint app;
    • From the drop-down menu on the right, remember to select the region you belong to;
  • Select the app and press the Select button;
  • Press the Next button to continue with the wizard;
  • Assign any Scope tags and press the Next button again;
  • Click on Add group in the Required section and select the user-based Azure AD group dedicated to app distribution;
  • To confirm the distribution, click on the Create button;

VPN Profile creation

Through the use of a Configuration Profile, it is possible to prepare the devices to use the Microsoft Defender for Endpoint app and thus establish the desired VPN connection; during the VPN profile creation phase it will be possible to define the settings that configure the app. Depending on the platform, the following settings are available:

Android

| Key | Type | Value | Description |
|---|---|---|---|
| vpn | Integer | 0 – 1 | When set to 1 (Enable), allows the Microsoft Defender for Endpoint anti-phishing feature to use the VPN |
| antiphishing | Integer | 0 – 1 | When set to 1 (Enable), activates the Microsoft Defender for Endpoint anti-phishing feature |
| defendertoggle | Integer | 0 – 1 | When set to 1 (Enable), activates Microsoft Defender for Endpoint |

Table 1 – Android Configuration keys

iOS

| Key | Value | Description |
|---|---|---|
| TunnelOnly | True – False | When set to True, enables only the tunneling functionality of Microsoft Defender for Endpoint |
| WebProtection | True – False | When set to True, enables the anti-phishing feature of Microsoft Defender for Endpoint |
| AutoOnboard | True – False | When set to True, activates the Web Protection feature of Microsoft Defender for Endpoint without requiring user authorization |

Table 2 – iOS Configuration keys

At this point, you can proceed with creating a Configuration Profile:

  • Log in to the Microsoft Endpoint Manager console with an administrative account;
  • Select Devices > Configuration Profiles;
  • Press the Add button;
  • From the Platform drop-down menu, select the relevant platform (Android or iOS/iPadOS);
  • Select the VPN profile from the list of available configurations and press the Create button;
  • Enter the name and any description of the configuration profile;
  • From the Connection Type drop-down menu, select the Microsoft Tunnel (for Android device) or Microsoft Tunnel (preview) (for iOS/iPadOS device) option;
  • Within the Base VPN section, assign a name to the VPN connection and select, through the Select a site item, the Microsoft Tunnel site created previously;
Figure 2 – VPN Profile configuration
  • In case you want to use the Microsoft Tunnel solution only in the context of a single application, expand the Per-app VPN section and configure the following settings:
    • For Android devices, press the Add button and select the app that will use the Tunnel function;
    • For iOS devices, move the toggle to Enable (during the deployment of the app that will use the feature, it will be possible to define the relevant VPN profile – see link);
  • On Android devices it is possible, by expanding the Always-on VPN section and moving the Always-on VPN toggle to Enable, to allow the VPN client to connect/reconnect whenever possible;
Figure 3 – Always-on VPN
  • Within the Custom settings menu, you can enter the keys and values listed in Tables 1 and 2 at the beginning of this section;
Figure 4 – Custom settings configuration (Android)
Figure 5 – Custom settings configuration (iOS)
  • Press the Next button to continue with the wizard;
  • Assign any Scope tags and press the Next button again;
  • Click on Add group and select the user-based Azure AD group dedicated to distribution;
  • To confirm the creation of the policy, click on the Create button;
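Because the Custom settings pane accepts free-form key/value pairs, a typo or a value of the wrong type (an Android key given True instead of 1, or an iOS key pasted into an Android profile) is silently ignored by the client. The following Python helper, added here as an illustration and not part of the original article or of Microsoft's tooling, checks a proposed set of custom settings against the rules in Tables 1 and 2 before they are typed into the profile; the function names and the output list shape are this example's own assumptions.

```python
"""Validate Microsoft Tunnel custom settings for the Defender for Endpoint
VPN profile per platform (example code, not Microsoft's own tooling)."""

# Documented keys per platform, taken from Tables 1 and 2 above.
# Android keys are Integer 0/1; iOS keys are True/False.
ANDROID_KEYS = {"vpn", "antiphishing", "defendertoggle"}
IOS_KEYS = {"TunnelOnly", "WebProtection", "AutoOnboard"}


def validate_custom_settings(platform: str, settings: dict) -> list:
    """Return a list of problems; an empty list means every key is documented
    for the platform and every value has the type the tables require."""
    problems = []
    if platform == "android":
        allowed, other, other_name = ANDROID_KEYS, IOS_KEYS, "iOS"
    elif platform == "ios":
        allowed, other, other_name = IOS_KEYS, ANDROID_KEYS, "Android"
    else:
        return [f"unknown platform {platform!r}"]
    for key, value in settings.items():
        if key in other:
            problems.append(f"{key}: {other_name}-only key used on {platform}")
        elif key not in allowed:
            problems.append(f"{key}: not a documented Microsoft Tunnel key")
        elif platform == "android":
            # bool is a subclass of int in Python, so reject it explicitly:
            # the Android keys take the integers 0 or 1 only.
            if isinstance(value, bool) or value not in (0, 1):
                problems.append(f"{key}: Android value must be 0 or 1, got {value!r}")
        elif not isinstance(value, bool):
            # iOS keys take True/False; the string "True" is not accepted here.
            problems.append(f"{key}: iOS value must be True or False, got {value!r}")
    return problems


def build_custom_settings(platform: str, settings: dict) -> list:
    """Validate, then render the settings as the key/value rows to enter in the
    profile's Custom settings pane (values rendered as text, e.g. "1", "True")."""
    problems = validate_custom_settings(platform, settings)
    if problems:
        raise ValueError("; ".join(problems))
    return [{"key": k, "value": str(v)} for k, v in settings.items()]


if __name__ == "__main__":
    # Constructed sample: full Defender + Tunnel posture on Android, tunnel-only on iOS.
    print(build_custom_settings("android", {"vpn": 1, "antiphishing": 1, "defendertoggle": 1}))
    print(build_custom_settings("ios", {"TunnelOnly": True, "WebProtection": False}))
    print(validate_custom_settings("android", {"TunnelOnly": True, "vpn": True}))
```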

References

Here are some useful references to the official Microsoft documentation:

Conclusions

In this second article, we have covered the steps needed to distribute the Microsoft Defender for Endpoint application to our users and to deploy the configuration profile that prepares the VPN; through Microsoft Endpoint Manager, we have seen how simple it is to configure both Android and iOS devices from a single management console.
