diff --git a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md index ae2b79c1b3..ab9cd3bddb 100644 --- a/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md +++ b/windows/keep-secure/create-vpn-and-wip-policy-using-intune.md 
@@ -26,100 +26,44 @@ Follow these steps to create the VPN policy you want to use with WIP. 1. Open the Microsoft Azure Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. -2. In the Create Profile pane, specify the following: + ![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png) - - **Name.** Type the name for your VPN policy. For this topic, we're using *Contoso_VPN_Win10*. +2. In the **Create Profile** pane, type *Contoso_VPN_Win10* into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. - - **Description.** Optionally add text about your policy. + ![Microsoft Azure Intune, Create a new policy using the Create Profile pane](images/wip-azure-vpn-configure-policy.png) - - Platform. Pick Windows 10 and later +3. In the **Custom OMA-URI Settings** pane, click **Add**. -2. In the Create Profile pane, type *Contoso_VPN_Win10* into the **Name** box, add an optional description for your policy into the **Description** box, pick **Windows 10 and later** from the **Platform** dropdown box, and pick **Custom** from the **Profile type** dropdown box. +4. In the **Add Row** pane, type: -3. Select + - **Name.** Type _EDPModeID_ as the name. + + - **Description.** Type an optional description for your setting. + + - **OMA-URI.** Type _./Vendor/MSFT/VPNv2//EDPModeId_ into the box. - ![Microsoft Intune, Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) + - **Data type.** Select **String** from the dropdown box + + - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. -3. 
Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box. + ![Microsoft Azure Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) - -4. In the **VPN Settings** area, type the following info: - - - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. - - - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. - - - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. - - - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). - - ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) - -5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

-It's your choice whether you check the box to **Remember the user credentials at each logon**. - - ![Microsoft Intune, Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) - -6. You can leave the rest of the default or blank settings, and then click **Save Policy**. +5. Click **OK** to save your setting info in the **Add Row** pane, and then click **OK** in the **Custom OMA-URI Settings** pane to save the setting with your policy. ## Deploy your VPN policy using Microsoft Intune After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. -**To deploy your VPN policy** +**To deploy your Custom VPN policy** -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. +1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

-The added people move to the **Selected Groups** list on the right-hand pane. + A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane. - ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) +2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. -3. After you've picked all of the employees and groups that should get the policy, click **OK**.

-The policy is deployed to the selected users' devices. - -## Link your WIP and VPN policies and deploy the custom configuration policy -The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies - -**To link your VPN policy** - -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. - -2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - - ![Microsoft Intune, Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) - -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) - -4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info. - -5. In the **OMA-URI Settings** area, type the following info: - - - **Setting name.** Type **EDPModeID** as the name. - - - **Data type.** Pick the **String** data type. - - - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EDPModeId`, replacing <*VPNProfileName*> with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`. - - - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. - - ![Microsoft Intune: Fill in the OMA-URI Settings for the EMPModeID setting](images/intune-vpn-omaurisettings.png) - -6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** - - - **To deploy your linked policy** - -1. 
On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane. - - ![Microsoft Intune, Manage Deployment box used to deploy your linked VPN policy](images/intune-groupselection_vpnlink.png) - -3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices. + The policy is deployed to the selected users' devices. + ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/images/wip-azure-vpn-configure-policy.png b/windows/keep-secure/images/wip-azure-vpn-configure-policy.png new file mode 100644 index 0000000000..fdc9d4e7c8 Binary files /dev/null and b/windows/keep-secure/images/wip-azure-vpn-configure-policy.png differ diff --git a/windows/keep-secure/images/wip-azure-vpn-custom-omauri.png b/windows/keep-secure/images/wip-azure-vpn-custom-omauri.png new file mode 100644 index 0000000000..f397cd6797 Binary files /dev/null and b/windows/keep-secure/images/wip-azure-vpn-custom-omauri.png differ diff --git a/windows/keep-secure/images/wip-azure-vpn-device-policy.png b/windows/keep-secure/images/wip-azure-vpn-device-policy.png new file mode 100644 index 0000000000..30dde125e1 Binary files /dev/null and b/windows/keep-secure/images/wip-azure-vpn-device-policy.png differ
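Review bot: The **OMA-URI** value in the new step 4, `./Vendor/MSFT/VPNv2//EDPModeId`, has an empty path segment where the VPN profile name belongs, and this change deletes the only sentence that told readers to replace <*VPNProfileName*> and showed `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId` as an example. Put the placeholder back inside code formatting so the angle brackets render, and keep a worked example next to it; as written, an admin who copies the value enters a URI with a double slash that names no VPN profile, so the WIP link this topic exists to configure is never made. Smaller points in the same hunk: deploy step 1 sends the reader to the **App policy** pane although the profile was created under **Device configuration**; the first image's alt text reads "using the the Azure portal"; the **Data type** bullet is missing its closing period; "A list of user groups ... appear" should be "appears"; and `images/wip-azure-add-user-groups.png` is referenced but is not among the three image files added in the visible part of this diff.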