Reverted topics

LizRoss
2017-04-13 09:54:18 -07:00
parent 33b49aae77
commit 280da26eb6
2 changed files with 119 additions and 141 deletions


@ -1,6 +1,6 @@
--- ---
title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Azure Intune custom URI functionality (Windows 10) title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune custom URI functionality (Windows 10)
description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Azure Intune custom URI functionality and AppLocker. description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880 ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: WIP, Enterprise Data Protection, protected apps, protected app list keywords: WIP, Enterprise Data Protection, protected apps, protected app list
ms.prod: w10 ms.prod: w10
@ -11,113 +11,82 @@ author: eross-msft
localizationpriority: high localizationpriority: high
--- ---
# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Azure Intune custom URI functionality # Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
**Applies to:** **Applies to:**
- Windows 10, version 1703 - Windows 10, version 1607 and later
- Windows 10 Mobile, version 1703 - Windows 10 Mobile
You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Azure Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Azure Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330). You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkID=691330).
>[!IMPORTANT] >[!IMPORTANT]
>Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy. >Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
## Add Store apps ## Add Store apps
1. Open the Local Security Policy snap-in (SecPol.msc). 1. Go to the AppLocker UI by opening a command line window and running secpol.msc. The local security policy MMC snap-in opens showing the **Security Settings**.
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**, and then right-click and choose **Automatically Generate Rules**. 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app policies for all the installed apps on a device or for packaged apps within a specific folder. The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-auto-generate-rules.png) 3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
3. In the **Applications and Permissions** screen, keep the default of **Everyone** in the **User or security group that the rules will apply to** box. You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
Keeping this value applies your WIP policy to the managed device, not to a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. 4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable. For the purposes of this topic, we've used *WIP_StoreApps_Rules*. This name should be easily recognizable, such as *WIP_StoreApps_Rules*.
![Local security snap-in, showing the Applications and Permissions screen](images/wip-applocker-secpol-app-and-permissions.png) 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
5. In the **Rule Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>[!Note] >[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<br><br>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<br><br>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
![Local security snap-in, showing the Rule Preferences screen](images/wip-applocker-secpol-rule-preferences.png)
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules. 6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
![Local security snap-in, showing the Review Rules screen](images/wip-applocker-secpol-review-rules.png)
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
>[!Important] >[!Important]
>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
![Local security snap-in, showing the Export Policies option](images/wip-applocker-secpol-export-rules.png) 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
8. Open the Microsoft Azure Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. 9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png) 10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
9. In the **Create Profile** blade, type a name for your profile, such as *contoso_allowed_store_apps_uri*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. 11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
![Microsoft Azure Intune, Create a new policy using the Create Profile blade](images/wip-azure-configure-store-apps-using-uri.png) 12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/StoreApp EXE`
10. In the **Custom OMA-URI Settings** blade, click **Add**. 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
11. In the **Add Row** blade, type: 14. Copy the text that has a **Type** of `Appx`, within the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
- **Name.** Type a name for your setting, such as *AllowedStoreAppsURI*.
- **Description.** Type an optional description for your setting.
- **OMA-URI.** Type _./Vendor/MSFT/AppLocker/EnterpriseDataProtection/&gt;your_enterprise_name&lt;/StoreApp EXE_ into the box.
- **Data type.** Select **String** from the dropdown box.
- **Value.** To find the text to type here, follow these steps:
1. Open File Explorer, go to the location where you saved your exported XML file from above, and open it using an XML editor, such as Notepad.
2. Copy the text that includes the **Type** of `Appx` within the **RuleCollection** tags, pasting this info into the **Value** box. For example:
``` ```
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
![Microsoft Azure Intune, Add URI setting in the Add Row blade](images/wip-azure-add-uri-store-apps.png)
12. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
13. Click **Create** to create the policy, including your OMA_URI info.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps ## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc). 1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**, and then right-click and choose **Automatically Generate Rules**. 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app policies for all the installed apps on a device or for packaged apps within a specific folder. The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-auto-generate-rules.png) 3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
3. In the **Applications and Permissions** screen, keep the default of **Everyone** in the **User or security group that the rules will apply to** box. You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
Keeping this value applies your WIP policy to the managed device, not to a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**. 4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable. For the purposes of this topic, we've used *WIP_DesktopApps_Rules*. This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
![Local security snap-in, showing the Applications and Permissions screen](images/wip-applocker-secpol-app-and-permissions-desktop.png) 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
5. In the **Rule Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
![Local security snap-in, showing the Rule Preferences screen](images/wip-applocker-secpol-rule-preferences.png)
>[!Important] >[!Important]
>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
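Review bot: In step 2 of both "Add Store apps" and "Add Desktop apps", the restored text reads "WIP-protected app polices"; that should be "policies". Restored step 1 under "Add Store apps" ("Go to the AppLocker UI by opening a command line window and running secpol.msc") no longer matches step 1 under "Add Desktop apps" ("Open the Local Security Policy snap-in (SecPol.msc)"), so pick one wording for both sections. The screen names also change from "Applications and Permissions" and "Rule Preferences" to "Folder and Permissions" and "Rules Preferences"; please confirm them against the wizard on the versions listed under "Applies to". The OMA-URI in step 12 ends in "StoreApp EXE" with an embedded space on both sides of the diff, which is worth confirming as the intended node name while the line is being touched.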
@ -127,50 +96,30 @@ You can add apps to your Windows Information Protection (WIP) protected app list
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules. 6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
![Local security snap-in, showing the Review Rules screen](images/wip-applocker-secpol-review-rules.png)
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
>[!Important] >[!Important]
>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
![Local security snap-in, showing the Export Policies option](images/wip-applocker-secpol-export-rules-desktop.png) 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
8. Open the Microsoft Azure Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. 9. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png) 10. In the **Add one or more OMA-URI settings that control functionality on Windows devices** box, click **Add**.
9. In the **Create Profile** blade, type a name for your profile, such as *contoso_allowed_desktop-apps_uri*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. 11. Type your new **Setting Name** and **Description** into the associated boxes, keeping the default **Data Type** of **String**.
![Microsoft Azure Intune, Create a new policy using the Create Profile blade](images/wip-azure-configure-desktop-apps-using-uri.png) 12. In the **OMA-URI** box, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>/EXE`
10. In the **Custom OMA-URI Settings** blade, click **Add**. 13. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
11. In the **Add Row** blade, type: 14. Copy the text that has a **Type** of `EXE`, within in the **RuleCollection** tags, and then go back to Intune and paste the text into the **Value** box of the **Add or edit OMA-URI Setting** box. For example:
- **Name.** Type a name for your setting, such as *AllowedDesktopAppsURI*.
- **Description.** Type an optional description for your setting.
- **OMA-URI.** Type _./Vendor/MSFT/AppLocker/EnterpriseDataProtection/&gt;your_enterprise_name&lt;/EXE_ into the box.
- **Data type.** Select **String** from the dropdown box.
- **Value.** To find the text to type here, follow these steps:
1. Open File Explorer, go to the location where you saved your exported XML file from above, and open it using an XML editor, such as Notepad.
2. Copy the text that includes the **Type** of `Exe` within the **RuleCollection** tags, pasting this info into the **Value** box. For example:
``` ```
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
![Microsoft Azure Intune, Add URI setting in the Add Row blade](images/wip-azure-add-uri-desktop-apps.png) 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
5. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
6. Click **Create** to create the policy, including your OMA_URI info.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic. After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
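Review bot: Restored step 14 reads "a **Type** of `EXE`, within in the **RuleCollection** tags": "within in" is a doubled word, and `EXE` does not match the example directly under it, which shows Type="Exe". The Store apps step 14 uses the same casing as its own example (`Appx`), so use `Exe` here; an admin who searches the exported XML for the literal text in the step should find the rule collection the example shows.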
@ -178,16 +127,8 @@ You can add apps to your Windows Information Protection (WIP) protected app list
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics ## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Azure Intune](create-wip-policy-using-intune.md) - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Azure Intune](create-vpn-and-wip-policy-using-intune.md)
 
 
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)


@ -11,66 +11,103 @@ author: eross-msft
localizationpriority: high localizationpriority: high
--- ---
# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Azure Intune # Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
**Applies to:** **Applies to:**
- Windows 10, version 1703 - Windows 10, version 1607
- Windows 10 Mobile, version 1703 - Windows 10 Mobile
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Azure Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Create your VPN policy using Microsoft Azure Intune ## Create your VPN policy using Microsoft Intune
Follow these steps to create the VPN policy you want to use with WIP. Follow these steps to create the VPN policy you want to use with WIP.
**To create your VPN policy** **To create your VPN policy**
1. Open the Microsoft Azure Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. 1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
![Microsoft Azure Intune, Create a new policy using the the Azure portal](images/wip-azure-vpn-device-policy.png) 2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
2. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. ![Microsoft Intune, Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png)
![Microsoft Azure Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png) 3. Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box.
3. In the **Custom OMA-URI Settings** blade, click **Add**. ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png)
4. In the **Add Row** blade, type: 4. In the **VPN Settings** area, type the following info:
- **Name.** Type a name for your setting, such as *EDPModeID*. - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable.
- **Description.** Type an optional description for your setting. - **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**.
- **OMA-URI.** Type _./Vendor/MSFT/VPNv2/&lt;VPNProfileName&gt;/EDPModeId_ into the box. - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable.
- **Data type.** Select **String** from the dropdown box - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png)
![Microsoft Azure Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) 5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.<p>
It's your choice whether you check the box to **Remember the user credentials at each logon**.
5. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. ![Microsoft Intune, Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png)
6. Click **Create** to create the policy, including your OMA_URI info. 6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
## Deploy your VPN policy using Microsoft Azure Intune ## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your Custom VPN policy** **To deploy your VPN policy**
1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. 1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade. 2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices. The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png) ## Link your WIP and VPN policies and deploy the custom configuration policy
The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
**To link your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune, Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png)
4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info.
5. In the **OMA-URI Settings** area, type the following info:
- **Setting name.** Type **EDPModeID** as the name.
- **Data type.** Pick the **String** data type.
- **OMA-URI.** Type `./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId`, replacing &lt;*VPNProfileName*&gt; with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`.
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
![Microsoft Intune: Fill in the OMA-URI Settings for the EMPModeID setting](images/intune-vpn-omaurisettings.png)
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
**To deploy your linked policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
![Microsoft Intune, Manage Deployment box used to deploy your linked VPN policy](images/intune-groupselection_vpnlink.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
>[!NOTE] >[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
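Review bot: In the added "Link your WIP and VPN policies" section the same setting is spelled three ways: "EDPModeID" as the setting name, "EDPModeId" in the OMA-URI, and "EMPModeID" in the image alt text; the alt text is a typo, and the other two should be reconciled or the difference explained. The **Value** bullet drops the example the removed text had ("For example, _corp.contoso.com_"), which leaves "Your fully-qualified domain" without an illustration; consider keeping the example. The section's intro sentence has a stray comma after "work with WIP" and no closing period, and the bare `<p>` tags at the ends of steps 5, 2 and 3 look like leftovers. "Applies to" here says "Windows 10, version 1607" while the other file in this commit says "version 1607 and later", so align the two. In step 5, "It's your choice whether you check the box to **Remember the user credentials at each logon**" gives the admin nothing to decide on; a sentence on when storing credentials is appropriate would help.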