Zero Touch configuration of VPN app

Solved
Eduard
wacker

Hello,

We are using a third-party VPN app on our devices and I would like to enroll it with zero touch, meaning that with the installation of the app the VPN profile should be installed on Android automatically, too.

I tried to tweak the instructions described here: https://www.soti.net/mc/help/v2025.1/en/scriptcmds/reference/configuring_native_VPN_AE.html?hl=native%2Cvpn

But I am not able to find the right configuration. Most important is to set the "always-on VPN" option of the VPN profile. When I open the app, the VPN profile is installed automatically, but the always-on VPN option is disabled. Other MDMs, like MobileIron or ManageEngine, do have the option to set this flag for a specific app via profiles. For me it would be OK to use writeprivateprofstring, if no other option is available with MobiControl.

A less important, but optimal, solution would be to install the VPN profile completely without opening the VPN app. This would mean that the script needs to contain the app-id etc.

Any ideas? 

5 months ago
SOTI MobiControl
ANSWERS
Eduard
5 months ago

Hi, I have found a way to enable always-on VPN via legacy script:

writeprivateprofstring DeviceFeature EnableAlwaysOnVpn VPN_PACKAGE_ID
apply featurecontrol

However, now the option "block connections without VPN" (in the logs there is some mention of Block_Connections_Without_VPN) is enabled, too. I did not want this, as we use app-vpn and some apps should be excluded from the VPN. I also cannot disable the always-on vpn anymore and it states "managed by device administrator".

I would like to be able to disable the always-on vpn through mobicontrol and also be able to disable the Block_Connections_Without_VPN option in the VPN profile - any ideas?

Rafael Schäfer
5 months ago

Try this:

writeprivateprofstring DeviceFeature EnableAlwaysOnVpn "vpn.bundle.id"
writeprivateprofstring DeviceFeature BlockConnectionsWithoutVPN 0
apply featurecontrol
 
Not sure about the disabling, maybe just the EnableAlwaysOnVpn needs to be provided with an empty string between "".
 
I guess you use Mobicontrol with a version lower than 2024, as with 2024.x.x you can set this up directly in the feature control profile. Maybe consider an upgrade.

Eduard
5 months ago

Hi, actually we have 2025.0.2.

I cannot find this option in the feature control profile. What is it called exactly?

Regarding your script: It is actually deleting the VPN profile created by the app itself (yes, I have adjusted the bundle id).

Rafael Schäfer
5 months ago

Sounds weird as we use this script actually to set an app as always on VPN with the blocking turned off.

The setting can be found here:

Profiles -> work managed -> Feature control -> Security
Screenshot from 2025.0.3, but similar to, for example, 2024.1.1.

Solution
NSMOD@soti.net
3 months ago

Hi Eduard

I hope the suggestions provided by Rafael have helped you answer your query. Please inform us if you require further assistance. 

Additionally, if any response has helped address your inquiry, we kindly request you to mark it as "is solution" so that others may also benefit from this information.

Thank you Matt for your valuable suggestions.

Thank you for choosing SOTI.

Regards,

Technical Support | SOTI Inc. | 1.905.624.9828 | support@soti.net | www.soti.net