Improving experience for VPN profiles for ConfigMgr and Hybrid MDM
First published on CLOUDBLOGS on Oct 06, 2017
Starting in the
System Center Configuration Manager 1709 Technical Preview
, we're making it easier to determine which VPN profile settings are supported on each platform - like the changes we've made to compliance policies and configuration items. When creating a new VPN profile, you'll first choose the platform it applies to, and then all the settings in the following wizard pages will apply to the selected platform. This will make it much easier to avoid creating an invalid profile - which will in turn reduce the need to troubleshoot broken VPN profiles or to contact support.
We started down this path several releases ago when we split the Windows 10 VPN workflow from the all platforms workflow. Now, we've split up all the supported platforms so they'll each have their own path.
In addition to splitting out the workflows by platform, we've also combined the Configuration Manager client and hybrid mobile device management (MDM) workflows for Windows 10, since both management methods now support the same settings. For Windows 8.1, we've clearly marked the settings supported by Configuration Manager only, and we've retained the import option.
Finally, we've removed the Automatic VPN page, since all the settings configured by this page were deprecated by their respective platforms, making this page obsolete.
In this blog post, we'd like to answer some questions you may have.
Why did you make this change?
The main driver for this change is to prevent customers from inadvertently creating invalid VPN profiles. Prior to this change, all VPN settings for all platforms supported by Configuration Manager were exposed in the all platforms workflow. Some settings were labeled by platform (specifically, per-app VPN for iOS), but beyond this it was to tell which settings applied to which platform; also, the Automatic VPN page was still there even after it had become obsolete.
Customers and support staff would then ask why a specific configuration wasn't working correctly. In most cases, they had created a profile with settings that were not supported by the platform. Sometimes the setting was supported for one of the targeted platforms, but not another, and it was impossible to tell from the user experience. Finding out that the configuration the customer wanted to use wasn't supported was disappointing and frustrating for everyone involved. These changes are designed to prevent these issues.
In earlier releases, we made similar changes in compliance policies and configuration items for the same reason. VPN is the first of the company resource access profiles to get this treatment, and while it was mainly designed to improve the experience for MDM profiles, the updates benefit devices managed by the Configuration Manager client as well - particularly because the Windows 8.1 settings are clearly set apart from all the mobile platforms now.
What about my existing profiles?
We understand that many of our customers use VPN profiles for multiple platforms, and by this point, you might be concerned. However, you don't need to worry about your existing profiles; one of our goals was to ensure that all existing profiles continue to work as they did before the change. When you upgrade, you will still see the same properties pages, and no changes will be made to the profiles themselves. All new profiles will use the new experience, but all existing profiles will still use the previous experience.
Let us know what you think!
If you're eager to have similar changes applied to other profile types, please leave a request on UserVoice: