Microsoft

The rapid shift to work from home has left many companies scrambling to figure out the best, most cost-effective way to help users be productive on iOS and Android devices. Companies with workloads in the cloud have had a relatively smooth transition to remote work. However, many companies are still just beginning their cloud journey–and continue to run critical workloads on-premises.

 

To help meet customers where they are, Microsoft Endpoint Manager is pleased to announce a public preview of Microsoft Tunnel Gateway.

 

The Microsoft Tunnel Gateway solution allows Microsoft Intune-enrolled iOS and Android devices to access on-premises apps and resources. Tunnel is fully integrated with the Microsoft 365 cloud and takes advantage of single sign-on capabilities using Azure Active Directory (AAD) authentication from the client to Tunnel Gateway.

 

Conditional Access policies, which are integrated into the Tunnel, provide an additional layer of security for your network. By applying these policies, you can restrict network access to just users who are enrolled, compliant, and meet your defined user identity risk requirements. We consider Conditional Access integration with Tunnel to be a key part of your Zero Trust security journey.

 

Every organization’s network infrastructure is different. Tunnel Gateway installation is flexible to meet your unique network requirements. It can be installed on-premises, in your DMZ, or in the cloud.

 

Our intention is to provide a solution that acts like an appliance and doesn’t require a lot of on-going effort to maintain. Here are a few ways we’re making that goal a reality:

 

  • Tunnel Gateway is enterprise ready and can be used behind a load balancer for high availability.
  • Server configuration occurs using Microsoft Endpoint Manager console, making it easy to make changes to all servers from one central location.
  • Automatic updates are rolling, so you can maintain high uptime for your Tunnel Gateway infrastructure when new versions are installing.
  • Tunnel Gateway logs are sent to the cloud to help with centralized troubleshooting. You can also use syslog integration with Azure Sentinel or other SIEM tools to log and monitor events.

 

New Tunnel app for iOS and Android - A new Tunnel application is available for both the iOS App Store and Google Play Store. These apps can be deployed to your users and configured from Intune to make onboarding seamless.

 

The app can also be used to manage app access to the Tunnel. Support for full device tunneling ensures all traffic goes through the Tunnel Gateway. A per-app VPN option enables you to specify which apps may use the tunnel. The third option, split tunneling, ensures only certain IP ranges go through the tunnel.

 

The configuration options depend on the type of device. On Android, you can configure the connection to be always on, so users don’t have to manually connect via the app. Proxy is also supported on both iOS and Android. With AAD single sign-on, your users may not even need to launch the Tunnel app at all to connect, making it a truly seamless experience. (This is dependent on how you configure your VPN profile in Intune.)

 

 

Next steps:

A lot of you have been asking for this capability, and the work-from-home trend has made network security more important than ever. Watch Lance Crandall and Tyler Castaldo go into more details in this on-demand video. We are really excited for you to try it out and let us know what you think!

 

Be sure to bookmark the product documentation to stay up to date on What's New and What's Coming in Microsoft Intune.  

 

clipboard_image_6.pngFollow @MSIntune on Twitter

9 Comments
New Contributor

Good one

New Contributor

Nice addition to the toolbox!

New Contributor

What about yourOS (Windows 10 ;). Or even macOS. 

Occasional Visitor

It would have been better to have had the ability to push IKEv2 or SSTP profiles to mobile devices so they can connect to already existing RRAS servers which organisations already have set up to allow AOVPN? Or is there a plan to have this become AOVPN v2?

Senior Member

Hi, did I miss something or does Microsoft Tunnel really not support plain vanilla Safari Domains to connect to internal websites?

Microsoft

We hear you @Peter Meuser. Engineering teams have it in their roadmap. Stay tuned! 

Occasional Visitor

Note to admins who have users in mainland China. Android phones are very common in China, but every vendor has their own app store, and Google services are not available. Intune is already quite a problem to use on Android phones here. Microsoft put in some effort and also distributed the Intune app to the major app store providers (see here: https://docs.microsoft.com/en-us/mem/intune/user-help/install-company-portal-android-china), but there are many other app stores in China and it's a pain to use. Before you roll out Intune and Tunnel, better check with some test users first.

Occasional Visitor

This is a great addition.  Is there a planned date when this would become generally available?

Occasional Contributor

As far as i can see the server part is based on ocserv, an Anyconnect compatible SSL VPN. I hope Microsoft brings Tunnel to Windows, there is an openconnect implementation for Windows.