Many organizations believe data is protected when resources exist within the boundaries of their corporate networks. But in today's digital workplace, that boundary has expanded with managed mobile devices and resources and services in the cloud. Virtual private networks (VPNs) allow remote mobile workers to securely access your corporate resources using your line of business (LOB) applications and managed public applications.
With Microsoft Endpoint Manager, you can create a VPN connection profile to assign VPN settings to users and devices in your organization so they can easily and securely connect to your organizational network. Here are a few different scenarios supported by Microsoft to secure the connection between remote mobile endpoints and your corporate network.
Scenario 1: Provide on-premises access to multiple apps from fully managed mobile devices
In this scenario, the user devices are enrolled in Microsoft Endpoint Manager. You can include VPN connection settings in a VPN profile. Then, you assign this profile to all users that require remote access from supported mobile devices. The users see the VPN connection in the list of available networks and can connect with minimal effort, or auto-connect depending on the scenario. As an example, many Microsoft customers create and deploy custom VPN profiles with VPN solutions such as NetMotion.
NetMotion is a connectivity and security solutions company for the world’s growing mobile workforce. Using NetMotion’s class-leading VPN, customers not only gain uncompromised connectivity, they benefit from a VPN that is compatible with Windows, MacOS, Android and iOS devices. NetMotion mobile VPN software maintains resilient, reliable connections and optimizes performance through the most challenging wireless-network conditions.
Microsoft supports several other VPN solutions that you may already own, protecting your investment and enabling a flexible architecture for mobile access. Learn more.
In addition, Microsoft Endpoint Manager enables network access control partners to keep their network and resources safe by blocking non-compliant or non-enrolled devices from accessing data and on-prem resources. By integrating with Conditional Access, partner NAC solutions can also make intelligent access control decisions on criteria such as IP blacklisting, identity risk, etc.
Scenario 2: Provide on-premises access to web apps from non-enrolled devices
In the bring-your-own-device (BYOD) scenario, end users are not necessarily required to enroll their devices in Microsoft Endpoint Manager. They may access corporate data through web apps and productivity apps such as Office 365 from the public app stores. In this scenario, Azure Active Directory Application Proxy may be best suited to control who and what gets into your network. Azure AD Application Proxy integrates with modern authentication and cloud-based technologies, like SaaS applications and identity providers. This integration enables users to access apps from anywhere. You don't need to change or update your applications to work with Application Proxy. Furthermore, App Proxy doesn't require you to open inbound connections through your firewall. With Application Proxy, Azure AD keeps track of users who need to access web apps published on-premises and in the cloud. It provides a central management point for those apps. With Conditional Access, you further ensure only compliant devices and users have access to applications.
Learn more about Application Proxy for roaming (or remote) users who need access to internal resources.
Scenario 3: Provide on-premises access to line of business apps from non-enrolled devices
BYOD devices that are not enrolled for management may also use a microVPN that is embedded in a specific app. In this scenario, Microsoft partners such as Citrix ADC (formerly NetScaler) integrate with Microsoft Endpoint Manager MAM-enabled apps, like managed Microsoft Edge for iOS and Android, to enable their microVPN technology.
Another key integration point is our partnership with Blue Cedar. While microVPNs can help you access data remotely, it is equally important to protect the data within the application from leakage. Blue Cedar not only helps with its automated solutions to create a secure VPN micro tunnel from Microsoft MAM-enabled apps, but also makes integrating Microsoft security and data protection controls into enterprise mobile applications as simple as clicking a button. Enterprise teams can reduce the time needed to integrate Intune protection and security controls into mobile applications by an average of five weeks, not only for the original release of the app, but for every version update over the life of the app.
Not all apps can be covered by Scenario 3, such as a third-party app from the public App Store that does not integrate a microVPN. In these cases, you have a couple of options. You may choose to require full management of BYO devices for VPN access. Alternatively, you may choose User Enrollment (on iOS) and Work Profile (on Android) to provision a VPN for corporate apps without needing to manage an employee’s full device.
Microsoft is excited to expand the security ecosystem to support diverse customer needs. Here are some other resources to help you choose and deploy the right partner to deliver secure VPN access to mobile users.