Forum Discussion
Always on VPN Android
I am trying to enforce the use of a VPN client (have app as a required install). I did the device restriction policy and on my device and it shows up on my device. Problem is, I want all traffic blocked until the user logs into the VPN app installed on their device. I was able to accomplish this on the iOS side of the house but can't figure out how to get the same behavior on my Android devices.
When I enable "lockdown mode" it does block all traffic but it also blocks the VPN app from user login. So I am assuming either lockdown mode isn't the way to go or I need to have some URLs excluded on the VPN client side?
Lockdown mode is the way to go, if I read your message correctly this is what you try to accomplish:
"Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access." See here.
What VPN solution are you using? Is it integrated to Entra Modern Authentication or is certificate based (might be the nicest solution for this). You definitely need to make network connections to the authentication servers...
SebastiaanSmits ZScaler is the VPN app being used. With lockdown mode enabled, how do I get around opening up the URLs for the app to authenticate? Unlike for iOS, Android doesn't have a URL exclusion list.
The connection to the VPN Gateway (you provide this in your VPN configuration) is reachable in Lockdown. But that's why the question, what kind of authentication do you use, is important here. With CBA to the Gateway (or other direct Gateway authentication) this works without problems but if you use Modern Auth and there is a redirect to Entra this is not going to work as is. There is indeed no exclusion available: https://issuetracker.google.com/issues/238109298?pli=1
