Always on VPN Android


I am trying to enforce the use of a VPN client (I have the app as a required install). I created the device restriction policy and it shows up on my device. The problem is, I want all traffic blocked until the user logs into the VPN app installed on their device. I was able to accomplish this on the iOS side of the house but can't figure out how to get the same behavior on my Android devices.


When I enable "lockdown mode" it does block all traffic but it also blocks the VPN app from user login. So I am assuming either lockdown mode isn't the way to go or I need to have some URLs excluded on the VPN client side?


@dwp1975 


Lockdown mode is the way to go. If I read your message correctly, this is what you are trying to accomplish:


"Lockdown mode: Enable forces all network traffic to use the VPN tunnel. If a connection to the VPN isn't established, then the device won't have network access." See here.


What VPN solution are you using? Is it integrated with Entra Modern Authentication or is it certificate based (which might be the nicest solution for this)? You definitely need to be able to make network connections to the authentication servers...


@SebastiaanSmits ZScaler is the VPN app being used. With lockdown mode enabled, how do I get around opening up the URLs for the app to authenticate? Unlike for iOS, Android doesn't have a URL exclusion list.

@dwp1975 


The connection to the VPN Gateway (you provide this in your VPN configuration) is reachable in Lockdown. That's why the question of what kind of authentication you use is important here. With CBA to the Gateway (or other direct Gateway authentication) this works without problems, but if you use Modern Auth and there is a redirect to Entra, this is not going to work as is. There is indeed no exclusion available: https://issuetracker.google.com/issues/238109298?pli=1

By the way, it is also possible to check the VPN client logs to see what URL it is trying to reach when authentication fails.

I only have access to the logs the device can export. I've tried to read them before and found nothing particularly helpful. It seems to sorta work but not consistently, which makes me hesitant to say it's working. I am going to do another round of testing today.
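The log check suggested above (find the URLs the client tries to reach when authentication fails, and see which of them are not the VPN gateway) can be scripted over an exported log. The example below is added here and is not code from the thread, from Intune or from Zscaler; the log line format and the gateway host `vpn.example.com` are constructed for illustration, and `login.microsoftonline.com` is simply the well-known Entra sign-in endpoint. Any host it lists other than the gateway is a dependency that lockdown mode will block on Android, which is exactly the Modern Auth redirect problem described in the replies.

```python
import re
from urllib.parse import urlparse

# Constructed sample export. The line format is assumed for this example
# and is not the real Zscaler client log format.
SAMPLE_LOG = """\
2024-05-01T10:02:13Z INFO  tunnel connecting to gateway https://vpn.example.com:443/
2024-05-01T10:02:14Z INFO  auth   redirect -> https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc
2024-05-01T10:02:15Z ERROR auth   request to https://login.microsoftonline.com/common/oauth2/v2.0/authorize failed: ENETUNREACH
2024-05-01T10:02:15Z ERROR auth   request to https://aadcdn.msftauth.net/shared/1.0/content/js/x.js failed: ENETUNREACH
2024-05-01T10:02:16Z INFO  tunnel gateway https://vpn.example.com:443/ reachable
"""

# Any http(s) URL up to the next whitespace or quote.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Words that mark a failed network attempt in the (constructed) log format.
FAIL_RE = re.compile(r"\b(failed|ENETUNREACH|ECONNREFUSED|timed out|unreachable)\b", re.I)


def hosts_in_line(line):
    """Return the hostnames of every URL found in one log line."""
    hosts = []
    for url in URL_RE.findall(line):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def triage_auth_log(log_text, gateway_host):
    """Map each host contacted other than the VPN gateway to its attempt/failure counts.

    The gateway itself is reachable in lockdown mode, so it is skipped; every other
    host is a side trip (for example an Entra redirect) that lockdown will block.
    """
    outside = {}
    for line in log_text.splitlines():
        failed = bool(FAIL_RE.search(line))
        for host in hosts_in_line(line):
            if host.lower() == gateway_host.lower():
                continue
            entry = outside.setdefault(host, {"attempts": 0, "failures": 0})
            entry["attempts"] += 1
            if failed:
                entry["failures"] += 1
    return outside


def blocked_hosts(triage):
    """Hosts that actually errored, i.e. the ones lockdown mode is cutting off."""
    return sorted(host for host, counts in triage.items() if counts["failures"] > 0)


if __name__ == "__main__":
    result = triage_auth_log(SAMPLE_LOG, "vpn.example.com")
    for host, counts in result.items():
        print(f"{host}: {counts['attempts']} attempts, {counts['failures']} failures")
    print("blocked by lockdown:", blocked_hosts(result))
```

If the only failing hosts are the identity provider and its CDN, the log confirms the redirect-to-Entra case from the thread; since Android has no exclusion list for lockdown mode, the fix is on the authentication side (direct gateway authentication such as CBA) rather than in the network policy.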

@dwp1975 


Ok let us know what the outcome is!

It seems to work better with each test. I've wiped the device and was able to set it up. Then I filter myself out of the app deployment so it's removed. Remove the filter and let the app reinstall, check that traffic is blocked, and then attempt a login, which has been successful.