This article discusses how to configure Azure Intune to deploy a per-app VPN for your account.
This feature is supported for iOS Client v5.8 and higher.
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information about enabling the feature, contact your Cato Networks representative or send an email to ea@catonetworks.com.
Per-App VPN on iOS lets you selectively tunnel only specific enterprise applications through the Cato Cloud while allowing personal apps and internet traffic to bypass the VPN profile.
With per-app VPN behavior, you can isolate sensitive traffic such as corporate email, SaaS applications, and internal services. At the same time, personal apps such as social media, streaming, and general browsing continue to use the device’s regular network. This reduces bandwidth and latency overhead, improves user privacy, and simplifies compliance.
Ensure that the Microsoft Intune Company Portal app is installed on the devices where you want to install the per-app VPN profile.
- Office Mode is not compatible with a per-app VPN
- Split tunnel configurations are not applied when working with a per-app VPN as the tunneling determinations are made in the VPN profile
- Bypassing the Cato Cloud is not supported when working with a per-app VPN as the tunneling determinations are made in the VPN profile
ABC Company allows employees to use personal iPhones to access company resources such as Salesforce, Microsoft Teams, and more. However, the IT team needs to ensure that all enterprise traffic is routed through the Cato Cloud, while personal browsing and apps remain outside the VPN tunnel.
To enforce this, the team deploys a Per-App VPN configuration using Microsoft Intune. They define a VPN profile that includes only the corporate apps, and assign the profile to user groups with enrolled iOS devices. As a result, work apps automatically connect to the Cato Cloud, while personal apps such as Instagram, WhatsApp, or Safari are accessed directly through the mobile connection.
This is an overview of the workflow to implement a per-app VPN for iOS Clients in your account:
- Configure the VPN profile settings
- Add the users and groups to whom the VPN profile applies
- Configure the apps that must go through the VPN tunnel and the apps that are excluded from the VPN tunnel
- Distribute the VPN profile
Use the Microsoft Intune Admin Center to configure a per-app VPN for iOS.
To configure the per-app VPN:
- From the navigation menu, select Devices > iOS/iPadOS and under Manage Devices, click Configuration.
- Click Create > New Policy and enter the following:
  - Under Profile type, select Templates.
  - Under Template name, select VPN, provide a descriptive name, and click Next.
- In the Configuration settings page, enter the following:
  - Under Connection type, select Custom VPN.
  - Enter a descriptive name for the connection name, for example, Cato Per-App VPN.
  - In the VPN server address field, enter vpn.catonetworks.net.
  - Under Authentication method, select Username and password.
  - Under Split tunneling, click Disable.
  - In the VPN identifier field, enter CatoNetworks.CatoVPN.
  - Enter the custom VPN attribute:
    - Key - SingleSignOn
    - Value - True
  - Under Automatic VPN settings, in the Type of automatic VPN field, select Per-app VPN.
  - Under Provider Type, select packet-tunnel.
  - Under Safari URLs that will trigger this VPN, enter the following:
    - catonetworks.com
    - sso.ias.catonetworks.com
  - Under Excluded Domains, enter push.apple.com.
- Click Next and continue below to add users and groups.
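The profile settings above map onto the Intune VPN configuration object that the admin center creates on your behalf. The following script is an added example (not Cato's or Microsoft's code): it builds that object from the article's values and audits an existing policy for drift from them, so a policy that someone later edited (split tunneling re-enabled, push.apple.com removed from the exclusions) is caught before it ships to devices. The property names and enum spellings (`connectionType`, `enablePerApp`, `providerType`, and so on) are assumed from the Microsoft Graph beta `iosVpnConfiguration` resource; check them against the Graph reference before using the body against a real tenant.

```python
"""Build and audit an Intune iOS per-app VPN policy body for the Cato Client.

Added example, not Cato's or Microsoft's code. Property names follow the
Microsoft Graph beta 'iosVpnConfiguration' resource as an assumption; verify
them against the Graph reference before posting to a real tenant.
"""
import json

# The settings the article requires, in the spelling the Graph resource is
# assumed to use (enum values are assumptions, not taken from the article).
REQUIRED = {
    "connectionType": "customVpn",
    "serverAddress": "vpn.catonetworks.net",
    "identifier": "CatoNetworks.CatoVPN",
    "authenticationMethod": "usernameAndPassword",
    "enableSplitTunneling": False,
    "enablePerApp": True,
    "providerType": "packetTunnel",
    "customData": {"SingleSignOn": "True"},
    "safariDomains": {"catonetworks.com", "sso.ias.catonetworks.com"},
    "excludedDomains": {"push.apple.com"},
}


def build_policy(display_name="Cato Per-App VPN"):
    """Return a request body for POST /beta/deviceManagement/deviceConfigurations."""
    return {
        "@odata.type": "#microsoft.graph.iosVpnConfiguration",
        "displayName": display_name,
        "connectionName": display_name,
        "connectionType": REQUIRED["connectionType"],
        "server": {"address": REQUIRED["serverAddress"], "description": "Cato Cloud"},
        "identifier": REQUIRED["identifier"],
        "authenticationMethod": REQUIRED["authenticationMethod"],
        "enableSplitTunneling": REQUIRED["enableSplitTunneling"],
        "enablePerApp": REQUIRED["enablePerApp"],
        "providerType": REQUIRED["providerType"],
        "customData": [{"key": k, "value": v} for k, v in REQUIRED["customData"].items()],
        "safariDomains": sorted(REQUIRED["safariDomains"]),
        "excludedDomains": sorted(REQUIRED["excludedDomains"]),
    }


def audit_policy(policy):
    """Return findings where a policy deviates from the article's settings.

    An empty list means the policy matches. Intended for a policy fetched
    back from Graph, so drift from the documented configuration is visible.
    """
    findings = []

    def expect(field, actual, wanted):
        if actual != wanted:
            findings.append(f"{field}: expected {wanted!r}, found {actual!r}")

    expect("connectionType", policy.get("connectionType"), REQUIRED["connectionType"])
    expect("server.address", (policy.get("server") or {}).get("address"), REQUIRED["serverAddress"])
    expect("identifier", policy.get("identifier"), REQUIRED["identifier"])
    expect("authenticationMethod", policy.get("authenticationMethod"), REQUIRED["authenticationMethod"])
    # Split tunneling must stay off: tunneling decisions belong to the per-app profile.
    expect("enableSplitTunneling", bool(policy.get("enableSplitTunneling")), False)
    expect("enablePerApp", bool(policy.get("enablePerApp")), True)
    expect("providerType", policy.get("providerType"), REQUIRED["providerType"])

    # Custom attributes arrive as a list of key/value pairs; compare case-insensitively.
    custom = {item.get("key"): item.get("value") for item in policy.get("customData") or []}
    for key, value in REQUIRED["customData"].items():
        if str(custom.get(key)).lower() != value.lower():
            findings.append(f"customData.{key}: expected {value!r}, found {custom.get(key)!r}")

    missing_safari = REQUIRED["safariDomains"] - set(policy.get("safariDomains") or [])
    if missing_safari:
        findings.append(f"safariDomains missing: {sorted(missing_safari)}")
    missing_excluded = REQUIRED["excludedDomains"] - set(policy.get("excludedDomains") or [])
    if missing_excluded:
        findings.append(f"excludedDomains missing: {sorted(missing_excluded)}")
    return findings


if __name__ == "__main__":
    body = build_policy()
    print(json.dumps(body, indent=2))
    print("findings:", audit_policy(body))
```

To use the audit against a live tenant, fetch the policy with a GET on the same Graph endpoint and pass the returned JSON to `audit_policy`; a non-empty result lists exactly which documented setting was changed.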
You can define which apps are tunneled through the per-app VPN, and which can go outside of the VPN tunnel. If the app that you want to tunnel is already installed on the device, you must uninstall and reinstall the app after applying the per-app VPN profile.
Configure the apps that must use the VPN profile:
- From the navigation menu, select Apps and under Manage apps by platform, click iOS/iPadOS.
- Click Create to add a new app or select an app from the existing list. You must include at least the Cato Client as an app that uses the profile.
- In the Assignments page, select the same groups as above for whom the apps are available, and click Select.
- In the VPN column, click None and in the Edit assignment page, under App settings > VPN, select the per-app VPN you created above.
- Click Next and Create.
Configure the apps that use the VPN profile
The following section provides information about how your end users can apply the per-app VPN profile on their devices. When they access an app that is defined as requiring the VPN tunnel, the Cato Client automatically connects.
To deploy the per-app VPN:
- From the Azure Intune company portal app, click Begin setup.
- Authenticate to your company portal.
- When prompted to download the management profile, click Allow.
- After the profile is downloaded, click Continue.
- Follow the instructions to install the profile:
  - Go to the Settings app on your device.
  - Under VPN and Device Management, click Install.
  - After you complete the profile installation, return to the Azure Intune company portal.
- In the company portal, when prompted, select Yes, I installed the profile and then click Continue.
- For each app that requires the per-app VPN, you will be prompted to allow the app to be managed. Click Manage. If you don't allow the app to be managed, you won't be able to access the resource.
When the process has completed successfully, in the Cato Client you will see in the Statistics page that Per-App VPN is set to Yes.