What is VPN On Demand?
Apps can be configured to automatically connect to VPN when they are launched. This feature is intended to be used only within the Android work profile, since it operates at the app level and only Pulse Workspace is aware of the apps in the work profile. With this feature, only the corporate managed apps transfer data over the VPN; the employee's personal traffic, such as personal web browsing and connections to gaming and social networks, does not use the VPN.
How does VPN On Demand work?
When the VPN On Demand profile is applied to the device, VPN will be started automatically in the following two conditions:
- When the user launches the application.
- When the application sends traffic in the background.
In VPN On Demand, a blocking interface is set up on the device, which monitors the configured apps for network traffic. Whenever an application whose network access type is Require VPN tries to perform any network activity, the blocking interface detects this. It then authenticates the user, tears down the blocking interface, and establishes the VPN connection.
Configuring VPN On Demand on Pulse Workspace
Before you proceed with the configuration, ensure Android for Work is enrolled within your EMM console. For the enrollment details, see Configuring Android Enterprise.
Also ensure that the required apps are added to the App Catalog in the EMM console. For adding apps to the EMM console, see Adding an Android App to the App Catalog.
- Log in to the Pulse One admin console.
- Select the Workspaces menu.
- Select Policies.
- Create a new policy if required; see Creating a Policy.
- Select the required policy.
- Click the Properties tab.
- Expand the VPN category and configure the following properties:
  - Stealth Mode: True
  - Vpn Certificate Auth: Yes
  - Vpn Connection Type: onDemand
  - Vpn Enabled: Yes
  - Vpn Verify Certificate: Yes
  - Vpn Host: <Pulse Connect Secure sign-in URL>
  - On Demand VPN Timeout (minutes): 5 (Default)
- Click Publish.
- From App Catalog, add the required apps to the policy with Network Access as Require VPN and publish; see Adding an Android App to a Policy.
Configuring VPN On Demand on Pulse Connect Secure
VPN On Demand Limitations:
- Layer 4 (L4) Tunnel is not supported for Android
For VPN On Demand to work properly, ensure the corresponding user role is configured for VPN Tunneling and associated with a VPN Tunneling Connection Profile. To configure a Layer 3 (L3) Connection Profile, refer to Configuring VPN Tunneling.
Unable to connect and receiving Untrusted Server Certificate prompt with On Demand configured
For On Demand to work properly, the device certificate installed on the Pulse Connect Secure device must be signed by a certificate authority (CA) trusted by the Android device. The recommendation is to obtain a device certificate signed by a public certificate authority.
On Demand constantly looping with multiple certificate authentication attempts in the access logs
When the On Demand connection has automatically disconnected and reconnected, a session may already exist. If the warning notification is prompted, this will cause the On Demand tunnel to remain in a constant loop until the session is manually deleted from the Pulse Connect Secure device. To resolve this issue, disable the warning message and allow the user to log in.
- Multiple user sessions should be enabled with Allow the user to login (under Signing In > Sign-In Policies)
- Disable the Display open user session[s] warning notification
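One way to spot this loop in an exported access log, as an added example that is not part of the original page or of Pulse Secure's tooling: it counts certificate authentication entries per user inside a sliding time window. The log line layout, the 5-minute window and the threshold of 4 are assumptions; adapt the regular expression to the format your device exports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in an assumed "date time user message" layout.
# This is NOT the Pulse Connect Secure log format; adapt LINE_RE to your export.
SAMPLE_LOG = """\
2024-05-01 09:00:00 carol Certificate authentication attempt
2024-05-01 09:00:05 alice Certificate authentication attempt
2024-05-01 09:00:31 alice Certificate authentication attempt
2024-05-01 09:00:58 alice Certificate authentication attempt
2024-05-01 09:01:24 alice Certificate authentication attempt
2024-05-01 09:01:50 alice Certificate authentication attempt
2024-05-01 09:02:00 bob Certificate authentication attempt
2024-05-01 09:03:00 alice Session deleted by administrator
2024-05-01 09:10:00 carol Certificate authentication attempt
2024-05-01 09:20:00 carol Certificate authentication attempt
2024-05-01 09:30:00 carol Certificate authentication attempt
2024-05-01 12:10:00 bob Certificate authentication attempt
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) Certificate authentication", re.M)


def find_reconnect_loops(log_text, window=timedelta(minutes=5), threshold=4):
    """Return {user: peak_count} for users whose certificate authentication
    entries reach `threshold` within any sliding `window`."""
    attempts = defaultdict(list)
    for stamp, user in LINE_RE.findall(log_text):
        attempts[user].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))

    flagged = {}
    for user, times in attempts.items():
        times.sort()  # exported logs are not always in time order
        start = peak = 0
        for end, current in enumerate(times):
            # Shrink the window from the left until it spans <= `window`.
            while current - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in find_reconnect_loops(SAMPLE_LOG).items():
        print(f"{user}: {count} certificate authentications within 5 minutes")
```

Users flagged here are candidates for the stale-session condition described above; occasional reconnects spread over the day stay below the threshold.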