Samsung Knox IPsec
This VPN connection type is supported on Android devices.
This section applies to Android devices with Samsung Knox only. Samsung Knox IPsec is used for VPN access in the Samsung Knox container - see Android Samsung Knox Container Settings.
Use the following guidelines to configure Samsung Knox IPsec.
| Item | Description |
|---|---|
| Name | Enter a short phrase that identifies this VPN setting. |
| Description | Provide a description that clarifies the purpose of these settings. |
| Channel | For macOS only. Select one of the following distribution options: • Device channel - the configuration is effective for all users on a device. This is the typical option. • User channel - the configuration is effective only for the currently registered user on a device. |
| Connection Type | Select Samsung Knox IPsec. |
| Server | Enter the IP address, hostname, or URL for the VPN server. |
| Backup Server | Enter the IP address, hostname, or URL for the fallback server to use in the event that the primary server is not available. |
| Authentication Type | Select the authentication method to use: • Pre-Shared Key - When selected, the Shared Secret and Group Name fields display. • Certificate - When selected, the Identity Certificate and CA Certificate fields display. |
| Shared Secret | This field displays when Pre-Shared Key is selected as the Authentication Type. Enter the shared secret passcode. This is not the user's password; the shared secret must be specified to initiate a connection. |
| Confirm Shared Secret | Re-enter the Shared Secret passcode to confirm. |
| Group ID Type | This field displays when Certificate is selected as the Authentication Type. Select the Group ID type your IPsec VPN server uses to authenticate to IKE peers. |
| User Authentication | This field displays when Certificate is selected as the Authentication Type. Select to enable user authentication as an additional factor. |
| Group Name | This field displays when Pre-Shared Key is selected as the Authentication Type. Enter the group name for your Samsung Knox IPsec VPN server. This name corresponds to the value selected in Group ID Type. |
| Identity Certificate | This field displays when Certificate is selected as the Authentication Type. Select the entry you created for supporting VPN, if you are implementing certificate-based authentication. |
| CA Certificate | This field displays when Certificate is selected as the Authentication Type. Select the entry you created for supporting VPN, if you are implementing certificate-based authentication. |
| Username | Specify the user name to use. The default value is $USERID$. Use this field to specify an alternate format, such as: $USERID$, $EMAIL$, $SAM_ACCOUNT_NAME$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$. You can use combinations such as $USERID$:$EMAIL$ or $USERID$_$EMAIL$. Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username. Some enterprises have a strong preference concerning which identifier is exposed. |
| Password | Specify the password to use (required). The default value is $PASSWORD$. Include at least one of the following variables: $USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$. You can use combinations such as $EMAIL$:$PASSWORD$. Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password. |
| IKE Version | The IPsec VPN server uses the IKE to negotiate the protocols and algorithms used for the connection, and to generate the encryption and authentication keys. Select one: • Phase 1 - When Phase 1 is selected, the Phase 1 Mode field displays. • Phase 2 |
| Phase 1 Mode | If you selected IKE Phase 1, select the mode of operation in use by your IPsec VPN server: • Main - Has three two-way exchanges between the initiator and the receiver. • Aggressive - Fewer exchanges are made, and with fewer packets. |
| Per-app VPN | Select Yes to create a per-app VPN setting. A Samsung Knox key / license is required for this feature. You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting. You can enable per-app VPN for an app when you: • add the app in the App Catalog. • edit an in-house app or an App Store app in the App Catalog. When multiple labels are assigned to associate the selected VPN configurations in the Per-App VPN section, then VPN prioritization will happen in the order of the selected list. See the Ivanti EPMM Apps@Work Guide for information about how to add or edit apps. |
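
A pre-flight check for values intended for the Username and Password fields described above, added here as an example; it is not part of the Ivanti documentation or product code. It assumes variable names are case-sensitive and that `Attributename` stands for any non-empty attribute name; the function names and sample values are constructed for illustration.

```python
import re

# Variables this page lists for each field; the per-field split follows the two rows.
COMMON = {"USERID", "EMAIL", "NULL"} | {f"USER_CUSTOM{i}" for i in range(1, 5)}
ALLOWED = {
    "username": COMMON | {"SAM_ACCOUNT_NAME"},
    "password": COMMON | {"PASSWORD"},
}
# $CUSTOM_DEVICE_Attributename$ / $CUSTOM_USER_Attributename$ (assumed: any non-empty suffix).
CUSTOM_PREFIXES = ("CUSTOM_DEVICE_", "CUSTOM_USER_")
TOKEN = re.compile(r"\$([A-Za-z0-9_]+)\$")


def is_known(name, field):
    """True if the variable name is one the page lists for this field."""
    if name in ALLOWED[field]:
        return True
    return any(name.startswith(p) and len(name) > len(p) for p in CUSTOM_PREFIXES)


def check_template(field, value):
    """Return a list of findings for a Username or Password field value."""
    findings = []
    names = TOKEN.findall(value)
    for name in names:
        if not is_known(name, field):
            findings.append(f"${name}$ is not listed for the {field} field")
    # Anything left after removing well-formed variables must not contain '$'.
    if "$" in TOKEN.sub("", value):
        findings.append("unbalanced '$' outside a variable")
    # The page requires at least one variable in Password; a value without one
    # is either empty or a literal credential pushed to every device.
    if field == "password" and not names:
        findings.append("password has no variable (empty or a literal value)")
    return findings


if __name__ == "__main__":
    samples = [  # constructed sample values
        ("username", "$USERID$_$EMAIL$"),
        ("username", "$USER_ID$"),
        ("password", "$EMAIL$:$PASSWORD$"),
        ("password", "Winter2024!"),
        ("password", "$PASSWORD"),
    ]
    for field, value in samples:
        print(field, repr(value), check_template(field, value) or "ok")
```
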