KNOX VPN Support

As part of MobileIron’s support of Samsung Knox, Mobile@Work for Android together with MobileIron Core supports the following Virtual Private Network (VPN) clients:

  • Pulse Secure (previously called Junos Pulse) (SSL)
  • F5 BIG-IP Edge Client (SSL)
  • Cisco AnyConnect (SSL)
  • OpenVPN (SSL)
  • MobileIron Tunnel for Samsung Knox

Mobile@Work 9.0.0.0 for Android through the most recently released version as supported by MobileIron adds:

  • Cisco AnyConnect (universal app for Android and for Samsung Knox)

MobileIron supports all of these VPN clients on Samsung Knox 2.0 through the most recently released version as supported by MobileIron.

Only Cisco AnyConnect and Pulse Secure are supported with other Android devices.

Basic Requirements to use Samsung Knox Features

To use any Samsung Knox Premium features that MobileIron supports, including VPN, the following are required:

  • The user must have a Samsung Knox-capable mobile device.
  • A Samsung General Policy with a Samsung Knox license key must be defined and applied to a label.
    To create this policy, in Core Admin Portal go to Policies & Configs > Policies. Select Add New > Android > Samsung General.
  • The device must have the Samsung General Policy label applied.

VPN clients deployed either inside or outside Knox Workspace

VPN client apps are deployed either inside or outside the Knox Workspace (container). When deployed inside the container, the VPN client and its data are protected by the Knox security platform.

Whether the VPN client is deployed inside or outside the container depends on the version of Mobile@Work for Android running on the device:

Mobile@Work 9.1 for Android

When a device is running Mobile@Work 9.1 for Android, the VPN setting includes an option to deploy the VPN client inside the container. On Samsung devices, the following VPN clients can be deployed either inside or outside the container:

  • Pulse Secure SSL (previously Junos Pulse)
  • Cisco AnyConnect
  • F5 SSL
  • OpenVPN
  • MobileIron Tunnel for Samsung Knox

The option in the VPN setting is called Deploy inside Knox workspace. When you choose this option, be sure to add the VPN client app to the Apps section of the Samsung Knox Container setting. MobileIron Tunnel for Samsung Knox is always deployed inside the container.

Prior to Mobile@Work 9.1 for Android

When a device is running a version of Mobile@Work prior to 9.1, the option in the VPN setting to deploy the VPN client inside the container is not applicable. The following table shows which VPN clients are deployed inside or outside of the Knox Workspace (container) when the device is running a version of Mobile@Work prior to 9.1:

Always deployed inside the container     Always deployed outside the container
OpenVPN                                  Pulse Secure SSL (previously Junos Pulse)
                                         Cisco AnyConnect
                                         F5 SSL

VPN Modes

For Android devices using the Samsung Knox Workspace, there are four VPN modes you can configure in MobileIron Core. They are:

Per-Device VPN

  • If a VPN client is installed outside the Knox container:
    • all apps outside the container use the same VPN connection.
    • a per-device VPN does not apply inside the Knox container for Samsung Knox 2.0 through the most recently released versions as supported by MobileIron.
  • If a VPN client is installed inside the Knox container, per-device VPN provides similar functionality to per-container VPN:
    • all apps inside the Knox container use the same VPN connection.
    • a per-device VPN does not apply to apps outside the Knox container.
  • Available for all Android devices.

Per-Container VPN

  • All apps inside the Knox container use the same VPN connection.
  • Requires a Samsung Knox license.

Per-App VPN for apps inside of Knox Container

  • Applies to individual apps inside a Knox container.
  • Each app can be individually assigned to a VPN connection. We recommend using a single VPN profile from a single provider. (The new feature allows you to cross providers.)
  • Any number of apps can share a single VPN connection.
  • Requires a Samsung Knox license. See Working with Samsung general policies.

Per-App VPN for apps outside of Knox Container

  • Applies to apps outside of a Knox container (a Knox container may or may not be present.)
  • Each app can be individually assigned to a VPN connection.
  • Requires a Samsung Knox license.

All of these modes are supported by the following VPN clients on Samsung Knox devices:

Table 1.  VPN clients

VPN Client Name                            Appears in VPN Setting as Connection Type
Pulse Secure (previously: Junos Pulse)     “Pulse Secure SSL”
F5 BIG-IP Edge Client                      “F5 SSL”
OpenVPN                                    “OpenVPN”
Cisco AnyConnect                           “Cisco AnyConnect”

Note: The connection type “Juniper SSL” is only for VPN settings created in previous versions of MobileIron Core.

The following VPN clients are supported for non-Samsung Android devices using per-device mode:

  • Pulse Secure
  • Cisco AnyConnect
  • MobileIron Tunnel (Samsung Knox Workspace)

Configuring VPN modes when VPN client is outside the Knox container

If the VPN client is installed outside the Knox container, you can configure the VPN client to be used in one of these modes:

  • per-device
  • per-container
  • per-app

In addition, you can configure a per-app Android enterprise VPN within the Knox v3 workspace. See Creating per container and per app Android enterprise VPNs within the Knox v3 workspace.

The following overview lists what you need to configure for each mode.

per-device mode

  • Description: The VPN client configured for per-device use can be used by appropriately labeled apps that are outside the Knox container.
  • VPN setting options:
    • per-app VPN: No
    • Samsung Knox: Select ONLY if using OpenVPN.
    • Deploy inside Knox Workspace: Not selected
    • Apply label to VPN setting.
  • App in App Catalog:
    • Apply label to app.
    • Per App VPN Settings in app: not applicable.
  • Samsung Knox Container setting: not applicable.
  • Android enterprise: N/A

per-container mode

  • Description: The VPN client configured for per-container use can be used by any apps inside the Knox container.
  • VPN setting options:
    • per-app VPN: Yes
    • Samsung Knox: Selected
    • Deploy inside Knox Workspace: Not selected
    • Apply label to VPN setting.
  • App in App Catalog:
    • App label is not applicable to VPN usage.
    • Per App VPN Settings in app: not applicable.
  • Samsung Knox Container setting:
    • In the App Settings section, in the VPN field, select the VPN setting from the drop-down list.
    • In the Apps section, for a specific app, make no VPN selection.
    • Apply label to Samsung Knox Container setting.
  • Android enterprise (Managed device with Work Profile mode):
    • Managed Device with Work Profile on the devices: Selected
    • Enable Samsung Per-container VPN: Selected

per-app mode

  • Description: The VPN client configured for per-app use can be used only by apps specifically configured to use it. The apps can be either inside or outside the Knox container.
  • VPN setting options:
    • per-app VPN: Yes
    • Samsung Knox: Selected
    • Deploy inside Knox Workspace: Not selected
    • Apply label to VPN setting.
  • App in App Catalog, for apps outside the Knox container:
    • Apply label to app.
    • Per App VPN Settings in app: set to VPN setting.
  • Samsung Knox Container setting, for apps inside the Knox container:
    • In the Apps section, for the specific app, select the VPN setting from the drop-down list.
    • In the App Settings section, in the VPN field, make no selection.
    • Apply label to Samsung Knox Container setting.
  • Android enterprise (Managed device with Work Profile mode):
    • In the App Catalog, Per App VPN by Label Only: Selected (applicable for in-house apps only)
    • Install this app for Android Enterprise: Selected

Creating per container and per app Android enterprise VPNs within the Knox v3 workspace

In Managed device with Work Profile mode, administrators can configure Knox VPN settings for per-container and per-app deployment so that devices communicate with services securely. Within the Knox workspace, administrators can create per-app VPNs that they can assign to apps in the App Catalog. Additionally, a special case of per-app deployment (MobileIron Tunnel + OpenVPN) supports VPN chaining; see the "Configuring VPN chaining" procedure in MobileIron Tunnel for Android Guide for Administrators.

Managed device with Work Profile mode works with the following VPN connection types:

  • Cisco AnyConnect
  • F5 SSL
  • Pulse Secure SSL
  • OpenVPN
  • MobileIron Tunnel (Samsung KNOX Workspace)

Note the following. These configurations are not supported:

  • Configuring VPNs via App restrictions and using Knox VPN APIs
  • Device-wide VPN in Managed device with Work Profile mode

Android enterprise VPN is configured using password- and certificate-based credentials. KLM licenses must be applied.

Creating per container Android enterprise VPN with Knox 3 workspace

This section covers configuring Knox VPN settings for per-container Android enterprise. The following procedure applies to Managed device with Work Profile mode for Android version 8.0.

Procedure 

  1. Register the device, in Work Profile mode, to Core using the procedure described in Setting the registration PIN code length for device user registration.
  2. Create a Samsung General Policy. See Working with Samsung general policies.
  3. Create an Android enterprise configuration.
    1. Click Add New > Android > Android enterprise.

      The New Android enterprise (all modes) Setting dialog box opens.

    2. Enter the Name and Description of the configuration.
    3. Select the Enable Managed Device with Work Profile on the devices check box.
    4. Click Save.
  4. Apply the configuration to a device label.
  5. Create a VPN configuration for Android enterprise.
    1. Click Policies & Configurations > Configurations.
    2. Select Add New > VPN. The Add VPN Setting dialog box opens.
    3. Select a Connection Type in the drop-down:

      • Cisco Legacy AnyConnect
      • OpenVPN
      • F5 SSL
      • Pulse Secure SSL
      • MobileIron Tunnel (Samsung KNOX Workspace)

    4. Select the Samsung KNOX check box.
    5. Select the Deploy inside Knox Workspace check box.
    6. Select the Per-app VPN Yes radio button.
    7. Click Save.
  6. Apply the VPN configuration to a device label.
  7. Edit the Android enterprise configuration.
    1. In the For Samsung Knox v3 (Android 8.0) section, select the Enable Samsung Per-container VPN check box.
    2. In the VPN Config Name field, select the VPN configuration you just created.
    3. Click Save.

On the Devices & Users > Devices > Device Details page, Managed Device with Work Profile displays your setting, for example, Workspace > Tunnel.

Creating per app Android enterprise VPN with Knox 3 workspace

This section covers configuring Knox VPN settings for per-app Android enterprise. The following procedure applies to Managed device with Work Profile mode.

NOTE: Before you begin this procedure, follow the "Configuring VPN chaining" procedure in MobileIron Tunnel for Android Guide for Administrators to populate the VPN Config Name field.

  1. Register the device, in Work Profile mode, to Core using the procedure described in Setting the registration PIN code length for device user registration.
  2. Create a Samsung General Policy. See Working with Samsung general policies.
  3. Apply the policy to a device label.
  4. Add a new Android Enterprise app in the App Catalog, for example, Google Chrome.
    1. Click Apps > App Catalog > Add.
    2. In the Android Enterprise section, select the Install this app for Android Enterprise check box.
    3. Click Save.
  5. Apply the app to a device label.
  6. Create a VPN configuration for Android Enterprise.
    1. Click Policies & Configurations > Configurations.
    2. Select Add New > VPN. The Add VPN Setting dialog box opens.

    3. Select a Connection Type in the drop-down:

      • Cisco Legacy AnyConnect
      • OpenVPN
      • F5 SSL
      • Pulse Secure SSL
      • MobileIron Tunnel (Samsung KNOX Workspace)

    4. Select the Samsung Knox check box.
    5. Select the Deploy inside Knox Workspace check box.
    6. Select the Per-app VPN Yes radio button.
    7. Save the new configuration.
  7. Import another app and install this app for Android enterprise. In the Per App VPN Settings section, select the new per-app VPN you created.

Next steps 

Move Android enterprise in-house apps to inside Knox Workspace

Move Android enterprise in-house apps to inside Knox Workspace

Once you have set up VPN for Knox Workspaces, you can move in-house apps from outside of the workspace to inside the Knox workspace. This is applicable to:

  • corporate-owned personal-enabled (COPE) mode on Android devices with an activated KNOX premium license.
  • devices with Knox version 3.x and above only.

You cannot copy or move apps from the personal side of the device into corporate-owned personal-enabled (COPE) mode or Work Profile mode on Samsung devices. The in-house apps should be assigned to a device label so they can be installed in the personal (outside of the container) space. This Android enterprise-only capability allows you to move previously installed in-house apps into the container (Knox V3 workspace) using whitelisting of apps in the Android Enterprise configuration. The app being moved must be whitelisted prior to moving it inside the Knox workspace. See Android Samsung Knox Container Settings.

Procedure 

This procedure is applicable for Android OS version 8.0 through the most recently released version as supported by MobileIron.

  1. Complete the procedure in Creating per container Android enterprise VPN with Knox 3 workspace or Creating per app Android enterprise VPN with Knox 3 workspace.
  2. Add a new Android Enterprise app in the App Catalog.
  3. Apply the app to a device label.
  4. If needed, force device check in.
  5. In Policies & Configs > Configurations, edit the Android enterprise configuration and select the Move In-House app into workspace check box.
  6. In the Package Name field, select the name of the app or hold the Shift key down and select multiple apps.
  7. Click Save.

On the device, the app is moved to the Knox Workspace. In the device's Settings > Workspace option, the Install apps option is disabled.

Remove Android enterprise apps from Knox Workspace

If the whitelist of apps is modified and an app is no longer listed inside the Knox workspace, that app will be moved back to the personal space. If the whitelist of apps is removed, all previously installed in-house apps will be moved back into the personal space.

Procedure 

  1. In Policies & Configs > Configurations, edit the Android enterprise configuration.
  2. In the Package Name field, de-select the name of the app or hold the Shift key down and de-select multiple apps.
  3. Click Save.
  4. Force device check in.

On the device, the app is moved out of Knox Workspace to the personal space.

Configuring VPN modes when VPN client is inside the Knox container

If the VPN client is installed inside the Knox container, you can configure the VPN client to be used in one of these modes:

  • per-device, but when the VPN client is installed inside the Knox container, per-device mode is really another way to configure per-container mode. Apps outside the container cannot use the VPN client.
  • per-container
  • per-app

The following overview lists what you need to configure for each mode.

per-device mode

  • Description: The VPN client configured for per-device use can be used by any apps inside the Knox container. Therefore, per-device mode when the VPN client is inside the container is really a way of configuring per-container mode.
  • VPN setting options:
    • per-app VPN: No
    • Samsung Knox: Selected
    • Deploy inside Knox Workspace: Selected
    • Apply label to VPN setting.
  • App in App Catalog:
    • App label is not applicable to VPN usage.
    • Per App VPN Settings in app: not applicable.
  • Samsung Knox Container setting:
    • Include the VPN client in the Apps section.
    • Apply label to Samsung Knox Container setting.

per-container mode

  • Description: The VPN client configured for per-container use can be used by any apps inside the Knox container.
  • VPN setting options:
    • per-app VPN: Yes
    • Samsung Knox: Selected
    • Deploy inside Knox Workspace: Selected
    • Apply label to VPN setting.
  • App in App Catalog:
    • App label is not applicable to VPN usage.
    • Per App VPN Settings in app: not applicable.
  • Samsung Knox Container setting:
    • Include the VPN client in the Apps section.
    • In the App Settings section, in the VPN field, select the VPN setting from the drop-down list.
    • In the Apps section, for a specific app, make no VPN selection.
    • Apply label to Samsung Knox Container setting.

per-app mode

  • Description: The VPN client configured for per-app use can be used only by apps specifically configured to use it. The apps can be either inside or outside the Knox container.
  • VPN setting options:
    • per-app VPN: Yes
    • Samsung Knox: Selected
    • Deploy inside Knox Workspace: Selected
    • Apply label to VPN setting.
  • App in App Catalog, for apps outside the Knox container:
    • Apply label to app.
    • Per App VPN Settings in app: set to VPN setting.
  • Samsung Knox Container setting:
    • Include the VPN client in the Apps section.
    • For apps inside the container, in the Apps section, for the specific app, select the VPN setting from the drop-down list.
    • In the App Settings section, in the VPN field, make no selection.
    • Apply label to Samsung Knox Container setting.

Note: In all three modes, do not apply a label to the VPN client app itself. Including the VPN client in the Apps section of the Samsung Knox Container setting is what results in the app being deployed in the device’s Knox container.

VPN Behavior on the Device

When a VPN setting is installed on a device, the following behavior is observed:

  • The VPN client displays its VPN connection status in the notifications bar.
  • For per-app VPN configurations, the connection is automatically established when the user opens an app or accesses data that requires the connection.
  • For per-device VPN, the user must manually establish the connection through the VPN client app.

Disconnecting or attempting to remove VPN behaves as follows:

  • A user cannot disconnect a per-app or per-container VPN connection manually. The connection is automatically disconnected if:
    • Device is removed from the label that provides VPN.
    • Device is retired.
  • A user can disconnect a per-device VPN connection manually.
  • A user cannot uninstall a VPN client on Samsung devices if a VPN connection exists using the client.

Usage Notes

For all VPN clients:

  • Knox 1.2 supports using per-app VPN outside of the Knox container, but not inside. Per-device VPN works inside Knox 1.2 container.
  • Knox 2.0 through the most recently released version as supported by MobileIron is required to use per-app VPN inside of the Knox container. Per-device VPN is not available inside these versions of the Knox container.

For the F5 BIG-IP Edge Client, Pulse Secure (previously Junos Pulse), OpenVPN, and Cisco AnyConnect:

  • To use per-app VPN with Pulse Secure, F5 BIG-IP Edge Client, OpenVPN, or Cisco AnyConnect, you must select Samsung Knox in the VPN Settings. An invalid configuration can result if Samsung Knox is not selected.

For Juniper (Pulse Secure, previously Junos Pulse):

  • For the Pulse Secure client, the user must accept the app’s EULA before Mobile@Work can install the VPN setting.
  • To use Pulse Secure for per-app VPN, a license is required from Juniper Networks that is applied to the VPN gateway.
  • Mobile@Work supports the Pulse Secure client, not the “Junos for Samsung” client.

Regarding migrating to Pulse Secure from Junos Pulse:

Only Mobile@Work 9.0.0.0 and prior prompts the device user to install Pulse Secure if the device is using the Junos Pulse VPN app. Otherwise, device users are not prompted, but can uninstall the Junos Pulse app and then install Pulse Secure. When Junos Pulse is uninstalled, the Junos Pulse configurations will be removed only if the device is running Mobile@Work 9.0.0.0 or prior.

If you prefer device users to be prompted to migrate, MobileIron recommends users stay on Mobile@Work 8.5 (8.5.0.0 through 8.5.0.3) until after they have upgraded to Pulse Secure. See the migration instructions in the following documents.

Limitations for VPN connections and settings

  • Per-container VPN for the Knox container cannot be combined with per-app VPN for apps inside the container. You must choose to use one VPN mode or the other.

    To do so, in the New Samsung Knox Container Setting dialog, you must either provide a VPN selection for individual apps in the Apps section, or provide a VPN selection in the App Settings section, but not both.

  • MobileIron recommends using a single VPN client and a single VPN connection per device.

How to set up VPN for apps both outside and inside the Knox container

In Knox 2.0 through the most recently released version as supported by MobileIron, when you install a VPN client outside of the Knox container, a per-device VPN does not provide VPN inside the Knox container. If you want VPN working for apps both inside and outside the Knox container when the VPN client is outside the Knox container, set up:

  • a per-device VPN for apps outside of the container, and
  • a per-container VPN for the apps inside of the container.

We recommend using the same VPN client for each. You will need to create a separate VPN setting for each, however. One VPN setting sets its per-app VPN option to yes, and the other sets it to no.

See Configuring VPN modes when VPN client is outside the Knox container.

Using certificates with VPN

When using certificates with VPN settings, depending on the VPN client, you will need to add the certificate in the VPN setting, and in some cases also assign the certificate to a label.

The following tables indicate the rules for each VPN client and certificate type.

VPN Client                                                       Rules for User Authentication Certificates
Pulse Secure (previously: Junos Pulse), OpenVPN                  Provide user authentication certificate in the VPN setting.
                                                                 Apply certificate to a label.
Mocana KeyVPN, F5 Big-IP Edge Client                             Provide user authentication certificate in the VPN setting only.
                                                                 Do not apply certificate to a label.

VPN Client                                                       Rules for CA (Root) Certificates
Pulse Secure (previously: Junos Pulse), F5 Big-IP Edge Client    Apply CA certificate to a label.
Mocana KeyVPN, OpenVPN                                           Provide CA certificate in the VPN setting only.
                                                                 Do not apply certificate to a label.