Menu

VPN Profile Configuration

This section explains how the EMM agent which controls the mobile device can configure the VPN connection for a given combination of device privileges, apps, and VPN connections. This section also includes instructions for creating blacklists for VPN access.

See also VPN Chaining for instructions on configuring a dual chain VPN server configuration.

A Main User or a DO, Per-App, VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed on the device.
  • The VPN client must be installed in the Main user.

Implement the EMM Agent's Configuration and Management Operations

See the GenericVpnPolicy class in the Knox SDK for calls used in the following steps.

  1. The EMM agent has to get the instance of the GenericVpnPolicy object in the KnoxManager class by passing the VPN vendor's package name as parameter.

    EnterpriseKnoxManager ekm = EnterpriseKnoxManager.getInstance();
    GenericVpnPolicy gm = ekm.getGenericVpnPolicy($vpn_client_packageName,$userId where VPN client is installed);

    After this code executes, the framework tries to bind to the VPN vendor's application. When the binding succeeds, the framework sends a broadcast message to the EMM agent.

  2. The EMM agent has to listen for the intent action com.samsung.android.mdm.VPN_BIND_RESULT that contains the following information:

    • vpn_bind_vendor provides the VPN vendor's package name
    • vpn_bind_status returns true or false, specifying whether the bind to the VPN vendor's application was successful or not.

    public class VPNBindReciever extends BroadcastReceiver {
    	public static final String ACTION_BIND_RESULT = "com.samsung.android.mdm.VPN_BIND_RESULT";
    	public static final String BIND_VENDOR = "vpn_bind_vendor";
    	public static final String BIND_STATUS = "vpn_bind_status";
    	public void onReceive(Context context, Intent intent) {
    		if (intent.getAction().equalsIgnoreCase(ACTION_BIND_RESULT)) {
    			String vendorName = intent.getExtra(BIND_VENDOR);
    			boolean status = intent.getExtra(BIND_STATUS);
    		}
    	}
    }
  3. Once the received value of vpn_bind_status is true, then the APIs present in the GenericVpnPolicy class need to be called with the reference to GenericVpnPolicyObject (gm);

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following sections.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addPackagesToVpn (String[] packageList, String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

A Main User-Wide or a DO, VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed on the device.
  • The VPN client must be installed in the Main user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following sections.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllPackagesToVpn (String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  1. gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

CL Container User, Per-App, VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed on the device.
  • The VPN client must be installed in the container user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following section.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under the configuration described in the previous section.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addPackagesToVpn (String[] packageList, String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

CL Container-Wide VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed in the Main user.
  • The VPN client must be installed in the container user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following sections.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllPackagesToVpn (String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

BYOD Device, Per-App VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed on the device.
  • The VPN client must be installed in the container user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following section.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under the configuration described in the previous section.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addPackagesToVpn (String[] packageList, String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

BYOD User-Wide VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed on the device.
  • The VPN client must be installed in the container user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following sections.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllPackagesToVpn (String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  1. gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

Cross-User, Per-App, VPN Connection

Requirements for this configuration:

  • The EMM agent must be installed in the Main user.
  • VPN client must be installed in the Main user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following section.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under the configuration described in the following section.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addPackagesToVpn (String[] packageList, String profileName);
  3. gm.getState (String profileName); // The return value should be 1 or 5
  4. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  5. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  6. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

Cross-User, Per-App or User-Wide, VPN Connection

Requirements for this configuration:

  • Admin must be installed on the device.
  • VPN client must be installed in the Main user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following section.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addPackagesToVpn (String[] packageList, String profileName);
  3. gm.addAllContainerPackagesToVpn ($container-id, String profileName);
    where $container-id should be available through the EMM.
  4. gm.getState (String profileName); // The return value should be 1 or 5
  5. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  6. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  7. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

Cross User-Wide or Device-Wide Configuration

Requirements for this configuration:

  • The EMM agent must be installed on the device.
  • The VPN client must be installed in the Main user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Manage the VPN Connection

After the VPN is configured, there are basic operations required to work with the facility as described in the following section.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under the configuration described in the previous section.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllPackagesToVpn (String profileName);
  3. gm.addAllContainerPackagesToVpn ($container-id, String profileName);
    where $container-id should be available through the EMM.
  4. gm.getState (String profileName); // The return value should be 1 or 5
  5. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  6. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  7. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

Blacklist BYOD devices or PO or DO Users from VPN

Requirements for this configuration:

  • The EMM agent and the VPN client must be installed in the same user space.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllPackagesToVpn (String profileName);
  3. gm.removePackagesFromVpn (String[] packageList, String profileName);
  4. gm.getState (String profileName); // The return value should be 1 or 5
  5. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  6. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  7. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

Blacklist Knox CL or Knox COM Users from VPN

Requirements for this configuration:

  • The EMM agent must be installed in main user.
  • The VPN client must be installed inside the container.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under this configuration.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllPackagesToVpn (String profileName);
  3. gm.removePackagesFromVpn (String[] packageList, String profileName);
  4. gm.getState (String profileName); // The return value should be 1 or 5
  5. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  6. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  7. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);

Blacklist Cross User-Wide or Device-Wide Users from VPN

Requirements for this configuration:

  • The EMM agent must be installed in main user.
  • The VPN client must be installed in main user.

Follow these instructions to implement the calls for this VPN connection in the EMM agent.

Create and Start a VPN Connection

The EMM agent must make the following calls to start a VPN connection under the configuration described above.

  1. gm.createVpnProfile (String profileInfo);
  2. gm.addAllContainerPackagesToVpn ($container-id, String profileName);
    where $container-id should be available through the EMM.
  3. gm.removeContainerPackagesFromVpn ($container-id, String[] packageList, String profileName);
    where $container-id should be available through the EMM.
  4. gm.addAllPackagesToVpn (String profileName);
  5. gm.removePackagesFromVpn (String[] packageList, String profileName);
  6. gm.getState (String profileName); // The return value should be 1 or 5
  7. gm.setAutoRetryOnConnectionError (String profileName, boolean enable); //optional
  8. gm.setVpnModeOfOperation (String profileName, int vpnMode); //optional
  9. gm.activateVpnProfile (String profileName, true);

Stop a VPN Connection

The EMM agent must make the following call to stop a VPN connection:

  • gm.activateVpnProfile (String profileName, false);

Remove a VPN Connection

The EMM agent must make the following calls to remove a VPN connection from a VPN vendor's app.

  1. gm.activateVpnProfile (String profileName, false);
  2. gm.getState (String profileName); // The return value should be 1 or 5
  3. gm.removeVpnProfile (String profileName);