VPN profiles (Premium)
A group of configuration settings for the VPN profiles used to drive the primary and secondary VPN clients on the device. You can define up to two VPN profiles that are used for VPN Chaining.
    • Profile name
      Enter the name of the VPN profile in this field. Use a unique and descriptive name, including the name of the VPN server and other identifying descriptions. For example, KnoxOuterVPN or CiscoInnerVPN. Reference this name in the "Name of VPN profile to use" or "Name of secondary VPN profile" section of the device-wide or work profile level VPN policy controls.
    • Vendor
      Select the VPN vendor that manufactured your VPN client. To use the strongSwan VPN client that is part of the Knox framework, select Knox built-in. To use another VPN client that is not the default Knox built-in client, ensure that the appropriate VPN client is installed before KSP is launched. KSP does not automatically install the VPN client.
    • Host
      Enter the server host as an IP address or a domain name. Refer to your VPN provider's documentation for the formats applicable to your VPN client.
    • VPN connection type
      Select the type of security protocol that the VPN client uses to connect to the server. Some VPN Vendors may not support some of the connection types. Refer to your VPN provider's documentation for this information.
    • Include UID/PID meta data
      Use this control to enable the inclusion of metadata about the unique identifier of the device's user (UID) and the processes running on the device (PID).
    • Proxy
      Use these controls to add information about the proxy server and other configurations used with this VPN profile.
      • Enable Proxy with VPN
        If required, use this control to use proxy servers with your VPN connection.
      • Server
        If your configuration uses proxy servers, enter the VPN proxy server information in this field. Contact your Network or IT Administrator for this information.
      • Port
        Enter the port number on the device that the proxy uses for communication. Contact your Network or IT Administrator for this information.
      • PAC (Proxy auto config)
        Specify the URL for your proxy's automatic configuration file that determines the appropriate proxy server to use for each URL accessed. Contact your Network or IT Administrator for this information.
      • Proxy authentication type
        The proxy can be used without authentication, or with basic or NTLM authentication using either admin-provided credentials or user credentials. Contact your Network or IT Administrator for more information.
      • Username
        If you want to use admin-provided credentials, enter the username for use with the proxy server. Leave this field empty to let the device user use their own credentials for the device.
      • Password
        For proxies that use the IT admin-provided credentials, enter the password used with the proxy username. Leave this field empty if you didn't provide a proxy username earlier, so that the device user can use their own credentials for the device.
    • Cisco AnyConnect VPN client settings
      Use these controls to specify values for the vendor-specific attributes for your Cisco AnyConnect VPN client. Contact your Network or IT Administrator for more information.
      • authentication
        Select the type of authentication that your VPN client uses. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
      • ike-identity
        If you selected the EAP-GTC, EAP-MD5, EAP-MSCHAPv2, or IKE-RSA authentication type for your VPN profile, enter the IKE Identity information to use. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
      • usergroup
        Enter the name of the usergroup that is authorized to use the VPN client profile.
      • certalias
        If your configuration uses certificates to establish a connection, enter the certificate alias here. KSP checks whether the certificate is installed and will wait for up to 5 minutes before retrying if it is not found. Your IT admin provides this information when setting up the Cisco AnyConnect profile.
    • Pulse Secure VPN client settings
      Use these controls to specify the vendor-specific attributes for your Pulse Secure VPN client. Refer to your VPN provider's documentation for this information.
      • Authentication realm
        The authentication realm specifies the conditions that users must meet in order to sign into the VPN server. Your IT admin provides this information when setting up the VPN profile.
      • Authentication profile role
        The authentication role specifies the session and personalization settings, as well as the type of resources that users can access. For example, the role defines whether the user can access all websites, some websites, or emails only.
      • certAlias
        Enter the name of the authentication certificate that your VPN client uses to connect to the server. KSP checks whether the certificate is installed and will wait for up to 5 minutes before retrying if it is not found. Your IT admin provides this information when setting up the VPN profile.
      • RSASoftToken
        Enter the name of the RSA software token generator that the VPN client uses to connect to the server. Your IT admin provides this information when setting up the VPN profile.
      • SafeNetSoftToken
        Enter the name of the SafeNet software token generator that the VPN client uses to connect to the server. Your IT admin provides this information when setting up the VPN profile.
      • Retry
        Enable this to allow the VPN client to retry automatically if it fails to connect.
      • Silent Authentication
        Enable this setting to allow the VPN client to perform silent authentication and establish connection without any user prompts. This setting is supported on specific versions of the VPN client only. Contact your VPN provider for this information. This option is supported only for DO and COPE deployments and not in PO (BYOD) deployments.
    • Net Motion VPN client settings
      Use these controls to specify the vendor-specific attributes for your NetMotion Mobility client. Refer to your VPN provider's documentation for this information.
      • Username
        Use this control to provide the user name for your NetMotion VPN client when the Windows NTLM protocol is used for user authentication.
      • Password
        Use this control to provide the password for your NetMotion VPN client when the Windows NTLM protocol is used for user authentication.
      • Domain
        If username and password authentication requires a domain, specify it here.
      • Validate Server
        When this is set to true, the RADIUS server must send the Mobility client a certificate signed by a certification authority that has established a trust relationship with the client. A certificate in the same trusted root chain must already be installed on the Mobility client.
      • Certificate alias for user authentication
        If your network uses certificate-based authentication, use this control to enter the certificate alias used for user authentication.
      • Certificate alias for device authentication
        If your network uses certificate-based authentication, use this control to enter the certificate alias used for device authentication.
      • Server suffix to use for authentication
        Use this setting to limit the RADIUS servers Mobility can use for authentication. For example, entering the domain to which the authenticating server must belong prevents Mobility from using a RADIUS server in a different domain.
      • Device name
        This field shows the name of the device as listed in Device Settings. Within the Mobility client, you can change the name of an Android device to something more meaningful. If you have changed the device name in the Mobility client, enter that name in this field.
    • Parameters for Knox built-in VPN (for strongSwan)
      Use these controls to specify vendor-specific attributes for your Knox built-in VPN client.
      • Authentication type
        Select the type of authentication that your Knox built-in VPN client uses.
      • Auto retry in minutes
        When the VPN client is unable to connect or drops an active connection to the server, it automatically tries to reconnect. Enter the time interval, in minutes, after which the VPN client tries to reconnect. The default interval is two minutes.
      • Identifier
        Enter the built-in unique VPN identifier that applies to your VPN provider. This information applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
      • Pre-shared key
        Enter the pre-shared key, which is a form of password, that applies to your VPN client profile. This information applies to the ipsec_ike2_psk authentication type. Your IT admin provides this information when setting up the VPN client profile.
      • User certificate alias
        Enter the alias that identifies the user certificate used for your VPN client. Your IT admin provides this information when setting up the VPN client profile.
      • CA certificate alias
        Enter the alias that identifies the CA certificate used in your VPN client for the ipsec_hybrid_rsa and ipsec_ike2_rsa authentication types. Your IT admin provides this information when setting up the VPN client profile.
      • Server certificate alias
        If your client uses ipsec_hybrid_rsa or ipsec_ike2_rsa, enter the name of the server certificate to use for authenticating connections. Your IT admin provides this information when setting up the VPN client profile.
      • OCSP URL
        If your client uses ocsp_url for ipsec_ike2_rsa, enter the URL to use for connections. Your IT admin provides this information when setting up the VPN client profile.
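
The field dependencies described above (which Knox built-in parameters apply to which authentication type, the two-profile limit, unique profile names, and proxy password without username) can be checked before a profile is pushed. The following is an added example, not KSP code: it assumes profiles are held as Python dicts keyed by this page's field labels, which is a constructed representation and not KSP's actual schema.

```python
# Added example. Keys are this page's field labels used as dict keys; this is a
# constructed representation, not KSP's actual configuration schema.

# Knox built-in parameters and the authentication types the page ties them to.
APPLIES_TO = {
    "Identifier": {"ipsec_ike2_psk"},
    "Pre-shared key": {"ipsec_ike2_psk"},
    "CA certificate alias": {"ipsec_hybrid_rsa", "ipsec_ike2_rsa"},
    "Server certificate alias": {"ipsec_hybrid_rsa", "ipsec_ike2_rsa"},
    "OCSP URL": {"ipsec_ike2_rsa"},
}

def lint_profiles(profiles):
    """Return (profile name, finding) tuples for a list of profile dicts."""
    findings = []
    if len(profiles) > 2:
        findings.append(("*", "more than two profiles defined"))
    names = [p.get("Profile name", "") for p in profiles]
    for p in profiles:
        name = p.get("Profile name", "")
        if not name or names.count(name) > 1:
            findings.append((name, "profile name missing or not unique"))
        if p.get("Vendor") == "Knox built-in":
            auth = p.get("Authentication type")
            for field, auth_types in APPLIES_TO.items():
                if p.get(field) and auth not in auth_types:
                    findings.append((name, f"{field} does not apply to {auth}"))
        proxy = p.get("Proxy", {})
        if proxy.get("Password") and not proxy.get("Username"):
            findings.append((name, "proxy password set without a username"))
    return findings

# Constructed sample input: two profiles with deliberate inconsistencies.
SAMPLE = [
    {"Profile name": "KnoxOuterVPN", "Vendor": "Knox built-in",
     "Authentication type": "ipsec_ike2_rsa",
     "CA certificate alias": "corp-ca",
     "Pre-shared key": "placeholder-psk"},  # stale secret from an earlier PSK setup
    {"Profile name": "KnoxOuterVPN", "Vendor": "Knox built-in",
     "Authentication type": "ipsec_ike2_psk",
     "Identifier": "vpn-id", "Pre-shared key": "placeholder-psk",
     "OCSP URL": "https://ocsp.example.test",
     "Proxy": {"Server": "proxy.example.test", "Port": 8080,
               "Password": "placeholder"}},
]

if __name__ == "__main__":
    for name, finding in lint_profiles(SAMPLE):
        print(f"{name}: {finding}")
```

A pre-shared key left in a profile that has since moved to certificate authentication is the finding most worth acting on, since it is a secret stored on the device with no remaining purpose.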