cer file) that you exported from your VPN administration console. In Configuration settings, select the folder icon, and browse to your VPN certificate (. This setting is optional, but recommended.
The trusted certificate profile instructs the iOS/iPadOS device to automatically trust the CA that the VPN server presents. Import the VPN server's root certificate issued by the CA into a profile created in Intune. To create a new group, see Add groups to organize users and devices. This group must include the users or devices that will use per-app VPN. If the CA presented by the device matches a CA in the Trusted CA list on the VPN server, then the VPN server successfully authenticates the device.Ĭreate or choose an existing group in Azure Active Directory (Azure AD). cer extension, and you add it when creating a trusted certificate profile.Īdd the name of the CA that issued the certificate for authentication to the VPN server. On your VPN server, open the administration console.Ĭonfirm that your VPN server uses certificate-based authentication.Įxport the trusted root certificate file. This trusted certificate profile must include the VPN server's root certificate issued by the Certification Authority (CA).
To confirm the automatic approval of the certificate, create a trusted certificate profile. To prove its identity, the VPN server presents the certificate that must be accepted without a prompt by the device. Be sure to check with their documentation, and meet those prerequisites before setting up per-app VPN in Intune. Your VPN vendor may have other requirements for per-app VPN, such as specific hardware or licensing.