If you want to use IKEv2-based VPNs for per Account and per App VPN and require certificate-based authentication, I will explain the required steps to make use of this in BlackBerry UEM. The below configuration assumes that the VPN username and actual username are different, e.g., vpnuser001@boui.de is the VPN username and abdelkader@boui.de is the username. The certificate for the VPN authentication is issued to the VPN username.
- Enable the use of custom variables in BlackBerry UEM. We will need this later on, as it gives us a simple way to map the VPN certificate to the actual user account.
  - Log in to the UEM console
  - Navigate to Settings -> General settings -> Custom variables
  - Enable the checkbox “Show custom variables when adding or editing a user”
  - For the variable %custom1% set the label to vpn_user_iphone
  - For the variable %custom2% set the label to vpn_user_ipad
  - It is necessary to differentiate between iPhone and iPad VPN accounts, as in my setup I need to use one VPN certificate per device.
  - Click on Save.
- Configure the custom variables in the user account
  - Navigate to Users -> All Users in the UEM console
  - Search for the user account you want to modify and open the user view
  - Click on the Edit button in the top right corner
  - In the new view navigate to the bottom and expand the section Custom variables. Enter the VPN username for the iPhone and the iPad, respectively.
  - Click on Save.
- Create the two user credential profiles, one for iPhones and one for iPads
  - In the UEM console navigate to Policies and profiles -> Managed devices -> Certificates -> User credential
  - Click on the plus symbol to create a new user credential profile
  - In the name field enter the name for the profile, e.g., vpn_user_iphone_certificate
  - In the drop-down list for Certificate authority connection select Manually uploaded certificate
  - Disable the checkboxes for macOS and Android
  - Click on Add to save the profile
  - Repeat the previous steps and create the user credential profile we will use for the iPads, e.g., vpn_user_ipad_certificate
- Create the IKEv2 VPN profile
  - In the UEM console navigate to Policies and profiles -> Managed devices -> Networks and Connections -> VPN
  - Click on the plus symbol to create a new VPN profile
  - In the field Name enter a name for the profile, e.g., iphone_vpn_profile
  - As we will use the VPN profile only for iPhones and iPads, you can disable the checkboxes for macOS, Android and Windows
  - In the drop-down list Connection type select IKEv2
  - For Remote address enter your VPN gateway FQDN, e.g., vpngw.boui.de
  - For Local ID enter %custom1%
  - For Remote ID enter the remote ID of your VPN gateway, e.g., vpngw.boui.de
  - In the drop-down list Authentication type select User credential
  - A new drop-down list named Associated user credential profile appears. Select the user credential profile we created for iPhones; in our case it is named vpn_user_iphone_certificate. This selection gives us the mapping between the custom variable we entered in Local ID and the VPN certificate, which we will assign to the user further down in this guide.
  - Confirm that Enable per-App VPN and Allow apps to connect automatically are enabled.
  - It is optional to add any domains. We will skip that for now.
  - In the drop-down list Traffic tunnelling confirm that Application layer is selected
  - All other settings depend on the requirements of your VPN solution. Configure the remaining settings as required.
  - Click on Add to save the VPN profile.
  - Open the newly created VPN profile and click on the Copy VPN profile button in the top right corner
  - You only need to change two values – the profile name and the Local ID
  - For the profile name we will use vpn_profile_ipad
  - For the Local ID we will change the value to %custom2%, as this is the custom variable we are using in our setup to authenticate the iPad
  - All other settings will remain the same.
  - Click on Save to save the copied profile
  - The two newly created VPN profiles should look like the below screenshot
- Assign the user credential profiles to the user
  - To make easier use of the user credential profiles, I have created two user groups in BlackBerry UEM – one for iPhone users, one for iPad users
  - The user credential profiles we created are assigned to the respective group as shown in the below screenshot, e.g., the iPhone user credential profile is assigned to the iPhone user group and the iPad user credential profile is assigned to the iPad user group
  - Our test user is a member of both groups
  - We now have the option to add the two certificates to the user
  - In our setup we have two VPN user certificates – one issued to vpn001@boui.de for the iPhone and the other issued to vpn002@boui.de to be used with the iPad. We will add the certificates to the user by clicking on Add a certificate. We will be prompted for the password of the private key when uploading it to the UEM server, so make sure you have the relevant passwords at hand when adding the certificates. After the certificates have been successfully added, the view should look like the screenshot shown below
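As an added illustration (not part of the original guide and not BlackBerry's code), the following Python models the mapping the steps above build: the custom variables on the user record are substituted into the Local ID of each VPN profile, the associated user credential profile points at the uploaded certificate, and a check confirms that the resolved Local ID is the identity the certificate was issued to, which is what the gateway will compare. The user record, certificate identities and UUIDs are constructed sample values (reusing the vpn001/vpn002 identities from the certificate step); the payload key names follow Apple's com.apple.vpn.managed VPN payload as I understand it and are an assumption about what the device receives, not an export from UEM.

```python
import plistlib
import re
import uuid

# Constructed sample data mirroring the guide's console settings (not exported from UEM).
USER = {
    "username": "abdelkader@boui.de",
    "custom1": "vpn001@boui.de",   # label vpn_user_iphone
    "custom2": "vpn002@boui.de",   # label vpn_user_ipad
}

# User credential profile -> the certificate uploaded for it. Only the SAN e-mail the
# certificate was issued to and a payload UUID are modelled (both constructed).
USER_CREDENTIAL_PROFILES = {
    "vpn_user_iphone_certificate": {"san_email": "vpn001@boui.de",
                                    "uuid": "11111111-1111-1111-1111-111111111111"},
    "vpn_user_ipad_certificate": {"san_email": "vpn002@boui.de",
                                  "uuid": "22222222-2222-2222-2222-222222222222"},
}

# The two VPN profiles from the guide; only the fields that matter for identity mapping.
VPN_PROFILES = {
    "iphone_vpn_profile": {
        "remote_address": "vpngw.boui.de",
        "local_id": "%custom1%",
        "remote_id": "vpngw.boui.de",
        "user_credential_profile": "vpn_user_iphone_certificate",
    },
    "vpn_profile_ipad": {
        "remote_address": "vpngw.boui.de",
        "local_id": "%custom2%",
        "remote_id": "vpngw.boui.de",
        "user_credential_profile": "vpn_user_ipad_certificate",
    },
}

_VAR = re.compile(r"%(custom\d+)%")


def resolve_variables(value, user):
    """Expand %customN% placeholders from the user record. An unset variable is treated
    as an error: an empty Local ID would quietly yield a profile the gateway rejects."""
    def sub(match):
        name = match.group(1)
        if not user.get(name):
            raise ValueError(f"custom variable {name} is not set for {user['username']}")
        return user[name]
    return _VAR.sub(sub, value)


def build_ikev2_payload(profile_name, user):
    """Render one VPN profile for one user as a VPN payload dictionary. Key names follow
    Apple's com.apple.vpn.managed payload (assumed here; UEM's real export may differ)."""
    prof = VPN_PROFILES[profile_name]
    cert = USER_CREDENTIAL_PROFILES[prof["user_credential_profile"]]
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadDisplayName": profile_name,
        "UserDefinedName": profile_name,
        "VPNType": "IKEv2",
        "VPNUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, profile_name)),  # constructed, stable per profile
        "OnDemandMatchAppEnabled": True,  # per-App VPN: apps are matched to this tunnel
        "IKEv2": {
            "RemoteAddress": prof["remote_address"],
            "RemoteIdentifier": prof["remote_id"],
            "LocalIdentifier": resolve_variables(prof["local_id"], user),
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert["uuid"],
        },
    }


def check_identity_mapping(profile_name, user):
    """The check worth running before assigning a profile: the Local ID the device sends
    must be the identity the selected certificate was issued to.
    Returns (ok, resolved_local_id, certificate_identity)."""
    prof = VPN_PROFILES[profile_name]
    cert = USER_CREDENTIAL_PROFILES[prof["user_credential_profile"]]
    local_id = resolve_variables(prof["local_id"], user)
    return local_id == cert["san_email"], local_id, cert["san_email"]


def render_mobileconfig(profile_name, user):
    """Serialise the payload as an XML plist so it can be inspected with standard tools."""
    return plistlib.dumps(build_ikev2_payload(profile_name, user), fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for name in VPN_PROFILES:
        ok, local_id, cert_id = check_identity_mapping(name, USER)
        print(f"{name}: Local ID {local_id} -> certificate {cert_id}: {'OK' if ok else 'MISMATCH'}")
    # Constructed mistake: the iPad variable was filled with the iPhone identity.
    bad_user = dict(USER, custom2="vpn001@boui.de")
    print(check_identity_mapping("vpn_profile_ipad", bad_user))
```

The mismatch case is the one to watch for in practice: because the iPad profile is a copy of the iPhone profile, a Local ID left at %custom1% or a custom variable filled with the wrong identity produces a profile that installs cleanly but fails IKEv2 authentication at the gateway.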
Our VPN setup in BlackBerry UEM is now complete. As we are differentiating between iPads and iPhones, I would recommend assigning the apps (for per-App VPN) and the mail profile (for per-Account VPN) through device groups. If you are planning to use per-Account VPN in the email profile, you will require one mail profile per device type. For a simple setup, set the device query in the device group to Model Starts with iPhone and scope the device group to the iPhone users’ group. For the iPad group change the value to Model Starts with iPad and modify the user group scope to the iPad users. When assigning the apps to the device groups, make sure to use the correct VPN profile.
The screenshot below shows the device group setup for iPhone and configured with an email profile and the app SecuFOX to use the per App VPN tunnel. The per Account VPN configuration for the email profile is not shown in the screenshot. You can add additional profiles and apps to the device group as required.