Intune-macOS-NativeVPNClient – Deploying Always On VPN with Intune using Custom ProfileXML

This article walks through creating a custom IKEv2 VPN profile for the macOS native VPN client and pushing it out to Intune-managed BYOD Mac devices.

As of April 2023, Intune can only create VPN profiles for third-party clients, as shown in the screenshot below; for the macOS built-in native VPN client, the only option in Intune is a custom profile. Under the Intune device configuration blade for the macOS platform –> Template –> VPN: 1) Authentication method: select Certificates (if using 802.1X-based authentication); 2) Connection type: “Custom VPN”.

Before creating the profile, check out this link to understand which values are expected in each property field when building the profile with Apple Configurator.

It is also important to know which IPsec security parameters your VPN server uses (in our lab, we used Microsoft RRAS Server 2019).

Prerequisite: you have reviewed the IPsec security parameters used by the VPN server and the MDM settings for VPN IKEv2.

1. How to create a custom VPN profile using Apple Configurator

Please note: the Apple Configurator app requires a Mac. Alternatively, you can use the iMazing app on Windows.

In the General section, give the profile a name, enter your organization name and an optional description; the Security setting is not required, since Intune does not allow the profile to be removed.

In the VPN section, replace the values for Connection Name, Server, Remote Identifier and Local Identifier (for Intune-enrolled devices, the {{userprincipalname}} token can be used to represent the enrolled user account) and leave the rest as is.

In our lab setup, the network policy on the NPS (RADIUS) server accepts both EAP-TLS and PEAP-TLS as authentication methods, so choose “Enable EAP” below.

The screenshot below continues the VPN section; the values for both the IKE and Child SA Parameters are based on the IPsec parameters of your VPN server noted above. You can also set DNS Servers, Primary Domain Name and DNS Search Domains (if any).

Once all values are entered, click File –> Save and save the file to a local directory with the .mobileconfig extension (it is simply an XML file containing the VPN profile settings, and no further changes are required).
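The profile the steps above produce, as an added Python example (not code from the article or from Apple Configurator): it builds the same IKEv2 payload with plistlib and checks the IKE and Child SA parameters against the server's IPsec proposal before the file is handed to Intune. The server name, DNS values and the RRAS proposal are constructed assumptions; replace them with your own.

```python
import plistlib
import uuid

# Constructed lab values: the server FQDN and DNS settings are assumptions, not the article's.
VPN_SERVER = "vpn.example.com"        # public name of the RRAS server
UPN_TOKEN = "{{userprincipalname}}"   # Intune replaces this with the enrolled user's UPN

# Proposal configured on the VPN server (constructed; read the real one from your RRAS box).
RRAS_PROPOSAL = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
                 "DiffieHellmanGroup": 14}

def build_profile(server, proposal, dns_servers, search_domains):
    """Build the dictionary that plistlib serialises as the .mobileconfig file."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Always On VPN (IKEv2)",
        "UserDefinedName": "Always On VPN",   # connection name shown in the VPN client
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,       # must match the name in the server certificate
            "LocalIdentifier": UPN_TOKEN,
            "AuthenticationMethod": "Certificate",  # add PayloadCertificateUUID if the cert is embedded
            "ExtendedAuthEnabled": True,      # "Enable EAP": EAP-TLS / PEAP-TLS against NPS
            "IKESecurityAssociationParameters": dict(proposal, LifeTimeInMinutes=1440),
            "ChildSecurityAssociationParameters": dict(proposal, LifeTimeInMinutes=1440),
        },
        "DNS": {"ServerAddresses": dns_servers, "SearchDomains": search_domains},
    }
    return {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.profile", "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Always On VPN", "PayloadOrganization": "Contoso Lab",
        "PayloadContent": [vpn_payload],
    }

def mismatches(profile, server_proposal):
    """List IKE/Child SA parameters that differ from what the server accepts."""
    ikev2 = profile["PayloadContent"][0]["IKEv2"]
    bad = []
    for sa in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        for key, want in server_proposal.items():
            if ikev2[sa].get(key) != want:
                bad.append(f"{sa}.{key}: profile={ikev2[sa].get(key)!r} server={want!r}")
    return bad

def to_mobileconfig(profile):
    """Serialise as an XML plist, which is all a .mobileconfig file is."""
    return plistlib.dumps(profile)
```

Write the bytes from `to_mobileconfig` to a `.mobileconfig` file only when `mismatches` returns an empty list; a proposal mismatch is the usual reason an IKEv2 tunnel fails to negotiate after deployment.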

2. Use the custom policy in Intune

Give the custom configuration profile a name, set the deployment channel to User, and import the VPNprofile.mobileconfig exported from Apple Configurator.

After the profile is deployed to the clients, this is how it appears on a Mac device: the values are pre-filled from the Intune profile.

Limitations:

  1. The Mac native client does not support SSTP.
  2. A port-forwarding rule may be needed for IPsec NAT traversal: most modern routers have an IPsec passthrough feature, so the rule is only required on routers that do not have it enabled.
  3. The Mac native VPN client does not support Azure AD Conditional Access.