Windows 10: VPN profile settings

Windows: VPN profile setting
Description
Connection type
This setting specifies the connection type that a Windows 10 device uses for a VPN.
Server
This setting specifies the public or routable IP address or DNS name for the VPN. This setting can point to the external IP of a VPN, or a virtual IP for a server farm.
This setting is valid only if the "Connection type" is set to "Microsoft."
Server URL list
This setting specifies a comma-separated list of servers in URL, host name, or IP format.
This setting is valid only if the "Connection type" is not set to "Microsoft."
Routing policy type
This setting specifies the type of routing policy.
This setting is valid only if the "Connection type" is set to "Microsoft."
Built-in protocol type
This setting specifies the type of routing policy used by the VPN.
This setting is valid only if the "Connection type" is set to "Microsoft."
Authentication
This setting specifies the method of authentication used for the native VPN.
The "Built-in protocol type" setting determines which authentication methods are supported and the default value for this setting.
EAP configuration
This setting specifies the XML of the EAP configuration.
This setting is valid only if the "Authentication" setting is set to "EAP."
User method
This setting specifies the type of user method authentication to use.
This setting is valid only if the "Authentication" setting is set to "User method."
Machine method
This setting specifies the type of machine method authentication to use.
This setting is valid only if the "Authentication" setting is set to "Machine method."
Custom configuration
This setting specifies the HTML encoded XML blob for an SSL-VPN plug-in specific configuration, including authentication information, that is sent to the device to make it available for SSL-VPN plug-ins.
This setting is valid only if the "Connection type" is not set to "Microsoft."
Plugin package family name
This setting specifies the package family name of the custom SSL VPN.
This setting is valid only if the "Connection type" is set to "Manual connection definition."
L2TP preshared key
This setting specifies the preshared key used for an L2TP connection.
App trigger list
This setting specifies a list of apps that start the VPN connection.
App trigger list > App ID
This setting identifies an app for a per-app VPN.
Possible values:
  • Package family name. To find the package family name, install the app and run the Windows PowerShell command, Get-AppxPackage.
  • Installation location of the app. For example, C:\Windows\System\Notepad.exe.
Route list
This setting specifies a list of routes that the VPN can use. If the VPN uses split tunneling, a route list is required.
Subnet address
This setting specifies the IP address of the destination prefix using the IPv4 or IPv6 address format.
Subnet prefix
This setting specifies the subnet prefix of the destination prefix.
Exclusion
This setting specifies whether the route that is added must point to the VPN interface as the gateway or a physical interface. If you select the check box, traffic is directed over the physical interface. If you leave the box unchecked, traffic is directed over the VPN.
Domain name list
This setting specifies the Name Resolution Policy Table (NRPT) rules for the VPN.
Domain name
This setting specifies the FQDN or suffix of the domain.
DNS servers
This setting specifies the list of IP addresses of the DNS servers, separated by commas.
Web proxy server
This setting specifies the IP address of the web proxy server.
Trigger VPN
This setting specifies whether this domain name rule triggers the VPN.
Persistent
This setting specifies whether the domain name rule is applied when the VPN is not connected.
Traffic filter list
This setting specifies the rules that allow traffic over the VPN.
Traffic filter list > App ID
This setting identifies an app for an app-based traffic filter.
Possible values:
  • Package family name. To find the package family name, install the app and run the Windows PowerShell command, Get-AppxPackage.
  • Installation location of the app. For example, C:\Windows\System\Notepad.exe.
  • Type "SYSTEM" to enable Kernel Drivers to send traffic through the VPN (for example, PING or SMB).
Protocol
This setting specifies the protocol that the VPN uses.
Local port ranges
This setting specifies the list of allowed local port ranges separated by commas. For example, 100-120, 200, 300-320.
Remote port ranges
This setting specifies the list of allowed remote port ranges separated by commas. For example, 100-120, 200, 300-320.
Local address ranges
This setting specifies the list of allowed local IP address ranges, separated by commas.
Remote address ranges
This setting specifies the list of allowed remote IP address ranges, separated by commas.
Routing policy type
This setting specifies the routing policy that the traffic filter uses. If set to "Force tunnel," all traffic goes through the VPN. If set to "Split tunnel," traffic can go through the VPN or the Internet.
Remember credentials
This setting specifies whether the credentials are cached whenever possible.
Always on
This setting specifies whether devices automatically connect to the VPN at sign-in and stay connected until the user manually disconnects the VPN.
Lock down
This setting specifies whether this VPN connection must be used when the device connects to a network. When this setting is enabled, the following applies:
  • The device stays connected to the VPN. It cannot be disconnected.
  • The device must be connected to this VPN to have any network connection.
  • The device cannot connect to, or modify, other VPN profiles.
DNS suffix
This setting specifies one or more DNS suffixes separated by commas. The first DNS suffix in the list is also used as the primary connection for the VPN. The list is added to the SuffixSearchList.
Trusted network detection
This setting specifies a comma-separated string to identify the trusted network. The VPN does not connect automatically when users are on their organization's wireless network.
IP Security properties
Authentication transform constants
This setting specifies the authentication level of a VPN. This setting must match the setting on the VPN server.
Cipher transform constants
This setting specifies the encryption level of a VPN. This setting must match the setting on the VPN server.
Encryption method
This setting specifies the phase 1 encryption level of a VPN. This setting must match the setting on the VPN server.
Integrity check method
This setting specifies the phase 1 authentication level of a VPN. This setting must match the setting on the VPN server.
Diffie-Hellman Group
This setting specifies the key group of a VPN. This setting must match the setting on the VPN server.
PFS Group
This setting specifies the Perfect Forward Secrecy encryption protocol used for the VPN. This setting must match the setting on the VPN server.
Proxy type
This setting specifies the type of proxy configuration for the VPN.
PAC URL
This setting specifies the URL for the web server that hosts the PAC file, including the PAC file name. For example, http://www.example.com/PACfile.pac.
This setting is valid only if the "Proxy type" setting is set to "PAC configuration."
Address
This setting specifies the FQDN or IP address for the proxy server.
This setting is valid only if the "Proxy type" setting is set to "Manual configuration."
Associated SCEP profile
This setting specifies the associated SCEP profile that a device uses to obtain a client certificate to authenticate with the VPN.
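
The following is an added example, not part of the original documentation or the product: a pre-flight check for values typed into the "Local port ranges" / "Remote port ranges" and "Traffic filter list > App ID" settings above. The package family name and path patterns, the 1-65535 port bounds, and the rejection of overlapping ranges are assumptions of this example; the sample App ID values in the comments are constructed.

```python
import re

# Heuristic shapes (assumptions of this example, not taken from the documentation):
# a package family name is "<Name>_<13-character publisher ID>",
# e.g. Microsoft.WindowsCalculator_8wekyb3d8bbwe (sample value);
# an installation location starts with a drive letter, e.g. C:\Windows\System\Notepad.exe.
PFN_RE = re.compile(r'^[A-Za-z0-9.\-]+_[a-z0-9]{13}$')
PATH_RE = re.compile(r'^[A-Za-z]:\\[^<>"|?*]+$')
ITEM_RE = re.compile(r'(\d{1,5})(?:\s*-\s*(\d{1,5}))?')


def parse_port_ranges(text):
    """Parse a list such as '100-120, 200, 300-320' into sorted (low, high) tuples."""
    ranges = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        m = ITEM_RE.fullmatch(item)
        if not m:
            raise ValueError(f"not a port or port range: {item!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not (1 <= low <= 65535 and 1 <= high <= 65535):
            raise ValueError(f"port outside 1-65535: {item!r}")
        if low > high:
            raise ValueError(f"range start exceeds range end: {item!r}")
        ranges.append((low, high))
    ranges.sort()
    # Overlapping entries usually mean a typo; this example rejects them.
    for (_, prev_high), (low, high) in zip(ranges, ranges[1:]):
        if low <= prev_high:
            raise ValueError(f"overlapping entry: {low}-{high}")
    return ranges


def classify_app_id(value):
    """Return which of the three documented App ID forms a value takes."""
    value = value.strip()
    if value == "SYSTEM":
        return "system"
    if PFN_RE.match(value):
        return "package_family_name"
    if PATH_RE.match(value):
        return "path"
    raise ValueError(f"unrecognised App ID: {value!r}")
```

Running both functions over a profile's values before saving it catches reversed or out-of-range ports and App IDs that match none of the three accepted forms.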