Configure VPN Profiles

This is an Early Access feature. To enable it, please contact Okta Support.

Okta Mobility Management (OMM) can provision password-based, device-wide, VPN configurations directly to devices without requiring IT to duplicate infrastructures or implement application proxies and gateways. Okta uses the native VPN capabilities that are built into the mobile operating system to leverage existing VPN solutions and enable easy access to on-premises resources.

  • The OMM menu is only available to orgs that implement Okta Mobility Management (OMM).
  • Procedures documented on this page are only available to customers who have already purchased OMM for their organization. New OMM sales are not supported. For more information, contact Okta Support.

Currently, this feature is only available for iOS devices.

  1. In the Admin Console, go to OMMVPN.
  2. Click Add Device VPN.
  3. Select a VPN client.
    Note: Apple no longer supports PPTP or Juniper VPN options. This is an Apple limitation.

Configure your VPN client

Configure a Cisco AnyConnect VPN client

  1. Set up the following General Settings for the VPN client:
    • Application label: Enter a name to display under the app on your home page. By default this is Cisco AnyConnect VPN.
    • VPN Server: Enter the IP address or hostname of your VPN server. If you are using ipsec, you must specify the corresponding protocol. For example: ipsec://asa-gateway.example.com.
  2. Click Next.
  3. Set up the following Sign-On Options for the VPN client:
    • VPN Password: Select one of the following options:
      • Delegated Authentication: Select this option if your company VPN is configured to authenticate with Active Directory and your Okta users are authenticated using AD Delegated Authentication. Choosing this setting specifies that you are using your AD credentials for VPN as well. This way Okta never persists your AD credentials in Okta, but allows you to update VPN profiles with those credentials on your end users' devices.
      • Password RequiredAdministrator sets username, password is same as user's Okta Password: Select this option if you want the VPN profiles to remain synced on the device with their Okta Password whether or not you are using Delegated Authentication.
      • Password RequiredAdministrator sets username, user sets password: Select this option if you do not want to tie the VPN password with the Okta or AD password. Okta pushes the VPN profiles/configs to the device without including a password, and the user can enter it on their device.
    • Advanced Sign-on Settings: Optional. For Group for authenticating connection, specify the group policy name.
      • Make sure you add a Group URL in Cisco AnyConnect settings that corresponds to the ASA server and group you use.
      • If you are using Cisco ASDM utility, you can do this under Connection ProfilesYour groupAdvanced settingsGroup Alias/Group URL. For example: ipsec://asa-gateway.example/com/group1.
    • VPN Username: Set the username to use in the VPN profile. This functions the same way as username mappings in other non-VPN applications:
      • VPN username format: Select a format from the drop-down menu.
      • Password reveal: Select this checkbox if you want your users to securely see their password.
  4. Click Done.
  5. In the People tab, assign your app to users and groups. Make sure the app is available to your end users from the Okta Mobile App Store (Android and iOS):
    1. Click the Mobile tab.
    2. Click Edit (pencil) and select the following:
        • Prompt users to install the app on enrollment (iOS 7+)
        • If a user already has the app, enable them to make it a managed app from the company app store (iOS 9+)
        • Make this app available to users

Configure a Juniper SSL VPN client

  1. Select the Juniper SSL VPN option.
    Note: Apple no longer supports Juniper VPN options on macOS Sierra. This is an Apple limitation. Okta will maintain this option, but will not support it with bug fixes.
  2. Set up the following General Settings for the VPN client:
    • Application Label: Enter the name to display under the app on your home page. By default this is populated by Juniper SSL VPN.
    • Server: Enter the IP address of the Juniper VPN server.
  3. Click Next.
  4. Set up the following Sign-On Options options for the VPN client:
    • VPN Password: Select one of the following:
      • Delegated Authentication: Select this option if your company VPN is configured to authenticate with Active Directory (AD) and your Okta users are authenticated using AD Delegated Authentication. It specifies that you are using your AD credentials for VPN. This way Okta never persists your AD credentials in Okta, but allows you to update VPN profiles with those credentials on your end users devices.
      • Password RequiredAdministrator sets username, password is same as user's Okta Password: Select this option if you want the VPN profiles to remain synced on the device with their Okta Password whether or not you are using Delegated Authentication.
      • Password RequiredAdministrator sets username, user sets password: Select this option if you don't want to tie the VPN password with Okta or AD password. Okta pushes the VPN profiles/configs to the device without including a password, and the user can enter it on their device.
      • Advanced Sign-On Settings: Optional.
    • Realm: Specify a realm for authenticating the connection.
    • Role: Specify a role for authenticating the connection.
    • RADIUS Authentication Behavior: Retaining this default button allows Okta to perform primary authentication.
    • RADIUS Client: Enter the following:
      • UDP Port: Enter the unique number of the RADIUS app.
      • Secret Key: Enter the secret key to use to encrypt and decrypt the user password. This key must be identical to the key that configured on the VPN server.
    • VPN Username: Set the username to use in the VPN profile. This functions the same way as the username mappings in other non-VPN applications.
      • VPN username format: Select a format from the drop-down menu.
      • Password reveal: Select this checkbox if you want your users to securely see their password.
  5. Click Done.

    The new configured Juniper SSL VPN client appears on the Device VPN page. It is activated automatically.

Configure an L2TP VPN client

  1. Select the L2TP VPN option.

    Note: Apple no longer supports PPTP. This is an Apple limitation.

  2. Set up the following General Settings for the VPN client:
    • Application Label: Enter the name to display under the app on your home page.
    • Server: Enter the IP address or hostname of your VPN server. If you are using ipsec, the corresponding protocol must be specified, for example: ipsec://asa-gateway.example.com.
  3. Click Next.
  4. Set up the Sign-On Options to specify how users will sign in to the VPN. They can use a password or they can sign in using Delegated Authentication if it is configured:
    • Advanced Sign On Settings:
      • Shared Secret (L2TP only): Enter a shared secret key for VPN login.
    • VPN Password: Select one of the following:
      • Delegated Authentication: Select this setting if your company VPN is set up to authenticate with Active Directory, and your Okta users are authenticated using AD Delegated Authentication. Choosing this setting specifies that you are using your active directory credentials for VPN as well. This way Okta never persists your AD credentials in Okta, but allows you to update VPN profiles with those credentials on your end users devices.
      • Password RequiredAdministrator sets username, password is same as user's Okta Password. Select this option if you want the VPN profiles to remain synced on the device with their Okta Password whether or not you are using Delegated Authentication.
      • Password RequiredAdministrator sets username, user sets password. Select this option if you do not want to tie the VPN password with Okta or AD password. Okta pushes the VPN profiles/configs to the device without including a password, and the user can enter it on their device.
    • VPN Username: Select one of the following:
      • VPN username format: Select a format from the drop-down menu. Specifies the username format to use in the VPN profile, this function the same way as the username mappings in other non-VPN applications.
      • Password Reveal: Select this if you want your users to securely see their password.
  5. Click Done.

Configure a Pulse Secure VPN client

  1. Select the Pulse Secure VPN option. The Pulse Secure VPN configuration page opens.
  2. Under General Settings:
    • Application Label: This is the label displayed under the app on your home page. By default this is populated by Pulse Secure VPN, but you can edit it if you wish.
    • Server: Enter the IP address of the Pulse Secure VPN server.
  3. Click Next.
  4. Under Sign-On Options:
    • VPN Password: Select one of the following:
      • Delegated Authentication: This setting is to be used if your company VPN is set up to authenticate with Active Directory, and your Okta users are authenticated using AD Delegated Authentication. Choosing this setting specifies that you are using your AD credentials for VPN as well. This way Okta never persists your AD credentials in Okta, but allows you to update VPN profiles with those credentials on your end users devices.
      • Password RequiredAdministrator sets username, password is same as user's Okta Password. Select this option if you want the VPN profiles to remain synced on the device with their Okta Password whether or not you are using Delegated Authentication.
      • Password RequiredAdministrator sets username, user sets password. Select this option if you do not want to tie the VPN password with Okta or AD password. Okta pushes the VPN profiles/configs to the device without including a password, and the user can enter it on their device.
    • Advanced Sign-On Settings. Optional.
      • Realm: Specify a realm for authenticating the connection.
      • Role: Specify a role for authenticating the connection.
    • VPN Username: Set the username to use in the VPN profile. This functions the same way as username mappings in other non-VPN applications.
      • VPN username format: Select a format from the drop-down menu.
      • Password Reveal: Select this if you want your users to securely see their password.
  5. Click Done.
  6. In the People tab, assign your app to users and groups.
  7. You will also need to make the app available to your end users via the Okta Mobile App Store (Android and iOS). To do so
    1. Click the Mobile tab.
    2. Click Edit and complete the following:
      • Prompt end users who have already installed an iOS mobile app on their own to allow their admin to manage the app. (iOS only)
      • Prompt users to install the app on enrollment. (iOS only)
      • Deploy: Select the Make this app available to users check box.

​Once VPN configurations (profiles) and the respective VPN mobile apps are pushed to OMM-enrolled devices, users can sign in to VPN and work remotely.

Your VPN password configuration affects how the VPN profiles are pushed:

  • Delegated Authentication: VPN profiles are pushed when users are enrolled.
  • User sets password: VPN profiles are pushed when users are enrolled, an app user is assigned, or a VPN app instance setting changes.
  • Password is same as Okta: VPN profiles are pushed when the user logs on.