MaaS360 introduces a new VPN solution for mobile devices. MaaS360 VPN is a complete VPN solution that enterprises may leverage to allow seamless connection from the mobile device or even from specific apps on the mobile device into the corporate network. MaaS360 VPN is delivered as a software solution and is available as a new module on the Cloud Extender.
Some of the key features of MaaS360 VPN solution are as follows:
- Overview: An easy-to-install, easy-to-configure VPN solution for MaaS360-enrolled iOS, Android, and Windows devices. Note: MaaS360 VPN is not supported on Windows phones.
- Password-less end user authentication: Users can connect to the VPN automatically or with a click of a button, without having to enter corporate credentials for authentication.
- App level or device level VPN, support for split tunneling: Administrators can configure VPN only for selected apps or for the entire device. Access can be further fine-tuned with split tunneling rules.
- Per-app Auto Connect / Always Connect options: MaaS360 VPN is established automatically when whitelisted apps are launched on iOS and Windows devices. MaaS360 further enhances the Android experience by providing always connect VPN options and tunneling only whitelisted app traffic (something that is not natively available with Android per-app VPN support).
- Strong security and authentication mechanism: MaaS360 VPN leverages Identity Certificates issued by MaaS360 Cloud to devices during enrollment for VPN authentication, thus eliminating the need to have a PKI solution or even to integrate with your PKI infrastructure. MaaS360 VPN offers advanced access controls to block non-compliant devices from connecting to the VPN.
- High Availability options: MaaS360 VPN supports clustered setups for large environments, geo-located setups, and easy scaling.
- OS Support: Supports iOS 9+, Windows 10+, and Android ICS+ for full device VPN / Android L+ devices for per-app VPN
- No wrapping / SDK: For use-cases that require enterprise apps on mobile devices to access corporate networks, this solution does not require any wrapping / SDK integration. Any app (public or private) can participate in per-app VPN.
- Easy de-provisioning: Users who no longer need access to VPN can easily be de-provisioned. A one-click action from the MaaS360 portal removes the VPN app, Identity Certificates and any VPN profiles.
How does MaaS360 VPN work?
Here are the architecture and workflow details:
- MaaS360 VPN server is installed on your corporate network / DMZ on a Cloud Extender (delivered as a module)
- MaaS360 VPN server is configured with a public URL / hostname and port to which devices connect. Traffic is NAT’ed to the internal IP / port of the MaaS360 VPN server
- MaaS360 VPN server registers successfully with MaaS360 Cloud
- Administrator configures an iOS, Windows, or Android MDM policy to define a VPN profile and selects the registered MaaS360 VPN server
- Administrator configures per-app or full device VPN
- Device enrolls into MaaS360 and receives an MDM policy that configures VPN on the device. MaaS360 also issues an Identity Certificate from the MaaS360 cloud-based Certificate Authority (CA) to the device.
- User downloads and installs the MaaS360 VPN app (client) on the mobile device from either the MaaS360 App Catalog or public app stores.
- User launches the app for per-app VPN or connects to the VPN manually.
- MaaS360 VPN app (client) presents the Identity Certificate from enrollment to the MaaS360 VPN server for authentication.
- MaaS360 VPN server performs the following checks before allowing the mobile device to connect to the corporate network:
  - Authenticates the device based on the Identity Certificate
  - Ensures that the device is in compliance as per security policies
- Once successful, the VPN tunnel is established.
Why MaaS360 VPN?
- MaaS360 VPN leverages the native iOS, Windows, and Android per-app VPN capability to provide this solution. This preserves the native VPN experience for end users
- MaaS360 VPN for Android offers an Always Connect VPN option. This is particularly important for the end user experience in certain scenarios, since Android per-app VPN requires end users to manually trigger the VPN connection before apps can participate in per-app VPN sessions.
- Don’t have a Certificate Authority (CA)? Have a custom PKI infrastructure? Don’t want to integrate with current PKI infrastructure for mobile devices? Don’t worry. MaaS360 VPN leverages the hosted MaaS360 CA to issue ID certificates to devices for authentication
- MaaS360 VPN is a software VPN. It can be deployed along with your corporate VPN solution. This VPN can be used specifically by MaaS360 enrolled mobile devices for per-app VPN use-cases.
- For apps that require per-app VPN capability, there is no requirement for wrapping apps or building them with SDKs for per-app tunneling. Just whitelist the apps and leverage per-app VPN. This can be used even for public apps, and not just enterprise apps.
MaaS360 VPN is now available for customers to try and can be enabled from the Setup >> Services workflow in the MaaS360 portal. It is being provided at no additional charge for Premium and Enterprise Suite customers. It can also be purchased separately if you are not entitled to these suites. Please reach out to MaaS360 sales for details and pricing.
Detailed documentation on the requirements, installation and configuration steps, policy configuration and end to end testing can be found here: MaaS360 VPN Module documentation