Specify which apps use Gateway on iOS devices in a Microsoft Intune environment

You can configure iOS devices to recognize Gateway as a VPN provider and configure per-app VPN to specify which apps send data through the Gateway tunnel. In Microsoft Intune, you can configure settings that affect Gateway.

To set up per-app tunnel options, you must have permissions for VPN management and app management on iOS devices that are activated using Intune. To specify which apps use the Gateway tunnel in Intune, complete these steps:

  1. In the Microsoft Intune admin center, add to Intune the apps whose data you want to send through Gateway, and assign them to users.
    Only apps that are assigned to users use the Gateway tunnel. Do not assign the default browser or the Aurora Protect Mobile app to users, or the device will be unable to establish a tunnel with Gateway.
  2. Create a VPN profile and include these settings. For more information on the iOS and iPadOS settings, see Add VPN settings on iOS and iPadOS devices.

    | Setting | Description |
    |---|---|
    | Connection type | Custom VPN |
    | VPN server address | The value must be 127.0.0.1. This value is not used by Gateway. |
    | Authentication Method | Username & Password |
    | Split tunneling | Disable |
    | VPN identifier | For iOS devices, enter com.blackberry.protect. For macOS devices, enter com.blackberry.big. |
    | Custom attribute (key and value) | Key: key. Value: value. Microsoft Intune requires one custom attribute. Gateway does not use this setting. You can enter any attribute. |
    | Automatic VPN | Per-app VPN |
    | Provider Type | Packet-tunnel |
    | Safari URLs | Specify the domains that can establish a connection through the Gateway tunnel. Intune does not support wildcards in domains; they are implied. For example, entering “org” implies “*.org”. |

    Note: Connections through the Gateway tunnel can start only if Gateway is enabled in the Aurora Protect Mobile app on the device.

    If you specify blackberry.com as a managed Safari VPN, newly activating Aurora Protect Mobile apps will be prevented from activating.

  3. If necessary, have users activate the Aurora Protect Mobile app.
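
The profile values and Safari URL rules from step 2 can be checked before you enter them in the admin center. The following is an added example, not BlackBerry or Microsoft code: the dictionary key names are hypothetical, the sample plan is constructed, and treating a parent entry such as "com" as covering blackberry.com is an assumption drawn from the implied-wildcard rule.

```python
# Added example: lint a planned per-app VPN profile against the values in step 2.
# The dict keys are hypothetical names for this sketch, not Intune or Graph fields.
REQUIRED = {
    "connection_type": "Custom VPN",
    "server_address": "127.0.0.1",
    "authentication_method": "Username & Password",
    "split_tunneling": "Disable",
    "automatic_vpn": "Per-app VPN",
    "provider_type": "Packet-tunnel",
}
VPN_IDENTIFIER = {"ios": "com.blackberry.protect", "macos": "com.blackberry.big"}
BLOCKED_DOMAIN = "blackberry.com"  # listing it blocks Aurora Protect Mobile activation


def covers(entry, host):
    """True if a Safari URL entry matches host, given the implied wildcard."""
    entry, host = entry.lower().strip("."), host.lower().strip(".")
    return host == entry or host.endswith("." + entry)


def lint_profile(profile, platform="ios"):
    """Return a list of findings; an empty list means the plan matches step 2."""
    findings = []
    for key, want in REQUIRED.items():
        if profile.get(key) != want:
            findings.append(f"{key}: expected {want!r}, got {profile.get(key)!r}")
    if profile.get("vpn_identifier") != VPN_IDENTIFIER[platform]:
        findings.append(f"vpn_identifier: expected {VPN_IDENTIFIER[platform]!r}")
    if not profile.get("custom_attributes"):
        findings.append("custom_attributes: Intune requires one key/value pair")
    for entry in profile.get("safari_urls", []):
        if "*" in entry:
            findings.append(f"safari_urls: {entry!r} uses a wildcard; enter the bare domain")
        elif covers(entry, BLOCKED_DOMAIN):  # assumption: parent entries count too
            findings.append(f"safari_urls: {entry!r} covers {BLOCKED_DOMAIN}")
    return findings


# Constructed sample plan with three mistakes: server address, a wildcard, and "com".
sample = dict(REQUIRED, server_address="vpn.example.com",
              vpn_identifier="com.blackberry.protect",
              custom_attributes={"key": "value"},
              safari_urls=["*.example.org", "com", "intranet.example"])

if __name__ == "__main__":
    print("\n".join(lint_profile(sample)))
```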