Configuring VPN On Demand on Android Devices

This section describes the configuration and use of VPN On Demand (VOD) for Android devices.

Overview: Android VPN On Demand.

Configuring VPN On Demand on Pulse Workspace.

Registering an Android Device and Installing the Pulse Secure Client App.

Overview: Android VPN On Demand

VPN on Demand (VOD) is supported for Android mobile devices.

Traditional VPN – After the corporate network's secure tunnel is created between a user's device and the VPN server, it remains connected even if there is no traffic through the tunnel. It impacts the user as it consumes more licenses since a given endpoint will always be connected. Also, there will be more battery drain due to the unnecessary VPN connection.

VPN On Demand – Apps can be configured to automatically connect to VPN when they are launched. This feature is intended to be used only within the Android work profile, since it is predominantly being used at an app level and only Pulse Workspace is aware of the apps in the work profile. Using this feature, only the corporate managed apps will transfer the data over the VPN and the employee's other personal data like personal web browsing, connections to gaming and social networks will not use the VPN.

When the VPN On Demand profile is applied to the device, VPN will be started automatically in the following two conditions:

When user launches the application.

When the application sends traffic in the background.

Figure 268User Work Flow


In VPN On Demand, a blocking interface is set up on the device which monitors the VPN configured apps for the network traffic. Whenever an application whose network access type is "require VPN", tries to perform any network activity, the blocking interface detects this. It thereafter authenticates the user, tears down the blocking interface and establishes the VPN connection.

Configuring VPN On Demand on Pulse Workspace

Before you proceed with the configuration, ensure Android for Work is enrolled within your EMM console. For the enrollment details, see Configuring Android Enterprise.

Also ensure that the required apps are added to the App Catalog in the EMM console. For adding apps to the EMM console, see Adding an Android App to the App Catalog.

This section describes the procedures involved in VPN On Demand configuration. These include:

Configuring On-Demand VPN related attributes in the policy.

Adding apps which require VPN in the policy.

To configure VPN On Demand related attributes in the policy, perform the following steps:

1.Log in to Pulse One admin console.

2.Select the Workspaces menu, and then select Policies.

3.Create a new policy (if required), see Creating a Policy.

4.Select the required policy.

5.Click the Properties tab.

6.Expand the VPN category and configure the following properties:

On Demand VPN Timeout (minutes): (Optional) For example, 5.

Stealth Mode: True.

Vpn Certificate Auth: Yes.

Vpn Connection Name. For example: VPN.

Vpn Connection Type: onDemand.

Vpn Enabled: Yes.

Vpn Host. For example:

Vpn Verify Certificate: Yes.

7.Click Publish.

Figure 269Policy Properties


To add the apps from App Catalog to the policy with Network Access as Require VPN and publish, see Adding an Android App to a Policy.

Registering an Android Device and Installing the Pulse Secure Client App

To register an Android BYOD device and install the Pulse Secure Client app, perform the procedures described in Onboarding Android BYOD Devices.