Deploy AlwaysOn VPN profiles as SCCM Application

The official Microsoft documentation (link) recommends deploying the connection scripts as packages, but I thought that it would be fancy to deploy them as applications – because the application model is more powerful and offers several features that can’t be achieved with packages.

TL;DR:
Device Tunnel (details)
1. Create the application which runs the configuration script: powershell.exe -ExecutionPolicy Bypass -File ".\DeviceTunnel_installer.ps1"
2. Detection method: PowerShell script,
Get-VPNConnection -AllUserConnection "DEVICE TUNNEL" -ErrorAction SilentlyContinue
3. User Experience: Install for system; Whether or not a user is logged on; Minimized
4. Requirement: Only Windows 10
Deploy the application to a device collection.

User Tunnel (details)
1. Create the application which runs the configuration script: powershell.exe -ExecutionPolicy Bypass -File ".\UserTunnel_installer.ps1"
2. Detection method: PowerShell script,
Get-VPNConnection "USER TUNNEL" -ErrorAction SilentlyContinue
3. User Experience: Install for system; Only when a user is logged on; Minimized
4. Requirement: Only Windows 10
Deploy the application to a user collection.
Notice that the user experience is set to “Install for system”, but the application is deployed to a User collection. Based on my testing, it causes the program to run in SYSTEM context (admin rights!), but the detection method runs in the current user context (which is good in our case – and bad if you were trying to write a detection script which requires admin rights…).

Cheat: Scoped User Tunnel deployment (eg. notebooks only) (details)
If you want to limit the deployment of the User Tunnel to only selected devices, here is a workaround:
1. Create another application which creates a registry key, eg.:
HKEY_LOCAL_MACHINE\Software\AOVPN\UserTunnelDeploymentEnabled (DWORD) = 1
2. Configure this application as a dependency for the User Tunnel application with automatic install disabled
3. Deploy this application to those devices on which you want to enable the User Tunnel deployment

Extended edition

Device Tunnel
In the following steps I’m creating an application which configures an AlwaysOn VPN device tunnel, named F12_AOVPNDevice.

For scripts, information should be manually specified
Just the usual general informations
The deployment type is Script Installer
Give a name to the deployment type too

On the Content page, browse for the folder where the script can be found. The following installation program is specified in my case:

powershell -ExecutionPolicy Bypass -File ".\F12_AOVPN_D1.ps1"

The application detection method will be a PowerShell script, with the following content:
Get-VPNConnection -AllUserConnection "F12_AOVPNDevice" -ErrorAction SilentlyContinue

On the User Experience tab, configure the settings as follows:

On the Requirements page, one requirement will be specified: only Windows 10 (32/64 bits) operating systems are required:

The process is straightforward from this point. After creating the application, deploy it to the device collection. For testing purposes, I deployed it as Available:

After successful installation, the VPN connection can be verified several ways – I chose PowerShell:

User Tunnel

Deploying the user tunnel is almost the same, although there are some aspects to consider:
– If the application was successfully installed for a user on the computer, it may take some time for another user on the same machine (The next Application Deployment Evaluation cycle + User Policy Evaluation Cycle). Microsoft’s approach (deploy the package once for every user who logs on) is better in other ways: the profile will be installed immediately for users logging on for the first time; there is no need to evaluate user policies; etc.
– Deploying the application to a User Collection means that users will receive the VPN profile anywhere they log on – even on their PCs that doesn’t need it (cheat below).
– The detection method is only looking for a VPN connection with a particular name – make sure that this name is unique, or fine tune the detection method to check the server address too…

So let’s start:

Everything almost the same so far. I forgot to take screenshot of the Content page, but you can see my settings on the Summary screenshot below.
On the Detection Method page, the PowerShell script is a bit different:
Get-VPNConnection "F12_AOVPN_User" -ErrorAction SilentlyContinue
There is no -AllUserConnection parameter, because user tunnels are user specific.

On User Experience page, choose “Install for system” as installation behavior, so the script will run in SYSTEM context. The logon requirement should be set to “Only when a user is logged on”. I’m not sure if RDP sessions (or Hyper-V enhanced sessions) satisfy this criteria, but keep in mind that console sessions are required.

Now everything is ready, the application can be deployed to a user collection.

Cheat: Scoped User Tunnel deployment
If you want to restrict the user tunnel deployment to certain computers, there can be some standard ways (SCCM Global Conditions?) or uncommon solutions like this.

Before moving to this solution, consider the official Microsoft recommended deployment method (package for every user who logs on) as this can be deployed to device collections too. The only disadvantage is that anybody logging on the computer will receive this setting – but keep in mind that User Tunnel connection request are handled by NPS – so even if a not intended user receives the VPN settings, the connection won’t establish.

So the idea behind this workaround is to create a registry key on the target system to determine if User Tunnels can be deployed. The registry configuration is a separate SCCM application which can be used as a dependency for the User Tunnel application… not too elegant, but it works.

Create a separate application (Enable User Tunnel) with the following deployment type:

On Content page speficy the source directory and the installation program
powershell.exe -executionpolicy bypass -File ".\Enable_UserTunnel_Deployment.ps1"

Enable_UserTunnel_Deployment.ps1 content:
$key = 'registry::HKEY_LOCAL_MACHINE\SOFTWARE\F12_AOVPN'
$property = "UserTunnelDeploymentEnabled"
$value = 1
if (!(Test-Path $key)){New-Item -Path $key >> $null}
New-ItemProperty -Path $key -Name $property -PropertyType DWORD -Value $value -Force >> $null

The Detection method will consist of checking the registry setting:

After creating the application, modify the User Tunnel application so it will have this deployment type as a dependency. Navigate to the Dependencies tab of the deployment type and click on “Add..” and select this new application as dependency:

Make sure you unchecked the Auto Install box.

The next step is to deploy “Enable User Tunnel Deployment” application to those devices on which you want to enable user tunnel deployment. On those devices where this application is not installed, Software Center will not install the user tunnel with the following status: “This software is not applicable to your device”

Now I install the application on the computer:

After some time you can retry the installation of the user tunnel:

Restore deleted private Android application in Intune

This blogpost will describe the steps to restore a deleted Android private application in Intune.

TL;DR:
1. Login to https://play.google.com/work
2. In Admin Settings, find your Organization ID and search by this ID on top of the page
3. Click on the desired application and Approve it
4. Intune – Apps – All apps – Add – Managed Google Play app – Select
(Alternatively: Tenant administration – Connectors and tokens – Managed Google Play)
5. Click Sync, wait a minute then refresh the Apps page

Extended edition:

For demo purposes I “accidentally” delete my private Android app “F12HU Hello”

As you can see, Intune will tell you that it will programatically un-approve the application from managed Google Play

Don’t try to upload the APK again, because you can’t upload an application with the same package name (unique identifier of the application)

You have to Approve your application again from the Google play console. Go to https://play.google.com/work and log in with your Play account, then navigate to Admin Settings where you can find your Organization ID

Copy this ID in the search bar on top of the page and search for applications, you will see your private apps

Click on the app and select Approve, select your settings and you are done

Now, if you go back to Intune navigate to Tenant administration – Connectors and tokens – Managed Google Play and click on Sync

The application will now appear on the Apps page

adminconsent AlwaysOn VPN Android AOVPN APK Azure AzureAD AzureRM Bitlocker conditional access Exchange Exchange Online Get-AzureADMSConditionalAccessPolicy GPO Intune managed Google Play Office365 PowerShell Report SCCM Teams