Microsoft Tunnel for Mobile Application Management Flashcards
(14 cards)
What is Tunnel for MAM?
With a device that isn't enrolled with Intune, users can access the organization's on-premises apps and resources using modern authentication, single sign-on, and Conditional Access.
Which 2 platforms support Microsoft Tunnel for MAM?
- Android Enterprise version 10.0 or later
- iOS version 14.0 or later
What must be already deployed before using Tunnel for MAM?
Microsoft Tunnel gateway
What do you need to set up the tunnel?
- An Azure subscription
- An Intune subscription, with a Tunnel standalone or Intune Suite license
- A Linux server running containers in your on-premises network
- A transport layer security (TLS) certificate for the Linux server
- Devices running iOS or Android
- Client apps:
  - Android: Microsoft Defender for Endpoint
  - iOS: Microsoft Defender for Endpoint or the Microsoft Tunnel client app
What are the 5 steps to set up the tunnel?
- Create a server configuration on Intune.
- Create a site in Intune.
- Install a Microsoft Tunnel Gateway on a Linux server in your on-premises environment (by using an Intune script).
- Deploy the Microsoft Tunnel client app to your iOS and Android devices.
- Create and deploy VPN profiles to your iOS and Android devices.
What are the 6 steps to create the server for Tunnel?
In Intune:
1. Go to the Tenant admin | Tenant status page and select Microsoft Tunnel Gateway.
2. Click the Server configurations tile, then Create new.
3. Basics: name + description.
4. On the **Settings** page, enter:
   * IP address range for Android and iOS devices when they connect
   * Server port: TCP, usually 443
   * DNS server IP addresses
   * DNS suffix search
   * Split tunneling rules
5. Scope tags
6. Review + create
What are the 5 steps to create the site for Tunnel?
1. On the Tenant admin | Microsoft Tunnel Gateway page, click the Sites tile, then Create.
2. Basics: Name and Description.
3. On the Settings tab, enter the following and click Next:
   - **Public IP address or FQDN**: the IP or URL used to connect to the target server.
   - **Server configuration**: the configuration you previously created.
   - **URL for internal network access**
   - **Automatically upgrade servers at this site**: enables you to keep your servers up to date automatically, which is recommended.
   - **Limit server upgrades to maintenance window**: enables you to control when such upgrades might occur.
4. Scope tags
5. Review + create
Where can you find the script to run on your Linux server?
- On the Tenant admin | Microsoft Tunnel Gateway page, click the Servers tile.
- On the Servers page, click Create.
- On the Create a server page, click Download script.
Before you deploy VPN profiles to direct devices to use the tunnel, which app must be deployed?
Microsoft Defender for Endpoint
For a managed device, what are the 7 steps to create a VPN profile with a connection type of Microsoft Tunnel?
1. Devices > Manage devices > Configuration > on the Policies tab, select Create.
2. For Platform, select Android Enterprise or iOS.
3. For Profile, select VPN for either Corporate-Owned Work Profile or Personally-Owned Work Profile, and then select Create.
4. Basics: name + description.
5. For Connection type, select Microsoft Tunnel and configure the details. For all platforms, under Base VPN:
   - For Connection name, specify a name to display to users.
   - For Microsoft Tunnel Site, select the Tunnel site that this VPN profile uses.
6. Assignments
7. Review + create
For an Android MS Tunnel VPN profile, which 3 connection type options do you have?
- Per-app VPN: select Add and then browse to the custom or public apps that have been imported to Intune.
- Always-on VPN: select Enable to set the VPN client to automatically connect and reconnect to the VPN. Always-on VPN connections stay connected.
- Proxy
You can have both Per-app VPN and Always-on VPN enabled.
For an iOS MS Tunnel VPN profile, which 3 connection type options do you have?
- Per-app VPN: select Enable and complete the extra configuration steps.
- On-Demand VPN Rules: define on-demand rules that allow use of the VPN when conditions are met for specific FQDNs or IP addresses.
- Proxy
To extend your existing Microsoft Tunnel configuration to support MAM, what are the 3 profiles that must be configured to support your unenrolled Android devices?
- App configuration policy for Microsoft Defender. This policy configures Microsoft Defender for Endpoint on a device as the VPN tunnel client app.
- App configuration policy for Microsoft Edge. This policy configures Microsoft Edge to support identity switch, which automatically connects and disconnects the VPN tunnel when switching from a Microsoft "Work or school" account to a Microsoft "personal" account in Microsoft Edge.
- App protection policy to automatically start the connection to Microsoft Tunnel when the MAM enabled app on the device accesses corporate resources.
To extend your existing Microsoft Tunnel configuration to support MAM, what are the 3 profiles that must be configured to support your unenrolled iOS devices?
- App configuration policy: configures the Microsoft Tunnel Gateway settings for Edge and LOB apps. You can add any trusted certificates required for on-premises resource access.
- App protection policy: configures data protection settings. It also establishes a way to deploy an app configuration policy that configures the Microsoft Tunnel settings for Edge and LOB apps.
- Trusted certificate profile: for apps that connect to on-premises resources and are protected by an SSL/TLS certificate issued by an on-premises or private certificate authority (CA).