Client Connector
Dual Tunnel Feature Configuration with Microsoft Intune for iOS
With the dual tunnel feature, organizations can capture Per App traffic via a secondary tunnel and send it to the Zscaler Private Access (ZPA) applications, while all other apps still tunnel to Zscaler Internet Access (ZIA) through the primary tunnel.
Before following this guide, ensure that Zscaler Client Connector is installed on your device. To learn more, see Deploying Zscaler Client Connector with Microsoft Intune for iOS.
With Microsoft Intune, you can configure the dual tunnel feature for iOS devices:
- Step 1: Create and Push Primary Tunnel Configuration Profile from Microsoft Intune
- In the Create a Profile section:
- Profile type: Select Templates.
- Template name: Select Custom.
- Click Create.
- In the Basics section, enter a Name and provide an optional Description.
- Click Next.
- In the Configuration settings section:
- Custom configuration profile name: Enter the name of the configuration profile.
- Configuration profile file: Upload the Dual Tunnel Primary VPN mobileconfig file. The mobileconfig file is populated in the box.
- Click Next.
- In the Assignment section, assign groups/users to the profiles.
- Click Create to publish the profile.
- Step 2: Create and Push Secondary Tunnel Configuration Profile from Microsoft Intune
- In the Create a Profile section:
- Profile type: Select Templates.
- Template name: Select VPN.
- Click Create.
- In the Basics section, enter a Name and provide an optional Description.
- Click Next.
- In the Configuration settings section:
- Connection type: Choose Custom VPN.
- Connection name: Enter a name for the VPN connection.
- VPN server address: Enter a VPN server address.
- Authentication method: Enter your authentication method.
- Split tunneling: Select Disable.
- VPN identifier: Enter com.zscaler.zscaler.
- Enter key and value pairs for the custom VPN attributes: Enter the key tunnelType and the value APP. To add other key value pairs, see Deploying Zscaler Client Connector with Microsoft Intune for iOS.
- Click Next.
- In Automatic VPN:
- Type of automatic VPN: Select Per-app VPN.
- Provider Type: Select packet-tunnel.
- Click Next.
- In the Assignment section, assign groups/users to the profiles.
- Click Create to publish the profile.
- Step 3: Assign Secondary Tunnel Configuration Profile to a Third Party App
- Go to Apps > iOS/iPadOS apps.
- Search for the app you want to assign the secondary tunnel configuration profile to.
- Click the app to select it.
- From the menu on the left, go to Properties.
- Click Edit next to Assignments.
- Scroll down to the Per-App Networking section. For Per-App VPN, select the Per-App VPN profile that you created in Step 2: Create and Push Secondary Tunnel Configuration Profile from Microsoft Intune.
- In App settings, for VPN, select None from the drop-down menu. A list of the VPNs you created appears.
- Click Ok.
- Click Review+save.
- Click Save to publish the change.
- Step 4: Verify Profiles Created on iOS VPN Settings
- In the Settings section of your iPhone, go to VPN.
- The two VPN profiles that you created are shown in the Device VPN and Per-App VPN sections.
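To check the secondary tunnel settings from Step 2 before assigning the profile, the following added example (not Zscaler or Microsoft code) parses an unsigned .mobileconfig export and reports any per-app VPN payload whose VPN identifier, provider type, or tunnelType differs from this guide. It assumes Apple's per-app VPN payload type com.apple.vpn.managed.applayer with the keys VPNSubType, VPN.ProviderType, and VendorConfig, and that Intune writes the VPN identifier and the custom VPN attributes into those keys; the sample profile is constructed.

```python
import plistlib

# Expected values come from Step 2 of this guide.
EXPECTED_VPN_ID = "com.zscaler.zscaler"
EXPECTED_PROVIDER = "packet-tunnel"
EXPECTED_TUNNEL_TYPE = "APP"
# Assumption: Apple's per-app VPN payload type and key names (not stated on this page).
PER_APP_PAYLOAD = "com.apple.vpn.managed.applayer"


def check_secondary_tunnel(profile_bytes):
    """Return findings for per-app VPN payloads; an empty list means Step 2 values match."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PER_APP_PAYLOAD]
    if not payloads:
        return ["no per-app VPN payload found"]
    findings = []
    for p in payloads:
        name = p.get("UserDefinedName", "<unnamed>")
        if p.get("VPNSubType") != EXPECTED_VPN_ID:
            findings.append(f"{name}: VPNSubType is {p.get('VPNSubType')!r}")
        provider = p.get("VPN", {}).get("ProviderType")
        if provider != EXPECTED_PROVIDER:
            findings.append(f"{name}: ProviderType is {provider!r}")
        tunnel_type = p.get("VendorConfig", {}).get("tunnelType")
        if tunnel_type != EXPECTED_TUNNEL_TYPE:
            findings.append(f"{name}: tunnelType is {tunnel_type!r}")
    return findings


def sample_profile(tunnel_type="APP", provider="packet-tunnel", payload_type=PER_APP_PAYLOAD):
    """Constructed sample profile; names and server address are placeholders."""
    payload = {
        "PayloadType": payload_type,
        "UserDefinedName": "secondary-tunnel-example",
        "VPNType": "VPN",
        "VPNSubType": "com.zscaler.zscaler",
        "VPN": {"RemoteAddress": "vpn.example.invalid", "ProviderType": provider},
        "VendorConfig": {"tunnelType": tunnel_type},
    }
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})


if __name__ == "__main__":
    print(check_secondary_tunnel(sample_profile()) or "OK")
    print(check_secondary_tunnel(sample_profile(tunnel_type="OTHER")))
```

A finding on tunnelType or ProviderType means the profile does not match the secondary tunnel settings in Step 2, so apps assigned to it in Step 3 may not use the tunnel this guide describes.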