Configure Microsoft Intune MDM for Android

Push the SMCS App to Android

Push the Skyhigh Mobile Cloud Security (SMCS) application to the Android device.

  1. Click Client apps → Apps → Add.
  2. For App type, choose Managed Google Play → search for Mobile Cloud Security in the Android app store → select the Mobile Cloud Security application. Click Approve and Save, then click OK → to finish the step, click Sync.

Give SMCS Access to Users

  1. Client apps → Apps → select the Mobile Cloud Security Client from the list.
  2. Select Assignments → Add group → select the group that should have access to the MCS application.

Configure SMCS

  1. Client apps → App configuration policies → Add.
  2. Select Managed devices from the drop-down that appears.
  3. Enter a valid name for the policy, and set the Platform to Android Enterprise.
  4. Select the SMCS app and then click Next.
  5. From the Configuration Settings drop-down list, select Use configuration designer, and click Add. In the right pane, select all four values, and then click OK.
  6. Enter the following values for each field and then click Next.
    • Local ID: {{IMEI}}@domain.com, where domain.com is the DNS domain associated with your AzureAD tenant.
    • Remote ID: vpn.skyhigh.cloud
      The ID of the VPN Responder as provided by Skyhigh.
    • User Certificate: set_certificate_alias
    • Excluded Subnets: Configure one or more subnets, separated by spaces (such as 192.128.0.0/24 172.0.0.0/8), so that traffic to these subnets is not routed through the VPN.
    • SMCS Gateway Address: c<customer ID>.smcs.skyhigh.cloud
      You can get this information from the certificate page.
  7. Click the drop-down to assign the policy to All users and all devices. Then click Next.
  8. Click Create to confirm the policy.
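
A pre-flight check for the values entered in step 6, as an added example that is not Skyhigh or Microsoft code. Because traffic to Excluded Subnets is not routed via the VPN, it flags malformed, overlapping, very broad and non-private entries. The /16 threshold, the alphanumeric customer-ID pattern, example.com and customer ID 12345 are assumptions or placeholders.

```python
import ipaddress
import re

REMOTE_ID = "vpn.skyhigh.cloud"  # value given on this page
LOCAL_ID_RE = re.compile(r"^\{\{IMEI\}\}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# Assumption: the customer ID is alphanumeric; the page only shows c<customer ID>.
GATEWAY_RE = re.compile(r"^c[A-Za-z0-9]+\.smcs\.skyhigh\.cloud$")
MIN_PREFIX = 16  # hypothetical review threshold, not a Skyhigh or Intune limit


def check_excluded_subnets(value):
    """Return (networks, findings) for the space-separated Excluded Subnets field."""
    networks, findings = [], []
    for token in value.split():
        try:
            net = ipaddress.ip_network(token, strict=True)  # rejects host bits, commas
        except ValueError:
            findings.append(f"{token}: not a valid CIDR network")
            continue
        if any(net.overlaps(seen) for seen in networks):
            findings.append(f"{token}: overlaps an earlier entry")
        networks.append(net)
        if net.prefixlen < MIN_PREFIX:
            findings.append(f"{token}: broader than /{MIN_PREFIX}, so a wide range bypasses the VPN")
        if not net.is_private:
            findings.append(f"{token}: not private address space")
    return networks, findings


def check_policy(fields):
    """Validate the configuration designer values; return a list of findings."""
    findings = []
    if not LOCAL_ID_RE.match(fields.get("Local ID", "")):
        findings.append("Local ID: expected {{IMEI}}@<your AzureAD DNS domain>")
    if fields.get("Remote ID") != REMOTE_ID:
        findings.append(f"Remote ID: expected {REMOTE_ID}")
    if not GATEWAY_RE.match(fields.get("SMCS Gateway Address", "")):
        findings.append("SMCS Gateway Address: expected c<customer ID>.smcs.skyhigh.cloud")
    return findings + check_excluded_subnets(fields.get("Excluded Subnets", ""))[1]


# Constructed sample values with deliberate mistakes in Excluded Subnets.
SAMPLE = {
    "Local ID": "{{IMEI}}@example.com",
    "Remote ID": "vpn.skyhigh.cloud",
    "SMCS Gateway Address": "c12345.smcs.skyhigh.cloud",
    "Excluded Subnets": "10.20.0.0/16,10.30.0.0/16 192.168.1.5/24 10.0.0.0/8",
}
print("\n".join(check_policy(SAMPLE)))
```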

Configure Always-On VPN Connection via Intune for Android

You can configure an Always-On VPN connection for Android devices using Microsoft Intune to encrypt all traffic and route it through the VPN, even when the device is not connected to your organization's network. 

NOTE: Before you configure an Always-On VPN connection, make sure that you set up and enroll your Android device as a dedicated device, fully managed device, or corporate-owned work profile device in Intune.

To configure an Always-On VPN connection:

  1. In the Intune admin center, go to Devices > Android > Configuration profiles.
  2. Click Create profile.
  3. On the Create a profile panel, configure the following:
    • Platform. Select Android Enterprise as the platform for the profile. 
    • Profile type. Select Device restrictions as the profile type.
  4. Click Next.
  5. Under Basics, configure the following:
    • Name. Enter a descriptive name for the device restriction profile.
  6. Click Next.
  7. Under Configuration settings > Connectivity, configure the following settings:
    • For Fully managed, dedicated, and corporate-owned work profile devices:
      • Always-on VPN (work profile-level). Select Enable to enable the Always-on VPN connection for your SMCS app.
      • VPN client. Select Custom as the VPN client. 
      • Package ID. Enter com.skyhigh.mcs as the package ID of your SMCS app.
  8. Click Next.
  9. Under Assignments, configure the following:
    • Add groups. Click Add groups to assign the device restriction profile to Azure AD groups.
      • Select groups to include. Select the Azure AD groups from the list. These groups must include the Android devices where you want to enable the Always-On VPN connection.
  10. Click Select.
  11. Under Review + create, review the summary of the device restriction profile.

NOTE: Make sure that Always-on VPN (work profile-level) is enabled under the Configuration settings.

  12. Click Create.

Once you have created and assigned the device restriction profile, the Always-On VPN connection is enabled on Android devices.