Netskope Help

Create a Per-App VPN Profile

By default all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

You need to know the VPN Server Name and PAC URL shown in the VPN Configuration section of the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution) to complete these steps.

To create a Per-App VPN profile:

  1. Go to Profiles > Create Profile.

  2. Enter and select these parameters: 

    • Name: Enter a unique name.

    • Platform: iOS

    • Profile type: VPN

  3. In the Base VPN panel, enter and select these parameters:

    • Connection Type: Cisco (IPSec).

    • Click Base VPN to open a second Base VPN panel, and then enter and select these parameters:

    • Connection Name: Enter a name that users will recognize when the profile is installed on their device.

    • IP Address or FQDN: Enter the VPN Server Name from the VPN Configuration section in the Netskope UI.

    • Authentication Method: Certificates.

    • Authentication Certificate: Click Select a certificate, select the SCEP certificate profile you previously created, and then click OK.

    • Split Tunneling: Disabled

    When finished, click OK in the Authentication Certificate panel and the second Base VPN panel.

  4. Click Automatic VPN, and then enter and select these parameters:

    • For Type of automatic VPN, select Per-app VPN.

    • Safari URLS that will trigger this VPN: Add the domains for per-app VPN, like, and so on (separated by a comma). After entering the URLs, click Add.

  5. Click OK in the Automatic VPN panel.

  6. Click Proxy in the left panel to enter this parameter:

    • Use Automatic Configuration Script: Enter the PAC URL from the VPN Configuration section in the Netskope UI.

  7. Click OK in the Proxy panel and remaining Base VPN panel.

  8. In the Create Profile panel, click Create.

  9. Associate the Per-App VPN profile with the applications to steer through the VPN connection. Go to Intune > Client Apps > App Licenses, select one of the apps listed there, and then click Assignments

  10. Click Add group, select Required for Assignment Type, click Yes to include Users and Devices (per your needs), and then click Select groups to include.

  11. Search for and choose one or more groups, and then click Select. Click OK in the Assign and Add Group panels.