Our organization is looking to deploy Windows machines remotely using Microsoft's AutoPilot feature. There is a one-time domain join requirement in which a VPN connection is required to access on-prem AD -- this VPN connection needs to be established prior to user login (since setup / domain join is not complete yet). Intune can provision and push down configs, but I am not sure how to configure PCS/client to get a prelogin tunnel established. Is Pulse able to accomplish this? Anyone have luck with this?
I've read about Credential Provider, but get hung up on the likely requirement for the endpoint to be joined to the domain (which is not true for this scenario). I've read about doing Machine login, but unsure about the config needed for this as well.
This VPN tunnel is a one-time need to join the domain. Once logged in to the endpoint, the desire is to use the standard user VPN setup in the Pulse Client, so I'd like anything set up for the prelogin tunnel to be removed (not seen by the user).
Appreciate any insights from others that have accomplished this or simply have ideas. Thanks!
@elevator4 Machine tunnel (using a machine certificate) with stealth mode enabled (not displayed to the users), plus a manual user connection for the user to connect to after logging into Windows, which will delete the machine tunnel configuration.
The machine should have a valid machine certificate installed prior to the Intune provisioning process, which the Pulse Client can be configured to use to authenticate and form a VPN tunnel.
So, the process overview would be,
1) Prep the machines with the machine cert, install the Pulse Client with the preconfiguration created on the VPN server, and ship them to the end users.
2) The subject machine is connected to the Internet > the Pulse Client forms a machine tunnel > Intune provisioning takes place.
3) User logs into the Windows domain profile.
4) User opens the Pulse Client and connects to the manual user connection (the only one present).
5) After a successful connection, the VPN server pushes a different connection set that removes the invisible machine tunnel config and keeps the user connection intact.
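Step 1 above only works if the device ships with a machine certificate the VPN server will actually accept for the machine tunnel. The PowerShell below is an added pre-flight check for that step; it is not code from the original thread, from Pulse Secure, or from Microsoft. It assumes a hypothetical issuing CA whose subject contains "Contoso Issuing CA", that the device certificate template grants the Client Authentication EKU, and that the Pulse Secure Desktop Client registers a Windows service named PulseSecureService (adjust all three to your environment).

```powershell
# Added example: pre-ship check that a Pulse machine tunnel has a usable
# machine certificate and that the Pulse client service is installed.
# Run elevated, since LocalMachine\My private-key checks need admin rights.

$ExpectedIssuerPattern = 'Contoso Issuing CA'   # assumed CA name, change for your PKI
$ClientAuthEku         = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth
$MinDaysValid          = 30                     # reject certs about to expire in transit
$PulseServiceName      = 'PulseSecureService'   # assumed Pulse client service name

$now = Get-Date

# Candidate certs: issued by our CA, private key present, inside validity window,
# and carrying the Client Authentication EKU the VPN server requires.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.Issuer -match $ExpectedIssuerPattern -and
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter  -gt $now.AddDays($MinDaysValid) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthEku })
}

if (-not $candidates) {
    Write-Error "No usable machine certificate from '$ExpectedIssuerPattern' in Cert:\LocalMachine\My."
    exit 1
}

# Build and revocation-check the chain the same way the VPN server will,
# so a cert that is present but unchainable or revoked is caught before shipping.
$results = foreach ($cert in $candidates) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chainOk = $chain.Build($cert)

    [PSCustomObject]@{
        Thumbprint  = $cert.Thumbprint
        Subject     = $cert.Subject
        NotAfter    = $cert.NotAfter
        ChainValid  = $chainOk
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

$results | Format-Table -AutoSize

if (-not ($results | Where-Object { $_.ChainValid })) {
    Write-Error 'A machine certificate exists but its chain does not validate; the machine tunnel will fail.'
    exit 1
}

# The machine tunnel also needs the Pulse client service present and set to start automatically.
$svc = Get-Service -Name $PulseServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Error "Service '$PulseServiceName' not found; install the Pulse client with the preconfiguration first."
    exit 1
}
if ($svc.StartType -ne 'Automatic') {
    Write-Warning "Service '$PulseServiceName' start type is '$($svc.StartType)'; the prelogin tunnel needs Automatic."
}

Write-Output 'Pre-flight OK: machine certificate and Pulse client service are in place.'
```

The chain build uses online revocation checking deliberately: a device that passes this check only because it cannot reach the CRL/OCSP endpoint would still be rejected by a VPN server that does check revocation, so run it on a network where those endpoints are reachable.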
I actually never pursued this configuration/solution as we were simultaneously looking at another platform/vendor to accomplish the end goal. The other platform is likely what we'll end up using based on progress thus far. Apologies I don't have better info for you!