Well, let us start with the bad news first:
- FQDN triggers (http://my.companyintranet.com
- Domain suffix based triggers *.companyintranet.com
do not work on WP 8.1!
Why? – Well, I do not know and I really tried hard! 😦
However, you should specify the DNS Suffix *.companyintranet.com as well as the corresponding IP-Range (e.g. 10.0.0.1/8) in any case in your MDM VPN profile, to enable VPN split tunnels (this means: Intranet traffic goes through tunnel, all the other traffic through normal network connection), which does work!
To trigger a VPN connection, using an MDM deployed “automatic” VPN Profile, you can use PIDs, which e.g. can be found here: https://msdn.microsoft.com/en-us/library/dn602089.aspx, or Product Family Names (PFNs, e.g. from package manifest, if you have a LOB app).
Generally VPN triggers do only work on “automatic” profiles!
PIDs only work with older WP8.0 or built-in apps (well, except for triggering IE, which does not work at all and that seems to be a bug).
If you have newer apps (e.g. based on Universal Windows Platform – UWP), only PFNs will work as triggers. Therefore, PFNs are the way to go forward.
Another trigger approach are IP-Range based triggers. If you call an IP-address in the intranet range specified ( 10.0.0.1/8 in our example) from an app, a VPN Tunnel is launched. An interesting thing is that the phone does not care, if the address really exists. So calling any of the addresses within the range from an app, will open a VPN Tunnel.
I nearly forgot DNS shortnames, such as http://my . This way to trigger a connection does work, but is not really often used, at least by my customers.