I'm afraid it won't work with legacy SM.
This document describes how to push VPN settings to devices tagged with "vpn" and passing the compliancy check. But it clearly states that it's not available to Legacy SM users:
So I can't even tag my VPN clients without SM paid? 'Cause unless I'm not doing something right, I don't see the ability to tag the client devices.