Configure GlobalProtect Settings on iOS Devices via Microsoft Intune

You create a custom VPN profile with the desired authentication method and connect method. If you want to use a certificate for authentication, ensure you have created a client certificate. See User Authentication for iOS on Microsoft Intune.
  1. On the Microsoft Intune admin center, navigate to Devices > iOS/iPadOS devices > Configuration.
  2. Click Create > New Policy.
  3. Set the Profile type to Templates and select VPN as the template name.
  4. Click Create.
  5. Enter a name and description and click Next.
  6. In the Configuration settings tab, specify the Connection type as Custom VPN.
  7. Expand the Base VPN section and enter the Connection name that will be displayed to end users on their endpoints.
  8. In the VPN server address, enter the GlobalProtect portal name.
  9. Select the authentication method.
    SAML authentication:
      Set Authentication method to Username and password. Local authentication is also supported.
      SAML authentication isn’t supported for the Always-On connect method.
    Certificates:
      1. Set Authentication method to Certificates.
      2. Select the SCEP certificate to authenticate the connection. For information on creating the certificate, see User Authentication for iOS on Microsoft Intune.
  10. Split tunneling is not supported, so you can leave the default value as is.
  11. Specify the VPN identifier as com.paloaltonetworks.globalprotect.vpn.
  12. Enter key-value pairs for your organization's custom VPN attributes. The following pairs are supported on Microsoft Intune for iOS devices.
    | Key | Value Type | Description | Example |
    |---|---|---|---|
    | tag | String | Tags enable you to match the device against other attributes. | GuestAccount, HRdeparment |
    | compliance | String | Indicates whether the device is compliant. | yes |
    | ownership | String | Indicates ownership category of the device, such as employee. | corporation owned |
    | mobile_id | String | If this is specified, it gets set as the host ID. | device_id |
  13. Expand the Automatic VPN section and do one of the following depending on the connect method.
    On-Demand:
      Ensures that users manually connect GlobalProtect through the application.
      Set Type of Automatic VPN to Not Configured.
    Always-On:
      Automatically connects GlobalProtect with your credentials.
      1. Set Type of Automatic VPN to On-demand VPN.
      2. Add an on-demand rule by clicking Add.
      3. Set I want to do the following to Custom VPN.
      4. Set I want to restrict to All domains.
      5. Click Save.
        If there is a match to your rule, then the device does the action you select.
    Per-App:
      Associates specific apps to the GlobalProtect connection. When the app runs, traffic is automatically routed through GlobalProtect.
      You can attach a VPN profile to an app, add URLs for the app you want access to, or do a combination of both. To attach a profile, see Attach your iOS VPN Profile to an App.
      To add app URLs:
      1. Set Type of Automatic VPN to Per-app VPN.
      2. Add one or more website URLs. When these URLs are visited using the Safari browser on the device, the VPN connection is automatically established.
      3. Enter Associated Domains to use with GlobalProtect.
      4. In Excluded Domains, enter Safari domains that can bypass GlobalProtect for the per-app connect method. Traffic to the excluded domains uses the public internet even if GlobalProtect is connected.
      5. You can Block users from disabling automatic VPN.
  14. Click Next.
  15. Select user assignments as appropriate and click Next.
  16. Review the policy summary and click Create.
The device configuration profile for iOS devices is created.
To troubleshoot any issues, you can generate logs or report an issue through the GlobalProtect App. For more information, see Report an Issue From the GlobalProtect App for iOS.
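
A pre-deployment check of the values chosen in the steps above, written as an added example that is not part of the Palo Alto Networks or Microsoft documentation. The dictionary field names, the `portal_uses_saml` flag and the sample values are assumptions made for illustration; they are not the Intune or Microsoft Graph schema.

```python
# Field names are hypothetical and mirror the labels in the steps above;
# they are not the Intune or Microsoft Graph schema.
VPN_IDENTIFIER = "com.paloaltonetworks.globalprotect.vpn"
SUPPORTED_KEYS = {"tag", "compliance", "ownership", "mobile_id"}
AUTH_METHODS = {"Username and password", "Certificates"}


def check_profile(p):
    """Return a list of findings; an empty list means no deviation was found."""
    out = []
    if p.get("connection_type") != "Custom VPN":
        out.append("connection type is not Custom VPN")
    if p.get("vpn_identifier") != VPN_IDENTIFIER:
        out.append("VPN identifier is not " + VPN_IDENTIFIER)
    if not p.get("server_address"):
        out.append("VPN server address (portal name) is empty")
    auth, auto = p.get("auth_method"), p.get("automatic_vpn", "Not Configured")
    if auth not in AUTH_METHODS:
        out.append("unexpected authentication method: %r" % (auth,))
    if auth == "Certificates" and not p.get("scep_certificate"):
        out.append("Certificates selected but no SCEP certificate chosen")
    # Always-On is configured as On-demand VPN; SAML is not supported with it.
    if auto == "On-demand VPN":
        if p.get("portal_uses_saml"):
            out.append("SAML authentication isn't supported for Always-On")
        if not p.get("on_demand_rules"):
            out.append("Always-On needs at least one on-demand rule")
    for key, value in p.get("custom_attributes", {}).items():
        if key not in SUPPORTED_KEYS:
            out.append("unsupported custom attribute key: " + key)
        elif not isinstance(value, str):
            out.append("custom attribute %s must be a string" % key)
    return out


# Constructed sample profiles (portal name and certificate name are made up).
GOOD = {"connection_type": "Custom VPN", "vpn_identifier": VPN_IDENTIFIER,
        "server_address": "portal.example.com", "auth_method": "Certificates",
        "scep_certificate": "example-scep-profile",
        "automatic_vpn": "On-demand VPN",
        "on_demand_rules": [{"action": "Custom VPN", "restrict": "All domains"}],
        "custom_attributes": {"compliance": "yes", "ownership": "corporation owned"}}
BAD = dict(GOOD, vpn_identifier="com.example.vpn",
           auth_method="Username and password", portal_uses_saml=True,
           custom_attributes={"Compliance": "yes", "mobile_id": 42})

if __name__ == "__main__":
    for name, profile in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_profile(profile) or "no findings")
```

The attribute keys are compared case-sensitively here, which is an assumption of this example; the page lists them in lowercase.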