GlobalProtect
Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE
In an Always On VPN configuration, the secure
GlobalProtect connection is always on. Traffic that matches specific
filters (such as port and IP address) configured on the GlobalProtect
gateway is always routed through the VPN tunnel.
Use the following steps to configure an Always On VPN configuration for iOS endpoints using
Workspace ONE:
- Download the GlobalProtect app for iOS.
  - Download the GlobalProtect app directly from the App Store. The GlobalProtect app for iOS is also available in the Apple App Store in China.
- From the Workspace ONE console, modify an existing Apple iOS profile or add a new one.
  - Select Resources > Profiles & Baselines > Profiles > ADD, and then Add Profile.
  - Select iOS from the platform list.
  - Select Device Profile from the Select Context window.
- Configure the General settings:
  - Enter a Name for the profile.
  - (Optional) Enter a brief Description of the profile that indicates its purpose.
  - (Optional) Select the Deployment method, which indicates whether the profile is removed automatically upon unenrollment: Managed (the profile is removed) or Manual (the profile remains installed until the end user removes it).
  - (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
  - (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
  - (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
  - (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
  - (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
  - (Optional) If you enable the option to Install only on devices inside selected areas, the profile can be installed only on endpoints in specified geofence or iBeacon regions. When prompted, add the geofence or iBeacon regions in the Assigned Geofence Areas field.
  - (Optional) If you Enable Scheduling and install only during selected time periods, you can apply a time schedule (Devices > Profiles & Resources > Profiles Settings > Time Schedules) to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in the Assigned Schedules field.
  - (Optional) Select the Removal Date on which you want the profile to be removed from all endpoints.
- (Optional) If your GlobalProtect deployment requires client certificate authentication, configure the Credentials settings.
  Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
  - To pull client certificates from Workspace ONE users:
    - Set the Credential Source to User Certificate.
    - Select the S/MIME Signing Certificate (default).
  - To upload a client certificate manually:
    - Set the Credential Source to Upload.
    - Enter a Credential Name.
    - Click UPLOAD to locate and select the certificate that you want to upload.
    - After you select a certificate, click SAVE.
  - To use a predefined certificate authority and template:
    - Set the Credential Source to Defined Certificate Authority.
    - Select the Certificate Authority from which you want to obtain certificates.
    - Select the Certificate Template for the certificate authority.
- Configure the VPN settings:
  - Enter the Connection Name that the endpoint displays.
  - Select the network Connection Type:
    - For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect.
    - For GlobalProtect app 5.0 and later releases, select Custom.
  - (Optional) If you set the Connection Type to Custom, enter the bundle ID (com.paloaltonetworks.globalprotect.vpn) in the Identifier field to identify the GlobalProtect app. If you downloaded the GlobalProtect app directly from the Apple App Store in China, enter the bundle ID (com.paloaltonetworks.globalprotect.vpncn) in the Identifier field.
  - In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
  - (Optional) Enter the username of the VPN Account or click the add (+) button to view supported lookup values that you can insert.
  - (Optional) In the Disconnect on idle field, specify the amount of time (in seconds) after which an endpoint logs out of the GlobalProtect app once the app stops routing traffic through the VPN tunnel.
  - In the Authentication area, select a user Authentication method: Password, Certificate, or Password + Certificate.
  - When prompted, enter a Password and/or select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
  - Enable VPN On Demand and Use new on demand keys.
  - Configure an on-demand rule with Action: Connect.
  - (Optional) Select the Proxy type and configure the relevant settings.
  - (Optional) (starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    - If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configurations area. Set the Key to mobile_id and the Value to {DeviceUid}.
    - If you are using the Custom network Connection Type, go to the VPN settings and ADD Custom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
- SAVE & PUBLISH your changes.
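The Workspace ONE form above ultimately becomes an Apple VPN configuration payload that the MDM pushes to the device. The following Python is an added example, not code from Palo Alto Networks or Workspace ONE: it assembles such a payload from the fields the steps describe and then audits an exported profile for the points that break an Always On GlobalProtect deployment (Custom type without the GlobalProtect bundle ID, VPN On Demand not enabled with a Connect rule, certificate authentication whose certificate does not travel inside the same profile as required on iOS 12 and later, and a mobile_id whose {DeviceUid} lookup value was never substituted). The Apple payload key names (PayloadType, VPNType, VPNSubType, OnDemandRules, VendorConfig, and so on) are Apple's documented keys; the mapping from Workspace ONE form fields to those keys, the example identifiers, the sample UDID, and the PKCS#12 bytes are assumptions constructed for the example.

```python
"""Build and audit the iOS VPN profile an MDM pushes for GlobalProtect Always On.
Added example (not vendor code). Apple payload keys are Apple's; the Workspace ONE
field-to-key mapping and all sample values are assumptions constructed here."""
import plistlib
import uuid

# Bundle IDs named in the procedure for the Custom connection type (app 5.0+).
GP_BUNDLE_IDS = {
    "com.paloaltonetworks.globalprotect.vpn",    # App Store
    "com.paloaltonetworks.globalprotect.vpncn",  # App Store in China
}
CERT_PAYLOAD_TYPE = "com.apple.security.pkcs12"
VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"


def build_profile(portal, device_uid, pkcs12_blob, idle_seconds=0,
                  bundle_id="com.paloaltonetworks.globalprotect.vpn"):
    """Return a dict in mobileconfig layout: one PKCS#12 credential payload plus one
    VPN payload that references it, so the certificate ships inside the VPN profile."""
    cert_uuid = str(uuid.uuid4())
    cert_payload = {
        "PayloadType": CERT_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.gp.cert",   # constructed identifier
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "GlobalProtect client certificate",
        "PayloadContent": pkcs12_blob,                 # Credentials: uploaded certificate
    }
    vpn = {
        "RemoteAddress": portal,                       # Server field (portal host)
        "AuthenticationMethod": "Certificate",         # Authentication: Certificate
        "PayloadCertificateUUID": cert_uuid,           # Identity Certificate
        "OnDemandEnabled": 1,                          # VPN On Demand
        "OnDemandRules": [{"Action": "Connect"}],      # on-demand rule, Action: Connect
    }
    if idle_seconds:
        vpn["DisconnectOnIdle"] = 1                    # Disconnect on idle (seconds)
        vpn["DisconnectOnIdleTimer"] = idle_seconds
    vpn_payload = {
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.gp.vpn",    # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "GlobalProtect Always On",
        "UserDefinedName": "GlobalProtect",            # Connection Name
        "VPNType": "VPN",                              # Connection Type: Custom
        "VPNSubType": bundle_id,                       # Identifier field
        "VPN": vpn,
        "VendorConfig": {"mobile_id": device_uid},     # Custom Data: mobile_id = {DeviceUid}
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.gp.profile",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "GlobalProtect Always On (iOS)",
        "PayloadContent": [cert_payload, vpn_payload],
    }


def audit_profile(profile):
    """Check a profile against the Always On requirements in the procedure.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") == CERT_PAYLOAD_TYPE}
    vpns = [p for p in payloads if p.get("PayloadType") == VPN_PAYLOAD_TYPE]
    if not vpns:
        return ["no VPN payload in profile"]
    for p in vpns:
        vpn = p.get("VPN", {})
        if p.get("VPNType") == "VPN" and p.get("VPNSubType") not in GP_BUNDLE_IDS:
            findings.append("Custom connection type without a GlobalProtect bundle ID")
        if not vpn.get("RemoteAddress"):
            findings.append("Server (portal) not set")
        if vpn.get("OnDemandEnabled") != 1 or not any(
                r.get("Action") == "Connect" for r in vpn.get("OnDemandRules", [])):
            findings.append("VPN On Demand with a Connect rule is required for Always On")
        if "Certificate" in vpn.get("AuthenticationMethod", "") and \
                vpn.get("PayloadCertificateUUID") not in cert_uuids:
            findings.append("certificate auth selected but no certificate payload in this profile")
        mobile_id = p.get("VendorConfig", {}).get("mobile_id")
        if not mobile_id or mobile_id.startswith("{"):
            findings.append("mobile_id missing or lookup value {DeviceUid} not resolved")
    return findings


def roundtrip(profile):
    """Serialize to XML plist (the .mobileconfig wire format) and parse it back."""
    return plistlib.loads(plistlib.dumps(profile))


if __name__ == "__main__":
    # Constructed sample values: portal hostname, a fake UDID, fake PKCS#12 bytes.
    prof = build_profile("portal.example.com", "00008030-0000EXAMPLE0001",
                         b"not-a-real-pkcs12", idle_seconds=600)
    print("findings:", audit_profile(roundtrip(prof)))
```

To audit a profile exported from the console, load it with `plistlib.load(open(path, "rb"))` and pass the result to `audit_profile`; the checks cover only what the procedure states, so a clean result means the profile is consistent with these steps, not that the portal and gateway side is complete.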