Authentication Changes

GlobalProtect app 5.0 for iOS endpoints introduces the following authentication changes:

Enhanced User Experience for Two-Factor Authentication Using One-Time Passwords

When users authenticate to GlobalProtect portals or gateways using two-factor authentication with one-time passwords (OTPs), the OTP authentication prompt on the GlobalProtect app for iOS no longer blocks access to other applications on the endpoint. In previous versions of the GlobalProtect app (4.1.x and earlier releases), users had to tap Cancel on the OTP authentication prompt in order to switch from the GlobalProtect app to other applications for OTP retrieval (for example, to open the Messages app and retrieve an OTP sent by text message). Starting with GlobalProtect app 5.0, users can tap the home button during OTP authentication to switch from the GlobalProtect app to other applications for OTP retrieval. After users retrieve the OTP, they can return directly to the OTP authentication prompt in the GlobalProtect app to complete the authentication attempt.

Client Certificate Deployment

GlobalProtect app 5.0 for iOS uses the Apple NetworkExtension framework for VPN tunnel configuration. With this framework, you can deploy VPN client certificates only by embedding the certificate within a VPN profile. If the certificate is imported directly on an endpoint using methods such as email-based installation, VPN providers cannot access the certificate.
GlobalProtect app 4.1.x and earlier releases used a different VPN framework that allowed system-wide access to any client certificates. This VPN framework has been deprecated by Apple.
GlobalProtect app 5.0 for iOS supports the following client certificate deployment methods:
  • Client certificate deployment from an MDM system—If you manage iOS endpoints using an MDM system, you must deploy the client certificate as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, GlobalProtect cannot access these certificates.
  • Client certificate deployment from the GlobalProtect portal—If you do not use an MDM system to manage your iOS endpoints, you can deploy client certificates from the GlobalProtect portal.
    These client certificates can be used only for gateway authentication.
  • Client certificate deployment using the Apple Configurator—If you do not use an MDM system to manage your iOS endpoints, you can deploy client certificates using the Apple Configurator. From the Apple Configurator, you can generate a .mobileconfig file that contains the entire VPN profile configuration (including client certificates). You can then send the .mobileconfig file to your end users (using methods such as email) so that they can install the file and import the VPN profile configuration on their endpoints. Refer to the Apple Configurator Help for more details.
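As an added illustration of the embedding requirement described above (example code, not Palo Alto Networks' or Apple's own), the following Python builds a minimal .mobileconfig in which the PKCS#12 client certificate travels as its own payload and is referenced from the VPN payload, and a check that flags a VPN payload whose certificate reference is not satisfied inside the same profile. The provider bundle identifier, the example.com payload identifiers, the portal host and the PKCS#12 bytes are assumed or constructed values, not taken from this page.

```python
import plistlib
import uuid

GP_PROVIDER_ID = "com.paloaltonetworks.globalprotect.vpn"  # assumed; not on page


def build_vpn_profile(portal, p12_bytes, p12_password, embed_cert=True):
    """Return .mobileconfig bytes; embed_cert=False omits the PKCS#12 payload."""
    cert_uuid, vpn_uuid = (str(uuid.uuid4()).upper() for _ in range(2))
    cert_payload = {
        "PayloadType": "com.apple.security.pkcs12",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.com.cert.{cert_uuid}",
        "PayloadUUID": cert_uuid,
        "PayloadDisplayName": "GlobalProtect client certificate",
        "PayloadContent": p12_bytes,   # plistlib serialises bytes as <data>
        "Password": p12_password,
    }
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"example.com.vpn.{vpn_uuid}",
        "PayloadUUID": vpn_uuid,
        "PayloadDisplayName": "GlobalProtect VPN",
        "UserDefinedName": "GlobalProtect",
        "VPNType": "VPN",              # custom VPN via NetworkExtension
        "VPNSubType": GP_PROVIDER_ID,
        "VPN": {"RemoteAddress": portal, "ProviderType": "packet-tunnel",
                "ProviderBundleIdentifier": GP_PROVIDER_ID,
                "AuthenticationMethod": "Certificate",
                "PayloadCertificateUUID": cert_uuid},  # must be in-profile
    }
    # embed_cert=False models a certificate installed outside the profile
    payloads = [cert_payload, vpn_payload] if embed_cert else [vpn_payload]
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.com.globalprotect",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "GlobalProtect VPN profile",
        "PayloadContent": payloads,
    })


def dangling_cert_refs(mobileconfig):
    """VPN payload names whose certificate UUID has no PKCS#12 payload here."""
    payloads = plistlib.loads(mobileconfig).get("PayloadContent", [])
    embedded = {p["PayloadUUID"] for p in payloads
                if p.get("PayloadType") == "com.apple.security.pkcs12"}
    return [p["PayloadDisplayName"] for p in payloads
            if p.get("PayloadType") == "com.apple.vpn.managed"
            and p["VPN"].get("PayloadCertificateUUID") not in embedded]
```

Running `dangling_cert_refs` over a profile exported from an MDM or Apple Configurator before distribution catches the case where the VPN payload expects a certificate the profile does not carry.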
