Mobile Device Management Changes

GlobalProtect app 5.0 for iOS endpoints introduces the mobile device management (MDM) changes described in the following sections.
The MDM configurations described in these sections are based on the AirWatch MDM solution; exact workflows vary by MDM vendor. If you use any other MDM solution, contact your MDM vendor for assistance with implementing these changes natively in its product.

Configuration and Deployment of VPN Profiles

If you manage iOS endpoints using an MDM system, use the following steps to deploy a VPN profile from the MDM so that you can automatically set up the GlobalProtect app for your end users:
  1. On the MDM, create a custom VPN profile.
  2. Deploy the custom VPN profile on all enrolled iOS endpoints that will be using GlobalProtect app 5.0.
  3. Delete the VPN profiles and client certificates associated with previous versions of the GlobalProtect app (4.1.x and earlier releases) from the MDM.

MDM-based Client Certificate Deployment

If you manage iOS endpoints using an MDM system and want to use client certificates for GlobalProtect client authentication, you must now deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
This deployment requirement follows from changes Apple made between iOS 11 and iOS 12.
Use the following steps to deploy a client certificate on an AirWatch MDM VPN profile:
  1. Log in to the AirWatch Console.
  2. Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
  3. Select iOS from the platform list.
  4. Configure the General settings.
  5. Configure one of the following Credentials settings:
    • To pull client certificates from AirWatch users, set the Credential Source to User Certificate and then use the S/MIME Signing Certificate (default).
    • To upload a client certificate manually, set the Credential Source to Upload. Enter a Credential Name and then UPLOAD the certificate. Click SAVE to upload the selected certificate.
    • To use a predefined certificate authority and template, set the Credential Source to Defined Certificate Authority. Select the Certificate Authority from which you want to obtain certificates and the Certificate Template for that certificate authority.
  6. Configure the following VPN settings:
    1. In the Connection Info area, enter a Connection Name.
    2. Set the Connection Type to Custom.
    3. When the Identifier field appears, enter the following bundle ID to identify the new GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. In the Authentication area, set User Authentication to Certificate.
    6. Select the Identity Certificate (configured in step 5) that GlobalProtect will use to authenticate users.
    7. Configure the remaining settings as needed.
  7. SAVE & PUBLISH your changes.

MDM Integration for HIP-based Policy Enforcement

GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the unique device identifier (UDID) of the endpoint to the GlobalProtect gateway.
Unlike previous versions of the app, GlobalProtect app 5.0 cannot retrieve UDIDs directly from endpoints. To enable the GlobalProtect app to retrieve and use UDID information in MDM-based deployments, you must now specify the UDID attribute in the VPN profile that is pushed from the MDM server.
If you remove the UDID attribute from a VPN profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the MDM integration.
Use the following steps to add the UDID attribute to an AirWatch MDM VPN profile:
  1. Log in to the AirWatch Console.
  2. Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
  3. Select iOS from the platform list.
  4. Configure the General settings.
  5. Configure the Credentials settings.
  6. Configure the following VPN settings:
    1. In the Connection Info area, enter a Connection Name.
    2. Set the Connection Type to Custom.
    3. When the Identifier field appears, enter the following bundle ID to identify the new GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. In the Custom Data field, ADD the following vendor key information:
      • Key: mobile_id
      • Value: {DeviceUid}
    6. Configure the remaining settings as needed.
  7. SAVE & PUBLISH your changes.
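The two procedures above (client certificate carried inside the VPN profile, and the mobile_id UDID key in the profile's custom data) can be verified on the profile an MDM actually pushes, rather than only in the console. The following Python script is an added example, not part of this documentation and not Palo Alto Networks or VMware AirWatch code. It builds a sample .mobileconfig of the kind an MDM delivers after substituting its lookup values, then checks it for the three requirements: a custom VPN payload identified by com.paloaltonetworks.globalprotect.vpn, an identity certificate that is present in the same profile when certificate authentication is selected, and a non-empty, already-substituted mobile_id value. It assumes the standard Apple VPN payload keys (com.apple.vpn.managed, VPNSubType, VendorConfig, PayloadCertificateUUID, com.apple.security.pkcs12); the portal hostname, certificate bytes and UDID are constructed placeholders.

```python
import plistlib
import uuid
from typing import List

GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"  # bundle ID from the procedure above
UDID_KEY = "mobile_id"                                    # custom-data key from the procedure above


def build_sample_profile(udid: str, include_cert: bool = True) -> bytes:
    """Construct a sample .mobileconfig (XML plist) as an MDM would push it.

    The AirWatch lookup value {DeviceUid} is assumed to have been replaced with
    the per-device UDID already. Everything here is a constructed sample; the
    certificate bytes are a placeholder, not a real PKCS#12 blob.
    """
    cert_uuid = str(uuid.uuid4()).upper()
    payloads = []
    if include_cert:
        # Identity certificate delivered inside the same profile as the VPN payload.
        payloads.append({
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.gp-cert",
            "PayloadUUID": cert_uuid,
            "PayloadDisplayName": "GlobalProtect client certificate (sample)",
            "PayloadContent": b"PKCS12-PLACEHOLDER",
        })
    # Custom VPN payload identified by the GlobalProtect 5.0 bundle ID.
    payloads.append({
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.gp-vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "UserDefinedName": "Corporate GlobalProtect",
        "VPNType": "VPN",
        "VPNSubType": GP_BUNDLE_ID,
        "VPN": {
            "RemoteAddress": "portal.example.com",   # hypothetical portal hostname
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,      # points at the certificate payload above
        },
        "VendorConfig": {UDID_KEY: udid},
    })
    root = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.gp-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "GlobalProtect VPN (sample)",
        "PayloadContent": payloads,
    }
    return plistlib.dumps(root)


def check_vpn_profile(profile_bytes: bytes) -> List[str]:
    """Return findings for a pushed profile; an empty list means it meets the 5.0 requirements."""
    findings = []
    root = plistlib.loads(profile_bytes)
    payloads = root.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpns:
        return ["profile contains no VPN payload"]
    for vpn in vpns:
        name = vpn.get("UserDefinedName", "<unnamed>")
        # Requirement 1: custom VPN type carrying the GlobalProtect 5.0 bundle ID.
        if vpn.get("VPNType") != "VPN" or vpn.get("VPNSubType") != GP_BUNDLE_ID:
            findings.append(f"{name}: not a custom VPN identified by {GP_BUNDLE_ID}")
        settings = vpn.get("VPN", {})
        if not settings.get("RemoteAddress"):
            findings.append(f"{name}: no portal address (RemoteAddress)")
        # Requirement 2: certificate auth must reference a certificate in this profile.
        if settings.get("AuthenticationMethod") == "Certificate":
            if settings.get("PayloadCertificateUUID") not in cert_uuids:
                findings.append(f"{name}: certificate auth selected but the identity "
                                f"certificate is not carried in this profile")
        # Requirement 3: UDID key present and already substituted by the MDM.
        udid = vpn.get("VendorConfig", {}).get(UDID_KEY, "")
        if not udid:
            findings.append(f"{name}: missing {UDID_KEY} in custom data; "
                            f"MDM integration for HIP policy will not work")
        elif "{" in udid or "}" in udid:
            findings.append(f"{name}: {UDID_KEY} holds an unsubstituted lookup value: {udid}")
    return findings


if __name__ == "__main__":
    # Constructed UDID-shaped placeholder, not a real device identifier.
    for label, blob in [("good", build_sample_profile("00008030-001A2B3C4D5E0026")),
                        ("no-cert", build_sample_profile("00008030-001A2B3C4D5E0026", include_cert=False)),
                        ("unsubstituted", build_sample_profile("{DeviceUid}")),
                        ("no-udid", build_sample_profile(""))]:
        print(label, check_vpn_profile(blob) or "OK")
```

Run it against an exported profile by replacing the sample with the file's bytes (plistlib.loads also accepts binary plists). The check deliberately treats a literal {DeviceUid} as a failure: that is what a device receives when the MDM did not resolve its lookup value, and the resulting mobile_id is useless for HIP matching even though the key is present.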
