End-of-Life (EoL)

Mobile Device Management Changes

GlobalProtect app 5.0 for iOS endpoints introduces the following mobile device management (MDM) changes.
The MDM configurations described in these sections are based on the AirWatch MDM solution; exact workflows vary by MDM vendor. If you are using any other MDM solution, contact your MDM vendor for assistance with implementing these changes.
You can also contact your MDM vendor about implementing these changes natively in the product.

Configuration and Deployment of VPN Profiles

If you manage iOS endpoints using an MDM system, use the following steps to deploy a VPN profile from the MDM so that you can automatically set up the GlobalProtect app for your end users:
  1. On the MDM, create a custom VPN profile.
  2. Deploy the custom VPN profile on all enrolled iOS endpoints that will be using GlobalProtect app 5.0.
  3. Delete the VPN profiles and client certificates associated with previous versions of the GlobalProtect app (4.1.x and earlier releases) from the MDM.

MDM-based Client Certificate Deployment

If you manage iOS endpoints using an MDM system and want to use client certificates for GlobalProtect client authentication, you must now deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
This deployment is based on changes from iOS 11 to iOS 12.
Use the following steps to deploy a client certificate on an AirWatch MDM VPN profile:
  1. Log in to the AirWatch Console.
  2. Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
  3. Select iOS from the platform list.
  4. Configure the General settings.
  5. Configure one of the following Credentials settings:
    • To pull client certificates from AirWatch users, set the Credential Source to User Certificate and then use the S/MIME Signing Certificate (default).
    • To upload a client certificate manually, set the Credential Source to Upload. Enter a Credential Name and then UPLOAD the certificate. Click SAVE to upload the selected certificate.
    • To use a predefined certificate authority and template, set the Credential Source to Defined Certificate Authority. Select the Certificate Authority from which you want to obtain certificates and the Certificate Template for the certificate authority.
  6. Configure the following VPN settings:
    1. In the Connection Info area, enter a Connection Name.
    2. Set the Connection Type to Custom.
    3. When the Identifier field appears, enter the following bundle ID to identify the new GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. In the Authentication area, set User Authentication to Certificate.
    6. Select the Identity Certificate (configured in step 5) that GlobalProtect will use to authenticate users.
    7. Configure the remaining settings as needed.
  7. SAVE & PUBLISH your changes.

MDM Integration for HIP-based Policy Enforcement

GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the unique device identifier (UDID) of the endpoint to the GlobalProtect gateway.
GlobalProtect app 5.0 cannot retrieve UDIDs directly from endpoints, as in previous versions of the app. To enable the GlobalProtect app to retrieve and use UDID information in MDM-based deployments, you must now specify the UDID attribute in the VPN profile that is pushed from the MDM server.
If you remove the UDID attribute from a VPN profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the MDM integration.
Use the following steps to add the UDID attribute to an AirWatch MDM VPN profile:
  1. Log in to the AirWatch Console.
  2. Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
  3. Select iOS from the platform list.
  4. Configure the General settings.
  5. Configure the Credentials settings.
  6. Configure the following VPN settings:
    1. In the Connection Info area, enter a Connection Name.
    2. Set the Connection Type to Custom.
    3. When the Identifier field appears, enter the following bundle ID to identify the new GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. In the Custom Data field, ADD the following vendor key information:
      • Key: mobile_id
      • Value: {DeviceUid}
    6. Configure the remaining settings as needed.
  7. SAVE & PUBLISH your changes.
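
The following Python check is an added example, not part of the original documentation. It lints an exported .mobileconfig for the two requirements in the procedures above: the identity certificate must be in the same profile as the GlobalProtect VPN payload, and the mobile_id attribute must be present. The payload key names (VPNSubType, VendorConfig, RemoteAddress, AuthenticationMethod, PayloadCertificateUUID) are Apple's configuration-profile keys. That AirWatch writes the Identifier, Custom Data, Server and Identity Certificate fields to those keys is an assumption, and the sample profile is constructed.

```python
import plistlib

# Bundle ID and mobile_id key are from the page; the payload key names are Apple's
# VPN payload keys, and their mapping to the AirWatch fields is an assumption.
GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"
IDENTITY_TYPES = {"com.apple.security.pkcs12", "com.apple.security.scep"}

def lint_profile(raw: bytes) -> list:
    """Return findings for the GlobalProtect VPN payloads in a .mobileconfig plist."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    identities = {p["PayloadUUID"] for p in payloads
                  if p.get("PayloadType") in IDENTITY_TYPES and "PayloadUUID" in p}
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"
            and p.get("VPNSubType") == GP_BUNDLE_ID]
    findings = [] if vpns else ["no custom VPN payload with the GlobalProtect 5.0 bundle ID"]
    for p in vpns:
        name, vpn = p.get("UserDefinedName", "<unnamed>"), p.get("VPN", {})
        if not vpn.get("RemoteAddress"):
            findings.append(f"{name}: no portal hostname or IP address")
        if vpn.get("AuthenticationMethod") == "Certificate" \
                and vpn.get("PayloadCertificateUUID") not in identities:
            findings.append(f"{name}: identity certificate is not part of this profile")
        if not p.get("VendorConfig", {}).get("mobile_id"):
            findings.append(f"{name}: mobile_id missing, MDM integration unavailable")
    return findings

def sample_profile(bundle_cert=True, mobile_id=True) -> bytes:
    """Constructed sample profile; every value below is a placeholder."""
    cert_uuid = "11111111-2222-3333-4444-555555555555"
    vpn = {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "GP-Example",
           "VPNType": "VPN", "VPNSubType": GP_BUNDLE_ID,
           "VPN": {"RemoteAddress": "portal.example.com",
                   "AuthenticationMethod": "Certificate",
                   "PayloadCertificateUUID": cert_uuid},
           "VendorConfig": {"mobile_id": "CONSTRUCTED-UDID-0001"} if mobile_id else {}}
    cert = {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": cert_uuid,
            "PayloadContent": b"constructed placeholder, not a real PKCS#12"}
    content = [vpn, cert] if bundle_cert else [vpn]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})

if __name__ == "__main__":
    for label, raw in [("complete", sample_profile()),
                       ("cert pushed separately", sample_profile(bundle_cert=False)),
                       ("no UDID attribute", sample_profile(mobile_id=False))]:
        print(label, "->", lint_profile(raw) or "OK")
```

Run it against profiles exported from the MDM before publishing; an empty list means the VPN payload, its identity certificate and the mobile_id attribute are all in the same profile.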
