End-of-Life (EoL)

Configure a Device-Level VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring VPN access using AirWatch. In a device-level VPN configuration, you route all of the traffic that matches the access routes configured on the GlobalProtect gateway through the GlobalProtect VPN.
  1. Download the GlobalProtect app for iOS.
  2. From the AirWatch console, modify or add a new Apple iOS profile.
    1. Navigate to
      List View
    2. Select an existing profile to add the VPN configuration to it or add a new one (select
      Apple iOS)
    3. Configure
      profile settings:
      • Description
        —A brief description of the profile that indicates its purpose.
      • Deployment
        —Determines if the profile will be automatically removed upon unenrollment, either
        (the profile is removed) or
        (the profile remains installed until removed by the end user).
      • Assignment Type
        —Determines how the profile is deployed to devices:
        • Auto
          —The profile is deployed to all devices automatically.
        • Optional
          —The end user can optionally install the profile from the Self-Service Portal (SSP), or the profile can be deployed to individual devices at the administrator's discretion.
        • Compliance
          —The profile is deployed when the end user violates a compliance policy applicable to the device.
      • Managed By
        —The Organization Group with administrative access to the profile.
      • Assigned Smart Group
        —The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
      • Allow Removal
        —Determines whether or not the profile can be removed by the device's end user:
        • Always
          —The end user can manually remove the profile at any time.
        • With Authorization
          —The end user can remove the profile with the authorization of the administrator. Choosing this option adds a required Password field.
        • Never
          —The end user cannot remove the profile from the device.
      • Exclusions
        is selected, a new field
        Excluded Smart Groups
        displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
  3. Configure the VPN settings.
    1. Select
      and then click
    2. Configure Connection information, including:
      • Connection Name
        —Enter the connection name to be displayed.
      • Connection Type
        Palo Alto Networks GlobalProtect
        as the network connection method.
      • Server
        —Enter the hostname or IP address of the GlobalProtect portal to which to connect.
      • Account
        —Enter the username of the VPN account or click add ( “
        ” ) to view supported lookup values you can insert.
      • Authentication
        —Choose the method to authenticate end users. Follow the related prompts to enter a
        or upload an
        Identity Certificate
        to use to authenticate users; or, if you selected
        Password + Certificate
        , follow the related prompts for both.
    3. Click
      Save & Publish
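
After publishing, you can check that the profile carries the settings chosen above. The following is an added example, not part of the original procedure or of any AirWatch or GlobalProtect tooling: it audits an unsigned .mobileconfig for the Allow Removal, Connection Type, Server, and Authentication choices using Apple's standard VPN payload keys. The mapping from the console fields to those keys, the sample profile, and the placeholder bundle identifier are assumptions.

```python
import plistlib

# Placeholder: the page does not give the GlobalProtect app's bundle identifier.
PLACEHOLDER_SUBTYPE = "com.example.globalprotect-placeholder"

def build_sample(removal_disallowed=True, method="Certificate",
                 cert_uuid="CONSTRUCTED-UUID-0001"):
    """Build a constructed, unsigned profile (not exported from a real console)."""
    vpn = {"RemoteAddress": "portal.example.com", "AuthName": "jdoe",
           "AuthenticationMethod": method}
    if cert_uuid:
        vpn["PayloadCertificateUUID"] = cert_uuid
    payload = {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "Corp VPN",
               "VPNType": "VPN", "VPNSubType": PLACEHOLDER_SUBTYPE, "VPN": vpn}
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadRemovalDisallowed": removal_disallowed,
                           "PayloadContent": [payload]})

def audit_profile(data, expected_subtype, expected_server):
    """Return a list of findings for the VPN payloads in an unsigned profile."""
    profile = plistlib.loads(data)
    findings = []
    # Allow Removal = Never is assumed to map to PayloadRemovalDisallowed = true.
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is removable by the end user")
    vpns = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpns:
        findings.append("no VPN payload present")
    for p in vpns:
        name = p.get("UserDefinedName", "<unnamed>")
        vpn = p.get("VPN", {})
        if p.get("VPNType") != "VPN" or p.get("VPNSubType") != expected_subtype:
            findings.append(f"{name}: connection type is not the expected VPN app")
        if vpn.get("RemoteAddress", "").lower() != expected_server.lower():
            findings.append(f"{name}: server is not {expected_server}")
        method = vpn.get("AuthenticationMethod")
        if method == "Certificate" and not vpn.get("PayloadCertificateUUID"):
            findings.append(f"{name}: certificate auth without an identity certificate")
        if method == "Password":
            findings.append(f"{name}: password-only authentication")
    return findings

if __name__ == "__main__":
    weak = build_sample(removal_disallowed=False, method="Password", cert_uuid=None)
    for finding in audit_profile(weak, PLACEHOLDER_SUBTYPE, "portal.example.com"):
        print(finding)
```

A signed profile is wrapped in a CMS envelope and must be unwrapped before `plistlib` can read it.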
