End-of-Life (EoL)

Configure a Per-App VPN Configuration for iOS Devices Using AirWatch

You can easily enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps on the endpoint can send traffic through the GlobalProtect VPN tunnel. Unmanaged apps will continue to connect directly to the Internet instead of through the GlobalProtect VPN tunnel.
  1. Download the GlobalProtect app for iOS:
  2. From the AirWatch console, modify or add a new Apple iOS profile:
    1. Navigate to
      Devices
      Profiles
      List View
      .
    2. Select an existing profile to add the VPN configuration to it or add a new one (select
      Add
      Apple iOS
      ).
  3. Configure
    General
    profile settings:
    • Description
      —A brief description of the profile that indicates its purpose.
    • Deployment
      —Determines if the profile will be automatically removed upon unenrollment, either
      Managed
      (the profile is removed) or
      Manual
      (the profile remains installed until removed by the end user).
    • Assignment Type
      —Determines how the profile is deployed to endpoints. Select
      Auto
      to deploy the profile to all endpoints automatically,
      Optional
      to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or
      Compliance
      to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    • Managed By
      —The Organization Group with administrative access to the profile.
    • Assigned Smart Group
      —The Smart Group to which you want the device profile added. Includes an option to create a new Smart Group which can be configured with specs for minimum OS, device models, ownership categories, organization groups and more.
    • Allow Removal
      —Determines whether or not the profile can be removed by the endpoint's end user. Select
      Always
      to enable the end user to manually remove the profile at any time,
      Never
      to prevent the end user from removing the profile from the endpoint, or
      With Authorization
      to enable the end user to remove the profile with the authorization of the administrator. Choosing
      With Authorization
      adds a required Password.
    • Exclusions
      —If
      Yes
      is selected, a new field
      Excluded Smart Groups
      displays, enabling you to select those Smart Groups you wish to exclude from the assignment of this device profile.
  4. To configure the per-app VPN settings in the Apple iOS profile, select
    VPN
    and then click
    Configure
    .
  5. Configure connection information, including:
    • Connection Name
      —Enter the name of the connection name to be displayed.
    • Connection Type
      —Select
      Palo Alto Networks GlobalProtect
      as the network connection method.
    • Server
      —Enter the hostname or IP address of the GlobalProtect portal to which to connect.
    • Account
      —Enter the username of the VPN account or click add ( “
      +
      ” ) to view supported lookup values that you can insert.
    • Send All Traffic
      —Select this check box to force all traffic through the specified network.
    • Disconnect on Idle
      —Allow the VPN to auto-disconnect after a specific amount of time.
    • Enable
      Per App VPN
      to route all of the traffic for a managed app traffic through the GlobalProtect VPN.
    • Connect Automatically
      —Select this check box to allow the VPN to connect automatically to chosen Safari Domains.
  6. Configure the authentication method to use to authenticate users. For per-app VPN, you must use certificate-based authentication. Select
    User Authentication: Certificate
    , and then follow the prompts to upload an
    Identity Certificate
    to use for authentication.
  7. Select either
    Manual
    or
    Auto Proxy
    type and enter the specific information needed.
  8. Click
    Save & Publish
    .
  9. Configure per-app VPN settings for a new managed app, or modify the settings for an existing managed apps.
    After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
    1. On the main page, select
      Apps & Books
      Public.
    2. To add a new app, select
      Add Application
      . Or, to modify the settings of an existing app, locate the GlobalProtect app in the list of Public apps and then select the edit icon in the actions menu next to the row.
    3. Select the organization group by which this app will be managed.
    4. Select
      Apple iOS
      as the
      Platform
      .
    5. Select your preferred method for locating the app, either by searching the App Store (by Name), or specifying a URL for the app in the App Store (for example, to add the Box app, enter https://itunes.apple.com/us/app/box-for-iphone-and-ipad/id290853822?mt=8&uo=4), and then click
      Next
      . If you choose to search the App Store, you must
      Select
      the app from the list of search results.
    6. On the
      Assignment
      tab, select
      Assigned Smart Groups
      that will have access to this app.
    7. On the
      Deployment
      tab, select the
      Push Mode
      , either
      Auto
      or
      On Demand
      .
    8. Select
      Use VPN
      and then select the Apple iOS profile that you created earlier in this workflow.
    Only profiles that have per-app VPN enabled are available from the drop-down.
    1. Select
      Save & Publish
      to push the App Catalog to the endpoints in the Smart Groups you assigned in the
      Assignment
      section.

Recommended For You