Configure an Always On VPN Configuration for iOS Endpoints Using AirWatch

In an Always On VPN configuration, the secure GlobalProtect connection is always on. Traffic that matches specific filters (such as port and IP address) configured on the GlobalProtect gateway is always routed through the VPN tunnel.
Use the following steps to configure an Always On VPN configuration for iOS endpoints using AirWatch:
  1. Download the GlobalProtect app for iOS.
  2. From the AirWatch console, modify an existing Apple iOS profile or add a new one.
    1. Select
      Devices
      Profiles & Resources
      Profiles
      , and then
      ADD
      a new profile.
    2. Select
      iOS
      from the platform list.
      airwatch-add-ios-profile.png
  3. Configure the
    General
    settings:
    1. Enter a
      Name
      for the profile.
    2. (
      Optional
      ) Enter a brief
      Description
      of the profile that indicates its purpose.
    3. (
      Optional
      ) Select the
      Deployment
      method, which indicates whether the profile will be removed automatically upon unenrollment—either
      Managed
      (the profile is removed) or
      Manual
      (the profile remains installed until it is removed by the end user).
    4. (
      Optional
      ) Select an
      Assignment Type
      to determine how the profile is deployed to endpoints. Select
      Auto
      to deploy the profile to all endpoints automatically,
      Optional
      to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or
      Compliance
      to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (
      Optional
      ) Select whether or not you want to
      Allow Removal
      of the profile by the end user. Select
      Always
      to enable the end user to manually remove the profile at any time,
      Never
      to prevent the end user from removing the profile, or
      With Authorization
      to enable the end user to remove the profile with the authorization of the administrator. Choosing
      With Authorization
      adds a required Password.
    6. (
      Optional
      ) In the
      Managed By
      field, enter the Organization Group with administrative access to the profile.
    7. (
      Optional
      ) In the
      Assigned Groups
      field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (
      Optional
      ) Indicate whether you want to include any
      Exclusions
      to the assignment of this profile. If you select
      Yes
      , the
      Excluded Groups
      field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    9. (
      Optional
      ) If you enable the option to
      Install only on devices inside selected areas
      , the profile can be installed only on endpoints in specified geofence or iBeacon regions. When prompted, add the geofence or iBeacon regions in the
      Assigned Geofence Areas
      field.
    10. (
      Optional
      ) If you
      Enable Scheduling and install only during selected time periods
      , you can apply a time schedule (
      Devices
      Profiles & Resources
      Profiles Settings
      Time Schedules
      ) to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in the
      Assigned Schedules
      field.
    11. (
      Optional
      ) Select the
      Removal Date
      on which you want the profile to be removed from all endpoints.
    airwatch-ios-general-settings.png
  4. (
    Optional
    ) If your GlobalProtect deployment requires client certificate authentication, configure the
    Credentials
    settings:
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
    • To pull client certificates from AirWatch users:
      1. Set the
        Credential Source
        to
        User Certificate
        .
      2. Select the
        S/MIME Signing Certificate
        (default).
      airwatch-ios-credentials-user-cert.png
    • To upload a client certificate manually:
      1. Set the
        Credential Source
        to
        Upload
        .
      2. Enter a
        Credential Name
        .
      3. Click
        UPLOAD
        to locate and select the certificate that you want to upload.
      4. After you select a certificate, click
        SAVE
        .
      airwatch-ios-credentials-upload.png
    • To use a predefined certificate authority and template:
      1. Set the
        Credential Source
        to
        Defined Certificate Authority
        .
      2. Select the
        Certificate Authority
        from which you want obtain certificates.
      3. Select the
        Certificate Template
        for the certificate authority.
      airwatch-ios-credentials-CA.png
  5. Configure the
    VPN
    settings:
    1. Enter the
      Connection Name
      that the endpoint displays.
    2. Select the network
      Connection Type
      :
      • For GlobalProtect app 4.1.x and earlier releases, select
        Palo Alto Networks GlobalProtect
        .
      • For GlobalProtect app 5.0 and later releases, select
        Custom
        .
    3. (
      Optional
      ) If you set the
      Connection Type
      to
      Custom
      , enter the following bundle ID in the
      Identifier
      field to identify the GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
      airwatch-ios-vpn-custom.png
    4. In the
      Server
      field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. (
      Optional
      ) Enter the username of the VPN
      Account
      or click the add (
      +
      ) button to view supported lookup values that you can insert.
    6. (
      Optional
      ) In the
      Disconnect on idle
      field, specify the amount of time (in seconds) at which an endpoint logs out of the GlobalProtect app after the app stops routing traffic through the VPN tunnel.
    7. In the Authentication area, select a user
      Authentication
      method:
      Password
      ,
      Certificate
      ,
      Password + Certificate
      .
    8. When prompted, enter a
      Password
      and/or select the
      Identity Certificate
      that GlobalProtect will use to authenticate users. The
      Identity Certificate
      is the same certificate that you configured in the
      Credentials
      settings.
    9. Disable the option to
      Enable VPN On Demand
      (enabled by default).
      airwatch-ios-vpn-authentication-always-on.png
    10. (
      Optional
      ) Select the
      Proxy
      type and configure the relevant settings.
  6. (
    Optional
    ) (
    starting with GlobalProtect app 5.0
    ) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    • If you are using the
      Palo Alto Networks GlobalProtect
      network
      Connection Type
      , go to the
      VPN
      settings and enable
      Vendor Keys
      in the Vendor Configurations area. Set the
      Key
      to
      mobile_id
      and the
      Value
      to
      {DeviceUid}
      .
      airwatch-ios-vpn-udid.png
    • If you are using the
      Custom
      network
      Connection Type
      , go to the
      VPN
      settings and
      ADD
      Custom Data
      in the Connection Info area. Set the
      Key
      to
      mobile_id
      and the
      Value
      to
      {DeviceUid}
      .
      airwatch-ios-vpn-udid-custom.png
  7. SAVE & PUBLISH
    your changes.

Related Documentation