Configure an Always On VPN Configuration for iOS Endpoints Using AirWatch

In an Always On VPN configuration, the secure GlobalProtect connection is always on. Traffic that matches specific filters (such as port and IP address) configured on the GlobalProtect gateway is always routed through the VPN tunnel.
Use the following steps to configure an Always On VPN configuration for iOS endpoints using AirWatch:
  1. Download the GlobalProtect app for iOS.
  2. From the AirWatch console, modify an existing Apple iOS profile or add a new one.
    1. Select DevicesProfiles & ResourcesProfiles, and then ADD a new profile.
    2. Select iOS from the platform list.
  3. Configure the General settings:
    1. Enter a Name for the profile.
    2. (Optional) Enter a brief Description of the profile that indicates its purpose.
    3. (Optional) Select the Deployment method, which indicates whether the profile will be removed automatically upon unenrollment—either Managed (the profile is removed) or Manual (the profile remains installed until it is removed by the end user).
    4. (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
    6. (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
    7. (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    9. (Optional) If you enable the option to Install only on devices inside selected areas, the profile can be installed only on endpoints in specified geofence or iBeacon regions. When prompted, add the geofence or iBeacon regions in the Assigned Geofence Areas field.
    10. (Optional) If you Enable Scheduling and install only during selected time periods, you can apply a time schedule (DevicesProfiles & ResourcesProfiles SettingsTime Schedules) to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in the Assigned Schedules field.
    11. (Optional) Select the Removal Date on which you want the profile to be removed from all endpoints.
  4. (Optional) If your GlobalProtect deployment requires client certificate authentication, configure the Credentials settings:
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
    • To pull client certificates from AirWatch users:
      1. Set the Credential Source to User Certificate.
      2. Select the S/MIME Signing Certificate (default).
    • To upload a client certificate manually:
      1. Set the Credential Source to Upload.
      2. Enter a Credential Name.
      3. Click UPLOAD to locate and select the certificate that you want to upload.
      4. After you select a certificate, click SAVE.
    • To use a predefined certificate authority and template:
      1. Set the Credential Source to Defined Certificate Authority.
      2. Select the Certificate Authority from which you want obtain certificates.
      3. Select the Certificate Template for the certificate authority.
  5. Configure the VPN settings:
    1. Enter the Connection Name that the endpoint displays.
    2. Select the network Connection Type:
      • For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect.
      • For GlobalProtect app 5.0 and later releases, select Custom.
    3. (Optional) If you set the Connection Type to Custom, enter the following bundle ID in the Identifier field to identify the GlobalProtect app:
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. (Optional) Enter the username of the VPN Account or click the add (+) button to view supported lookup values that you can insert.
    6. (Optional) In the Disconnect on idle field, specify the amount of time (in seconds) at which an endpoint logs out of the GlobalProtect app after the app stops routing traffic through the VPN tunnel.
    7. In the Authentication area, select a user Authentication method: Password, Certificate, Password + Certificate.
    8. When prompted, enter a Password and/or select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
    9. Disable the option to Enable VPN On Demand (enabled by default).
    10. (Optional) Select the Proxy type and configure the relevant settings.
  6. (Optional) (starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    • If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configurations area. Set the Key to mobile_id and the Value to {DeviceUid}.
    • If you are using the Custom network Connection Type, go to the VPN settings and ADDCustom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
  7. SAVE & PUBLISH your changes.

Related Documentation