Configure a Per-App VPN Configuration for iOS Endpoints Using AirWatch

You can enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps can route traffic through the VPN tunnel. Unmanaged apps will continue to connect directly to the internet instead of through the VPN tunnel.
Use the following steps to configure a per-app VPN configuration for iOS endpoints using AirWatch:
  1. Download the GlobalProtect app for iOS:
  2. From the AirWatch console, modify an existing Apple iOS profile or add a new one.
    1. Select
      Devices
      Profiles & Resources
      Profiles
      , and then
      ADD
      a new profile.
    2. Select
      iOS
      from the platform list.
      airwatch-add-ios-profile.png
  3. Configure the
    General
    settings:
    1. Enter a
      Name
      for the profile.
    2. (
      Optional
      ) Enter a brief
      Description
      of the profile that indicates its purpose.
    3. (
      Optional
      ) Select the
      Deployment
      method, which indicates whether the profile will be removed automatically upon unenrollment—either
      Managed
      (the profile is removed) or
      Manual
      (the profile remains installed until it is removed by the end user).
    4. (
      Optional
      ) Select an
      Assignment Type
      to determine how the profile is deployed to endpoints. Select
      Auto
      to deploy the profile to all endpoints automatically,
      Optional
      to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or
      Compliance
      to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (
      Optional
      ) Select whether or not you want to
      Allow Removal
      of the profile by the end user. Select
      Always
      to enable the end user to manually remove the profile at any time,
      Never
      to prevent the end user from removing the profile, or
      With Authorization
      to enable the end user to remove the profile with the authorization of the administrator. Choosing
      With Authorization
      adds a required Password.
    6. (
      Optional
      ) In the
      Managed By
      field, enter the Organization Group with administrative access to the profile.
    7. (
      Optional
      ) In the
      Assigned Groups
      field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (
      Optional
      ) Indicate whether you want to include any
      Exclusions
      to the assignment of this profile. If you select
      Yes
      , the
      Excluded Groups
      field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    airwatch-ios-general-settings.png
  4. Configure the
    Credentials
    settings:
    All per-app VPN configurations require certificate-based authentication.
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
    • To pull client certificates from AirWatch users:
      1. Set the
        Credential Source
        to
        User Certificate
        .
      2. Select the
        S/MIME Signing Certificate
        (default).
      airwatch-ios-credentials-user-cert.png
    • To upload a client certificate manually:
      1. Set the
        Credential Source
        to
        Upload
        .
      2. Enter a
        Credential Name
        .
      3. Click
        UPLOAD
        to locate and select the certificate that you want to upload.
      4. After you select a certificate, click
        SAVE
        .
      airwatch-ios-credentials-upload.png
    • To use a predefined certificate authority and template:
      1. Set the
        Credential Source
        to
        Defined Certificate Authority
        .
      2. Select the
        Certificate Authority
        from which you want obtain certificates.
      3. Select the
        Certificate Template
        for the certificate authority.
      airwatch-ios-credentials-CA.png
  5. Configure the
    VPN
    settings:
    1. Enter the
      Connection Name
      that the endpoint displays.
    2. Select the network
      Connection Type
      :
      • For GlobalProtect app 4.1.x and earlier releases, select
        Palo Alto Networks GlobalProtect
        .
      • For GlobalProtect app 5.0 and later releases, select
        Custom
        .
    3. (
      Optional
      ) If you set the
      Connection Type
      to
      Custom
      , enter the following bundle ID in the
      Identifier
      field to identify the GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
      airwatch-ios-vpn-custom.png
    4. In the
      Server
      field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. (
      Optional
      ) Enter the username of the VPN
      Account
      or click the add (
      +
      ) button to view supported lookup values that you can insert.
    6. (
      Optional
      ) In the
      Disconnect on idle
      field, specify the amount of time (in seconds) at which an endpoint logs out of the GlobalProtect app after the app stops routing traffic through the VPN tunnel.
    7. Enable
      Per App VPN Rules
      to route all traffic for managed apps through the GlobalProtect VPN tunnel.
      • Enable GlobalProtect to
        Connect Automatically
        to specified
        Safari Domains
        . You can add multiple
        Safari Domains
        by clicking the add (
        +
        ) button.
      • Select a
        Provider Type
        to indicate how traffic will be tunneled—either at the application layer or the IP layer.
        airwatch-ios-vpn-per-app-rules.png
    8. In the Authentication area, set the user
      Authentication
      method to
      Certificate
      .
      All per-app VPN configurations require certificate-based authentication.
    9. When prompted, select the
      Identity Certificate
      that GlobalProtect will use to authenticate users. The
      Identity Certificate
      is the same certificate that you configured in the
      Credentials
      settings.
      airwatch-ios-vpn-authentication-always-on.png
    10. (
      Optional
      ) Select the
      Proxy
      type and configure the relevant settings.
  6. (
    Optional
    ) (
    starting with GlobalProtect app 5.0
    ) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    • If you are using the
      Palo Alto Networks GlobalProtect
      network
      Connection Type
      , go to the
      VPN
      settings and enable
      Vendor Keys
      in the Vendor Configuration area. Set the
      Key
      to
      mobile_id
      and the
      Value
      to
      {DeviceUid}
      .
      airwatch-ios-vpn-udid.png
    • If you are using the
      Custom
      network
      Connection Type
      , go to the
      VPN
      settings and
      ADD
      Custom Data
      in the Connection Info area. Set the
      Key
      to
      mobile_id
      and the
      Value
      to
      {DeviceUid}
      .
      airwatch-ios-vpn-udid-custom.png
  7. SAVE & PUBLISH
    your changes.
  8. Configure per-app VPN settings for a new managed app or modify the settings for an existing managed app.
    After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
    1. Select
      APPS & BOOKS
      Applications
      Native
      Public
      .
    2. To add a new app, select
      ADD APPLICATION
      . To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit ( airwatch-edit-icon.png ) icon in the actions menu next to the row.
      airwatch-add-application.png
    3. In the
      Managed By
      field, select the organization group that will manage this app.
    4. Set the
      Platform
      to
      Apple iOS
      .
    5. Select your preferred
      Source
      for locating the app:
      airwatch-ios-add-app.png
    6. Click
      NEXT
      .
      If you chose to search the App Store, you must also
      SELECT
      the app from the list of search results.
      airwatch-ios-select-app.png
    7. On the Add Application dialog, ensure that the app
      Name
      is correct. This is the name that will appear in the AirWatch App Catalog.
    8. (
      Optional
      ) Assign the app to pre-defined or custom
      Categories
      for ease-of-access in the AirWatch App Catalog.
      airwatch-ios-add-app-dialog.png
    9. SAVE & ASSIGN
      the new app.
    10. Select the newly added app from the list of Public apps (List View).
    11. From the
      Applications
      Details View
      , click
      ASSIGN
      at the top-right corner of the screen.
      airwatch-ios-app-details-view.png
    12. Select
      Assignments
      and then click
      ADD ASSIGNMENT
      to add the Smart Groups that will have access to this app.
      1. In the
        Select Assignment Groups
        field, select the Smart Groups that you want to grant access to this app.
      2. Select the
        App Delivery Method
        . If you select
        AUTO
        , the app is automatically deployed to the specified Smart Groups. If you select
        ON DEMAND
        , the app must be deployed manually.
      3. Set the
        Managed Access
        option to
        ENABLED
        . This option gives users access to the app based on the management policies that you apply.
      4. Configure the remaining settings as needed.
      5. ADD
        the new assignment.
      airwatch-ios-app-assignment.png
    13. (
      Optional
      ) To exclude certain Smart Groups from accessing the app, select
      Exclusions
      and then select the Smart Groups that you want to exclude from the
      Exclusion
      field.
      airwatch-ios-app-exclusion.png
    14. SAVE & PUBLISH
      the configuration to the assigned Smart Groups.

Related Documentation