Configure a Per-App VPN Configuration for iOS Endpoints Using AirWatch

You can enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using AirWatch. In a per-app VPN configuration, you can specify which managed apps can route traffic through the VPN tunnel. Unmanaged apps will continue to connect directly to the internet instead of through the VPN tunnel.
Use the following steps to configure a per-app VPN configuration for iOS endpoints using AirWatch:
  1. Download the GlobalProtect app for iOS:
  2. From the AirWatch console, modify an existing Apple iOS profile or add a new one.
    1. Select DevicesProfiles & ResourcesProfiles, and then ADD a new profile.
    2. Select iOS from the platform list.
      airwatch-add-ios-profile.png
  3. Configure the General settings:
    1. Enter a Name for the profile.
    2. (Optional) Enter a brief Description of the profile that indicates its purpose.
    3. (Optional) Select the Deployment method, which indicates whether the profile will be removed automatically upon unenrollment—either Managed (the profile is removed) or Manual (the profile remains installed until it is removed by the end user).
    4. (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
    6. (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
    7. (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    airwatch-ios-general-settings.png
  4. Configure the Credentials settings:
    All per-app VPN configurations require certificate-based authentication.
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
    • To pull client certificates from AirWatch users:
      1. Set the Credential Source to User Certificate.
      2. Select the S/MIME Signing Certificate (default).
      airwatch-ios-credentials-user-cert.png
    • To upload a client certificate manually:
      1. Set the Credential Source to Upload.
      2. Enter a Credential Name.
      3. Click UPLOAD to locate and select the certificate that you want to upload.
      4. After you select a certificate, click SAVE.
      airwatch-ios-credentials-upload.png
    • To use a predefined certificate authority and template:
      1. Set the Credential Source to Defined Certificate Authority.
      2. Select the Certificate Authority from which you want obtain certificates.
      3. Select the Certificate Template for the certificate authority.
      airwatch-ios-credentials-CA.png
  5. Configure the VPN settings:
    1. Enter the Connection Name that the endpoint displays.
    2. Select the network Connection Type:
      • For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect.
      • For GlobalProtect app 5.0 and later releases, select Custom.
    3. (Optional) If you set the Connection Type to Custom, enter the following bundle ID in the Identifier field to identify the GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
      airwatch-ios-vpn-custom.png
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. (Optional) Enter the username of the VPN Account or click the add (+) button to view supported lookup values that you can insert.
    6. (Optional) In the Disconnect on idle field, specify the amount of time (in seconds) at which an endpoint logs out of the GlobalProtect app after the app stops routing traffic through the VPN tunnel.
    7. Enable Per App VPN Rules to route all traffic for managed apps through the GlobalProtect VPN tunnel.
      • Enable GlobalProtect to Connect Automatically to specified Safari Domains. You can add multiple Safari Domains by clicking the add (+) button.
      • Select a Provider Type to indicate how traffic will be tunneled—either at the application layer or the IP layer.
        airwatch-ios-vpn-per-app-rules.png
    8. In the Authentication area, set the user Authentication method to Certificate.
      All per-app VPN configurations require certificate-based authentication.
    9. When prompted, select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
      airwatch-ios-vpn-authentication-always-on.png
    10. (Optional) Select the Proxy type and configure the relevant settings.
  6. (Optional) (starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    • If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configuration area. Set the Key to mobile_id and the Value to {DeviceUid}.
      airwatch-ios-vpn-udid.png
    • If you are using the Custom network Connection Type, go to the VPN settings and ADDCustom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
      airwatch-ios-vpn-udid-custom.png
  7. SAVE & PUBLISH your changes.
  8. Configure per-app VPN settings for a new managed app or modify the settings for an existing managed app.
    After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
    1. Select APPS & BOOKSApplicationsNativePublic.
    2. To add a new app, select ADD APPLICATION. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit ( airwatch-edit-icon.png ) icon in the actions menu next to the row.
      airwatch-add-application.png
    3. In the Managed By field, select the organization group that will manage this app.
    4. Set the Platform to Apple iOS.
    5. Select your preferred Source for locating the app:
      airwatch-ios-add-app.png
    6. Click NEXT.
      If you chose to search the App Store, you must also SELECT the app from the list of search results.
      airwatch-ios-select-app.png
    7. On the Add Application dialog, ensure that the app Name is correct. This is the name that will appear in the AirWatch App Catalog.
    8. (Optional) Assign the app to pre-defined or custom Categories for ease-of-access in the AirWatch App Catalog.
      airwatch-ios-add-app-dialog.png
    9. SAVE & ASSIGN the new app.
    10. Select the newly added app from the list of Public apps (List View).
    11. From the ApplicationsDetails View, click ASSIGN at the top-right corner of the screen.
      airwatch-ios-app-details-view.png
    12. Select Assignments and then click ADD ASSIGNMENT to add the Smart Groups that will have access to this app.
      1. In the Select Assignment Groups field, select the Smart Groups that you want to grant access to this app.
      2. Select the App Delivery Method. If you select AUTO, the app is automatically deployed to the specified Smart Groups. If you select ON DEMAND, the app must be deployed manually.
      3. Set the Managed Access option to ENABLED. This option gives users access to the app based on the management policies that you apply.
      4. Configure the remaining settings as needed.
      5. ADD the new assignment.
      airwatch-ios-app-assignment.png
    13. (Optional) To exclude certain Smart Groups from accessing the app, select Exclusions and then select the Smart Groups that you want to exclude from the Exclusion field.
      airwatch-ios-app-exclusion.png
    14. SAVE & PUBLISH the configuration to the assigned Smart Groups.

Related Documentation