Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using AirWatch

In a remote access (On-Demand) VPN configuration, users must manually launch the app to establish the secure GlobalProtect connection. Traffic that matches specific filters (such as port and IP address) configured on the GlobalProtect gateway is routed through the VPN tunnel only after users initiate and establish the connection.
Use the following steps to configure a user-initiated remote access VPN configuration for iOS endpoints using AirWatch:
  1. Download the GlobalProtect app for iOS.
  2. From the AirWatch console, modify an existing Apple iOS profile or add a new one.
    1. Select
      Devices
      Profiles & Resources
      Profiles
      , and then
      ADD
      a new profile.
    2. Select
      iOS
      from the platform list.
      airwatch-add-ios-profile.png
  3. Configure the
    General
    settings:
    1. Enter a
      Name
      for the profile.
    2. (
      Optional
      ) Enter a brief
      Description
      of the profile that indicates its purpose.
    3. (
      Optional
      ) Select the
      Deployment
      method, which indicates whether the profile will be removed automatically upon unenrollment—either
      Managed
      (the profile is removed) or
      Manual
      (the profile remains installed until it is removed by the end user).
    4. (
      Optional
      ) Select an
      Assignment Type
      to determine how the profile is deployed to endpoints. Select
      Auto
      to deploy the profile to all endpoints automatically,
      Optional
      to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or
      Compliance
      to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (
      Optional
      ) Select whether or not you want to
      Allow Removal
      of the profile by the end user. Select
      Always
      to enable the end user to manually remove the profile at any time,
      Never
      to prevent the end user from removing the profile, or
      With Authorization
      to enable the end user to remove the profile with the authorization of the administrator. Choosing
      With Authorization
      adds a required Password.
    6. (
      Optional
      ) In the
      Managed By
      field, enter the Organization Group with administrative access to the profile.
    7. (
      Optional
      ) In the
      Assigned Groups
      field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (
      Optional
      ) Indicate whether you want to include any
      Exclusions
      to the assignment of this profile. If you select
      Yes
      , the
      Excluded Groups
      field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    9. (
      Optional
      ) If you enable the option to
      Install only on devices inside selected areas
      , the profile can be installed only on endpoints in specified geofence or iBeacon regions. When prompted, add the geofence or iBeacon regions in the
      Assigned Geofence Areas
      field.
    10. (
      Optional
      ) If you
      Enable Scheduling and install only during selected time periods
      , you can apply a time schedule (
      Devices
      Profiles & Resources
      Profiles Settings
      Time Schedules
      ) to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in the
      Assigned Schedules
      field.
    11. (
      Optional
      ) Select the
      Removal Date
      on which you want the profile to be removed from all endpoints.
    airwatch-ios-general-settings.png
  4. Configure the
    Credentials
    settings:
    All remote access VPN configurations for iOS endpoints require certificate-based authentication.
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
    • To pull client certificates from AirWatch users:
      1. Set the
        Credential Source
        to
        User Certificate
        .
      2. Select the
        S/MIME Signing Certificate
        (default).
      airwatch-ios-credentials-user-cert.png
    • To upload a client certificate manually:
      1. Set the
        Credential Source
        to
        Upload
        .
      2. Enter a
        Credential Name
        .
      3. Click
        UPLOAD
        to locate and select the certificate that you want to upload.
      4. After you select a certificate, click
        SAVE
        .
      airwatch-ios-credentials-upload.png
    • To use a predefined certificate authority and template:
      1. Set the
        Credential Source
        to
        Defined Certificate Authority
        .
      2. Select the
        Certificate Authority
        from which you want obtain certificates.
      3. Select the
        Certificate Template
        for the certificate authority.
      airwatch-ios-credentials-CA.png
  5. Configure the
    VPN
    settings:
    1. Enter the
      Connection Name
      that the endpoint displays.
    2. Select the network
      Connection Type
      :
      • For GlobalProtect app 4.1.x and earlier releases, select
        Palo Alto Networks GlobalProtect
        .
      • For GlobalProtect app 5.0 and later releases, select
        Custom
        .
    3. (
      Optional
      ) If you set the
      Connection Type
      to
      Custom
      , enter the following bundle ID in the
      Identifier
      field to identify the GlobalProtect app:
      com.paloaltonetworks.globalprotect.vpn
      airwatch-ios-vpn-custom.png
    4. In the
      Server
      field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. (
      Optional
      ) Enter the username of the VPN
      Account
      or click the add (
      +
      ) button to view supported lookup values that you can insert.
    6. (
      Optional
      ) In the
      Disconnect on idle
      field, specify the amount of time (in seconds) at which an endpoint logs out of the GlobalProtect app after the app stops routing traffic through the VPN tunnel.
    7. In the Authentication area, set the user
      Authentication
      method to
      Certificate
      .
      All remote access VPN configurations for iOS endpoints require certificate-based authentication.
    8. When prompted, select the
      Identity Certificate
      that GlobalProtect will use to authenticate users. The
      Identity Certificate
      is the same certificate that you configured in the
      Credentials
      settings.
    9. Ensure that the
      Enable VPN On Demand
      option is enabled (default setting).
      airwatch-ios-vpn-authentication-on-demand.png
    10. (
      Optional
      ) Configure legacy
      VPN On-Demand
      connection rules:
      • Match Domain or Host
        —Enter the domain or hostname that triggers the GlobalProtect connection to establish when accessed by users.
      • On Demand Action
        —Set the
        On Demand Action
        to
        Establish if Needed
        or
        Always Establish
        to establish the GlobalProtect connection only if users cannot reach the specified domain or hostname directly. Set the
        On Demand Action
        to
        Never Establish
        to prevent the GlobalProtect connection from establishing when users access the specified domain or hostname. If the connection is already established, it can continue to be used.
      airwatch-ios-vpn-authentication-on-demand-legacy.png
    11. (
      Optional
      ) Set more granular On-Demand connection rules by enabling the GlobalProtect app to
      Use new on-demand keys
      . You can add multiple rules by clicking
      ADD RULE
      .
      airwatch-ios-vpn-authentication-on-demand-new.png
      • In the On-Demand Rule area, select an
        Action
        to apply to the GlobalProtect connection based on the Criteria that you define:
        • Evaluate Connection
          —Automatically establish the GlobalProtect connection based on the network and connection settings. This evaluation occurs each time a user attempts to connect to a domain.
        • Connect
          —Automatically establish the GlobalProtect connection.
        • Disconnect
          —Automatically disable GlobalProtect and prevent GlobalProtect from reconnecting.
        • Ignore
          —Leave the existing GlobalProtect connection as is and prevent GlobalProtect from reconnecting if it disconnects.
          airwatch-ios-vpn-authentication-on-demand-rule.png
      • (
        Optional
        ) If you set the
        Action
        for your On-Demand connection rule to
        Evaluate Connection
        , you must also configure an Action Parameter to specify whether or not GlobalProtect can attempt to reconnect if domain name resolution fails during the connection evaluation (for example, if the DNS server fails to respond due to a timeout). You can add multiple parameters by clicking
        ADD ACTION PARAMETERS
        .
        • Set the
          Domain Action
          to
          Connect if Needed
          to enable GlobalProtect to reconnect or to
          Never Connect
          to prevent GlobalProtect from reconnecting.
        • Enter the
          Domains
          for which this
          Action Parameter
          applies.
        • (
          Optional
          ) If you set the
          Domain Action
          to
          Connect if Needed
          , enter the HTTP or HTTPS URL that you want to probe in the
          URL Probe
          field. If the hostname of the URL cannot be resolved, the server is unreachable, or the server does not respond with a 200 HTTP status code, the GlobalProtect connection establishes.
        • (
          Optional
          ) If you set the
          Domain Action
          to
          Connect if Needed
          , enter the IP addresses of the
          DNS Servers
          (internal or trusted external) used to resolve the specified
          Domains
          . If the DNS servers are not reachable, the GlobalProtect connection establishes.
          airwatch-ios-vpn-authentication-on-demand-action-parameter.png
      • Configure the following Criteria to match against for your On-Demand connection rule. If an endpoint matches all specified criteria, the On-Demand connection rule is applied to that endpoint.
        • Interface Match
          —Specify the connection type to match against the endpoint’s network adapter:
          Any
          ,
          Ethernet
          ,
          Wi-Fi
          ,
          Cellular
          .
        • URL Probe
          —Enter the HTTP or HTTPS URL to match against. If the match is successful, a 200 HTTP status code is returned.
        • SSID Match
          —Enter the network SSID to match against. You can add multiple network SSIDs by clicking the add (
          +
          ) button. For a successful match, the endpoint must match at least one specified network SSID.
        • DNS Domain Match
          —Enter the DNS search domain to match against. You can also match with a Wildcard record (such as
          *.example.com
          ) to include all subdomains.
        • DNS Address Match
          —Enter the DNS server IP address to match against. You can add multiple DNS server IP addresses by clicking the add (
          +
          ) button. You can also match with a single Wildcard record (such as
          17.*
          ) that includes all DNS servers without IP addresses. For a successful match, all DNS server IP addresses listed on the endpoint must match the specified DNS server IP addresses.
          airwatch-ios-vpn-authentication-on-demand-criteria.png
    12. (
      Optional
      ) Select the
      Proxy
      type and configure the relevant settings.
  6. (
    Optional
    ) (
    starting with GlobalProtect app 5.0
    ) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    • If you are using the
      Palo Alto Networks GlobalProtect
      network
      Connection Type
      , go to the
      VPN
      settings and enable
      Vendor Keys
      in the Vendor Configuration area. Set the
      Key
      to
      mobile_id
      and the
      Value
      to
      {DeviceUid}
      .
      airwatch-ios-vpn-udid.png
    • If you are using the
      Custom
      network
      Connection Type
      , go to the
      VPN
      settings and
      ADD
      Custom Data
      in the Connection Info area. Set the
      Key
      to
      mobile_id
      and the
      Value
      to
      {DeviceUid}
      .
      airwatch-ios-vpn-udid-custom.png
  7. SAVE & PUBLISH
    your changes.

Related Documentation