Configure a User-Initiated Remote Access VPN Configuration for iOS Endpoints Using AirWatch

In a remote access (On-Demand) VPN configuration, users must manually launch the app to establish the secure GlobalProtect connection. Traffic that matches specific filters (such as port and IP address) configured on the GlobalProtect gateway is routed through the VPN tunnel only after users initiate and establish the connection.
Use the following steps to configure a user-initiated remote access VPN configuration for iOS endpoints using AirWatch:
  1. Download the GlobalProtect app for iOS.
  2. From the AirWatch console, modify an existing Apple iOS profile or add a new one.
    1. Select DevicesProfiles & ResourcesProfiles, and then ADD a new profile.
    2. Select iOS from the platform list.
  3. Configure the General settings:
    1. Enter a Name for the profile.
    2. (Optional) Enter a brief Description of the profile that indicates its purpose.
    3. (Optional) Select the Deployment method, which indicates whether the profile will be removed automatically upon unenrollment—either Managed (the profile is removed) or Manual (the profile remains installed until it is removed by the end user).
    4. (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
    5. (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
    6. (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
    7. (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
    8. (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
    9. (Optional) If you enable the option to Install only on devices inside selected areas, the profile can be installed only on endpoints in specified geofence or iBeacon regions. When prompted, add the geofence or iBeacon regions in the Assigned Geofence Areas field.
    10. (Optional) If you Enable Scheduling and install only during selected time periods, you can apply a time schedule (DevicesProfiles & ResourcesProfiles SettingsTime Schedules) to the profile installation, which limits the periods of time during which the profile can be installed on endpoints. When prompted, enter the schedule name in the Assigned Schedules field.
    11. (Optional) Select the Removal Date on which you want the profile to be removed from all endpoints.
  4. Configure the Credentials settings:
    All remote access VPN configurations for iOS endpoints require certificate-based authentication.
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
    • To pull client certificates from AirWatch users:
      1. Set the Credential Source to User Certificate.
      2. Select the S/MIME Signing Certificate (default).
    • To upload a client certificate manually:
      1. Set the Credential Source to Upload.
      2. Enter a Credential Name.
      3. Click UPLOAD to locate and select the certificate that you want to upload.
      4. After you select a certificate, click SAVE.
    • To use a predefined certificate authority and template:
      1. Set the Credential Source to Defined Certificate Authority.
      2. Select the Certificate Authority from which you want obtain certificates.
      3. Select the Certificate Template for the certificate authority.
  5. Configure the VPN settings:
    1. Enter the Connection Name that the endpoint displays.
    2. Select the network Connection Type:
      • For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect.
      • For GlobalProtect app 5.0 and later releases, select Custom.
    3. (Optional) If you set the Connection Type to Custom, enter the following bundle ID in the Identifier field to identify the GlobalProtect app:
    4. In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
    5. (Optional) Enter the username of the VPN Account or click the add (+) button to view supported lookup values that you can insert.
    6. (Optional) In the Disconnect on idle field, specify the amount of time (in seconds) at which an endpoint logs out of the GlobalProtect app after the app stops routing traffic through the VPN tunnel.
    7. In the Authentication area, set the user Authentication method to Certificate.
      All remote access VPN configurations for iOS endpoints require certificate-based authentication.
    8. When prompted, select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
    9. Ensure that the Enable VPN On Demand option is enabled (default setting).
    10. (Optional) Configure legacy VPN On-Demand connection rules:
      • Match Domain or Host—Enter the domain or hostname that triggers the GlobalProtect connection to establish when accessed by users.
      • On Demand Action—Set the On Demand Action to Establish if Needed or Always Establish to establish the GlobalProtect connection only if users cannot reach the specified domain or hostname directly. Set the On Demand Action to Never Establish to prevent the GlobalProtect connection from establishing when users access the specified domain or hostname. If the connection is already established, it can continue to be used.
    11. (Optional) Set more granular On-Demand connection rules by enabling the GlobalProtect app to Use new on-demand keys. You can add multiple rules by clicking ADD RULE.
      • In the On-Demand Rule area, select an Action to apply to the GlobalProtect connection based on the Criteria that you define:
        • Evaluate Connection—Automatically establish the GlobalProtect connection based on the network and connection settings. This evaluation occurs each time a user attempts to connect to a domain.
        • Connect—Automatically establish the GlobalProtect connection.
        • Disconnect—Automatically disable GlobalProtect and prevent GlobalProtect from reconnecting.
        • Ignore—Leave the existing GlobalProtect connection as is and prevent GlobalProtect from reconnecting if it disconnects.
      • (Optional) If you set the Action for your On-Demand connection rule to Evaluate Connection, you must also configure an Action Parameter to specify whether or not GlobalProtect can attempt to reconnect if domain name resolution fails during the connection evaluation (for example, if the DNS server fails to respond due to a timeout). You can add multiple parameters by clicking ADD ACTION PARAMETERS.
        • Set the Domain Action to Connect if Needed to enable GlobalProtect to reconnect or to Never Connect to prevent GlobalProtect from reconnecting.
        • Enter the Domains for which this Action Parameter applies.
        • (Optional) If you set the Domain Action to Connect if Needed, enter the HTTP or HTTPS URL that you want to probe in the URL Probe field. If the hostname of the URL cannot be resolved, the server is unreachable, or the server does not respond with a 200 HTTP status code, the GlobalProtect connection establishes.
        • (Optional) If you set the Domain Action to Connect if Needed, enter the IP addresses of the DNS Servers (internal or trusted external) used to resolve the specified Domains. If the DNS servers are not reachable, the GlobalProtect connection establishes.
      • Configure the following Criteria to match against for your On-Demand connection rule. If an endpoint matches all specified criteria, the On-Demand connection rule is applied to that endpoint.
        • Interface Match—Specify the connection type to match against the endpoint’s network adapter: Any, Ethernet, Wi-Fi, Cellular.
        • URL Probe—Enter the HTTP or HTTPS URL to match against. If the match is successful, a 200 HTTP status code is returned.
        • SSID Match—Enter the network SSID to match against. You can add multiple network SSIDs by clicking the add (+) button. For a successful match, the endpoint must match at least one specified network SSID.
        • DNS Domain Match—Enter the DNS search domain to match against. You can also match with a Wildcard record (such as * to include all subdomains.
        • DNS Address Match—Enter the DNS server IP address to match against. You can add multiple DNS server IP addresses by clicking the add (+) button. You can also match with a single Wildcard record (such as 17.*) that includes all DNS servers without IP addresses. For a successful match, all DNS server IP addresses listed on the endpoint must match the specified DNS server IP addresses.
    12. (Optional) Select the Proxy type and configure the relevant settings.
  6. (Optional) (starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.
    GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.
    • If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configuration area. Set the Key to mobile_id and the Value to {DeviceUid}.
    • If you are using the Custom network Connection Type, go to the VPN settings and ADDCustom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
  7. SAVE & PUBLISH your changes.

Related Documentation