GlobalProtect
Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE
You can enable access to internal resources from your managed mobile endpoints by configuring
GlobalProtect VPN access using Workspace ONE. In a per-app VPN configuration, you
can specify which managed apps can route traffic through the VPN tunnel. Unmanaged
apps will continue to connect directly to the internet instead of through the VPN
tunnel.
Use the following steps to configure a per-app VPN configuration for iOS endpoints using
Workspace ONE:
- Download the GlobalProtect app for iOS:
- Download the GlobalProtect app directly from the App Store.
- From the Workspace ONE console, modify an existing Apple iOS profile or add a new one.
- Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
- Select iOS from the platform list.
- Configure the General settings:
- Enter a Name for the profile.
- (Optional) Enter a brief Description of the profile that indicates its purpose.
- (Optional) Select the Deployment method, which indicates whether the profile will be removed automatically upon unenrollment: either Managed (the profile is removed) or Manual (the profile remains installed until it is removed by the end user).
- (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
- (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
- (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
- (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
- (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.
- Configure the Credentials settings. All per-app VPN configurations require certificate-based authentication. Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.
- To pull client certificates from Workspace ONE users:
- Set the Credential Source to User Certificate.
- Select the S/MIME Signing Certificate (default).
- To upload a client certificate manually:
- Set the Credential Source to Upload.
- Enter a Credential Name.
- Click UPLOAD to locate and select the certificate that you want to upload.
- After you select a certificate, click SAVE.
- To use a predefined certificate authority and template:
- Set the Credential Source to Defined Certificate Authority.
- Select the Certificate Authority from which you want to obtain certificates.
- Select the Certificate Template for the certificate authority.
- Configure the VPN settings:
- Enter the Connection Name that the endpoint displays.
- Select the network Connection Type:
- For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect.
- For GlobalProtect app 5.0 and later releases, select Custom.
- (Optional) If you set the Connection Type to Custom, enter the bundle ID (com.paloaltonetworks.globalprotect.vpn) in the Identifier field to identify the GlobalProtect app.
- In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
- (Optional) Enter the username of the VPN Account or click the add (+) button to view supported lookup values that you can insert.
- (Optional) In the Disconnect on idle field, specify the amount of time (in seconds) after which an endpoint logs out of the GlobalProtect app once the app stops routing traffic through the VPN tunnel.
- Enable Per App VPN Rules to route all traffic for managed apps through the GlobalProtect VPN tunnel.
- Enable GlobalProtect to Connect Automatically to specified Safari Domains. You can add multiple Safari Domains by clicking the add (+) button.
- Set the Provider Type to indicate how traffic will be tunneled, either at the application layer or at the IP layer. Use PacketTunnel.
- In the Authentication area, set the user Authentication method to Certificate. All per-app VPN configurations require certificate-based authentication.
- When prompted, select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
- (Optional) Select the Proxy type and configure the relevant settings.
- (Optional) (Starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute. GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. For the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration: the GlobalProtect app generates a new UDID, but it cannot be used for the integration.
- If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configuration area. Set the Key to mobile_id and the Value to {DeviceUid}.
- If you are using the Custom network Connection Type, go to the VPN settings and ADD Custom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
- SAVE & PUBLISH your changes.
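The VPN profile defined by the steps above is delivered to the endpoint as an Apple per-app VPN payload. The following Python is an added illustration, not part of this documentation and not Workspace ONE's own output: it builds such a payload with the settings the steps require (Custom connection type identified by the GlobalProtect bundle ID, PacketTunnel, certificate authentication, Per App VPN Rules, Safari Domains, and the mobile_id Custom Data) and audits a payload for the settings the text says are mandatory. The mapping to Apple's payload keys, the portal hostname and the certificate UUID are assumptions.

```python
import plistlib
import uuid

GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"  # bundle ID named in the steps above

def build_per_app_vpn_payload(portal, cert_uuid, safari_domains=()):
    """Assumed Apple per-app VPN payload mirroring the Workspace ONE VPN settings."""
    vpn = {
        "RemoteAddress": portal,                 # the Server field (assumed placeholder value)
        "AuthenticationMethod": "Certificate",   # required for every per-app VPN profile
        "PayloadCertificateUUID": cert_uuid,     # identity cert from the Credentials settings
        "OnDemandMatchAppEnabled": True,         # Per App VPN Rules
    }
    return {
        "PayloadType": "com.apple.vpn.managed.applayer",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.globalprotect.vpn",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "GlobalProtect per-app VPN",
        "UserDefinedName": "GlobalProtect",      # Connection Name shown on the endpoint
        "VPNType": "VPN",                        # Custom connection type (GlobalProtect 5.0+)
        "VPNSubType": GP_BUNDLE_ID,              # Identifier field
        "ProviderType": "packet-tunnel",         # PacketTunnel provider type
        "VPN": vpn,
        "SafariDomains": list(safari_domains),   # Connect Automatically for these domains
        # Custom Data for HIP/MDM integration; the MDM expands {DeviceUid} on delivery
        "VendorConfig": {"mobile_id": "{DeviceUid}"},
    }

def audit_payload(payload):
    """Return the mandatory settings this payload gets wrong (empty list means it passes)."""
    problems = []
    if payload.get("PayloadType") != "com.apple.vpn.managed.applayer":
        problems.append("not a per-app VPN payload")
    if payload.get("VPNSubType") != GP_BUNDLE_ID:
        problems.append("VPNSubType is not the GlobalProtect bundle ID")
    if payload.get("ProviderType") != "packet-tunnel":
        problems.append("ProviderType must be packet-tunnel")
    vpn = payload.get("VPN", {})
    if vpn.get("AuthenticationMethod") != "Certificate" or not vpn.get("PayloadCertificateUUID"):
        problems.append("certificate authentication with an identity certificate is required")
    if payload.get("VendorConfig", {}).get("mobile_id") != "{DeviceUid}":
        problems.append("mobile_id={DeviceUid} missing; HIP/MDM integration will not work")
    return problems

def to_mobileconfig_xml(payload):
    """Serialize the payload to the XML plist form an MDM pushes to the device."""
    return plistlib.dumps(payload).decode()
```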
- Configure per-app VPN settings for a new managed app or modify the settings for an existing managed app. After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.
- Select APPS & BOOKS > Applications > Native > Public.
- To add a new app, select ADD APPLICATION. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit (
- In the Managed By field, select the organization group that will manage this app.
- Set the Platform to Apple iOS.
- Select your preferred Source for locating the app:
- SEARCH APP STORE: Enter the Name of the app.
- ENTER URL: Enter the App Store URL for the app (for example, to add the Box app, enter https://itunes.apple.com/us/app/box-for-iphone-and-ipad/id290853822?mt=8&uo=4).
- Click NEXT. If you chose to search the App Store, you must also SELECT the app from the list of search results.
- On the Add Application dialog, ensure that the app Name is correct. This is the name that will appear in the Workspace ONE App Catalog.
- (Optional) Assign the app to pre-defined or custom Categories for ease of access in the Workspace ONE App Catalog.
- SAVE & ASSIGN the new app.
- Select the newly added app from the list of Public apps (List View).
- From the Applications Details View, click ASSIGN at the top-right corner of the screen.
- Select Assignments and then click ADD ASSIGNMENT to add the Smart Groups that will have access to this app.
- In the Select Assignment Groups field, select the Smart Groups that you want to grant access to this app.
- Select the App Delivery Method. If you select AUTO, the app is automatically deployed to the specified Smart Groups. If you select ON DEMAND, the app must be deployed manually.
- Set the Managed Access option to ENABLED. This option gives users access to the app based on the management policies that you apply.
- Configure the remaining settings as needed.
- ADD the new assignment.
- (Optional) To exclude certain Smart Groups from accessing the app, select Exclusions and then, in the Exclusion field, select the Smart Groups that you want to exclude.
- SAVE & PUBLISH the configuration to the assigned Smart Groups.