GlobalProtect
Configure an Always On VPN Configuration for iOS Endpoints Using Workspace ONE
In an Always On VPN configuration, the GlobalProtect connection is kept up at all times: on iOS this is achieved by enabling VPN On Demand in the profile with a rule whose action is Connect, so the tunnel is established whenever the endpoint has network connectivity. Traffic that matches the filters (such as port and IP address) configured on the GlobalProtect gateway is always routed through the VPN tunnel.
Use the following steps to configure an Always On VPN configuration for iOS endpoints using
Workspace ONE:
- Download the GlobalProtect app for iOS.
- Download the GlobalProtect app directly from the App Store.
- From the Workspace ONE console, modify an existing Apple iOS profile or add a new one.
- Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
- Select iOS from the platform list.
- Configure the General settings:
- Enter a Name for the profile.
- (Optional) Enter a brief Description of the profile that indicates its purpose.
- (Optional) Select the Deployment method, which indicates whether the profile is removed automatically upon unenrollment: either Managed (the profile is removed) or Manual (the profile remains installed until the end user removes it).
- (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to let the end user install the profile from the Self-Service Portal (SSP) or to deploy the profile manually to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy that applies to the endpoint.
- (Optional) Select whether you want to Allow Removal of the profile by the end user. Select Always to let the end user remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to let the end user remove the profile only with administrator authorization. Choosing With Authorization adds a required Password.
- (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
- (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile assigned. This field includes an option to create a new Smart Group, which can be configured with criteria such as minimum OS, device models, ownership categories, and organization groups.
- (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field appears, letting you select the Smart Groups to exclude from the assignment of this profile.
- (Optional) If you enable Install only on devices inside selected areas, the profile can be installed only on endpoints in specified geofence or iBeacon regions. When prompted, add the geofence or iBeacon regions in the Assigned Geofence Areas field.
- (Optional) If you Enable Scheduling and install only during selected time periods, you can apply a time schedule (defined under Devices > Profiles & Resources > Profiles Settings > Time Schedules) to the profile installation, which limits the periods during which the profile can be installed on endpoints. When prompted, enter the schedule name in the Assigned Schedules field.
- (Optional) Select the Removal Date on which you want the profile removed from all endpoints.
- (Optional) If your GlobalProtect deployment requires client certificate authentication, configure the Credentials settings. Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server by any other method, the GlobalProtect app cannot use them.
- To pull client certificates from Workspace ONE users:
- Set the Credential Source to User Certificate.
- Select the S/MIME Signing Certificate (default).
- To upload a client certificate manually:
- Set the Credential Source to Upload.
- Enter a Credential Name.
- Click UPLOAD to locate and select the certificate that you want to upload.
- After you select a certificate, click SAVE.
- To use a predefined certificate authority and template:
- Set the Credential Source to Defined Certificate Authority.
- Select the Certificate Authority from which you want to obtain certificates.
- Select the Certificate Template for the certificate authority.
- Configure the VPN settings:
- Enter the Connection Name that the endpoint displays.
- Select the network Connection Type:
- For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect.
- For GlobalProtect app 5.0 and later releases, select Custom.
- (Optional) If you set the Connection Type to Custom, enter the bundle ID (com.paloaltonetworks.globalprotect.vpn) in the Identifier field to identify the GlobalProtect app.
- In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
- (Optional) Enter the username of the VPN Account, or click the add (+) button to view supported lookup values that you can insert.
- (Optional) In the Disconnect on idle field, specify the time (in seconds) after which the endpoint logs out of the GlobalProtect app once the app stops routing traffic through the VPN tunnel.
- In the Authentication area, select a user Authentication method: Password, Certificate, or Password + Certificate.
- When prompted, enter a Password and/or select the Identity Certificate that GlobalProtect uses to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
- Enable VPN On Demand and Use new on demand keys.
- Configure an on-demand rule with Action: Connect.
- (Optional) Select the Proxy type and configure the relevant settings.
- (Optional) (Starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute. GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. For the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway; the UDID attribute lets the app retrieve and use the UDID in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration: the GlobalProtect app generates a new UDID, but that value cannot be used for the integration.
- If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configurations area. Set the Key to mobile_id and the Value to {DeviceUid}.
- If you are using the Custom network Connection Type, go to the VPN settings and ADD Custom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
- SAVE & PUBLISH your changes.
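What Workspace ONE publishes from the steps above is an Apple configuration profile (.mobileconfig). The following script, an added example that is not Palo Alto Networks or Workspace ONE code, builds a constructed profile that mirrors those settings and lints it for the points the procedure depends on: the Custom connection type bound to the GlobalProtect bundle ID, VPN On Demand with a Connect rule and the new on-demand keys, the identity certificate delivered inside the same profile (the iOS 12 requirement), and the mobile_id vendor key for HIP/MDM integration. It assumes the key layout of Apple's com.apple.vpn.managed payload as described in Apple's configuration-profile reference; the portal hostname portal.example.com, the placeholder certificate bytes, and the sample profiles are constructed for illustration.

```python
"""Lint an iOS VPN configuration profile for Always On GlobalProtect settings.
Added example; key names follow Apple's com.apple.vpn.managed payload (assumption),
and the sample profiles built here are constructed, not exported from a tenant."""
import plistlib
import uuid

GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"  # bundle ID from the procedure
# Deprecated on-demand keys that "Use new on demand keys" (OnDemandRules) replaces.
LEGACY_ON_DEMAND_KEYS = ("OnDemandMatchDomainsAlways",
                         "OnDemandMatchDomainsOnRetry",
                         "OnDemandMatchDomainsNever")


def build_profile(cert_in_profile=True, on_demand=True, legacy_keys=False,
                  mobile_id="{DeviceUid}"):
    """Return constructed .mobileconfig bytes (XML plist) mirroring the Workspace ONE
    steps. The flags let the lint below be exercised against broken variants."""
    cert_uuid = str(uuid.uuid4())
    vpn_settings = {
        "RemoteAddress": "portal.example.com",   # assumed GlobalProtect portal
        "AuthenticationMethod": "Certificate",
        "PayloadCertificateUUID": cert_uuid,      # must point at a payload in this profile
        "OnDemandEnabled": 1 if on_demand else 0,
        "OnDemandRules": [{"Action": "Connect"}],  # the Always On rule
    }
    if legacy_keys:
        vpn_settings["OnDemandMatchDomainsAlways"] = ["example.com"]
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadIdentifier": "example.gp.vpn",
        "PayloadVersion": 1,
        "UserDefinedName": "GlobalProtect",       # Connection Name shown on the endpoint
        "VPNType": "VPN",                         # Custom connection type
        "VPNSubType": GP_BUNDLE_ID,               # Identifier field
        "VPN": vpn_settings,
        "VendorConfig": {"mobile_id": mobile_id} if mobile_id else {},
    }
    payloads = [vpn_payload]
    if cert_in_profile:
        payloads.insert(0, {
            "PayloadType": "com.apple.security.pkcs12",
            "PayloadUUID": cert_uuid,
            "PayloadIdentifier": "example.gp.cert",
            "PayloadVersion": 1,
            "PayloadContent": b"\x30\x82\x01\x00",  # placeholder, not a real PKCS#12
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.gp.alwayson",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def lint_profile(raw: bytes) -> list[str]:
    """Return findings that would break the Always On behaviour; [] means clean."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    vpn_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpn_payloads:
        return ["no com.apple.vpn.managed payload in profile"]
    findings = []
    for p in vpn_payloads:
        vpn = p.get("VPN", {})
        if p.get("VPNType") != "VPN" or p.get("VPNSubType") != GP_BUNDLE_ID:
            findings.append("VPNSubType is not the GlobalProtect bundle ID; profile will not bind to the app")
        if not vpn.get("RemoteAddress"):
            findings.append("no portal address (RemoteAddress)")
        if vpn.get("OnDemandEnabled") != 1:
            findings.append("VPN On Demand disabled; tunnel is not always on")
        if not any(r.get("Action") == "Connect" for r in vpn.get("OnDemandRules", [])):
            findings.append("no on-demand rule with Action: Connect")
        if any(k in vpn for k in LEGACY_ON_DEMAND_KEYS):
            findings.append("legacy OnDemandMatchDomains* keys present; use OnDemandRules")
        if (vpn.get("AuthenticationMethod") == "Certificate"
                and vpn.get("PayloadCertificateUUID") not in cert_uuids):
            findings.append("identity certificate is not delivered inside this profile; "
                            "GlobalProtect on iOS 12+ cannot use it")
        if not p.get("VendorConfig", {}).get("mobile_id"):
            findings.append("VendorConfig lacks mobile_id; HIP/MDM integration will not work")
    return findings


if __name__ == "__main__":
    print("clean profile:", lint_profile(build_profile()))
    print("cert pushed separately:", lint_profile(build_profile(cert_in_profile=False)))
```

To lint a real export, replace the constructed bytes with the contents of a profile downloaded from the console; the mobile_id check expects the substituted UDID (or the {DeviceUid} placeholder) to be present, so an empty value is reported.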