Create a Device Profile with Prisma Access Agent for iOS Endpoints Using Microsoft Intune
Create a device profile in Microsoft Intune and configure Prisma Access Agent in the profile's VPN settings with the authentication method and connect method you want. When you deploy the Prisma Access Agent, Intune pushes these settings to your managed iOS endpoints, and the agent uses them to establish the connection through which users reach your organization's network.
  1. In the Microsoft Intune admin center, go to Devices > iOS/iPadOS > Manage devices > Configuration.
  2. Click Create > New Policy.
  3. Set Profile type to Templates and select VPN as the template name.
  4. Click Create to create the VPN settings for Prisma Access Agent.
  5. In the Basics tab, enter a name and description and click Next.
  6. In the Configuration settings tab, set Connection type to Custom VPN.
  7. Expand the Base VPN section and specify the following details:
    1. Enter the Connection name that will be displayed to end users on their endpoints.
    2. In VPN server address, enter the server address of the Prisma Access Agent Manager.
    3. Select the authentication method that your deployment requires. If you use certificates to authenticate to the app, you must push the certificate to the endpoints first. The supported authentication methods are:
      SAML authentication
        Set Authentication method to Username and password and leave the username and password fields blank.
        Local authentication is not supported.
        SAML authentication isn't supported with the Always-On connect method.
      Certificates
        1. Set Authentication method to Certificates.
        2. Select the SCEP certificate to authenticate the connection.
      You can leave the Split tunneling option blank. If you want split tunneling, the Per-App connect method is recommended instead.
    4. Set VPN identifier to com.paloaltonetworks.prismaaccessagent.
    5. Enter key-value pairs for your organization's custom VPN attributes. Microsoft Intune supports the following keys for iOS devices. Each key takes a String value and each is a tag that identifies the device in security policy: you can set any value, the value appears in the HIP report, and you can match it in security policy rules.
      Key           Example value
      tag           GuestAccount, HRdepartment
      compliance    yes
      ownership     corporation owned
  8. Expand the Automatic VPN section and configure one of the following connect methods:
    On-Demand
      Users must manually open the Prisma Access Agent to initiate a connection.
      Set Type of automatic VPN to Not configured.
    Always-On
      Prisma Access Agent connects automatically.
      1. Set Type of automatic VPN to On-demand VPN.
      2. Click Add to add an on-demand rule.
      3. Set I want to do the following to Connect VPN.
      4. Under I want to restrict to, select All domains.
      5. Click Save.
    Per-App
      In a per-app configuration, you choose the managed apps whose traffic is routed through Prisma Access Agent. When a user opens one of those apps, Prisma Access Agent connects automatically, and only the traffic of the managed apps configured in this profile is routed through it.
      You can attach the VPN profile to an app, add the URLs of the apps you want to reach, or do both.
      To add app URLs:
      1. Set Type of automatic VPN to Per-app VPN.
      2. Add one or more website URLs. When a user visits one of these URLs in Safari on the device, the VPN connection is established automatically.
      3. Enter the Associated Domains to use with Prisma Access Agent.
      4. In Excluded Domains, enter the Safari domains that bypass Prisma Access Agent under the per-app connect method. Traffic to the excluded domains goes over the public internet even while Prisma Access Agent is connected.
      5. Optionally, enable Block users from disabling automatic VPN.
  9. Click Next.
  10. Assign user groups and device groups to the device profile. To deploy the policy broadly to all applicable devices, select Add all users or Add all devices.
  11. Click Next.
  12. Review the policy summary and click Create to create the device configuration profile.
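The procedure above ends in a device profile that Intune delivers to the endpoint as an Apple managed-VPN payload. As an added example (not code from this page, Microsoft, or Palo Alto Networks), the following Python builds that payload from the settings chosen in steps 6 through 8 and enforces the constraints the page states: only SAML or certificate authentication is accepted, SAML cannot be paired with Always-On, certificate authentication needs a certificate already pushed to the device, and only the three listed custom attribute keys are allowed. The key mapping follows Apple's com.apple.vpn.managed payload format and is assumed to match what Intune emits for this template; the page does not show Intune's actual output. The server name, domains and certificate UUID in the sample run are constructed.

```python
"""Added example: build the Apple managed-VPN payload equivalent to the Intune
settings on this page. Not Intune's or Palo Alto Networks' code; the key
mapping follows Apple's com.apple.vpn.managed payload format (assumed to be
what Intune emits for this template; the page does not show Intune's output).
"""
import plistlib
import uuid

# VPN identifier from the page (the Prisma Access Agent bundle identifier).
VPN_IDENTIFIER = "com.paloaltonetworks.prismaaccessagent"

# Custom VPN attribute keys the page lists; all take String values.
CUSTOM_ATTRIBUTE_KEYS = ("tag", "compliance", "ownership")


def build_vpn_payload(connection_name, server_address, auth_method,
                      connect_method, custom_attrs=None, cert_uuid=None,
                      safari_domains=(), associated_domains=(),
                      excluded_domains=(), block_user_override=False):
    """Return one com.apple.vpn.managed payload as a dict.

    auth_method:    "saml" (Username and password with both fields blank)
                    or "certificate" (SCEP certificate already on the device).
    connect_method: "on-demand", "always-on" or "per-app".
    Raises ValueError for combinations the page says are unsupported.
    """
    if auth_method not in ("saml", "certificate"):
        raise ValueError("local authentication is not supported; "
                         "use 'saml' or 'certificate'")
    if connect_method not in ("on-demand", "always-on", "per-app"):
        raise ValueError(f"unknown connect method {connect_method!r}")
    if auth_method == "saml" and connect_method == "always-on":
        raise ValueError("SAML authentication is not supported with Always-On")
    if auth_method == "certificate" and not cert_uuid:
        raise ValueError("certificate authentication needs a certificate "
                         "payload pushed to the endpoint")
    custom_attrs = dict(custom_attrs or {})
    unknown = set(custom_attrs) - set(CUSTOM_ATTRIBUTE_KEYS)
    if unknown:
        raise ValueError(f"unsupported custom VPN attribute(s): {sorted(unknown)}")

    vpn = {"RemoteAddress": server_address}
    if auth_method == "saml":
        # "Username and password" with empty fields: the agent performs SAML itself.
        vpn["AuthenticationMethod"] = "Password"
    else:
        vpn["AuthenticationMethod"] = "Certificate"
        vpn["PayloadCertificateUUID"] = cert_uuid

    if connect_method == "always-on":
        # Intune's "Connect VPN" rule restricted to "All domains": assumed to be a
        # Connect rule with no match criteria, so it applies on every network.
        vpn["OnDemandEnabled"] = 1
        vpn["OnDemandRules"] = [{"Action": "Connect"}]
    elif connect_method == "on-demand":
        vpn["OnDemandEnabled"] = 0  # user opens the app to connect
    # per-app: the app/domain match below drives the connection instead.
    if block_user_override:
        vpn["OnDemandUserOverrideDisabled"] = True

    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{VPN_IDENTIFIER}.vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": connection_name,
        "UserDefinedName": connection_name,
        "VPNType": "VPN",              # third-party VPN app (NetworkExtension)
        "VPNSubType": VPN_IDENTIFIER,  # which app owns this configuration
        "VPN": vpn,
        # The custom attributes reach the agent here and then appear in the HIP report.
        "VendorConfig": {k: str(v) for k, v in custom_attrs.items()},
    }
    if connect_method == "per-app":
        payload["OnDemandMatchAppEnabled"] = True
        payload["SafariDomains"] = list(safari_domains)
        payload["AssociatedDomains"] = list(associated_domains)
        payload["ExcludedDomains"] = list(excluded_domains)
    return payload


def to_mobileconfig(vpn_payload, profile_name="Prisma Access Agent VPN"):
    """Wrap a VPN payload in a top-level configuration profile and serialize it."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{VPN_IDENTIFIER}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": profile_name,
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Parse a serialized profile back into a dict to inspect what was built."""
    return plistlib.loads(data)


def rejects(**kwargs):
    """True if build_vpn_payload refuses the given settings."""
    try:
        build_vpn_payload(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: per-app, SAML, with the page's tag attribute.
    p = build_vpn_payload("Prisma Access", "agent-manager.example.com",
                          "saml", "per-app", {"tag": "GuestAccount"},
                          safari_domains=["intranet.example.com"],
                          excluded_domains=["public.example.com"])
    print(to_mobileconfig(p).decode())
```

Running the block prints the per-app profile; calling build_vpn_payload with "saml" and "always-on", or with "certificate" and no cert_uuid, raises before any payload is produced, which is the check you want before a profile is assigned to all devices.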