Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE (2024)

Download the GlobalProtect app for iOS:

Deploy the GlobalProtect Mobile App Using Workspace ONE.

Download the GlobalProtect app directly from the App Store.

From the Workspace ONE console, modify an existing Apple iOS profile or add a new one.

Select

Devices

Profiles & Resources

Profiles

, and then

ADD

a new profile.

Select

iOS

from the platform list.



Configure the

General

settings:

Enter a

Name

for the profile.

(

Optional

) Enter a brief

Description

ofthe profile that indicates its purpose.

(

Optional

) Select the

Deployment

method,which indicates whether the profile will be removed automaticallyupon unenrollment—either

Managed

(the profileis removed) or

Manual

(the profile remainsinstalled until it is removed by the end user).

(

Optional

) Select an

Assignment Type

todetermine how the profile is deployed to endpoints. Select

Auto

todeploy the profile to all endpoints automatically,

Optional

toenable the end user to install the profile from the Self-ServicePortal (SSP) or to manually deploy the profile to individual endpoints,or

Compliance

to deploy the profile whenan end user violates a compliance policy applicable to the endpoint.

(

Optional

) Select whether or not you want to

AllowRemoval

of the profile by the end user. Select

Always

toenable the end user to manually remove the profile at any time,

Never

toprevent the end user from removing the profile, or

WithAuthorization

to enable the end user to remove the profilewith the authorization of the administrator. Choosing

WithAuthorization

adds a required Password.

(

Optional

) In the

Managed By

field, enterthe Organization Group with administrative access to the profile.

(

See Also

Configure Anyconnect PerApp VPN for iOS with Meraki System ManagerWas ist ein VPN auf deinem iPhone und brauchst du eines? (Update 2024)Set up per-app VPN for iOS/iPadOS devices in Microsoft IntuneHow to Configure Per-App VPN in iOS Devices?

Optional

) In the

Assigned Groups

field,add the Smart Groups to which you want the profile added. This fieldincludes an option to create a new Smart Group, which can be configuredwith specs for minimum OS, device models, ownership categories,organization groups, and more.

(

Optional

) Indicate whether you want to includeany

Exclusions

to the assignment of thisprofile. If you select

Yes

, the

ExcludedGroups

field displays, enabling you to select the SmartGroups that you wish to exclude from the assignment of this profile.



Configure the

Credentials

settings:

All per-app VPN configurations require certificate-based authentication.

Starting with iOS 12, if you want to use client certificatesfor GlobalProtect client authentication, you must deploy the clientcertificates as part of the VPN profile that is pushed from theMDM server. If you deploy client certificates from the MDM serverusing any other method, the certificates cannot be used by the GlobalProtectapp.

To pull client certificates from Workspace ONE users:

Set the

Credential Source

to

UserCertificate

.

Select the

S/MIME Signing Certificate

(default).



To upload a client certificate manually:

Setthe

Credential Source

to

Upload

.

Enter a

Credential Name

.

Click

UPLOAD

to locate and selectthe certificate that you want to upload.

After you select a certificate, click

SAVE

.



To use a predefined certificate authority and template:

Set the

Credential Source

to

DefinedCertificate Authority

.

Select the

Certificate Authority

fromwhich you want obtain certificates.

Select the

Certificate Template

forthe certificate authority.



Configure the

VPN

settings:

Enter the

Connection Name

that theendpoint displays.

Select the network

Connection Type

:

For GlobalProtect app 4.1.x and earlier releases, select

PaloAlto Networks GlobalProtect

.

For GlobalProtect app 5.0 and later releases, select

Custom

.

(

Optional

) If you set the

Connection Type

to

Custom

,enter the bundle ID (

com.paloaltonetworks.globalprotect.vpn

)in the

Identifier

field to identify the GlobalProtectapp.



In the

Server

field, enter the hostnameor IP address of the GlobalProtect portal to which users connect.

(

Optional

) Enter the username of the VPN

Account

See Also

Apple finalisiert seine VPN-Strategie: iOS 9 bringt Per-App-VPN für jedermann

orclick the add (

+

) button to view supportedlookup values that you can insert.

(

Optional

) In the

Disconnect on idle

field,specify the amount of time (in seconds) at which an endpoint logsout of the GlobalProtect app after the app stops routing trafficthrough the VPN tunnel.

Enable

Per App VPN Rules

to routeall traffic for managed apps through the GlobalProtect VPN tunnel.

Enable GlobalProtect to

Connect Automatically

tospecified

Safari Domains

. You can add multiple

SafariDomains

by clicking the add (

+

) button.

Set the

Provider Type

to indicatehow traffic will be tunneled—either at the application layer orthe IP layer. Use PacketTunnel.



In the Authentication area, set the user

Authentication

methodto

Certificate

.

All per-app VPNconfigurations require certificate-based authentication.

When prompted, select the

Identity Certificate

thatGlobalProtect will use to authenticate users. The

IdentityCertificate

is the same certificate that you configuredin the

Credentials

settings.



(

Optional

) Select the

Proxy

typeand configure the relevant settings.

(

Optional

) (

starting with GlobalProtectapp 5.0

) If your GlobalProtect deployment requires HIP integrationwith MDM, specify the unique device identifier (UDID) attribute.

GlobalProtect supports integration with MDM to obtain mobiledevice attributes from the MDM server for use in HIP-based policyenforcement. In order for the MDM integration to work, the GlobalProtectapp must present the UDID of the endpoint to the GlobalProtect gateway.The UDID attribute enables the GlobalProtect app to retrieve anduse UDID information in MDM-based deployments. If you remove the UDIDattribute from the profile, you can no longer use the MDM integration.The GlobalProtect app generates a new UDID, but it cannot be usedfor the integration.

If you are using the

Palo Alto Networks GlobalProtect

network

ConnectionType

, go to the

VPN

settingsand enable

Vendor Keys

in the Vendor Configurationarea. Set the

Key

to

mobile_id

andthe

Value

to

{DeviceUid}

.



If you are using the

Custom

network

ConnectionType

, go to the

VPN

settingsand

ADD

Custom Data

in theConnection Info area. Set the

Key

to

mobile_id

andthe

Value

to

{DeviceUid}

.



SAVE & PUBLISH

your changes.

Configure per-app VPN settings for a new managed appor modify the settings for an existing managed app.

After configuring the settings for the app and enablingper-app VPN, you can publish the app to a group of users and enablethe app to send traffic through the GlobalProtect VPN tunnel.

Select

APPS & BOOKS

Applications

Native

Public

.

To add a new app, select

ADD APPLICATION

.To modify the settings for an existing app, locate the app in the listof Public apps (List View) and then select the edit () iconin the actions menu next to the row.



In the

Managed By

field, selectthe organization group that will manage this app.

Set the

Platform

to

Apple iOS

.

Select your preferred

Source

for locatingthe app:

SEARCH APP STORE

—Enter the

Name

ofthe app.

ENTER URL

—Enter the App Store URLfor the app (for example, to add the Box app, enter https://itunes.apple.com/us/app/box-for-iphone-and-ipad/id290853822?mt=8&uo=4).



Click

NEXT

.

If you chose to search the App Store, you must also

SELECT

theapp from the list of search results.



On the Add Application dialog, ensure that the app

Name

is correct. This is the name that will appear in the Workspace ONE App Catalog.

(

Optional

) Assign the app to pre-defined or custom

Categories

for ease-of-access in the Workspace ONE App Catalog.



SAVE & ASSIGN

the new app.

Select the newly added app from the list of Publicapps (List View).

From the

Applications

Details View

, click

ASSIGN

atthe top-right corner of the screen.



Select

Assignments

and thenclick

ADD ASSIGNMENT

to add the Smart Groupsthat will have access to this app.

In the

Select Assignment Groups

field,select the Smart Groups that you want to grant access to this app.

Select the

App Delivery Method

. Ifyou select

AUTO

, the app is automaticallydeployed to the specified Smart Groups. If you select

ONDEMAND

, the app must be deployed manually.

Set the

Managed Access

option to

ENABLED

.This option gives users access to the app based on the managementpolicies that you apply.

Configure the remaining settings as needed.

ADD

the new assignment.



(

Optional

) To exclude certain Smart Groupsfrom accessing the app, select

Exclusions

andthen select the Smart Groups that you want to exclude from the

Exclusion

field.



SAVE & PUBLISH

the configurationto the assigned Smart Groups.

{{ } else { }}