Configure a Per-App VPN Configuration for iOS Endpoints Using Workspace ONE
Updated on
Wed Nov 08 00:04:05 UTC 2023
You can enable access to internal resources from your managed mobile endpoints by configuring GlobalProtect VPN access using Workspace ONE. In a per-app VPN configuration, you can specify which managed apps can route traffic through the VPN tunnel. Unmanaged apps will continue to connect directly to the internet instead of through the VPN tunnel.
Use the following steps to configure a per-app VPN configuration for iOS endpoints using Workspace ONE:
1. Download the GlobalProtect app for iOS:
   - Deploy the GlobalProtect Mobile App Using Workspace ONE.
   - Download the GlobalProtect app directly from the App Store.

2. From the Workspace ONE console, modify an existing Apple iOS profile or add a new one.
   - Select Devices > Profiles & Resources > Profiles, and then ADD a new profile.
   - Select iOS from the platform list.

3. Configure the General settings:
   - Enter a Name for the profile.
   - (Optional) Enter a brief Description of the profile that indicates its purpose.
   - (Optional) Select the Deployment method, which indicates whether the profile will be removed automatically upon unenrollment: either Managed (the profile is removed) or Manual (the profile remains installed until it is removed by the end user).
   - (Optional) Select an Assignment Type to determine how the profile is deployed to endpoints. Select Auto to deploy the profile to all endpoints automatically, Optional to enable the end user to install the profile from the Self-Service Portal (SSP) or to manually deploy the profile to individual endpoints, or Compliance to deploy the profile when an end user violates a compliance policy applicable to the endpoint.
   - (Optional) Select whether or not you want to Allow Removal of the profile by the end user. Select Always to enable the end user to manually remove the profile at any time, Never to prevent the end user from removing the profile, or With Authorization to enable the end user to remove the profile with the authorization of the administrator. Choosing With Authorization adds a required Password.
   - (Optional) In the Managed By field, enter the Organization Group with administrative access to the profile.
   - (Optional) In the Assigned Groups field, add the Smart Groups to which you want the profile added. This field includes an option to create a new Smart Group, which can be configured with specs for minimum OS, device models, ownership categories, organization groups, and more.
   - (Optional) Indicate whether you want to include any Exclusions to the assignment of this profile. If you select Yes, the Excluded Groups field displays, enabling you to select the Smart Groups that you wish to exclude from the assignment of this profile.

4. Configure the Credentials settings. All per-app VPN configurations require certificate-based authentication.

   Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from the MDM server. If you deploy client certificates from the MDM server using any other method, the certificates cannot be used by the GlobalProtect app.

   - To pull client certificates from Workspace ONE users: Set the Credential Source to User Certificate. Select the S/MIME Signing Certificate (default).
   - To upload a client certificate manually: Set the Credential Source to Upload. Enter a Credential Name. Click UPLOAD to locate and select the certificate that you want to upload. After you select a certificate, click SAVE.
   - To use a predefined certificate authority and template: Set the Credential Source to Defined Certificate Authority. Select the Certificate Authority from which you want to obtain certificates. Select the Certificate Template for the certificate authority.

5. Configure the VPN settings:
   - Enter the Connection Name that the endpoint displays.
   - Select the network Connection Type: For GlobalProtect app 4.1.x and earlier releases, select Palo Alto Networks GlobalProtect. For GlobalProtect app 5.0 and later releases, select Custom.
   - (Optional) If you set the Connection Type to Custom, enter the bundle ID (com.paloaltonetworks.globalprotect.vpn) in the Identifier field to identify the GlobalProtect app.
   - In the Server field, enter the hostname or IP address of the GlobalProtect portal to which users connect.
   - (Optional) Enter the username of the VPN Account or click the add (+) button to view supported lookup values that you can insert.
   - (Optional) In the Disconnect on idle field, specify the amount of time (in seconds) after which an endpoint logs out of the GlobalProtect app once the app stops routing traffic through the VPN tunnel.
   - Enable Per App VPN Rules to route all traffic for managed apps through the GlobalProtect VPN tunnel.
   - Enable GlobalProtect to Connect Automatically to specified Safari Domains. You can add multiple Safari Domains by clicking the add (+) button.
   - Set the Provider Type to indicate how traffic will be tunneled: either at the application layer or at the IP layer. Use PacketTunnel.
   - In the Authentication area, set the user Authentication method to Certificate. All per-app VPN configurations require certificate-based authentication.
   - When prompted, select the Identity Certificate that GlobalProtect will use to authenticate users. The Identity Certificate is the same certificate that you configured in the Credentials settings.
   - (Optional) Select the Proxy type and configure the relevant settings.
   - (Optional) (starting with GlobalProtect app 5.0) If your GlobalProtect deployment requires HIP integration with MDM, specify the unique device identifier (UDID) attribute.

     GlobalProtect supports integration with MDM to obtain mobile device attributes from the MDM server for use in HIP-based policy enforcement. In order for the MDM integration to work, the GlobalProtect app must present the UDID of the endpoint to the GlobalProtect gateway. The UDID attribute enables the GlobalProtect app to retrieve and use UDID information in MDM-based deployments. If you remove the UDID attribute from the profile, you can no longer use the MDM integration. The GlobalProtect app generates a new UDID, but it cannot be used for the integration.

     - If you are using the Palo Alto Networks GlobalProtect network Connection Type, go to the VPN settings and enable Vendor Keys in the Vendor Configuration area. Set the Key to mobile_id and the Value to {DeviceUid}.
     - If you are using the Custom network Connection Type, go to the VPN settings and ADD Custom Data in the Connection Info area. Set the Key to mobile_id and the Value to {DeviceUid}.
   - SAVE & PUBLISH your changes.

6. Configure per-app VPN settings for a new managed app or modify the settings for an existing managed app.

   After configuring the settings for the app and enabling per-app VPN, you can publish the app to a group of users and enable the app to send traffic through the GlobalProtect VPN tunnel.

   - Select APPS & BOOKS > Applications > Native > Public.
   - To add a new app, select ADD APPLICATION. To modify the settings for an existing app, locate the app in the list of Public apps (List View) and then select the edit icon in the actions menu next to the row.
   - In the Managed By field, select the organization group that will manage this app.
   - Set the Platform to Apple iOS.
   - Select your preferred Source for locating the app: SEARCH APP STORE (enter the Name of the app) or ENTER URL (enter the App Store URL for the app; for example, to add the Box app, enter https://itunes.apple.com/us/app/box-for-iphone-and-ipad/id290853822?mt=8&uo=4).
   - Click NEXT. If you chose to search the App Store, you must also SELECT the app from the list of search results.
   - On the Add Application dialog, ensure that the app Name is correct. This is the name that will appear in the Workspace ONE App Catalog.
   - (Optional) Assign the app to pre-defined or custom Categories for ease of access in the Workspace ONE App Catalog.
   - SAVE & ASSIGN the new app.
   - Select the newly added app from the list of Public apps (List View).
   - From the Applications Details View, click ASSIGN at the top-right corner of the screen.
   - Select Assignments and then click ADD ASSIGNMENT to add the Smart Groups that will have access to this app.
   - In the Select Assignment Groups field, select the Smart Groups that you want to grant access to this app.
   - Select the App Delivery Method. If you select AUTO, the app is automatically deployed to the specified Smart Groups. If you select ON DEMAND, the app must be deployed manually.
   - Set the Managed Access option to ENABLED. This option gives users access to the app based on the management policies that you apply.
   - Configure the remaining settings as needed.
   - ADD the new assignment.
   - (Optional) To exclude certain Smart Groups from accessing the app, select Exclusions and then select the Smart Groups that you want to exclude from the Exclusion field.
   - SAVE & PUBLISH the configuration to the assigned Smart Groups.
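As an added example (not Palo Alto Networks or Workspace ONE code), the following Python check audits a VPN payload, such as one exported from the console or captured from an enrolled device, against the settings this procedure requires: the GlobalProtect bundle ID as Identifier, Certificate authentication with an identity certificate bound, PacketTunnel as Provider Type, and the mobile_id vendor key for HIP integration. Key names follow Apple's configuration-profile VPN payload keys; the sample profile, hostname, Safari domain and certificate UUID are constructed placeholders.

```python
import plistlib

GP_BUNDLE_ID = "com.paloaltonetworks.globalprotect.vpn"  # Identifier value from the procedure

def build_profile(auth="Certificate", provider="packet-tunnel", mobile_id="{DeviceUid}") -> bytes:
    """Constructed per-app VPN payload shaped like the profile the MDM pushes (Apple VPN
    payload keys). Defaults follow the procedure; parameters let you build a bad payload."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.vpn.managed.applayer",  # per-app VPN payload type
            "UserDefinedName": "GlobalProtect Per-App VPN",     # Connection Name
            "VPNType": "VPN",
            "VPNSubType": GP_BUNDLE_ID,                         # Identifier (Custom type)
            "VPN": {
                "RemoteAddress": "portal.example.com",          # Server (placeholder)
                "AuthenticationMethod": auth,
                "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",  # placeholder
                "ProviderType": provider,                        # PacketTunnel in the console
                "ProviderBundleIdentifier": GP_BUNDLE_ID,
            },
            "SafariDomains": ["intranet.example.com"],          # Connect Automatically domain
            "VendorConfig": {"mobile_id": mobile_id},           # Key/Value for HIP integration
        }],
    })

def audit_per_app_vpn(profile_bytes: bytes) -> list:
    """Return findings where the payload departs from the procedure; [] means compliant."""
    payloads = [p for p in plistlib.loads(profile_bytes).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.vpn.managed.applayer"]
    if not payloads:
        return ["no per-app VPN payload found"]
    findings = []
    for p in payloads:
        vpn = p.get("VPN", {})
        if p.get("VPNSubType") != GP_BUNDLE_ID:
            findings.append("Identifier is not the GlobalProtect bundle ID")
        if vpn.get("AuthenticationMethod") != "Certificate":
            findings.append("Authentication is not Certificate; per-app VPN requires it")
        if not vpn.get("PayloadCertificateUUID"):
            findings.append("no Identity Certificate bound to the VPN payload")
        if vpn.get("ProviderType") != "packet-tunnel":
            findings.append("Provider Type is not PacketTunnel")
        # On the device the {DeviceUid} lookup value is already substituted, so check presence only.
        if not p.get("VendorConfig", {}).get("mobile_id"):
            findings.append("mobile_id key missing; HIP integration with MDM will not work")
    return findings
```

Run `audit_per_app_vpn(build_profile())` for a compliant payload, or pass the bytes of a real exported .mobileconfig to check what the console actually produced.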