Netskope Help

Configure XenMobile for iOS Per-App VPN

By default all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

To configure XenMobile for iOS per-app VPN:

  1. Log in to your XenMobile account (https://xms.bowlins.com:4443). Go to Configure > Apps, click Add, and then select Public Store App.

    XenMobileAppStore.png
  2. Enter the name of the app and a description.

    Important

    iPhone and iPad should be the only platforms selected.

    When finished, click Next.

  3. Search for the app you entered in step 1.

    XenMobileAppSearch.png
  4. Select the app, enter these parameters:

    • Name: Leave as is or enter a new name.

    • Description: Leave as is or enter a new description.

    • Pad app: OFF.

    • Remove app if MDM profile is removed: ON.

    • Prevent app data backup: ON.

    • Force app to be managed: ON.

    • Force license association to device: ON.

    When finished, click Next.

  5. Repeat steps 3 and 4 for iPad.

  6. Select Delivery Groups Assignment in the left panel, select AllUsers, and click Save

  7. Now configure an App Inventory policy. Go to Configure > Device Policies and click Add. Click More to expand the options, and under Apps select App Inventory.

  8. Enter a policy name, and then click Next.

  9. Make sure iOS is the only platform selected, and the iOS Policy is ON. When finished, click Next.

    XenMobileAppInventoryPolicy.png
  10. On the Assignment page, choose the Delivery Groups, like AllUsers, and then click Save.

  11. Now configure your credentials for Device Policies. Go to Configure > Device Policies and click More to expand the options. Under Security, click Credentials.

  12. Enter a unique Policy Name and click Next.

  13. Make sure iOS is the only platform selected, and then enter these parameters:

    XenMobileCredentailsPolicy2.jpg
    • Credential type: Credential Provider.

    • Credential provider: Select the Netskope credential provider (If you do not see a Netskope Credential Provider in the dropdown list, refer to steps 1-9 in Configure XenMobile for iOS On-Demand VPN to create a Netskope Credential Provider).

    • Remove policy: Select date.

    • Allow user to remove policy: Always.

    When finished, click Assignment in the left panel.

  14. For Choose delivery groups, select AllUsers.

    XenMobileCredentialsPolicy3.jpg

    When finished, click Save.

  15. Now create a VPN policy. Go to Configure > Device Policies, click Add, and then click VPN.

  16. Make sure iOS is the only platform selected, and then enter a unique VPN policy name.

    XenMobileVPNpolicy1.jpg

    When finished, click Next.

  17. Make sure iOS is the only platform selected, and then enter these parameters:

    XenMobileVPNpolicy2.jpg
    • Connection name: Enter a unique connection name.

    • Connection type: Citrix VPN

    • Server name or IP address: Enter the VPN Server Name from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration.

    • User account: Enter an optional user account name.

    • Authentication type for the connection: Certificate

    • Identity credential: Select the Credentials Policy (you created in step 12 above).

    • Prompt for PIN when connecting: OFF

    • Enable VPN on demand: OFF

    • Enable per-app VPN: ON

    • On-demand match app enabled: ON

    • ActionParameters:DomainAction: ConnectIfNeeded.

    • RequiredURLStringProbe: Enter an HTTP or HTTPS URL to probe.

    • Next, add the Proxy parameters:

      XenMobileVPNpolicy6.jpg

      Proxy configuration: Automatic.

    • Proxy server URL: Enter the PAC URL from the Netskope UI Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration.

    • Remove policy: Select date.

    • Allow user to remove policy: Always.

  18. Click Assignment in the left panel, and enter these parameters:

    • Choose delivery groups: AllUsers

    • Expand the Deployment Schedule section to see these options.

      XenMobileVPNpolicy7.jpg

      Deploy: On

    • Deployment schedule: Now

    • Deployment condition: On every connection

    • Deploy for always-on connections: On

  19. When finished, click Save.

  20. Now create an App Attribute policy. Go to Configure > Device Policies and click Add. Click More to expand the options, and under Apps select App Attributes.

  21. Enter a unique App Attributes policy name and click Next.

  22. Enter these parameters:

    • Managed app bundle ID: Select the app ID for the app you selected in step 2. If it's not in the dropdown list, click Add New and enter it.

    • Per-App VPN Identifier: Select the VPN policy name you created in step 16.

    When finished, click Next.

  23. Select the delivery groups and click Save.

The configuration for the XenMobile per-app VPN is complete. Install the Citrix Secure Hub iOS App on your device, and then after that you can perform the server login, user login, and so on to register the device. Refer to the Citrix product documentation for more information.