Netskope Help

Create an iOS On-Demand VPN Profile

This topic describes configuring an iOS profile for on-demand VPN. By default, VPN is set to on-demand. On-demand VPN is a device-wide VPN. For this procedure you'll need the VPN Server name, URL String Probe, and PAC URL from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration).

Note

When deployed in CASB mode, the Netskope iOS solution will tunnel traffic on port 80.

To create an on-demand VPN profile:

  1. In the AirWatch Console, go to Devices > Profiles & Resources > Profiles, and then click Add > Add Profile.

  2. Select Apple iOS from the platform list.

  3. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always

    • Managed By: Netskope Inc.

    • Assigned Groups: Enter text in the field to select a smart group.

    • Exclusions: No

  4. Select Credentials in the left navigation panel, click Configure, and then enter these parameters:

    • Credential Source: Defined Certificate Authority

    • Certificate Authority: Select the CA you created previously.

    • Certificate Template: Select the certificate template you created previously for issuing certificates.

  5. Click on + in the bottom-right corner and enter these parameters:

    • Credential Source: Upload

    • Credential Name: rootcaCert.pem. This is the name of the Netskope Root certificate so a browser can trust the certificates issued by the Netskope proxy.

    • Certificate: Upload 

  6. Select VPN in the left navigation panel, click Configure, and then enter these parameters:

    • Connection Name: Enter a unique name.

    • Connection Type: IPSec (Cisco)

    • Server: Enter your VPN server name from the Netskope UI.

    • Account: Click the + symbol and select EnrollmentUserID.

    • Enter any domains that will be tunneled from a browser.

  7. Under Authentication, enter these parameters:

    • Machine Authentication: Certificate.

    • Identity Certificate: Choose the certificate credential you configured previously.

    • Include User Pin: Disable checkbox.

    • Enable VPN On Demand: Enable checkbox. 

    • Use New On-Demand Keys: Enable checkbox.

  8. Under On-Demand Rule, enter this parameter. Action: Evaluate Connection.

  9. Under Action Parameter, enter these parameters:

    MODE: CASB

      • Action: Evaluate Connection

      • Interface Match: Enter the SaaS domains the devices will use.

      • URL Probe: Enter your tenant's URLStringProbe. To get your URL, go to Settings > Security Cloud Platform > Select MDM Distribution. The URLStringProbe is listed under the Create VPN Configuration section.

    MODE: Web

      • Action: Connect

      • Interface Match: Any

      • URL Probe: Enter your tenant's URLStringProbe. To get your URL, go to Settings > Security Cloud Platform > Select MDM Distribution. The URLStringProbe is listed under the Create VPN Configuration section.

  10. Click Add Rule. Set the On-Demand Rule action to Disconnect. Enter the URL String probe provided in the Netskope tenant UI.

    Tip

    The On-Demand Rule option appears after you click Add Rule.

  11. Under Proxy, enter these parameters:

    1. Proxy: Automatic.

    2. Proxy Server Auto Config URL: Enter the PAC URL in the Netskope tenant UI. For example: https://addon-<tenant hostname>/mobile/user/pac?orgkey=<org_key>&email={EmailAddress}

    3. Click Save & Publish.
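
To confirm that a published profile matches the settings in steps 6 through 11, the following added example (not Netskope or AirWatch code) audits the VPN payload of an exported profile. It assumes the profile is available as a standard Apple configuration profile plist with the VPN keys in the IPSec dictionary; the mapping of console fields to those keys is an assumption, and all hostnames, the UUID and the probe URL are constructed placeholders.

```python
import plistlib

PROBE = "https://probe.example.invalid/"  # placeholder for the tenant's URLStringProbe

def sample_profile(on_demand=1, pac="https://pac.example.invalid/pac") -> bytes:
    """Constructed sample profile; every hostname and UUID is a placeholder."""
    rules = [  # CASB-mode rule from steps 8-9, then the Disconnect rule from step 10
        {"Action": "EvaluateConnection", "ActionParameters": [{
            "Domains": ["saas.example.invalid"], "DomainAction": "ConnectIfNeeded",
            "RequiredURLStringProbe": PROBE}]},
        {"Action": "Disconnect", "URLStringProbe": PROBE},
    ]
    vpn = {"PayloadType": "com.apple.vpn.managed", "VPNType": "IPSec",
           "IPSec": {"RemoteAddress": "vpn.example.invalid",
                     "AuthenticationMethod": "Certificate",
                     "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000000",
                     "PromptForVPNPIN": False,
                     "OnDemandEnabled": on_demand, "OnDemandRules": rules},
           "Proxies": {"ProxyAutoConfigEnable": 1, "ProxyAutoConfigURLString": pac}}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [vpn]})

def audit_vpn_profile(raw: bytes) -> list:
    """List the ways a profile's VPN payloads deviate from the steps above."""
    vpns = [p for p in plistlib.loads(raw).get("PayloadContent", [])
            if p.get("PayloadType") == "com.apple.vpn.managed"]
    findings = [] if vpns else ["no VPN payload in profile"]
    for vpn in vpns:
        ipsec = vpn.get("IPSec", {})
        rules = ipsec.get("OnDemandRules", [])
        actions = {r.get("Action") for r in rules}
        pac = vpn.get("Proxies", {}).get("ProxyAutoConfigURLString", "")
        checks = [  # (passes, finding reported when it does not)
            (vpn.get("VPNType") == "IPSec", "connection type is not IPSec"),
            (ipsec.get("AuthenticationMethod") == "Certificate",
             "machine authentication is not Certificate"),
            (bool(ipsec.get("PayloadCertificateUUID")), "no identity certificate"),
            (not ipsec.get("PromptForVPNPIN"), "user PIN prompt is enabled"),
            (ipsec.get("OnDemandEnabled") == 1, "VPN On Demand is disabled"),
            (bool(actions & {"EvaluateConnection", "Connect"}),
             "no Evaluate Connection or Connect rule"),
            (any(r.get("Action") == "Disconnect" and r.get("URLStringProbe")
                 for r in rules), "no Disconnect rule with a URL string probe"),
            (pac.startswith("https://"), "PAC URL missing or not HTTPS"),
        ]
        findings += [msg for ok, msg in checks if not ok]
    return findings

if __name__ == "__main__":
    print(audit_vpn_profile(sample_profile()))  # compliant constructed sample
    print(audit_vpn_profile(sample_profile(0, "http://pac.example.invalid/pac")))
```

An empty list means the payload matches every setting checked; each string in a non-empty list names one setting to correct in the console before republishing.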