Skip to main content

Netskope Help

Create an iOS Per-App VPN Profile

Per-App VPN is primarily for those looking to support BYOD devices where privacy and/or security are concerns, and neither the end user or the admins want personal, non-work data being steered to Netskope. 

By default all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

For this procedure you'll need the VPN Server name and PAC URL from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration).


When deployed in CASB mode, the Netskope iOS solution will tunnel traffic on port 80.

To create a Per-App VPN profile:

  1. In the AirWatch Console, go to Devices > Profiles & Resources > Profiles, and then click Add > Add Profile.

  2. Select Apple iOS from the platform list.

  3. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always

    • Managed By: Netskope Inc.

    • Assigned Groups: Enter text in the field to select a smart group.

    • Exclusions: No

  4. Select Credentials in the left navigation panel, click Configure, and then enter these parameters:

    • Credential Source: Defined Certificate Authority

    • Certificate Authority: Select the CA you created previously.

    • Certificate Template: Select the certificate template you created previously for issuing certificates.

  5. Click on + in the bottom-right corner and enter these parameters:

    • Credential Source: Upload

    • Credential Name: rootcaCert.pem. This is the name of the Netskope Root certificate so a browser can trust the certificates issued by the Netskope proxy.

    • Certificate: Upload

  6. Select VPN in the left navigation panel, click Configure, and then enter these parameters:

    • Connection Name: Enter a unique name.

    • Connection Type: IPSec (Cisco)

    • Server: Enter your VPN server name in the Netskope UI.

    • Account: Click the + symbol and select EnrollmentUserID.

    • Per-App VPN Rules: Enable checkbox.

    • Connect Automatically: Enable checkbox.

    • Provider Type: None

    • Enter any domains that will be tunneled from a browser.

  7. Under Authentication, enter these parameters:

    • Machine Authentication: Certificate.

    • Identity Certificate: Choose the certificate credential you configured previously.

    • Include User Pin: Disable checkbox.

    • Enable VPN On-Demand: Enable checkbox.

  8. Under Proxy, enter these parameters:

    1. Proxy: Automatic.

    2. Proxy Server Auto Config URL: Enter the PAC URL in the Netskope tenant UI. For example: https://addon-<tenant hostname>/mobile/user/pac?orgkey=<org_key>&email={EmailAddress}

    3. Click Save & Publish.