Deploy Client on iOS Using Ivanti Neurons

The following sections explain how to upload and enroll certificates and how to configure an iOS profile for Ivanti Neurons (formerly known as MobileIron Cloud) for on-demand or per-app VPN. For information about iOS VPN fail-open, refer to iOS VPN Fail Open.

Create Certificates in Ivanti Neurons

To configure Ivanti Neurons, you need to create a local standalone CA (or use a third-party CA) and an identity certificate in Ivanti Neurons.

Create a Standalone CA Certificate

To create a standalone CA certificate:

  1. In the MobileIron Cloud admin console, go to Admin > Certificate Authority and click Add.
  2. Click Continue under Create a Standalone Certificate Authority.
  3. Click Actions, and then select Download Certificate.
  4. Note where you saved the certificate.
  5. Open a Mac OS X terminal window and use openssl to convert the downloaded certificate from .cer (DER) format to .pem format with this command: sudo openssl x509 -inform der -in cert.cer -out cert.pem
  6. After the conversion, verify that the .pem file was written using this command: cat cert.pem
  7. Upload the certificate to Netskope using the tenant UI. Go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution, and then scroll down the page until you see the Upload Certificate to Netskope section.
  8. Click Upload/Replace Certificate, and then click Select Certificate to locate and select your certificate file.
  9. When finished, click Upload.
  10. When the Preview message box opens, click Save.
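Steps 5 and 6 above convert the downloaded CA certificate and then only display it with cat. The following script is an added example (not part of the Netskope or Ivanti documentation) that performs the same DER-to-PEM conversion and also checks what was produced before it is uploaded: that the file parses as an X.509 certificate, what its subject and validity dates are, and that it is actually marked as a CA. It assumes the openssl command-line tool is installed; the function names (cert_format, convert_to_pem, cert_subject, cert_dates, cert_is_ca) are this example's own.

```shell
#!/bin/sh
# Added example (not from the Netskope or Ivanti documentation): convert the
# standalone CA certificate downloaded from Ivanti Neurons (DER .cer) to PEM
# and check the result, instead of only viewing it with cat.
# Assumes the openssl command-line tool is installed; no sudo is required.

# cert_format FILE: prints "pem" if the file starts with a PEM header, else "der".
cert_format() {
  if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
    echo pem
  else
    echo der
  fi
}

# convert_to_pem IN OUT: writes IN as PEM to OUT, whatever IN's current format.
# Passing the wrong -inform is the usual reason "openssl x509" fails here.
convert_to_pem() {
  openssl x509 -inform "$(cert_format "$1")" -in "$1" -outform pem -out "$2"
}

# cert_subject FILE: prints the subject line (fails if FILE is not a certificate).
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# cert_dates FILE: prints notBefore/notAfter so an expired CA is caught before upload.
cert_dates() {
  openssl x509 -in "$1" -noout -dates
}

# cert_is_ca FILE: succeeds only if basicConstraints marks the certificate as a CA;
# the file uploaded in this procedure is meant to be the CA certificate itself.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: ./convert_ca.sh cert.cer [cert.pem]
if [ -n "${1:-}" ]; then
  out="${2:-cert.pem}"
  convert_to_pem "$1" "$out" || exit 1
  cert_subject "$out"
  cert_dates "$out"
  if cert_is_ca "$out"; then
    echo "OK: $out is a CA certificate, ready to upload"
  else
    echo "WARNING: $out is not marked as a CA (basicConstraints CA:TRUE missing)" >&2
    exit 1
  fi
fi
```

Run it as `./convert_ca.sh cert.cer cert.pem` from the directory where the certificate was saved. Because cert_format inspects the file's first bytes, the script also accepts a certificate that was already exported as PEM, which avoids the "unable to load certificate" error that the fixed `-inform der` command produces in that case.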

Create an Identity Certificate

To create an identity certificate:

  1. In the MobileIron Cloud admin console, select Configurations and click Add.
  2. Select Identity Certificate.
  3. Enter these parameters:
    • Name: Enter a unique name for the certificate.
    • In the Configuration Setup section, select Dynamically Generated from the Certificate Distribution dropdown list.
    • Source: Select the standalone certificate you created.
    • Signature Algorithm: SHA256 with RSA
    • Subject:
      • emailAddress: ${userEmailAddress}
      • CN: ${userEmailAddress}
      • OU: <Tenant OU from the Netskope UI>
      • O: <Organization Name from the Netskope UI>
      • L: <Your city>
      • ST: <Your state> (in two letter format)
      • C: <Your country> (in two letter format)
    • Subject Alternate Name Type: (Optional)
    • Key Size: 2048
  4. Save this configuration and distribute this certificate to relevant devices.

Provision Certificates to Devices

To provision certificates to devices:

  1. Locate the Netskope Root certificate you downloaded from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution).
  2. In the MobileIron Cloud admin console, select Configurations and click Add.
  3. Select Certificate, enter a name, and then upload the Netskope Root certificate.
  4. Distribute the certificate configuration to relevant devices.

Configure an On-Demand VPN

To configure an on-demand VPN:

  1. In the MobileIron Cloud admin console, select Configurations and click Add.

  2. Select VPN On-Demand.

  3. Enter these parameters:

    • Name: Enter a unique name.

    • Connection Type: Custom SSL

    • Identifier: com.netskope.Netskope

    • Server: <Tenant Gateway name>

    • Account: Leave blank.

    • Custom Data:

      • OrgKey: Use the tenant organizational key

      • AddonHost: Use the addon URL for the tenant: addon-<tenant-URL>.

      • UserEmail: Use the variable that contains the user identity for the enrollment: {EmailAddress}.

      • enrollauthtoken: Use Secure Enrollment Authentication token.

      • enrollencryptiontoken: Use Secure Enrollment Encryption token.

        Use enrollauthtoken and enrollencryptiontoken only if you have enabled secure enrollment in your tenant.

    • User Authentication: Certificate.

    • Credential: Select the identity certificate you created.

    • Proxy Setup: Auto

    • Enable VPN On Demand: On

    • Enable iOS Rules: Selected

  4. Choose to apply this configuration to All Devices, No Devices, or use Custom to specify devices.

  5. When finished, click Done.

Distribute to Devices

To distribute this configuration to devices:

  1. In the MobileIron Cloud admin console, select Devices.
  2. Force device check-in.
  3. Select Configurations to view the device details.

Configure a Per-App VPN

By default all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

To configure a Per-App VPN:

  1. In the MobileIron Cloud admin console, select Configurations and click Add.

  2. Select Per-App VPN.

  3. Enter these parameters:

    • Connection Type: Custom SSL

    • Server: <Tenant Gateway name>

    • Account: Leave blank.

    • Custom Data:

      • OrgKey: Use the tenant organizational key

      • AddonHost: Use the addon URL for the tenant: addon-<tenant-URL>.

      • UserEmail: Use the variable that contains the user identity for the enrollment: {EmailAddress}.

      • enrollauthtoken: Use Secure Enrollment Authentication token.

      • enrollencryptiontoken: Use Secure Enrollment Encryption token.

        Use enrollauthtoken and enrollencryptiontoken only if you have enabled secure enrollment in your tenant.

    • User Authentication: Certificate

    • Credential: Select the identity certificate you created.

    • Proxy Setup: None

    • Enable VPN On Demand: On

    • Enable iOS Rules: On

    • On Demand Match App Enabled: On

    • Provider Type: packet-tunnel

  4. When finished, click Save.

Select Apps for the Per-App VPN

To select apps for the Per-App VPN:

  1. In the MobileIron Cloud admin console, select Apps and click Add.
  2. Select App Catalog to go through the wizard and select the apps to be distributed to the devices.
  3. Select App Configurations, and then select Per-App VPN.
  4. Enter these parameters:
    • Name: Enter a name.
    • Enable Per-App VPN for this App: On
    • Dropdown list: Select the Per-App VPN configuration you created.
  5. When finished, click Update.

Distribute to Devices

To validate the device has the necessary configurations:

  1. In the MobileIron Cloud admin console, select Devices.
  2. Force device check-in.
  3. Select Configurations to view the device details.

iOS VPN Fail Open

The fail-open function allows traffic from a device using the iOS VPN to bypass Netskope and go directly to an app or service. When fail open is enabled, all iOS devices stop steering traffic to Netskope. Fail open occurs either when Netskope initiates it because of a service interruption or when an admin enables it in the Netskope UI.

To enable fail open for iOS VPN:

  1. In the Netskope UI, go to Settings > Security Cloud Platform > MDM Distribution.
  2. In the Create VPN Configuration section, confirm that your iOS VPN is operational. If so, click the tool icon to open the Advanced Configuration dialog box.
  3. Enable the toggle, and then click Save.