Netskope Help

Deploy Client on iOS Using VMware Workspace ONE

A VPN profile is required for sending traffic to Netskope’s gateway for advanced DLP and risk analytics. In iOS, a VPN profile can be created for On-Demand or Per-App VPN. You should already have a configuration of VMware Workspace ONE with a Certificate Authority and Template with the Subject Name in PEM format to generate user certificates for VPN authentication.

Create an iOS Profile

This topic describes configuring an iOS profile for on-demand VPN. By default, VPN is set to on-demand. On-demand VPN is a device-wide VPN.

To create an iOS profile:

  1. On the VMware Workspace ONE Console, go to Resources > Profiles & Baselines > Profiles.

  2. Select Add Profile from the Add dropdown menu.

  3. Select Apple iOS from the platform list.

  4. Select Device Profile in Select Context.

  5. On the General page, enter the following parameters:

    • Name: Enter a unique name

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always

    • Managed By: Netskope Inc.

    • Smart Groups: Select a smart group

    • Exclusions: No

  6. Next, configure the relevant sections to create an iOS profile.

  7. Select VPN in the left navigation panel. Click Configure and enter the following parameters:

    1. Connection Name: Enter a unique name.

    2. Connection Type: Select Custom.

    3. Identifier: Enter the bundle ID of the identifier. For example, com.netskope.Netskope (case sensitive).

    4. Server: Enter your VPN server name from the Netskope UI. For example, gateway-[tenantname][.eu]

    5. Account: Click the + symbol and select EnrollmentUserID.

    6. User Authentication: Select Certificate.

    7. Identity Certificate: None

    8. Identity Certificate: None

    9. Enable VPN On Demand: Select the checkbox to enable this option.

    10. Use new on-demand Keys: Select the checkbox to enable this option.

    11. Action: Select Connect in the Action field under On-Demand Rule.

    12. In the Criteria and Value pair, select Any for Interface Match.

  8. If you want to enable Zero-Touch configuration to allow automated deployment of the Client, leverage the Custom VPN data. Select VPN in the left navigation panel. Click Configure and enter the following parameters:


    You can skip this step if you are adding the key-value pair while assigning app settings.

    • Connection Name: Enter a unique name.

    • Connection Type: Select Custom.

    • Identifier: Enter the bundle ID of the identifier: com.netskope.Netskope (case sensitive).

    • Server: Enter your VPN server name from the Netskope UI. For example, gateway-[tenantname][.eu]

    • Account: Click + and select EnrollmentUserID.

    • Custom Data: Add the following Key-value pairs:

      • OrgKey: Use the tenant organizational key.

      • AddonHost: Use the addon URL for the tenant: addon-[tenant].[eu]

      • UserEmail: Use the variable that contains the user identity for the enrolment: {EmailAddress}.

  9. Select Notifications in the left navigation pane. Click Configure and perform the following actions:

    • Select App: Choose Netskope Client.

    • You can keep the default settings for the later options in this section.


      This is only valid if the device is supervised (Company-owned).

  10. Select Credentials in the left navigation panel. Click Configure and enter the following parameters:

    • Credential Source: Select Upload.

    • Credential Name: Enter rootcaCert.pem. This is the name of the Netskope Root certificate so a browser can trust the certificates issued by the Netskope proxy.

    • Certificate: Click Upload.


    Click + in the bottom-right corner and enter these parameters:

    • Credential Source: Click Upload.

    • Credential Name: Enter caCert.pem. This is the name of the Netskope Tenant Certificate.


    To get the root and tenant certificates, view Certificates.

  11. Click Save & Publish.
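To check a published profile against the VPN settings in steps 7 and 8, the following added example (not Netskope or VMware code) audits an exported .mobileconfig file. It assumes the console writes those fields to Apple's standard VPN payload keys (VPNType, VPNSubType, VPN, VendorConfig); the function names and sample tenant values are made up for the example.

```python
import plistlib

# Apple VPN payload keys; that the console writes the page's fields to these
# keys is an assumption of this example.
EXPECTED_SUBTYPE = "com.netskope.Netskope"   # Identifier, case sensitive
ZERO_TOUCH_KEYS = ("OrgKey", "AddonHost", "UserEmail")

def audit_vpn_profile(raw, zero_touch=True):
    """Return findings for each VPN payload; an empty list means it matches."""
    profile = plistlib.loads(raw)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not payloads:
        return ["no VPN payload found"]
    findings = []
    for p in payloads:
        vpn = p.get("VPN", {})
        if p.get("VPNType") != "VPN":
            findings.append("Connection Type is not Custom")
        if p.get("VPNSubType") != EXPECTED_SUBTYPE:
            findings.append(f"Identifier mismatch: {p.get('VPNSubType')!r}")
        if not vpn.get("RemoteAddress"):
            findings.append("Server is empty")
        if vpn.get("AuthenticationMethod") != "Certificate":
            findings.append("User Authentication is not Certificate")
        if vpn.get("OnDemandEnabled") != 1:
            findings.append("VPN On Demand is not enabled")
        # "Any" interface is taken to mean a rule without InterfaceTypeMatch.
        rules = vpn.get("OnDemandRules", [])
        if not any(r.get("Action") == "Connect" and "InterfaceTypeMatch" not in r
                   for r in rules):
            findings.append("no Connect rule that matches any interface")
        if zero_touch:
            vendor = p.get("VendorConfig", {})
            findings += [f"Custom Data key {k} missing or empty"
                         for k in ZERO_TOUCH_KEYS if not vendor.get(k)]
    return findings

def sample_profile(subtype=EXPECTED_SUBTYPE):
    """Constructed profile with placeholder tenant values, for the demo only."""
    payload = {
        "PayloadType": "com.apple.vpn.managed", "VPNType": "VPN",
        "VPNSubType": subtype, "UserDefinedName": "Netskope On-Demand",
        "VPN": {"RemoteAddress": "gateway-tenant.example.invalid",
                "AuthenticationMethod": "Certificate", "OnDemandEnabled": 1,
                "OnDemandRules": [{"Action": "Connect"}]},
        "VendorConfig": {"OrgKey": "PLACEHOLDER-ORG-KEY",
                         "AddonHost": "addon-tenant.example.invalid",
                         "UserEmail": "user@example.invalid"},
    }
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": [payload]})
```

Pass `zero_touch=False` when the OrgKey, AddonHost and UserEmail pairs are supplied through the app assignment instead of the VPN Custom Data.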

Add Netskope Client App

The following section describes the steps to add the application from the public store in VMware Workspace ONE.

To add Netskope Client:

  1. Go to Resources > Apps > Native.

  2. Click the Public tab.


  4. Select Apple iOS from the Platform dropdown menu.

  5. In Source, click SEARCH APP STORE.

  6. Enter Netskope Client in the Name field.

  7. Click Next.

  8. Click +Select for Netskope Client application.

  9. In the Add Application - Netskope Client window, click Save & Assign.

  10. After you click Save & Assign, the console opens the assignment configuration for the app.

  11. In Netskope Client - Assignment > Distribution, enter the assignment name and select a target.

  12. In Netskope Client - Assignment > Restrictions, configure the app restrictions.

  13. In Netskope Client - Assignment > Tunnel & Other Attributes, select Per App VPN Profile (Optional).

  14. In Netskope Client - Assignment > Application Configuration, configure the app for automatic enrollment. You can provide the following Key-Value pair:

    • OrgKey: Value of the tenant organizational key (string).

    • UserEmail: Use environment variable {EmailAddress} from AirWatch (string).

    • AddonHost: Provide the addon URL addon-[tenant name].[eu] (string).



    Skip this step if you choose Zero-Touch configuration.

  15. Click Create and save the assignments.

  16. Click Publish after you review the app settings.