Deploy Client on iOS Using VMware Workspace ONE

This article covers the steps to deploy Netskope Client for iOS devices using VMware Workspace One.

Prerequisites

  • In the Netskope UI, go to Settings > Security Cloud Platform > Netskope Client > MDM. Download the Netskope Root and Intermediate Certificate.
  • On the same page, locate and save the Organization ID token value.
  • User accounts provisioned within the MDM/EMM platform must match those provisioned in the Netskope tenant.

Netskope Root CA Certificates Distribution

In this section, you can upload the root and tenant certificates to the VMware Workspace console and use these certificates to securely access resources.

To add the Netskope root and tenant certificates:

  1. In the VMware Workspace ONE Console, go to Resources > Profiles & Baselines > Profiles.

  2. Select Add Profile from the Add dropdown menu.

  3. Select Apple iOS from the platform list.

  4. Select Device Profile in Select Context.

  5. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always (you can select the desired option)

    • Managed By: Netskope Inc.

    • Smart Groups: Start typing to select a smart group.

    • Exclusions: No

  6. Select Credentials in the left navigation panel, click Configure, and then enter the following parameters:

    1. Credential Source: Defined Certificate Authority. Select Upload.

    2. Credential Name: Enter rootcaCert.pem. This is the name of the Netskope Root certificate, which lets a browser trust the certificates issued by the Netskope proxy.

    3. Certificate: Click Upload.

    4. Click + in the bottom-right corner and enter the following parameters:

      • Credential Source: Click Upload.

      • Credential Name: Enter IntermediateCert.pem. This is the name of the Netskope Intermediate Certificate.

        To get the root and intermediate certificates, view Certificates.

  7. Click Save & Publish.

Add VPN Profile

Administrators must select the preferred VPN profile type according to their requirements. The options are On-Demand VPN and Per App VPN. Netskope Client does not allow multiple VPN profiles to coexist on the same device. You can create multiple VPN profiles in the Workspace ONE console and assign them to various smart groups to accommodate corporate and BYOD use cases.

On-Demand VPN

To create an On-Demand VPN profile:

  1. In the VMware Workspace ONE Console, go to Resources > Profiles & Baselines > Profiles.

  2. Select Add Profile from the Add dropdown menu.

    If you have an existing profile, click the profile name and proceed to Step 7 to add the appropriate VPN settings. 

  3. Select Apple iOS from the platform list.

  4. Select Device Profile in Select Context.

  5. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always (you can select the desired option)

    • Managed By: Netskope Inc.

    • Smart Groups: Start typing to select a smart group.

    • Exclusions: No

  6. Next, configure the relevant sections to create the VPN profile.

  7. Select VPN in the left navigation panel, click Configure, and then enter these parameters:

    • Connection Name: Enter a unique name.

    • Connection Type: Select Custom.

    • Identifier: Enter the bundle ID: com.netskope.Netskope (case sensitive).

    • Server: Enter your VPN server name from the Netskope UI. For example, gateway-<tenant-URL>.

    • Account: Click the + symbol and select EnrollmentUserID.

    • Custom Data: Add the following Key:value pairs:

      • OrgKey: Use the tenant organizational key

      • AddonHost: Use the addon URL for the tenant: addon-<tenant-URL>.

      • UserEmail: Use the variable that contains the user identity for the enrollment: {EmailAddress}

      If you want Netskope Client to steer only Private Access traffic, provide the following Key-Value pair: ForceDisabledSteering: True.

    • User Authentication: Select Certificate.

    • Identity Certificate: None

    • Enable VPN On Demand: Select the checkbox to enable this option.

    • Use new on-demand Keys: Select the checkbox to enable this option.

    • Action: Select Connect in the Action field under On-Demand Rule.

    • In the Criteria and Value pair, select Any for Interface Match.

  8. Click Save & Publish.

Per App VPN

To create a Per App VPN profile:

  1. In the VMware Workspace ONE Console, go to Resources > Profiles & Baselines > Profiles.

  2. Select Add Profile from the Add dropdown menu. If you have an existing profile, click the profile name and proceed to Step 7 to add the appropriate VPN settings.

  3. Select Apple iOS from the platform list.

  4. Select Device Profile in Select Context.

  5. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always (you can select the desired option)

    • Managed By: Netskope Inc.

    • Smart Groups: Start typing to select a smart group.

    • Exclusions: No

  6. Next, configure the relevant sections to create a VPN profile.

  7. Select VPN in the left navigation panel, click Configure, and then enter these parameters:

    • Connection Name: Enter a unique name.

    • Connection Type: Select Custom.

    • Identifier: Enter the bundle ID: com.netskope.Netskope (case sensitive).

    • Server: Enter your VPN server name from the Netskope UI. For example, gateway-<tenant-URL>.

    • Account: Click the + symbol and select EnrollmentUserID.

    • Provider Type: Select Packet Tunnel

    • Custom Data: Add the following Key:Value pairs:

      • OrgKey: Use the tenant organizational key

      • AddonHost: Use the addon URL for the tenant: addon-<tenant-URL>.

      • UserEmail: Use the variable that contains the user identity for the enrollment: {EmailAddress}

        • If you want Netskope client to steer only Private Access traffic, provide the following Key-Value pair:

          • Key: ForceDisabledSteering

          • Value: True.

        • To set a timeout for the iOS On-demand connections hold feature, add the key-value pair: OnDemandConnectionsHoldTimeout: <numeric value in seconds>. This value lets the VPN profile hold connections for a longer time, until the tunnel is established successfully and handles traffic. Netskope recommends using values that are large enough to cover normal connection time. For example,

          • Key: OnDemandConnectionsHoldTimeout

          • Value: 20

            This numeric value defines the timeout.

    • Per-App VPN Rules: Select the checkbox to enable this option.

    • Connect Automatically: Select the checkbox to enable this option.

    • Provider Type: Select Packet Tunnel from the options in the dropdown menu.

    • User Authentication: Select Certificate.

    • Identity Certificate: None

    • Enable VPN On Demand: Select the checkbox to enable this option.

    • Use new on-demand Keys: Select the checkbox to enable this option.

    • Action: Select Connect in the Action field under On-Demand Rule.

    • In the Criteria and Value pair, select Any for Interface Match.

  8. Click Save & Publish.
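
A lint for the settings that the On-Demand and Per App procedures above share, run against an exported, unsigned .mobileconfig. This is an added example, not Netskope or VMware code: the key names are Apple's VPN payload keys, the assumption is that Workspace ONE writes the console fields under them (Identifier as VPNSubType, Custom Data as VendorConfig), and the tenant names and org key are constructed placeholders.

```python
import plistlib

# Apple VPN payload key names; that Workspace ONE emits them is an assumption.
BUNDLE_ID = "com.netskope.Netskope"  # case sensitive, as the steps state

def lint_vpn_payload(p):
    """Return a list of findings for one VPN payload dict."""
    out, vpn, custom = [], p.get("VPN", {}), p.get("VendorConfig", {})
    if p.get("VPNType") != "VPN" or p.get("VPNSubType") != BUNDLE_ID:
        out.append("identifier is not exactly " + BUNDLE_ID)
    out += ["custom data missing: " + k for k in ("OrgKey", "AddonHost", "UserEmail")
            if not str(custom.get(k, "")).strip()]
    server, addon = str(vpn.get("RemoteAddress", "")), str(custom.get("AddonHost", ""))
    if not server.startswith("gateway-") or not addon.startswith("addon-"):
        out.append("server/AddonHost are not gateway-/addon-<tenant-URL>")
    elif server[len("gateway-"):] != addon[len("addon-"):]:
        out.append("server and AddonHost name different tenants")
    if vpn.get("AuthenticationMethod") != "Certificate":
        out.append("user authentication is not Certificate")
    rules = vpn.get("OnDemandRules", [])
    if not vpn.get("OnDemandEnabled") or not any(r.get("Action") == "Connect" for r in rules):
        out.append("VPN On Demand with a Connect rule is not enabled")
    if str(custom.get("ForceDisabledSteering", "")).lower() == "true":
        out.append("note: only Private Access traffic is steered")
    hold = str(custom.get("OnDemandConnectionsHoldTimeout", "1"))  # absent is fine
    if not (hold.isdigit() and int(hold) > 0):
        out.append("OnDemandConnectionsHoldTimeout is not a positive number of seconds")
    return out

def lint_profile(data):
    """Lint each VPN payload in an unsigned .mobileconfig (XML or binary plist)."""
    content = plistlib.loads(data).get("PayloadContent", [])
    return [lint_vpn_payload(c) for c in content
            if str(c.get("PayloadType", "")).startswith("com.apple.vpn.managed")]

def sample(**overrides):
    """Constructed profile; tenant names and the org key are placeholders."""
    custom = {"OrgKey": "PLACEHOLDER-ORG-KEY", "UserEmail": "user@example.com",
              "AddonHost": "addon-tenant.example.com"}
    custom.update(overrides.pop("custom", {}))
    payload = {"PayloadType": "com.apple.vpn.managed", "VPNType": "VPN",
               "VPNSubType": BUNDLE_ID, "VendorConfig": custom,
               "VPN": {"RemoteAddress": "gateway-tenant.example.com",
                       "AuthenticationMethod": "Certificate", "OnDemandEnabled": 1,
                       "OnDemandRules": [{"Action": "Connect"}]}}
    payload.update(overrides)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [payload]})

if __name__ == "__main__":
    print(lint_profile(sample(VPNSubType="com.netskope.netskope")))  # wrong case
```

A profile signed by the MDM is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.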

Associate Per App VPN profile with managed App configuration

The following section describes the steps to associate managed applications with a Per App VPN profile in VMware Workspace ONE.

Perform the following steps to add Netskope Client:

  1. Go to Resources > Apps > Native.

  2. Click the Public tab.

  3. Select a managed application (for example, Box) and click the application.

  4. Click Assignment and click the assignment rule.

  5. Select Tunnel & Other Attributes, click Edit, and select the Per App VPN profile from the dropdown.

  6. Click Save and Publish.

Zero-Touch Enrollment

Netskope Client can enroll silently, without any user action, when enrollment data is supplied through a VPN profile. For a limited number of use cases, such as testing mapped to a single identity, kiosk deployments, and the like, enrollment data should be populated through the VPN profile, and the email key must use a static email address value (one that is provisioned in the Netskope tenant).

Add Netskope Client App

Public Apple Store

The following section describes the steps to add the application from the public store in VMware Workspace ONE.

Perform the following steps to add Netskope Client:

  1. Go to Resources > Apps > Native.

  2. Click the Public tab.

  3. Click +ADD APPLICATION.

  4. Select Apple iOS from the Platform dropdown menu.

  5. In Source, click SEARCH APP STORE.

Purchased App via Apple Business / School Manager

Purchase Netskope Client through the respective tools if your organization is leveraging Apple Business Manager or Apple School Manager. The Netskope Client shows up in the list of applications available for deployment after the tokens are synchronized.

  1. Go to Resources > Apps > Native.

  2. Click the Purchased tab.

  3. Click +Select for Netskope Client application.

Netskope Client assignment settings

  1. In the Add Application – Netskope Client window, click Save & Assign.

  2. After you click Save & Assign, it navigates to the assignment configuration for the App.

  3. In Netskope Client – Assignment > Distribution, enter the assignment Name and select a target smart group.

  4. In Netskope Client – Assignment > Restrictions, configure the app restrictions.

  5. Click Create and save the assignments.

  6. Click Publish after you review the app settings.
