Netskope Help

Deploy VPN Profiles In iOS Devices Using Intune

Netskope supports Intune on-demand and per-app VPN for iOS devices, so you can provide users with access to corporate applications, data, and resources while keeping your sensitive information secure. For information about iOS VPN fail-open, refer to iOS VPN Fail Open.

This document describes how to deploy VPN profiles to iOS devices using Intune.

Prerequisites

Before you configure Intune:

  • If you want to use per-app VPN, make sure your Netskope tenant is provisioned in the Per-App VPN mode. Netskope tenants are set to on-demand by default unless specifically requested. To use per-app VPN, open a Support ticket to convert your tenant to Per-App VPN mode.

  • In the Netskope UI, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution. In the Certificate Setup section, copy the Tenant OU and Organization Name values, and then download the Netskope Root Certificate. These are needed to configure Intune certificate profiles.

  • On the same page, in the Create VPN Configuration section, copy the VPN Server Name and PAC URL. These are needed for configuring Intune VPN profiles. This section also shows the VPN mode that is currently configured.

To configure Intune, you need to create a trusted certificate profile, a SCEP certificate profile, and a trusted Netskope certificate profile. Create a Trusted Certificate profile before creating the SCEP or .PFX certificate profile. You will need your SCEP server certificate to complete these steps.

To create a trusted certificate profile:

  1. Log in to the Microsoft Endpoint Manager (MEM) using your admin account.

  2. In the MEM console, go to Devices > Configuration Profiles and click Create Profile.

    img-02-memCreateProfile.png
  3. You need to create a Trusted certificate profile before you can create a SCEP or Netskope certificate profile. Select these parameters:

    • Platform: iOS

    • Profile type: Trusted certificates

    img-03-mem-trustedCert-a.png
  4. Enter and select these parameters:

    1. In the Basics tab, provide a name for the profile. Click Next to continue.

      img-04-mem-uploadCer-a.png
    2. In the Configuration Settings tab, upload the .cer file.

      img-04-mem-uploadCer.png
    3. In the Assignment tab, you can select your target audience (groups, users, or all devices) to push the configuration profiles.

    4. In the Review + create tab, verify your profile settings and click the Create button.

After creating a Trusted CA certificate profile, create a SCEP certificate profile. When you create a SCEP certificate profile, you must specify a Trusted certificate profile for it. This associates the two profiles that you must deploy separately.

You need to copy the Tenant OU and Organization Name values from the Netskope UI. To get the values, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution. You also need to know your SCEP server URL to complete these steps.

To create a SCEP certificate profile:

  1. Click Profile > Create Profile. Enter and select these parameters:

    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: SCEP certificate.

    img-05-scep.png

    Click Create to continue.

  2. In the SCEP Certificate panel, do the following:

    1. In the Basics tab, provide a name and click Next.

    2. In the Configurations tab, enter the following:

      img-06-scepParams.png
      1. Subject Name Format: Custom, and then enter this in the Custom text field: CN={{EmailAddress}},E={{EmailAddress}},OU=<Tenant OU from Netskope UI>,O=<CompanyName>

      2. Subject Alternate Name: Select both Email Address and User Principal Name (UPN).

      3. Certificate Validity Period: Select how long to keep the certificate valid.

      4. Key Usage: Select both Digital Signature and Key Encipherment.

      5. Key Size: 2048.

      6. Root Certificate: Click Select a Certificate and then, in the Root Certificate panel, select the Trusted Certificate profile created previously. When finished, click OK.

      7. Extended Key Usage: Select Client Authentication from the Predefined Values dropdown list, which populates the Name and Object Identifier fields.

      8. Renewal Threshold: Leave the default value (recommended) or enter a new one.

      9. SCEP Server URLs: Enter your SCEP server URL. For example: http://<fqdn>/certsrv/mscep/mscep.dll

    3. In the Assignment tab, select the target audience for this iOS profile deployment.

    4. In the Review + Create tab, verify your settings and click Create.
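The subject string entered in step 1 is a template that Intune fills in per user, so a useful check after the first enrollment is to compare the subject of an issued device certificate with what the template should have produced, in particular OU and O, which must match the values copied from the Netskope UI. The script below is an added example, not Netskope's or Microsoft's code: it renders the template for a user and compares it with a subject line as printed by openssl. The email address, tenant OU, company name and the issued subject line are constructed sample values; the attribute alias table (openssl prints emailAddress where the Intune template uses E) is an assumption of this script, not something stated on this page.

```python
"""Compare an issued client certificate's subject with the Intune SCEP template.

Added example; the template and the {{EmailAddress}} variable are the ones
from the SCEP profile above, everything else is constructed sample data.
"""

# Template exactly as configured in the SCEP profile (placeholders filled below).
TEMPLATE = "CN={{EmailAddress}},E={{EmailAddress}},OU=<Tenant OU from Netskope UI>,O=<CompanyName>"

# Attribute-type aliases: openssl prints "emailAddress", the Intune template says "E".
ALIASES = {
    "EMAILADDRESS": "E",
    "COMMONNAME": "CN",
    "ORGANIZATIONALUNITNAME": "OU",
    "ORGANIZATIONNAME": "O",
}


def render_subject(email, tenant_ou, company):
    """Fill the template the way the SCEP profile would for this user."""
    return (TEMPLATE.replace("{{EmailAddress}}", email)
                    .replace("<Tenant OU from Netskope UI>", tenant_ou)
                    .replace("<CompanyName>", company))


def parse_dn(dn):
    """Split an RFC 2253 style DN into [(TYPE, value)], honouring '\\,' escapes."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        typ = typ.strip().upper()
        out.append((ALIASES.get(typ, typ), val.strip()))
    return out


def subject_matches(issued_dn, expected_dn):
    """True when both DNs carry the same attributes (order and type case ignored)."""
    return sorted(parse_dn(issued_dn)) == sorted(parse_dn(expected_dn))


def missing_attributes(issued_dn, expected_dn):
    """Attributes the template requires that the issued certificate lacks."""
    return sorted(set(parse_dn(expected_dn)) - set(parse_dn(issued_dn)))


# Constructed sample values (not real tenant data).
EXPECTED = render_subject("jane.doe@example.com", "abc123tenantou", "Example Corp")
# Constructed subject line in the form `openssl x509 -noout -subject` prints (reverse order).
ISSUED = "O=Example Corp,OU=abc123tenantou,emailAddress=jane.doe@example.com,CN=jane.doe@example.com"

if __name__ == "__main__":
    print("expected:", EXPECTED)
    print("issued:  ", ISSUED)
    print("match:", subject_matches(ISSUED, EXPECTED))
```

If the OU or O attribute is reported missing, re-check the values copied from Settings > Security Cloud Platform > Netskope Client > MDM Distribution against the Custom text field of the SCEP profile.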

After creating a SCEP certificate profile, create a Trusted Root certificate profile for Netskope.

You need to download the Netskope Root certificate from the Netskope UI to complete these steps. To get the certificate, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution.

Important

The Netskope Root certificate is in .pem format. You will need to convert it to .cer or .crt format before importing it. Rename the file to convert from .pem to .cer format.

To create a trusted Netskope certificate profile:

  1. Click Profile > Create Profile. Enter and select these parameters:

    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: Trusted certificate.

    img-03-mem-trustedCert-a.png
  2. In the Trusted Certificate panel, provide a name in the Basics tab and click Next.

  3. In the Configuration settings tab, upload the Netskope Root certificate.

  4. Review your settings, and click Create.

Upload the Certificate Chain to Netskope

The root CA certificate and any intermediate CA certificates used to issue the device certificates must be uploaded to Netskope so that the Netskope VPN infrastructure can validate the certificates presented by devices.

Retrieve root and intermediate CA certificates from the SCEP server and upload them in the Netskope UI in PEM format. Copy the intermediate certificate first, and the root certificate last, into one file.

To upload your complete certificate chain used to validate mobile devices:

  1. Go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution, and then scroll down the page until you see the Upload Certificate to Netskope section.

  2. Click Upload/Replace Certificate, and then click Select Certificate to locate and select your certificate file.

  3. When finished, click Upload.

  4. When the Preview message box opens, click Save.
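The order of the uploaded file matters: intermediate certificates first, root certificate last. The script below is an added example, not Netskope tooling, that checks a PEM file for that order by reading each certificate's issuer and subject and confirming that every certificate is issued by the one that follows it and that only the last one is self-signed. The two certificates it runs on are constructed, unsigned DER structures that follow the X.509 layout, embedded so the script runs offline; it does not verify signatures, so run openssl verify on the real chain as well.

```python
"""Check the order of a PEM chain file before uploading it to Netskope.

Added example, not Netskope's own tooling. It reads only enough DER to get
each certificate's issuer and subject (compared as raw bytes), then checks
that intermediates come first and the self-signed root comes last.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return (issuer, subject) as raw DER bytes from an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate ::= SEQUENCE
    tag, _, nxt = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = nxt
    _, _, pos = _tlv(der, pos)             # serialNumber
    _, _, pos = _tlv(der, pos)             # signature AlgorithmIdentifier
    start = pos
    _, _, pos = _tlv(der, pos)             # issuer Name
    issuer = der[start:pos]
    _, _, pos = _tlv(der, pos)             # validity
    start = pos
    _, _, pos = _tlv(der, pos)             # subject Name
    return issuer, der[start:pos]


def split_pem(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]


def check_chain_order(pem_text):
    """Return a list of problems; an empty list means intermediates first, root last."""
    certs = [issuer_and_subject(der) for der in split_pem(pem_text)]
    if not certs:
        return ["no PEM certificates found"]
    problems, last = [], len(certs) - 1
    for i, (issuer, subject) in enumerate(certs):
        self_signed = issuer == subject
        if i == last and not self_signed:
            problems.append(f"cert {i}: last certificate is not self-signed (root must be last)")
        if i < last:
            if self_signed:
                problems.append(f"cert {i}: self-signed certificate is not last")
            if issuer != certs[i + 1][1]:
                problems.append(f"cert {i}: issuer does not match the subject of cert {i + 1}")
    return problems


# --- Constructed, unsigned certificate-shaped DER so the demo runs offline ---
SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"   # OID 1.2.840.113549.1.1.11


def _der(tag, body):
    """Minimal DER encoder (short and long length forms)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN (2.5.4.3)."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """X.509-shaped TBS with an empty key and a dummy signature (demo only)."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, SHA256_RSA)) + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + _der(0x30, _der(0x06, SHA256_RSA)) + _der(0x03, b"\x00"))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT = fake_cert("Example SCEP Root CA", "Example SCEP Root CA")
INTERMEDIATE = fake_cert("Example SCEP Issuing CA", "Example SCEP Root CA")
GOOD_CHAIN = to_pem(INTERMEDIATE) + to_pem(ROOT)    # intermediate first, root last
BAD_CHAIN = to_pem(ROOT) + to_pem(INTERMEDIATE)     # root first: wrong order

if __name__ == "__main__":
    print("good chain:", check_chain_order(GOOD_CHAIN) or "ok")
    print("bad chain: ", check_chain_order(BAD_CHAIN))
```

To check a real file, read it and pass its text to check_chain_order; the issuer/subject comparison is on raw DER bytes, which is the same test a validating peer performs when it builds the chain.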

Create an On-Demand VPN Profile

You need to know the VPN Server Name and PAC URL shown in the VPN Configuration section of the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution) to complete these steps.

To create an on-demand VPN profile:

  1. Go to Devices > Configuration Profiles > Create Profile. Enter and select these parameters:

    • Name: Enter a unique name.

    • Platform: iOS

    • Profile type: VPN

    img-07-vpnProfile.png
  2. In the Basics tab of the VPN panel, provide a name for the profile and click Next.

  3. In the Configuration settings panel, specify the following VPN settings:

    • Select Connection type as Cisco (IPSec).

    • In the Base VPN section, enter and select these parameters:

      img-08-vpnBaseVPN.png
      • Connection Name: Enter a name that users will recognize when the profile is installed on their device.

      • VPN Server address: Enter the VPN Server Name from the VPN Configuration section in the Netskope tenant WebUI.

      • Authentication Method: Certificates.

      • Authentication Certificate: Click Select a client authentication certificate, select the SCEP certificate profile you previously created, and then click OK.

      • Split Tunneling: Disabled

    • In the Automatic VPN section, enter and select these parameters:

      img-09-vpnAutoVPN.png
      • For Type of automatic VPN, select On-demand VPN.

      • For On-demand rules, click Add to enter and select these parameters in the Add Row panel:

        img-09-vpnAutoVPN-addRow.png
        • I want to do the following: Evaluate each connection attempt.

        • Choose whether to connect: Connect if needed.

        • When users try to access these domains: Add the domains for on-demand VPN, like Box.com, and so on (separated by a comma). After entering the URLs, click Add. When the probe URL is unreachable, the VPN is force-connected.

        • When domains resolve using any of these DNS servers: Enter the DNS servers that must resolve those domains. (Optional)

    • In the Proxy section, enter the location for PAC URL from the VPN configuration section in the Netskope tenant WebUI.

      10-vpnProxy.png
  4. In the Assignment tab, select the target audience.

  5. In the Review + Create tab, verify the settings and click Create.
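The on-demand rows above correspond to the rule keys in Apple's VPN payload (EvaluateConnection, ConnectIfNeeded, a list of domains, a required URL probe and required DNS servers). The script below is an added example, not Intune or Netskope code, that models how such a rule decides whether to start the VPN for one connection attempt: the host is suffix-matched against the listed domains, and a matching host connects when the probe URL is unreachable or when the domain was not resolved by the required DNS servers. The rule set, domain names and probe results are constructed; probe and DNS outcomes are passed in rather than measured, and the fall-through to the next rule when no domain matches is this model's simplification, not a statement about iOS internals.

```python
"""Model of iOS on-demand VPN rule evaluation for one connection attempt.

Added example; rule keys follow Apple's OnDemandRules payload, the sample
rules and results are constructed, and no network I/O is performed.
"""


def domain_matches(host, domain):
    """Suffix match on label boundaries: 'box.com' covers box.com and *.box.com."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip("*.").rstrip(".")
    return host == domain or host.endswith("." + domain)


def evaluate_on_demand(rules, host, probe_reachable, dns_servers_used):
    """Return 'connect', 'no-connect' or 'ignore' for a connection to `host`.

    rules:            list of dicts shaped like Apple's OnDemandRules
    probe_reachable:  dict mapping probe URL -> bool (result of the URL probe)
    dns_servers_used: DNS server IPs that answered the lookup for `host`
    """
    for rule in rules:
        action = rule.get("Action")
        if action == "EvaluateConnection":
            for params in rule.get("ActionParameters", []):
                if not any(domain_matches(host, d) for d in params.get("Domains", [])):
                    continue
                if params.get("DomainAction") == "NeverConnect":
                    return "no-connect"
                # ConnectIfNeeded: start the VPN when the probe URL is unreachable ...
                probe = params.get("RequiredURLStringProbe")
                if probe and not probe_reachable.get(probe, False):
                    return "connect"
                # ... or when none of the required DNS servers resolved the domain.
                required = params.get("RequiredDNSServers")
                if required and not set(dns_servers_used) & set(required):
                    return "connect"
                return "no-connect"
            continue   # model simplification: no domain matched, try the next rule
        if action in ("Connect", "Disconnect", "Ignore", "Allow"):
            return {"Connect": "connect", "Disconnect": "no-connect"}.get(action, "ignore")
    return "ignore"


# Constructed rule set mirroring the Add Row settings described above.
PROBE = "https://probe.example.com/up"          # constructed probe URL
RULES = [
    {
        "Action": "EvaluateConnection",          # "Evaluate each connection attempt"
        "ActionParameters": [
            {
                "Domains": ["box.com", "intranet.example.com"],   # constructed domains
                "DomainAction": "ConnectIfNeeded",                # "Connect if needed"
                "RequiredURLStringProbe": PROBE,
                "RequiredDNSServers": ["10.0.0.53"],              # constructed resolver
            }
        ],
    }
]

if __name__ == "__main__":
    print(evaluate_on_demand(RULES, "app.box.com", {PROBE: False}, ["10.0.0.53"]))
    print(evaluate_on_demand(RULES, "app.box.com", {PROBE: True}, ["10.0.0.53"]))
    print(evaluate_on_demand(RULES, "app.box.com", {PROBE: True}, ["8.8.8.8"]))
    print(evaluate_on_demand(RULES, "www.example.org", {}, []))
```

The three outcomes worth recognising when testing a profile are: probe unreachable means the tunnel comes up, a reachable probe with the expected resolver means traffic stays direct, and a host outside the listed domains is not touched by the rule at all.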

Create a Per-App VPN Profile

By default, all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

You need to know the VPN Server Name and PAC URL shown in the VPN Configuration section of the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution) to complete these steps.

To create a Per-App VPN profile:

  1. Go to Devices > Configuration Profiles > Create Profile. Enter and select these parameters:

    • Name: Enter a unique name.

    • Platform: iOS

    • Profile type: VPN

    img-07-vpnProfile.png
  2. In the Basics tab of the VPN panel, provide a name for the profile and click Next.

  3. In the Base VPN panel, enter and select these parameters:

    • Connection Type: Cisco (IPSec).

    • In the Base VPN section, enter and select these parameters:

      img-08-vpnBaseVPN.png
      • Connection Name: Enter a name that users will recognize when the profile is installed on their device.

      • VPN Server address: Enter the VPN Server Name from the VPN Configuration section in the Netskope tenant WebUI.

      • Authentication Method: Certificates.

      • Authentication Certificate: Click Select a client authentication certificate, select the SCEP certificate profile you previously created, and then click OK.

      • Split Tunneling: Disabled

  4. In the Automatic VPN section, enter and select these parameters:

    • For Type of automatic VPN, select Per-app VPN.

    • Safari URLs that will trigger this VPN: Add the domains for per-app VPN, like Box.com, and so on (separated by a comma). After entering the URLs, click Add.

  5. In the Proxy section, for Automatic Configuration Script, enter the PAC URL from the VPN configuration section in the Netskope tenant WebUI. Click Next to continue.

  6. In the Assignments tab, select your target audience for this profile. Click Next to continue.

  7. In the Review + Create tab, verify your settings and click Create.

  8. Associate the Per-App VPN profile with the applications to steer through the VPN connection. Go to Intune > Client Apps > App Licenses, select one of the apps listed there, and then click Assignments.

    PerAppAssignment.png
  9. Click Add group, select Required for Assignment Type, click Yes to include Users and Devices (per your needs), and then click Select groups to include.

    PerAppSelectGroups.png
  10. Search for and choose one or more groups, and then click Select. Click OK in the Assign and Add Group panels.

Associating the Per-App VPN profile with the Apps

Associate the Per-App VPN profile with the applications to steer through the VPN connection.

  1. In the MEM admin console, go to Apps > All apps, select one of the apps listed there, and then click Properties.

    11-perApp.png
  2. In the app properties page, click Edit.

    12-perApp-assignments.png
  3. In the Required section, click Add Group. Search and choose one or more groups, and then click Select.

    13-perApp-addGroup.png

iOS VPN Fail Open

The fail-open function allows traffic from a device using the iOS VPN to bypass Netskope and go directly to the app or service. When fail open is enabled, all iOS devices stop steering traffic to Netskope. Fail open occurs either when Netskope initiates it because of a service interruption or when an admin enables it in the Netskope UI.

To enable fail open for iOS VPN:

  1. In the Netskope UI, go to Settings > Security Cloud Platform > MDM Distribution.

  2. In the Create VPN Configuration section, confirm that your iOS VPN is operational. If so, click the tool icon to open the Advanced Configuration dialog box.

    iOSvpnFailOpen.png
  3. Enable the toggle and then click Save.

To restore steering traffic through Netskope, disable the toggle in the Advanced Configuration dialog box.