Netskope Help

Deploying Client on iOS VPN Using VMware Workspace ONE

A VPN profile is required for sending traffic to Netskope’s gateway for advanced DLP and risk analytics. In iOS, a VPN profile can be created for On-Demand or Per-App VPN. You should already have a configuration of VMware Workspace ONE with a Certificate Authority and Template with the Subject Name in PEM format to generate user certificates for VPN authentication.

Root CA and any intermediate CA certificates used for issuing device certificates have to be configured in the Netskope VPN server so that the Netskope VPN server can validate the user certificates when the device connects to the Netskope VPN server.

Important

Please retrieve any certificate chains from your Certificate Authority and provide them to the Netskope support team.

The steps required to get the needed certificate information are:

  1. Create a Certificate Authority using SCEP to issue device certificates.

  2. Create a Certificate Template with Subject Name in a specific format.

  3. Upload Certificates to Netskope.

  4. Download Netskope Certificates.

For information about iOS VPN fail-open, refer to iOS VPN Fail Open.

If you already have a Certificate Authority, skip to the next section to create your Certificate Template.

To configure the Microsoft ADCS SCEP server as the Certificate Authority in VMware Workspace ONE:

  1. In the VMware Workspace ONE console, go to Devices > Certificates > Certificate Authorities.

  2. Click + Add.

  3. Enter these parameters:

    • Name: Enter a unique name.

    • Authority Type: Microsoft ADCS

    • Protocol: SCEP

    • Version: Select current SCEP version.

    • SCEP URL: For example, http://<fqdn>/certsrv/mscep/mscep.dll

    • Challenge Type: Enter the type required by your SCEP server.

    • Challenge Username: Enter the username for your SCEP server.

    • Challenge Password: Enter the password for your SCEP server.

    • SCEP Challenge URL: For example, http://<fqdn>/certsrv/mscep_admin/

    • Enable Proxy: Disabled

  4. Click Save to create a new Certificate Authority.

A Certificate Template is used to issue device certificates with the Subject Name in the PEM format required by the Netskope VPN server. For this procedure you'll need the OU (Tenant) and O (Organization Name) values from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Certificate Setup).

To create a Certificate Template:

  1. In the VMware Workspace ONE console, go to Devices > Certificates > Certificate Authorities.

  2. Click Request Templates.

  3. Click + Add.

  4. Enter these parameters:

    • Name: Enter a unique name.

    • Certificate Authority: Select the CA you created previously for issuing device certificates.

    • Subject Name: CN=<EmailAddress>,E=<EmailAddress>,OU=<Tenant OU>,O=<Organization Name>,L=<Location>,T=<State>,C=<Country>

      Use the OU and O values from the Netskope UI.

      Important

      Location (L), State (ST), and country (C) must be unique for your CA.

    • Private Key Length: 2048

    • Private Key Type: Signing

  5. Click Save to create a new request template.

The Root CA and any intermediate CA certificates used for certificates have to be uploaded to Netskope so the Netskope VPN infrastructure can validate certificates from devices.

Retrieve root and intermediate CA certificates from the SCEP server and upload them in the Netskope UI in PEM format. Copy the intermediate certificate first, and the root certificate last, into one file.

To upload your complete certificate chain used to validate mobile devices:

  1. Go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution, and then scroll down the page until you see the Upload Certificate to Netskope section.

  2. Click Upload/Replace Certificate, and then click Select Certificate to locate and select your certificate file.

  3. When finished, click Upload.

  4. When the Preview message box opens, click Save.

GRE traffic does not require the Netskope Client to be present on the end users' devices. As the intercepted HTTPS traffic will now present a Netskope SSL certificate to the end user, their devices need to trust the Netskope certificate in order to ensure a smooth user experience. In order to achieve this, security administrators can download and distribute the Netskope certificate to all their endpoints during deployment.

To download the Netskope certificates, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution, and then in the Certificate Setup section click the Download Netskope Root Certificate and the Download Netskope Intermediate Certificate buttons.

This topic describes configuring an iOS profile for on-demand VPN. By default, the VPN is set to on-demand. On-demand VPN is a device-wide VPN. For this procedure you'll need the VPN Server name, URL String Probe, and PAC URL from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration).

Note

When deployed in CASB mode, the Netskope iOS solution will tunnel traffic on port 80.

To create an on-demand VPN profile:

  1. In the VMware Workspace ONE Console, go to Resources > Profiles & Baselines > Profiles.

  2. Select Add Profile from the Add dropdown menu.

  3. Select Apple iOS from the platform list.

  4. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always

    • Managed By: Netskope Inc.

    • Smart Groups: Enter text in the field to select a smart group.

    • Exclusions: No

  5. Select Credentials in the left navigation panel, click Configure, and then enter these parameters:

    • Credential Source: Defined Certificate Authority

    • Certificate Authority: Select the CA you created previously.

    • Certificate Template: Select the certificate template you created previously for issuing certificates.

  6. Click on + in the bottom-right corner and enter these parameters:

    • Credential Source: Upload

    • Credential Name: rootcaCert.pem. This is the name of the Netskope Root certificate so a browser can trust the certificates issued by the Netskope proxy.

    • Certificate: Upload

  7. Select VPN in the left navigation panel, click Configure, and then enter these parameters:

    • Connection Name: Enter a unique name.

    • Connection Type: IPSec (Cisco)

    • Server: Enter your VPN server name from the Netskope UI.

    • Account: Click the + symbol and select EnrollmentUserID.

    • Enter any domains that will be tunneled from a browser.

  8. Under Authentication, enter these parameters:

    • Machine Authentication: Certificate.

    • Identity Certificate: Choose the certificate credential you configured previously.

    • Include User Pin: Disable checkbox.

    • Enable VPN On Demand: Enable checkbox.

    • Use New On-Demand Keys: Enable checkbox.

  9. Under On-Demand Rule, set Action to Evaluate Connection.

  10. Under Action Parameter, enter the parameters for your mode:

    Mode | Action              | Interface Match                             | URL Probe
    CASB | Evaluate Connection | Enter the SaaS domains the devices will use | Enter your tenant's URLStringProbe.
    Web  | Connect             | Any                                         | Enter your tenant's URLStringProbe.

    To get your URLStringProbe, go to Settings > Security Cloud Platform > Select MDM Distribution. The URLStringProbe is listed under the Create VPN Configuration section.

  11. Click Add Rule. Set the On-Demand Rule action to Disconnect. Enter the URL String probe provided in the Netskope tenant UI.

    Tip

    The On-Demand Rule option appears after you click the Add Rule.

  12. Under Proxy, enter these parameters:

    1. Proxy: Automatic.

    2. Proxy Server Auto Config URL: Enter the PAC URL in the Netskope tenant UI. For example: https://addon-<tenant hostname>/mobile/user/pac?orgkey=<org_key>&email={EmailAddress}

    3. Click Save & Publish.

Per-App VPN is primarily for those looking to support BYOD devices where privacy and/or security are concerns, and neither the end user nor the admins want personal, non-work data being steered to Netskope.

By default all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

For this procedure you'll need the VPN Server name and PAC URL from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration).

Note

When deployed in CASB mode, the Netskope iOS solution will tunnel traffic on port 80.

To create a Per-App VPN profile:

  1. In the VMware Workspace ONE Console, go to Resources > Profiles & Baselines > Profiles.

  2. Select Add Profile from the Add dropdown menu.

  3. Select Apple iOS from the platform list.

  4. On the General page, enter these parameters:

    • Name: Enter a unique name.

    • Deployment: Managed

    • Assignment Type: Auto

    • Allow Removal: Always

    • Managed By: Netskope Inc.

    • Assigned Groups: Enter text in the field to select a smart group.

    • Exclusions: No

  5. Select Credentials in the left navigation panel, click Configure, and then enter these parameters:

    • Credential Source: Defined Certificate Authority

    • Certificate Authority: Select the CA you created previously.

    • Certificate Template: Select the certificate template you created previously for issuing certificates.

  6. Click on + in the bottom-right corner and enter these parameters:

    • Credential Source: Upload

    • Credential Name: rootcaCert.pem. This is the name of the Netskope Root certificate so a browser can trust the certificates issued by the Netskope proxy.

    • Certificate: Upload

  7. Select VPN in the left navigation panel, click Configure, and then enter these parameters:

    • Connection Name: Enter a unique name.

    • Connection Type: IPSec (Cisco)

    • Server: Enter your VPN server name in the Netskope UI.

    • Account: Click the + symbol and select EnrollmentUserID.

    • Per-App VPN Rules: Enable checkbox.

    • Connect Automatically: Enable checkbox.

    • Provider Type: None

    • Enter any domains that will be tunneled from a browser.

  8. Under Authentication, enter these parameters:

    • Machine Authentication: Certificate.

    • Identity Certificate: Choose the certificate credential you configured previously.

    • Include User Pin: Disable checkbox.

    • Enable VPN On-Demand: Enable checkbox.

  9. Under Proxy, enter these parameters:

    1. Proxy: Automatic.

    2. Proxy Server Auto Config URL: Enter the PAC URL in the Netskope tenant UI. For example: https://addon-<tenant hostname>/mobile/user/pac?orgkey=<org_key>&email={EmailAddress}

    3. Click Save & Publish.

These steps are for configuring Per-App VPN. Skip this section if you are using On-Demand VPN.

By default all Netskope tenants are set to On-Demand VPN. If you want to use Per-App VPN, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

To configure managed apps for Per-App VPN:

  1. In the VMware Workspace ONE Console, go to Resources > Apps > Native.

  2. Select the Public tab and click Add Application.

  3. Select Apple iOS from the Platform dropdown list.

  4. Select Search App Store, enter an app name (for example, Box) for Name, and then click Next.

  5. When the Search box opens, select the app you want. When the Add Application box opens, click Save & Assign.

  6. In the Update Assignment box, click Add Assignment.

  7. Select the Assignment Group from the dropdown list, enable App Tunneling, and then select the Per-App profile you created from the Per-App VPN Profile dropdown list.

  8. Click Save & Publish.

Fail open function allows traffic from a device using iOS VPN to bypass Netskope and directly go to an app or service. When fail open is enabled, all iOS devices will no longer steer traffic to Netskope. Fail open occurs when Netskope initiates it due to a service interruption and when an admin enables it in the Netskope UI.

To enable fail open for iOS VPN:

  1. In the Netskope UI, go to Settings > Security Cloud Platform > MDM Distribution.

  2. In the Create VPN Configuration section, confirm that your iOS VPN is operational. If so, click the tool icon to open the Advanced Configuration dialog box.

  3. Enable the toggle and then click Save.

To restore steering traffic through Netskope, disable the toggle in the Advanced Configuration dialog box.