topic Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles. in GlobalProtect Discussions

Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Fri, 03 Nov 2023 15:41:29 GMT

We have been trying to migrate a client from Airwatch to Intune for MDM management. Part of this deployment was implementing certificate-based authentication for their Global Protect VPN client. We have been successful with Windows, and Android. However, we have not been able to get MacOS, iPadOs, or IOS to work successfully. all the Error logs indicate that the Global Protect application does not know how to identify the certificate that is being deployed via Intune. We have validated that Root and Intermediate certificates are on the devices. I am all ears as to any help anyone can provide on this.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

TorstenForster — Sun, 21 Apr 2024 15:37:38 GMT

Hi Ben,
I also work on the same setup with intune and ios.

It seems that we run into the same issue.

Did you find a solution for that?

In the PANGPS log I found the errors:

"Couldn't find any matching identities. Trying to continue without client cert

Client cert error detail is Client cert usage check failed

error detail is Client cert usage check failed"

Any Idea? Is it a problem with the certificate store lookup?

kind regards

Torsten

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Tue, 23 Apr 2024 23:06:51 GMT

We ended up scaping the project , and going back to Airwatch. if you ever figure it out, i would be interested to know how to get around those errors.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

TorstenForster — Fri, 26 Apr 2024 06:56:07 GMT

Yes, we found a solution right know.

The Problem was that the intune vpn profile wasn't pushed to the device. My Collegues analyzed it and changed something. Now, everything is working fine with a split vpn setup. Certificate autheneticaten and user authentication is working fine.

Also the tag detection on the device.

The only problem we found is that intune doesn't remove the app again. Only installation is working fine

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Fri, 26 Apr 2024 14:55:35 GMT

If you could find out what your colleagues did to get it to work, you would be a life saver.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

TorstenForster — Thu, 02 May 2024 16:13:54 GMT

There was a wrong userrole mapping. With the right mapping, also the VPN config will be pushed to the client. Without, only the VPN client will be pushed to the client.

Its not easy to see this misconfiguration inside intune logs.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

HCornwell — Wed, 04 Sep 2024 17:38:50 GMT

For GlobalProtect on iOS iPhone or iPad to be managed by Microsoft Intune for user certificate authentication, Intune must contain an iOS device VPN policy with:

Connection Type: Palo Alto Networks GlobalProtect
Connection Name: <variable free form>

VPN server Address: <GlobalProtect Portal FQDN or IP>

Authentication method: Derived credential

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Thu, 05 Sep 2024 14:43:48 GMT

Hcornwell, are you talking about the pre-canned VPN policy that MS offers in intune?

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

HCornwell — Fri, 06 Sep 2024 16:39:43 GMT

Here is the Intune SS for my reference.

There must also be an install of GP, be it pushed via MDM or user download. Once the Intune policy exists on the iPhone, then the GP client can be installed.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Fri, 06 Sep 2024 16:58:45 GMT

So the Policy has to be deployed prior to the Install being pushed?

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

HCornwell — Fri, 06 Sep 2024 17:02:04 GMT

That is only in my environment due to app controls in Intune. It is entirely dependent on your Intune MDM controls and deployment. This is not a GP consideration.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Fri, 06 Sep 2024 17:08:06 GMT

Got it, so you are deploying the app , not through intune . only the policy? correct.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

HCornwell — Fri, 06 Sep 2024 17:28:12 GMT

We are deploying the app via Intune also, but the way Intune works, if it's all part of the push, but the GP agent exists, then the whole policy script fails.

I had an issue where a user could install GP from the MDM app store of approved apps. If a user installed GP before Intune ran the MDM script for VPN, the whole VPN policy script would fail and the VPN profile never got installed.

I believe that this is due to an Intune issue where the push script fails if the app already exists.

Re: Intune with IOS and Global Protect, utilizing certificate-based authentication troubles.

Ben_Laney — Fri, 06 Sep 2024 20:56:37 GMT

Ok, this makes sense. Did you have a way of logging those policy's not working, I mean did you see them in the intune logs?