https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-ngfw-the-connection-to-global-protect-on-the-ipads-times/m-p/1243767#M7171 <P>Thank you for sharing&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289674">@DanielS.Romero</a>&nbsp;!&nbsp;</P> Fri, 12 Dec 2025 04:40:51 GMT JayGolf 2025-12-12T04:40:51Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-ngfw-the-connection-to-global-protect-on-the-ipads-times/m-p/1243761#M7169 <P>Hello team,<BR /><BR /></P> <P>I created this post to share my experience resolving recent issues related to GlobalProtect on iPad devices.<BR /><BR /></P> <P>We have some users with iPads who attempted to connect to GlobalProtect using SAML-based authentication; however, after the users logged in with their credentials, the GlobalProtect application displayed the following error "<FONT size="4" color="#FF0000"><STRONG><I>Connection Failed or The Connection TimeOut or Timeout Expired</I></STRONG></FONT>", and the iPad lost its internet connection:</P> <P><BR /><FONT color="#FF0000"><STRONG>GLOBAL PROTECT IPAD CONNECTION TIME OUT</STRONG></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_1-1765512275788.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70103iCA98C95EBAD0C96B/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_1-1765512275788.png" alt="DanielSRomero_1-1765512275788.png" /></span><BR />We found the following cause for this behavior (we were using the user login mode):<BR /><BR /><FONT size="4" color="#FF0000"><STRONG><FONT size="3">CAUSE</FONT></STRONG></FONT><BR />- GlobalProtect iOS application only supports <STRONG>SAML authentication</STRONG> for <STRONG>on-demand connect method</STRONG> (Manual user-initiated connection) due to Apple VPN framework limitation.<BR /><BR />- When <STRONG>Always-on mode</STRONG> is deployed to iOS devices, the Apple device <STRONG>blocks the internet connection</STRONG> and since SAML authentication requires internet, it will not work.<BR /><BR />- When using a VPN profile in conjunction with MDM, the onDemandEnabled option behaves the same as the GP "Always-on" mode. Thus, SAML authentication is not supported on iOS devices when a VPN profile is used with onDemandEnabled = 1. <BR />As a solution we create a agent<BR /><BR /><STRONG><FONT color="#FF0000">RESOLUTION</FONT><BR /></STRONG>To allow&nbsp;iOS iPhone or iPad to work with Global Protect, we need to have <STRONG>On-demand</STRONG> as the connect method over the Portal, after that, the iPads can now connect without any issue, as shown below:<STRONG><BR /></STRONG><BR /><STRONG><FONT color="#FF0000">GLOBAL PROTECT PORTAL CONNECTION METHOD</FONT></STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_2-1765512424721.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70104i92A4AEB2449445EF/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_2-1765512424721.png" alt="DanielSRomero_2-1765512424721.png" /></span><BR /><FONT color="#FF0000"><STRONG>GLOBAL PROTECT CONNECTED</STRONG></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DanielSRomero_0-1765513227125.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/70105i2F495EFEBB94547D/image-size/medium?v=v2&amp;px=400" role="button" title="DanielSRomero_0-1765513227125.png" alt="DanielSRomero_0-1765513227125.png" /></span></P> <P>&nbsp;</P> <P><SPAN>The best way to accomplish the same is to configure a new Agent instance only for IOS devices and move it to the top of the list,&nbsp;</SPAN></P> <P><BR /><SPAN>With the above configuration, the new Agent will take care of iOS iPad and iPhone clients. All other clients will use the second Agent in the list and are not affected.<BR /><BR /><BR /></SPAN></P> <P>Thank you for your time, and I hope this information is helpful in your daily cybersecurity work. I would greatly appreciate your support by liking or accepting this answer as the solution; it would help me a lot in becoming a CyberElite!</P> <P><SPAN><BR />Best Regards,</SPAN><BR /><BR /><SPAN>Daniel Romero</SPAN><BR /><SPAN>Senior Network/Security Engineer</SPAN><BR /><SPAN>PANW Partner<BR /><LI-PRODUCT title="GlobalProtect" id="GlobalProtect"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="VM-Series" id="VM-Series"></LI-PRODUCT>&nbsp;</SPAN></P> Fri, 12 Dec 2025 05:19:06 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-ngfw-the-connection-to-global-protect-on-the-ipads-times/m-p/1243761#M7169 DanielS.Romero 2025-12-12T05:19:06Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-ngfw-the-connection-to-global-protect-on-the-ipads-times/m-p/1243767#M7171 <P>Thank you for sharing&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289674">@DanielS.Romero</a>&nbsp;!&nbsp;</P> Fri, 12 Dec 2025 04:40:51 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/solved-ngfw-the-connection-to-global-protect-on-the-ipads-times/m-p/1243767#M7171 JayGolf 2025-12-12T04:40:51Z