How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App


L1 Bithead

Hey Guys,

 

I'm currently testing the GlobalProtect App 5 with iOS devices and AirWatch MDM. Everything works great, but it seems like it isn't important which setting I've selected in the Portal > Agent > App (Settings). I've tried to enforce GlobalProtect for Network Access on iPhone, but I can still deselect "connect on demand", so it is possible to access the Internet without GP.

Any ideas? Do the Agent Settings have an effect? Anything else to configure, especially in AirWatch?

 

Thanks and best regards,

 

Jochen

22 REPLIES 22

@Mick_Ball Very cool resolution to this problem.

@Mick_Ball 

 

I have to ask, if the file doesn't exist on the internet, how is the iPad reading that file? Is it locally pushed down somewhere?

Hi @Sec101 .

For iOS it needs to be on interweb.

http://yourserver.com/nameofpacfile.pac

On windoze you can use a local file location, but that may have recently changed; you would be better off using a file on the web, as any change will be picked up by all clients immediately.

 

hth.

 

mick.

@Mick_Ball

 

When your iPads are internal, are you tunneling those devices? I'm having some issues getting User-ID to populate usernames if the iPad is internal only without a tunnel. The tunnel works as expected though...

@Sec101 . Hi.

They are never internal. Our office-based users (iPad) just connect to our public wifi service.

The outgoing wifi Palo has a link to the GP Palo to save hairpin/trombone across ISP. Sorry, not much help for you.

There are some options for iOS to auth on a domain for file share, but that was not for us.

@Mick_Ball 

 

Not a problem. As always, your replies are very helpful! So yours, if turned on, are always VPN'd in. I'm starting to wonder, if you don't use the tunnel, whether User-ID actually works on an iOS device.

I tried to do this without an internal gateway and we ran into problems with "enforce global protect for network access" and the tunnel not being established.  We ended up doing an internal gateway and you're right, it doesn't identify the users.  iPads are kinda terrible at being identified.  We are doing the identification over radius through our NAC.  We are sending the user info along after a successful authentication.  

@brianjreed 

 

Just so I can confirm,

 

So you did try this internal only, without a tunnel, using GlobalProtect on iPads, manually signed into the GP agent, and it didn't identify the user that was signed in like you would expect it to?
