This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to enforce GlobalProtect Connection for Network Access on iPhone with GP 5.0 App

Go to solution
Jochen.Reinecke
L1 Bithead

‎10-18-2018 11:46 PM

Hey Guys,

 

i'm currently testing the GlobalProtect App 5 with iOS Deviecs and Airwatch MDM. Everything works great, but it seems like that it isn't important which setting i've selected in the Portal > Agent > App (Settings). I've tried to enforce GlobalProtect for Network Access on iPhone but i can still deselect "connect on demand", so it is possible to access the Internet without GP.

 

Any Ideas? Does the Agent Settings effect? Anything else to configure espacially in AirWatch?

 

Thanks and best regards,

 

Jochen

0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
MickBall
L7 Applicator
In response to OtakarKlier

‎10-20-2018 02:46 AM

Of course Mr Klier.
In brief...
we have just under 2k users with ipads. These are managed via mdm.
The global proxy is set via mdm so users cannot change or remove it
It points to a proxy.pac file on tinternet.
The proxy server is 1.2.3.4, this obviously does not exist so any web browsing fails with proxy error...
However....
There are exceptions in the pac file that allows direct access (no proxy) to our portals and gateways.

This allows GlobalProtect to bypass global proxy settings and connect as normal..

There is another statement within the pac file that says “ if connected to corporate network then go direct” (no proxy) so users browse as normal when connected via our internal to external firewalls.

This for some reason also works with captive portal wifi connections... it does something clever to allow captive portal auth prior to applying global proxy. Nothing to do with the pac file, its just an ios thing...

Not everyones cup of tea but has proved a winner for us over many years....

Happy to provide an example pac file if needs be...

We also use similar for windoze devices as the force global protect option just does not play with our users and crams helpdesk with calls regarding the captive portal timeout thingy...



View solution in original post

2 people found this solution to be helpful.
22 REPLIES 22

Go to solution
MickBall
L7 Applicator

‎10-19-2018 02:55 AM

since day one of GP on IOS  it has not been possible to force GP...

the user always has the option to disable VPN in the settings menu regardless of app settings.

 

I use a global proxy to prevent internet browsing when not connected via GP as never found any other way of enforcing this. 

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to MickBall

‎10-19-2018 11:40 AM

Hello Mick,

Would be able to get into a bit more detail on the global proxy and how you force mobile devices to use it? I would like to hear how others are solving this solution.

 

Regards,

0 Likes Likes

Go to solution
MickBall
L7 Applicator
In response to OtakarKlier

‎10-20-2018 02:46 AM

Of course Mr Klier.
In brief...
we have just under 2k users with ipads. These are managed via mdm.
The global proxy is set via mdm so users cannot change or remove it
It points to a proxy.pac file on tinternet.
The proxy server is 1.2.3.4, this obviously does not exist so any web browsing fails with proxy error...
However....
There are exceptions in the pac file that allows direct access (no proxy) to our portals and gateways.

This allows GlobalProtect to bypass global proxy settings and connect as normal..

There is another statement within the pac file that says “ if connected to corporate network then go direct” (no proxy) so users browse as normal when connected via our internal to external firewalls.

This for some reason also works with captive portal wifi connections... it does something clever to allow captive portal auth prior to applying global proxy. Nothing to do with the pac file, its just an ios thing...

Not everyones cup of tea but has proved a winner for us over many years....

Happy to provide an example pac file if needs be...

We also use similar for windoze devices as the force global protect option just does not play with our users and crams helpdesk with calls regarding the captive portal timeout thingy...



2 people found this solution to be helpful.

Go to solution
vsys_remo
Cyber Elite
Cyber Elite
In response to MickBall

‎10-20-2018 06:00 AM

@MickBall

Nice solution for the iOS devices. Need to keep that in mind 😉

 

I am also interested in the way you solved the problem on windows. The way I used here is set the captive portal timeout to 1 hour and use simple http websites as default websites in the users browsers. The notifications of global protect are not very useful (not to say useless), but this way the user only has to open the browser to be redirected to whatever captive portal there is. This http website does nothing else than redirecting to the https company website, but as it is http it does not break the captive portal redirect.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks