Intune with iOS and GlobalProtect, utilizing certificate-based authentication troubles.

L1 Bithead

We have been trying to migrate a client from Airwatch to Intune for MDM management. Part of this deployment was implementing certificate-based authentication for their GlobalProtect VPN client. We have been successful with Windows and Android. However, we have not been able to get macOS, iPadOS, or iOS to work successfully. All the error logs indicate that the GlobalProtect application does not know how to identify the certificate that is being deployed via Intune. We have validated that root and intermediate certificates are on the devices. I am all ears as to any help anyone can provide on this.

L1 Bithead

Hi Ben,
I also work on the same setup with Intune and iOS.

It seems that we run into the same issue. 

Did you find a solution for that?

In the PANGPS log I found the errors:

"Couldn't find any matching identities. Trying to continue without client cert
Client cert error detail is Client cert usage check failed
error detail is Client cert usage check failed"

Any idea? Is it a problem with the certificate store lookup?

Kind regards,

Torsten
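For anyone triaging the same PANGPS messages, here is a small log scanner I put together as an added example (it is not part of this thread or of Palo Alto's tooling). It matches the two error strings quoted above and maps each to the check this thread ended up needing; the sample log lines and their layout are constructed, not real PANGPS output.

```python
import re
from typing import Dict, List

# Constructed sample PANGPS log, modelled on the error text quoted in the thread.
# The timestamp/level layout is an assumption; real PANGPS logs differ in format.
SAMPLE_PANGPS_LOG = """\
(T1) 08/01 10:02:11:101 Info (  41): Connecting to portal gp.example.invalid
(T1) 08/01 10:02:12:307 Error(1205): Couldn't find any matching identities. Trying to continue without client cert
(T1) 08/01 10:02:12:309 Error(1210): Client cert error detail is Client cert usage check failed
(T1) 08/01 10:02:12:310 Error(1211): error detail is Client cert usage check failed
(T1) 08/01 10:02:13:001 Info (  44): Portal authentication failed
"""

# Patterns are the literal messages quoted in the thread; keys are our own labels.
CLIENT_CERT_PATTERNS = {
    "no_matching_identity": re.compile(r"Couldn't find any matching identities"),
    "cert_usage_check_failed": re.compile(r"Client cert usage check failed"),
}

# Hints reflect the resolution reported in this thread (VPN profile never reached
# the device because of a wrong user/role assignment), not a general PAN diagnosis.
TRIAGE_HINTS = {
    "no_matching_identity": (
        "GlobalProtect found no usable client identity: confirm the Intune VPN "
        "profile (not only the GP app) was actually delivered to the device."
    ),
    "cert_usage_check_failed": (
        "The certificate GP located did not pass its usage check: verify the user "
        "certificate profile and VPN profile are both assigned to this user/group."
    ),
}


def triage_pangps_log(text: str) -> Dict[str, object]:
    """Scan PANGPS log text and return matched lines, distinct issues and hints."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for key, pattern in CLIENT_CERT_PATTERNS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "issue": key, "text": line.strip()})
    issues = sorted({str(f["issue"]) for f in findings})
    return {
        "findings": findings,
        "issues": issues,
        "hints": [TRIAGE_HINTS[i] for i in issues],
    }


if __name__ == "__main__":
    for hint in triage_pangps_log(SAMPLE_PANGPS_LOG)["hints"]:
        print("-", hint)
```

Point it at the real PANGPS.log contents instead of SAMPLE_PANGPS_LOG to get the same summary for a device that fails to connect.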

We ended up scrapping the project, and going back to Airwatch. If you ever figure it out, I would be interested to know how to get around those errors.

Yes, we found a solution right now.

The problem was that the Intune VPN profile wasn't pushed to the device. My colleagues analyzed it and changed something. Now everything is working fine with a split VPN setup. Certificate authentication and user authentication are working fine.

Also the tag detection on the device.

The only problem we found is that Intune doesn't remove the app again. Only installation is working fine.

L1 Bithead

If you could find out what your colleagues did to get it to work, you would be a life saver.

There was a wrong user role mapping. With the right mapping, the VPN config will also be pushed to the client. Without it, only the VPN client will be pushed to the client.

It's not easy to see this misconfiguration inside Intune logs.

L1 Bithead

For GlobalProtect on iOS iPhone or iPad to be managed by Microsoft Intune for user certificate authentication, Intune must contain an iOS device VPN policy with:

Connection Type: Palo Alto Networks GlobalProtect
Connection Name: <variable free form>
VPN server Address: <GlobalProtect Portal FQDN or IP>
Authentication method: Derived credential

Hcornwell, are you talking about the pre-canned VPN policy that MS offers in Intune?

L1 Bithead

Here is the Intune SS for my reference.

There must also be an install of GP, be it pushed via MDM or user download. Once the Intune policy exists on the iPhone, then the GP client can be installed.

So the policy has to be deployed prior to the install being pushed?

That is only in my environment due to app controls in Intune. It is entirely dependent on your Intune MDM controls and deployment. This is not a GP consideration.

Got it, so you are deploying the app not through Intune, only the policy? Correct?

We are deploying the app via Intune also, but the way Intune works, if it's all part of the push but the GP agent already exists, then the whole policy script fails.

 

I had an issue where a user could install GP from the MDM app store of approved apps. If a user installed GP before Intune ran the MDM script for VPN, the whole VPN policy script would fail and the VPN profile never got installed.

I believe that this is due to an Intune issue where the push script fails if the app already exists.

Ok, this makes sense. Did you have a way of logging those policies not working, I mean did you see them in the Intune logs?
