iOS VPN on-Demand with client certificate - Reboot and no VPN Connection



L0 Member

Hey community,


we are currently trying to enroll iOS devices with an always-on VPN connection, authenticated by client certificate.


A lot of people turn their iPhone off overnight and start it in the morning. While the iPhone is still locked, WiFi is not enabled, and I guess the client certificates are not available either. So mobile data is active, which tries to connect to Palo Alto and build the VPN, but it cannot reach the certificate. Sometimes, if you unlock it immediately, it works and the VPN is established.


Does anyone have a similar scenario? We are using MobileIron for MDM and Prisma Access, and want to tunnel the whole traffic.


Thanks so far.





L0 Member

Hey community, 


we have solved this case together with PA Engineers.


For those who are fighting with the same issues, here is the problem analysis and solution.



- Starting the iPhone, and as long as it remains in "locked mode", WiFi is disabled and it has no access to user certificates (this setting changed with iOS 15).

- Mobile data can already be used for certain processes, so GlobalProtect also loads its profile and gets the information to authenticate the user for VPN using the OS rule for iOS with the option "SAML or certificate". And this is the problem: there is no access to the user certificate, so it tries to authenticate with SAML, which is not properly possible on the iPhones. So it keeps trying this and runs into a timeout.



Delete all iOS and Any OS user authentication rules, and then there is a fallback rule which only uses certificate.

And here we go: a couple of seconds after you unlock your iPhone, the VPN is connected.

Something you have to know.


Here is what the Engineer wrote:


Update from PA:
Below are the steps which can be followed:
1) In the GlobalProtect User Authentication settings, ensure there are entries for each OS that is in your client base with the appropriate authentication.
2) Delete any entry with OS as ANY or iOS.
3) Push the changes to Prisma.
4) Manually open the GP client and connect to GP.
5) Test the GP connectivity on the iOS device by rebooting it (both WiFi and Mobile Data).
6) Revert the changes back to the way it was after the test.


Hope this can help some others too.


Can be closed.



