Skip to main content

Skyhigh Security is launching standalone documentation portals to support Japanese, German, and French languages. We are not supporting auto-translation. Stay tuned for further updates. Thanks for your support.

Skyhigh Security

Ivanti Neurons Configuration Flow for iOS


This article assumes your device is already managed with Ivanti Neurons. The enrollment of devices into Ivanti Neurons is not part of the scope for this document.

Configuration Steps

The following 3 configurations will need to be created in Ivanti Neurons cloud console:
1. Configure server root CA certificate
2. Configure Identity Certificate
3. Create VPN Profile and distribute

Configure server root CA certificate

Go to the Configuration tab, search for Certificate configuration, and click on it.



Enter the appropriate name in the Name field.

In the Configuration Setup field, choose the server root CA certificate from the system.


Click on Next → select in which device certificate to be pushed → click on Done.
For more details on distributing the certificate to a device, refer #3 Step.

Configure Ivanti Neurons with SCEP Server

Step1 : Configure Certificate Authority

1. Login to Ivanti Neurons.
2. Navigate to Admin → Certificate Authority ( on the left-hand pane )→ Add.
3. Select Create a Standalone Certificate Authority → Continue and fi ll in the CA Certificate details and Click Generate.


You will now be able to see the generated CA Authority as shown above in the image.

Configure Identity Certificate

Step1: Go to Configurations tab, search for Identity Certificate configuration, and click on it.

Step 2: Configure Identity Certificate Template

  1. Navigate to Configurations → Add → Identity Certificate
  2. From Configuration, Setup chooses Dynamically Generated.
  3. Select Source as the Certificate Authority you created in the previous step, fi ll in details.
  4. Test Configuration and Continue→ Select distribution→Save.



Create VPN Profile and distribute

Go to the Configurations tab, search for VPN configuration, and click on it.


Enter all the required fields in the profile configuration.


For example, the following are the values used in Dev/QA testing:

Fields Values
Get this information from MVision cloud ->certificate page


Connection Type IKEv2
Local Identifier Client_Key1
(This string is SAN -(Subject Alternate Name ) of client certificate)
Remote Identifier
(This string is SAN -(Subject Alternate Name ) of client certificate)
Enable EAP true
TLS Minimum Version N/A
TLS Maximum Version N/A
EAP Authentication Certifi cate
Credential IPsecContainer:ClientCertsIdentityForTest
Dead Peer Detection Rate Medium
Server Certificate Issuer Common Name VPN Server Root CA
(This string is CN-Common Name of server root certifi cate)
Server Certificate Common Name
(This string is CN-Common Name of server root certifi cate)
Use IP4 andIP6 subnetsattributes true
Enable IKEv2Mobility andMultihomingProtocol(MOBIKE) true
Enable PerfectForwardSecrecy (PFS) true
Enable IKEv2redirect true
Enable NATkeepalive true
NAT keepaliveinterval 20 second(s)
IKE SAParams
Child SAParams
Encryption Algorithm: AES-256
Encryption Algorithm: SHA2-256
Diffi e Hellman Group: 2
Lifetime In Minutes: 1440
Proxy Setup None


Distributing/Pushing the profile : Click on Next , click on Custom or All Devices.


If it is Custom , select in which mobile configuration to be pushed.

Click on Done.


For Force Check-in, go to Devices tab → click on Actions → select Force Check-in.


This opens a new window with the " Force Check-in " button. Click on that button, then the configuration will be pushed immediately.


Check the status of the configuration Push

To check the pushed configuration status, Go to Devices tab, click on the registered device, and check the status of configuration.


Verify the VPN profile on your device

Verify the distributed VPN profile in the IOS device (Settings → VPN):






  • Was this article helpful?