Ivanti Neurons Configuration Flow for iOS
Prerequisites
This article assumes your device is already managed with Ivanti Neurons. The enrollment of devices into Ivanti Neurons is not part of the scope for this document.
Configuration Steps
The following 3 configurations need to be created in the Ivanti Neurons cloud console:
1. Configure server root CA certificate
2. Configure Identity Certificate
3. Create VPN Profile and distribute
Configure server root CA certificate
Go to the Configuration tab, search for Certificate configuration, and click on it.
Enter the appropriate name in the Name field.
In the Configuration Setup field, choose the server root CA certificate from the system.
Click on Next → select the devices to which the certificate is to be pushed → click on Done.
For more details on distributing the certificate to a device, refer to Step 3.
Configure Ivanti Neurons with SCEP Server
Step 1: Configure Certificate Authority
1. Login to Ivanti Neurons.
2. Navigate to Admin → Certificate Authority (on the left-hand pane) → Add.
3. Select Create a Standalone Certificate Authority → Continue, fill in the CA Certificate details, and click Generate.
You will now be able to see the generated CA Authority as shown above in the image.
Configure Identity Certificate
Step 1: Go to the Configurations tab, search for Identity Certificate configuration, and click on it.
Step 2: Configure Identity Certificate Template
- Navigate to Configurations → Add → Identity Certificate.
- From Configuration Setup, choose Dynamically Generated.
- Select Source as the Certificate Authority you created in the previous step, and fill in the details.
- Test Configuration and Continue → Select distribution → Save.
Create VPN Profile and distribute
Go to the Configurations tab, search for VPN configuration, and click on it.
Enter all the required fields in the profile configuration.
For example, the following are the values used in Dev/QA testing:
Fields | Values |
Server | c49493498.vpn.mcafee-cloud.com |
Connection Type | IKEv2 |
Local Identifier | Client_Key1 (This string is the SAN (Subject Alternate Name) of the client certificate) |
Remote Identifier | vpn.mcafee-cloud.com (This string is the SAN (Subject Alternate Name) of the client certificate) |
Enable EAP | true |
TLS Minimum Version | N/A |
TLS Maximum Version | N/A |
EAP Authentication | Certificate |
Credential | IPsecContainer:ClientCertsIdentityForTest |
Dead Peer Detection Rate | Medium |
Server Certificate Issuer Common Name | VPN Server Root CA (This string is the CN (Common Name) of the server root certificate) |
Server Certificate Common Name | vpn.mcafee-cloud.com (This string is the CN (Common Name) of the server root certificate) |
Use IP4 and IP6 subnets attributes | true |
Enable IKEv2 Mobility and Multihoming Protocol (MOBIKE) | true |
Enable Perfect Forward Secrecy (PFS) | true |
Enable IKEv2 redirect | true |
Enable NAT keepalive | true |
NAT keepalive interval | 20 second(s) |
IKE SA Params & Child SA Params | Encryption Algorithm: AES-256; Encryption Algorithm: SHA2-256; Diffie Hellman Group: 2; Lifetime In Minutes: 1440 |
Proxy Setup | None |
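An added example, not part of the original article or of Ivanti's tooling: a Python check that reads the IKEv2 settings from an iOS configuration profile and reports weak or missing values. It assumes the profile is available as an unsigned plist that uses Apple's com.apple.vpn.managed payload keys; build_sample(), audit_ikev2() and the MIN_DH_GROUP floor of 14 are names and a policy threshold chosen for this example, and the table's SHA2-256 value is placed under the payload's IntegrityAlgorithm key.

```python
import plistlib

MIN_DH_GROUP = 14                      # assumed local policy floor (2048-bit MODP)
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

def build_sample(dh_group=2):
    """Constructed sample profile carrying the example values from the table."""
    sa = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
          "DiffieHellmanGroup": dh_group, "LifeTimeInMinutes": 1440}
    ikev2 = {"RemoteAddress": "c49493498.vpn.mcafee-cloud.com",
             "LocalIdentifier": "Client_Key1",
             "RemoteIdentifier": "vpn.mcafee-cloud.com",
             "AuthenticationMethod": "Certificate", "ExtendedAuthEnabled": 1,
             "ServerCertificateIssuerCommonName": "VPN Server Root CA",
             "ServerCertificateCommonName": "vpn.mcafee-cloud.com",
             "EnablePFS": 1, "NATKeepAliveInterval": 20,
             SA_KEYS[0]: dict(sa), SA_KEYS[1]: dict(sa)}
    vpn = {"PayloadType": "com.apple.vpn.managed", "VPNType": "IKEv2", "IKEv2": ikev2}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [vpn]})

def audit_ikev2(profile_bytes):
    """Return a list of findings for every IKEv2 VPN payload in the profile."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if payload.get("VPNType") != "IKEv2":
            continue
        ike = payload.get("IKEv2", {})
        for key in ("ServerCertificateIssuerCommonName", "ServerCertificateCommonName"):
            if not ike.get(key):
                findings.append(f"{key} is not set; server certificate name is not checked")
        if ike.get("AuthenticationMethod") != "Certificate":
            findings.append("AuthenticationMethod is not Certificate")
        if not ike.get("EnablePFS"):
            findings.append("EnablePFS is off")
        for sa_key in SA_KEYS:
            sa = ike.get(sa_key, {})
            if sa.get("EncryptionAlgorithm") in WEAK_ENCRYPTION:
                findings.append(f"{sa_key}: weak cipher {sa['EncryptionAlgorithm']}")
            if sa.get("IntegrityAlgorithm") in WEAK_INTEGRITY:
                findings.append(f"{sa_key}: weak integrity {sa['IntegrityAlgorithm']}")
            dh = sa.get("DiffieHellmanGroup")
            if dh is not None and dh < MIN_DH_GROUP:  # absent key: device default applies
                findings.append(f"{sa_key}: DH group {dh} is below {MIN_DH_GROUP}")
    return findings

if __name__ == "__main__":
    for finding in audit_ikev2(build_sample()):
        print(finding)
```

Run against the sample built from the table's values, it reports Diffie-Hellman group 2 for both the IKE SA and the Child SA, since group 2 is the 1024-bit MODP group.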
Distributing/Pushing the profile: Click on Next, then click on Custom or All Devices.
If it is Custom, select in which mobile configuration it is to be pushed.
Click on Done.
For Force Check-in, go to the Devices tab → click on Actions → select Force Check-in.
This opens a new window with the "Force Check-in" button. Click on that button, and the configuration will be pushed immediately.
Check the status of the configuration Push
To check the pushed configuration status, go to the Devices tab, click on the registered device, and check the status of the configuration.
Verify the VPN profile on your device
Verify the distributed VPN profile on the iOS device (Settings → VPN):