First Time Set Up on iOS Devices

You can ensure that end users have access to the private applications they need from iOS devices running iOS 13 and later by using the Skyhigh Client app. You need to share the certificates downloaded from the Skyhigh Security UI along with your own CA. You can share your CA certificate along with the user identity (.p12) file through an email message, through MDM, or by copying it into the shared folder.

Note: Upload the "Certificate Authority (CA)" file that is used to sign the .p12 file to the Skyhigh Security UI. For information, see Configuring MCSC.

The end users can download the Skyhigh Client app from the App Store, along with the required certificates and the .p12 file received from the administrator, to the device. The CA certificate must be trusted; ensure that it is available in the device trust store.

Generate Certificate using OpenSSL

You can generate the certificates using OpenSSL commands. The following sample instructions show how to create a CA certificate and an identity certificate using OpenSSL:

Note: You can use whichever approach you find convenient to generate a certificate. However, you should include all the parameters shown in the sample below.

  1. Create the CA certificate and key.

openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -sha384 -days 3650 -out root-CA.pem -config ca_ext_file

  2. Create a config file. Make sure to include all the parameters in the config file as specified in the sample ca_config file.
  3. Create an extfile. Make sure to include all the parameters in the extfile as specified in the sample client config.
  4. Generate the client key and certificate signing request (CSR).

openssl genrsa -out ShankKey.pem 4096
openssl req -new -key ShankKey.pem -sha384 -out ShankCert.csr -config client_config

  5. Generate the client certificate.

openssl x509 -req -days 3650 -sha384 -in ShankCert.csr -CA root-CA.pem -CAkey key.pem -CAcreateserial -out skyhigh_emp_1.pem -extfile client_config -extensions ext

  6. Generate the client identity certificate (.p12 file).

openssl pkcs12 -export -inkey ShankKey.pem -in skyhigh_emp_1.pem -name "skyhigh_emp_1" -certfile root-CA.pem -caname "skyhigh_ca" -out skyhigh_emp_1.p12 -password pass:ztna

Note: Make sure the CN in the .p12 file matches the name of the .p12 file and the subjectAltName in the client_config file (for example: CN = skyhigh_emp_1, DNS = skyhigh_emp_1, skyhigh_emp_1.p12).
Make sure -caname "skyhigh_ca" matches CN = skyhigh_ca in ca_ext_file.
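
The steps above run end to end, followed by a check of the name-matching rules in the Note, as an added example that is not Skyhigh's own script. The two config files are constructed stand-ins for the sample ca_ext_file and client_config, which are not reproduced on this page; the function names, the client-key.pem file name and the P12_PASS environment variable are assumptions.

```sh
#!/bin/sh
# Added example, not Skyhigh's code. The two config files are constructed
# stand-ins for the sample ca_ext_file / client_config (assumptions).
set -eu

make_identity() (   # make_identity NAME [RSA_BITS]; writes into ./NAME.d/
  name="$1"; bits="${2:-4096}"; d="$name.d"
  mkdir -p "$d"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = skyhigh_ca' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$d/ca_ext_file"
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' '[dn]' \
    "CN = $name" '[ext]' 'basicConstraints = CA:FALSE' \
    'extendedKeyUsage = clientAuth' "subjectAltName = DNS:$name" \
    > "$d/client_config"
  openssl req -x509 -nodes -newkey "rsa:$bits" -keyout "$d/key.pem" -sha384 \
    -days 3650 -out "$d/root-CA.pem" -config "$d/ca_ext_file" 2>/dev/null
  openssl genrsa -out "$d/client-key.pem" "$bits" 2>/dev/null
  openssl req -new -key "$d/client-key.pem" -sha384 -out "$d/client.csr" \
    -config "$d/client_config"
  openssl x509 -req -days 3650 -sha384 -in "$d/client.csr" \
    -CA "$d/root-CA.pem" -CAkey "$d/key.pem" -CAcreateserial \
    -out "$d/$name.pem" -extfile "$d/client_config" -extensions ext 2>/dev/null
  # The export password is read from $P12_PASS rather than typed as pass:...
  openssl pkcs12 -export -inkey "$d/client-key.pem" -in "$d/$name.pem" \
    -name "$name" -certfile "$d/root-CA.pem" -caname skyhigh_ca \
    -out "$d/$name.p12" -passout env:P12_PASS
)

cn_of() {   # cn_of subject|issuer, PEM certificate on stdin -> prints its CN
  openssl x509 -noout "-$1" -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

check_identity() (  # check_identity FILE.p12 CA.pem CA_CN; 0 if all rules hold
  name=$(basename "$1" .p12)
  cert=$(openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS \
    2>/dev/null) || { echo "cannot open $1" >&2; exit 1; }
  [ "$(printf '%s\n' "$cert" | cn_of subject)" = "$name" ] ||
    { echo "CN does not match file name $name" >&2; exit 1; }
  printf '%s\n' "$cert" | openssl x509 -noout -text |
    grep -Eq "DNS:$name(,|[[:space:]]|\$)" ||
    { echo "subjectAltName lacks DNS:$name" >&2; exit 1; }
  [ "$(printf '%s\n' "$cert" | cn_of issuer)" = "$3" ] ||
    { echo "issuer CN is not $3" >&2; exit 1; }
  printf '%s\n' "$cert" | openssl verify -CAfile "$2" >/dev/null 2>&1 ||
    { echo "certificate does not chain to $2" >&2; exit 1; }
)
```

Export P12_PASS, run make_identity skyhigh_emp_1, then run check_identity on the resulting .p12 with root-CA.pem and skyhigh_ca before distributing the file.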

The iOS device always sends traffic (both private application and Internet traffic) to the SSE cloud, even if you select the Redirect only private access traffic to cloud option. For more information about traffic redirection settings, see Redirect Only Private Access Traffic.

You can create a VPN on iOS devices in the following ways:

  • Using an MDM solution to push it directly to the iOS devices
  • Manually creating the VPN by uploading the user identity (.p12) file to the Skyhigh Client app

Verifying VPN Configuration for MDM Managed Devices

When administrators push the VPN configuration and CA certificate using MDM, users should ensure that the configuration exists on the iOS device.

You can use the VMware, Microsoft Intune, or Ivanti Neurons MDM solution to manage your users' iOS devices. For configuring details, see

  1. Make sure the VPN configuration exists in Settings > General > VPN.
  2. Ensure the CA certificate is enabled in Settings > General > About > Certificate Trust Settings.
  3. Download and install Skyhigh Client from the App Store.
  4. Read the disclaimer and select I agree to use data as specified in Terms.
  5. Tap Proceed.
  6. Select Open VPN Settings.
  7. Go to Settings > General > VPN and enable the VPN configuration that the administrator pushed. Wait until the VPN state shows Connected.
  8. Navigate back to the Skyhigh Client app and tap Get Started.
    The app prompts you to enter your login credentials.
  9. Enter your corporate username and password.
    After successful authentication, you can use the Skyhigh Client or enter the full URL of the private application in an external browser to access private applications.

Note: To disable VPN, go to Settings > General > VPN > Disable VPN.

Manually Creating VPN Configurations

Installing CA Certificate

Note: The iOS device should have a passcode to install and trust a CA certificate.

  1. Download the certificates you have received from your administrators.
  2. Go to Settings > General > Profiles.
  3. Tap Install.
    An alert message is displayed to inform you that installing this profile will change settings on your device.
  4. Tap Install Now.
  5. Enter your device passcode.
  6. Tap Install.
  7. Tap Done.
  8. Go to Settings > General > About > Certificate Trust Settings and enable the c*.wgcs.mcafee-cloud.com certificate or the custom certificate.

Upload User Identity (.p12) File

The .p12 file is a password-protected file, so make sure to get the password from your administrator. Long press and save the file on your device.

Note: Make sure to upload the .p12 file to the Skyhigh Client app. Don't install this file directly.

  1. Download and install Skyhigh Client from the App Store.
  2. Read the disclaimer and select I agree to use data as specified in Terms.
  3. Tap Proceed.
  4. Tap Browse & Upload to upload the .p12 file.
    Search for the .p12 file and select it to complete the upload process.
  5. Enter the password and tap Continue.
    The Skyhigh Client app asks for permission to add VPN configuration on your phone.
  6. Tap Allow.
  7. Enter the iPhone passcode.
  8. Tap Get Started.
    The app prompts you to enter your login credentials.
  9. Enter your corporate username and password.
    After successful authentication, you can use the Skyhigh Client or enter the full URL of the private application in an external browser to access private applications.

Note: To disable VPN, go to Settings > General > VPN > Disable VPN.
