First Time Set Up on iOS Devices
You can ensure that end users have access to the private applications they need from iOS devices running iOS 13 and later by using the Skyhigh Client app. You need to share the certificates downloaded from the Skyhigh Security UI along with your own CA. You can share your CA certificate along with the user identity (.p12) file through an email message, MDM, or by copying it into the shared folder.
Note: Upload the "Certificate Authority (CA)" file that is used to sign the .p12 file to the Skyhigh Security UI. For information, see Configuring MCSC.
End users can download the Skyhigh Client app from the App Store, along with the required certificates and the .p12 file received from the administrator, to the device. The CA certificate should be trusted; ensure that it is available in the device trust store.
Generate Certificate using OpenSSL
You can generate the certificates using OpenSSL commands. The following are sample instructions for creating a CA certificate and an identity certificate using OpenSSL:
Note: You can use whichever approach is convenient to generate a certificate. However, you should include all the parameters shown in the sample below.
- Create CA certificate and key.
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -sha384 -days 3650 -out root-CA.pem -config ca_ext_file
- Create a config file. Make sure to include all the parameters in the config file as specified in the sample ca_config file.
- Create an extfile. Make sure to include all the parameters in the extfile as specified in the sample client config.
- Generate the client key and certificate signing request (CSR).
openssl genrsa -out ShankKey.pem 4096
openssl req -new -key ShankKey.pem -sha384 -out ShankCert.csr -config client_config
- Generate the client certificate.
openssl x509 -req -days 3650 -sha384 -in ShankCert.csr -CA root-CA.pem -CAkey key.pem -CAcreateserial -out skyhigh_emp_1.pem -extfile client_config -extensions ext
- Generate client identity certificate (.p12 file).
openssl pkcs12 -export -inkey ShankKey.pem -in skyhigh_emp_1.pem -name "skyhigh_emp_1" -certfile root-CA.pem -caname "skyhigh_ca" -out skyhigh_emp_1.p12 -password pass:ztna
Note: Make sure the CN in the .p12 matches the name of the .p12 file and the subjectAltName in the client_config file (e.g., CN = skyhigh_emp_1, DNS = skyhigh_emp_1, skyhigh_emp_1.p12).
Make sure -caname "skyhigh_ca" matches CN = skyhigh_ca in ca_ext_file.
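A check an administrator could run before distributing a .p12, added here as an example and not part of Skyhigh's documentation or tooling: it confirms that the file name, CN and subjectAltName agree as the notes above require, and that the certificate chains to the CA. The function names `check_identity` and `make_sample` and the inline fixture config are assumptions; `make_sample` builds a constructed throwaway CA and identity so the check can be tried offline.

```shell
#!/bin/sh
# Added example (not Skyhigh's tooling): audit a user identity before distribution.

# check_identity <name> <ca.pem> <file.p12> <password>
check_identity() {
    name=$1; ca=$2; p12=$3; rc=0
    [ "$(basename "$p12")" = "$name.p12" ] || { echo "FAIL: file is not named $name.p12"; rc=1; }
    crt=$(mktemp)
    # -nokeys: only the certificate is extracted; the password goes through the
    # environment so it does not show up in the process list.
    P12_PASS=$4 openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS 2>/dev/null \
        | openssl x509 -out "$crt" 2>/dev/null \
        || { rm -f "$crt"; echo "FAIL: cannot read a certificate from $p12"; return 1; }
    # The client certificate must chain to the CA uploaded to the Skyhigh Security UI.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: certificate does not chain to $ca"; rc=1; }
    cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline \
        | sed -n 's/^ *commonName *= *//p')
    [ "$cn" = "$name" ] || { echo "FAIL: CN is '$cn', expected '$name'"; rc=1; }
    openssl x509 -in "$crt" -noout -text | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -Fxq "DNS:$name" || { echo "FAIL: subjectAltName lacks DNS:$name"; rc=1; }
    rm -f "$crt"
    return $rc
}

# make_sample <dir> <cn> <san>: constructed throwaway CA and identity for trying the
# check offline. The inline config is a test fixture, not the vendor's sample files.
make_sample() {
    d=$1; cn=$2; san=$3
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' 'CN=skyhigh_ca' '[v3]' 'basicConstraints=critical,CA:TRUE' \
        '[ext]' "subjectAltName=DNS:$san" > "$d/fixture.cnf"
    openssl req -x509 -nodes -newkey rsa:2048 -keyout "$d/key.pem" -sha384 -days 1 \
        -out "$d/root-CA.pem" -config "$d/fixture.cnf" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -keyout "$d/client.key" -sha384 \
        -out "$d/client.csr" -subj "/CN=$cn" -config "$d/fixture.cnf" 2>/dev/null
    openssl x509 -req -days 1 -sha384 -in "$d/client.csr" -CA "$d/root-CA.pem" \
        -CAkey "$d/key.pem" -CAcreateserial -out "$d/client.pem" \
        -extfile "$d/fixture.cnf" -extensions ext 2>/dev/null
    P12_PASS=constructed openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.pem" \
        -certfile "$d/root-CA.pem" -out "$d/$cn.p12" -passout env:P12_PASS
}
```

The function returns 0 only when every check passes, and prints one FAIL line per rule that is broken.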
The iOS device always sends traffic (both private application and Internet traffic) to the SSE cloud, even if you select the Redirect only private access traffic to cloud option. For more information about traffic redirection settings, see Redirect Only Private Access Traffic.
You can create a VPN configuration on iOS devices in the following ways:
- Use an MDM solution to push it directly to the iOS devices
- Manually create the VPN configuration by uploading the user identity (.p12) file to the Skyhigh Client app
Verifying VPN Configuration for MDM Managed Devices
When administrators push the VPN configuration and CA certificate using MDM, users should ensure that the configuration exists on the iOS device.
You can use the VMware, Microsoft Intune, or Ivanti Neurons MDM solution to manage your users' iOS devices. For configuration details, see:
- Configure VMware MDM for iOS
- Configure Microsoft Intune MDM for iOS
- Configure the Ivanti Neurons MDM for iOS
- Make sure the VPN configuration exists in Settings > General > VPN.
- Ensure the CA certificate is enabled in Settings > General > About > Certificate Trust Settings.
- Download and install Skyhigh Client from the App Store.
- Read the disclaimer and select I agree to use data as specified in Terms.
- Tap Proceed.
- Select Open VPN Settings.
- Go to Settings > General > VPN and enable the VPN configuration that the administrator pushed. Wait until the VPN state shows Connected.
- Navigate back to the Skyhigh Client app and tap Get Started.
You are prompted to enter login credentials.
- Enter your corporate username and password.
After successful authentication, you can use the Skyhigh Client or enter the full URL of the private application in an external browser to access private applications.
Note: To disable VPN, go to Settings > General > VPN > Disable VPN.
Manually Creating VPN Configurations
Installing CA Certificate
Note: The iOS device should have a passcode to install and trust a CA certificate.
- Download the certificates you have received from your administrators.
- Go to Settings > General > Profiles.
- Tap Install.
An alert message is displayed to inform you that installing this profile will change settings on your device.
- Tap Install Now.
- Enter your device passcode.
- Tap Install.
- Tap Done.
- Go to Settings > General > About > Certificate Trust Settings and enable the c*.wgcs.mcafee-cloud.com certificate or the custom certificate.
Upload User Identity (.p12) File
The .p12 file is a password protected file, so make sure to get the password from your administrator. Long press and save the file on your device.
Note: Make sure to upload the .p12 file to the Skyhigh Client app. Don't install this file directly.
- Download and install Skyhigh Client from the App Store.
- Read the disclaimer and select I agree to use data as specified in Terms.
- Tap Proceed.
- Tap Browse & Upload to upload the .p12 file.
Search for the .p12 file and select it to complete the upload process.
- Enter the password and tap Continue.
The Skyhigh Client app asks for permission to add VPN configuration on your phone.
- Tap Allow.
- Enter the iPhone passcode.
- Tap Get Started.
You are prompted to enter login credentials.
- Enter your corporate username and password.
After successful authentication, you can use the Skyhigh Client or enter the full URL of the private application in an external browser to access private applications.
Note: To disable VPN, go to Settings > General > VPN > Disable VPN.