Skyhigh Security

Configuration Steps for an On-Demand VPN for iOS

Configuration of on-demand VPN profile

Log in to the AirWatch MDM portal

Log in to the admin portal of AirWatch MDM to push the VPN profile to your iPhone.

You will be logged in to the admin portal of AirWatch.


Note: Before you proceed further, make sure to integrate your PKI infrastructure with AirWatch for managing your device certificate(s).

Adding a device certificate and server certificate to the device through MDM

Go to Devices → Profiles → Add → Add Profile → Apple iOS 


Under 'General', enter a name and fill in the respective fields.
Select the 'Deployment' type:

  • Managed: To automatically download those profiles to the device.
  • Manual: To manually download this profile to the device. To download manually, the user will get a notification in the 'Hub' app, and clicking on this notification will redirect to the messages screen of the app. From that screen the user can select any of the messages and download the profiles that are available.

Now select the 'Credentials' profile to add the device certificate and server certificate to your device. You can add multiple certificates in a single profile. Click on the (+) button to add or (-) to delete.


Add a VPN profile to the device. 

Go to Devices → Profiles → Add → Add Profile → Apple iOS

Under 'General', enter a name and fill in the respective fields.


Select the 'VPN' profile and click on 'Configure'. These are the settings that need to be configured for the VPN profile:

Connection Info

Fields and values:

  • Always On: False (Make it false, otherwise device will be in supervised mode)
  • Connect Automatically: True
  • Connection Name*: VPN Configuration
  • Connection Type*: IKEv2
  • Credential: Certificate #1 (if there is no certificate, please follow #3.1 Step; select the same 'Certificate' which was added in 'Credentials')
  • Dead Peer Detection Interval: Every 10 minutes
  • EAP Authentication: Certificate (select 'certificate' here)
  • Enable EAP: True
  • Enable PFS: True
  • Local Identifier*: XXXXXX (This string is the CN (Common Name) and SAN (Subject Alternate Name) of the client certificate)
  • Machine Authentication: Certificate (select 'certificate' here)
  • Per-App VPN Rules: True (This field is mandatory, in order to activate On-Demand)
  • Remote Identifier*: vpn.mcafee-cloud.com (This string is the CN (Common Name) and SAN (Subject Alternate Name) of the server certificate)
  • SA Parameters: IKE2 & Child
      • Encryption Algorithm: AES-256
      • Integrity Algorithm: SHA2-256
      • Diffie Hellman Group: 2
      • Lifetime in minutes: 1440
  • Safari Domains: *.box.com (add the domain names for which VPN will be on)
  • Server Certificate Common Name: vpn.mcafee-cloud.com (This string is CN-Common Name of server root certificate)
  • Server Certificate Issuer Common Name: VPN Server Root CA (This string is CN-Common Name of server root certificate)
  • Server*: c49493498.vpn.mcafee-cloud.com (Get this information from the MVISION Cloud → certificate page)
  • TLS Minimum Version: iOS 11 OS Default
  • TLS Maximum Version: iOS 11 OS Default

After you browse to *.box.com from the managed iOS device, the VPN On-Demand profile will be enabled.


Add your credentials 

Select 'Credentials' from the same profile. (you may have to scroll down the menu on the right)

Click on 'Configure' to add new credentials.

Add your p12 file here.


Save and Publish

Click on 'Save and Publish' to save the profile.
Now click on 'Publish' to publish the profile.

Respective devices will get updated with the published profile.
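
The following is an added example, not part of the original article or of any Skyhigh or AirWatch tooling: a check that compares an unsigned export of the published .mobileconfig with the values in the 'Connection Info' list, including whether the VPN payload references a certificate that is actually in the profile. It assumes the MDM emits Apple's standard IKEv2 payload key names; the sample profile and its UUID are constructed placeholders.

```python
import plistlib

# Values from the 'Connection Info' list on this page. The key names are Apple's
# IKEv2 payload keys; that the MDM emits them unchanged is an assumption.
EXPECTED_IKE = {"RemoteIdentifier": "vpn.mcafee-cloud.com",
                "ServerCertificateCommonName": "vpn.mcafee-cloud.com",
                "ServerCertificateIssuerCommonName": "VPN Server Root CA",
                "AuthenticationMethod": "Certificate"}
EXPECTED_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
               "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 1440}
SA_BLOCKS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

def audit_profile(data: bytes) -> list[str]:
    """Return differences between an unsigned .mobileconfig and the page's values."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    # UUIDs of the PKCS#12 credential payloads shipped in the same profile.
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    vpns = [p for p in payloads if p.get("VPNType") == "IKEv2"]
    if not vpns:
        return ["no IKEv2 VPN payload found"]
    findings = []
    for vpn in vpns:
        ike = vpn.get("IKEv2", {})
        checks = [(k, ike.get(k), v) for k, v in EXPECTED_IKE.items()]
        for block in SA_BLOCKS:  # the page sets the same values for IKE and Child SA
            sa = ike.get(block, {})
            checks += [(f"{block}.{k}", sa.get(k), v) for k, v in EXPECTED_SA.items()]
        findings += [f"{name}: found {got!r}, expected {want!r}"
                     for name, got, want in checks if got != want]
        if not ike.get("EnablePFS"):
            findings.append("EnablePFS is off")
        if ike.get("PayloadCertificateUUID") not in cert_uuids:
            findings.append("PayloadCertificateUUID does not match a PKCS#12 "
                            "credential payload in this profile")
    return findings

def sample_profile(**ike_overrides) -> bytes:
    """Constructed sample profile (placeholder UUID and identifier, not real data)."""
    ike = dict(EXPECTED_IKE, EnablePFS=1, LocalIdentifier="XXXXXX",
               PayloadCertificateUUID="CERT-UUID-PLACEHOLDER",
               IKESecurityAssociationParameters=dict(EXPECTED_SA),
               ChildSecurityAssociationParameters=dict(EXPECTED_SA))
    ike.update(ike_overrides)
    cert = {"PayloadType": "com.apple.security.pkcs12",
            "PayloadUUID": "CERT-UUID-PLACEHOLDER"}
    vpn = {"PayloadType": "com.apple.vpn.managed.applayer", "VPNType": "IKEv2",
           "IKEv2": ike}
    return plistlib.dumps({"PayloadContent": [cert, vpn]})
```

A profile signed by the MDM is wrapped in a CMS envelope and must be unwrapped before `audit_profile` can parse it.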
