Skyhigh Security

Configure an On-Demand VPN for iOS

Log in to the AirWatch MDM Portal

  1. To push the VPN profile to your iPhone, log in to the AirWatch MDM admin portal.

**Before you proceed, integrate your PKI infrastructure with AirWatch to manage your device certificate(s).**

Add a device certificate and a server certificate to the device through MDM.

  1. Go to Devices > Profiles > Add > Add Profile > Apple iOS
  2. Under General, enter a name and fill in the respective fields.
  3. Select the Deployment type:
    • Managed: The profile is downloaded to the device automatically.
    • Manual: The user downloads the profile to the device manually. The user is notified in the Hub app and clicks the notification to go to the Messages screen. From that screen, the user can select any of the messages and download the profiles that are available.
  4. Now select a profile. Click Credentials to add a device certificate and a server certificate to your device. You can add multiple certificates in a single profile. Click the (+) button to add a certificate or (-) to delete one.

Add a VPN Profile to the Device

  1. Go to Devices > Profiles > Add > Add Profile > Apple iOS
  2. Under General, enter a name and fill in the respective fields.
  3. Select the VPN profile type and click Configure. Set up the VPN profile with the following configuration.

Connection Info

| Fields | Values | Notes |
| --- | --- | --- |
| Always On | False | Make it false, otherwise the device will be in supervised mode. |
| Connect Automatically | True | |
| Connection Name* | VPN Configuration | |
| Connection Type* | IKEv2 | |
| Credential | Certificate #1 | If there is no certificate, please follow #3.1 Step. Select the same certificate that was added in Credentials. |
| Dead Peer Detection Interval | Every 10 minutes | |
| EAP Authentication | Certificate | Select certificate. |
| Enable EAP | True | |
| Enable PFS | True | |
| Local Identifier* | XXXXXX | This string is the CN (Common Name) and SAN (Subject Alternate Name) of the client certificate. |
| Machine Authentication | Certificate | Select certificate. |
| Per-App VPN Rules | True | This field is mandatory in order to activate On-Demand. |
| Remote Identifier* | vpn.skyhigh.cloud | This string is the CN (Common Name) and SAN (Subject Alternate Name) of the server certificate. |
| SA Parameters | IKE2 & Child | |
| Encryption Algorithm | AES-256 | |
| Integrity Algorithm | SHA2-256 | |
| Diffie Hellman Group | 2 | |
| Lifetime in minutes | 1440 | |
| Safari Domains | *.box.com | Add the domain names for which the VPN will be on. |
| Server Certificate Common Name | vpn.skyhigh.cloud | This string is the CN (Common Name) of the server root certificate. |
| Server Certificate Issuer Common Name | VPN Server Root CA | This string is the CN (Common Name) of the server root certificate. |
| Server* | c<customer ID>.mcs.skyhigh.cloud | You can get this information from the certificate page. |
| TLS Minimum Version | iOS 11 OS Default | |
| TLS Maximum Version | iOS 11 OS Default | |

The following information is required to configure an MCS app in the MDM of your choice.

VPN gateway address: c<customer ID>.mcs.skyhigh.cloud

 

  1. When the user browses *.box.com from the managed iOS device, the On-Demand VPN profile is enabled.

Add Your Credentials 

  1. Select Credentials from the same profile. (You may have to scroll down the menu on the right.)
  2. Click Configure to add new credentials.
  3. Add your p12 file here.


Save and Publish

  1. Click Save and Publish to save the profile.
  2. Now click Publish to publish the profile.

Devices are updated with the published profile.
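
To confirm that a published profile carries the values from the Connection Info table, the following added example (not part of the original article, and not Skyhigh or AirWatch code) audits a profile plist. It assumes the MDM writes Apple's standard IKEv2 VPN payload keys and that "Every 10 minutes" corresponds to Apple's `Medium` dead peer detection rate; the sample profile, customer ID and certificate UUID are constructed placeholders.

```python
import plistlib

# Expected values come from the Connection Info table; key names are Apple's
# IKEv2 VPN payload keys (assumption: the MDM writes these standard keys).
EXPECTED_IKEV2 = {
    "RemoteIdentifier": "vpn.skyhigh.cloud",
    "ServerCertificateCommonName": "vpn.skyhigh.cloud",
    "ServerCertificateIssuerCommonName": "VPN Server Root CA",
    "AuthenticationMethod": "Certificate",
    "DeadPeerDetectionRate": "Medium",  # Apple's name for the 10-minute interval
    "ExtendedAuthEnabled": 1,           # Enable EAP
    "EnablePFS": 1,                     # a plist <true/> also compares equal to 1
}
EXPECTED_SA = {"EncryptionAlgorithm": "AES-256", "IntegrityAlgorithm": "SHA2-256",
               "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 1440}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")

def audit_profile(data: bytes) -> list[str]:
    """Return deviations from the documented settings; an empty list means a match."""
    payloads = [p for p in plistlib.loads(data).get("PayloadContent", [])
                if p.get("PayloadType", "").startswith("com.apple.vpn.managed")]
    if not payloads:
        return ["no VPN payload found"]
    findings = []
    for p in payloads:
        ike = p.get("IKEv2", {})
        checks = [("VPNType", p.get("VPNType"), "IKEv2")]
        checks += [(k, ike.get(k), v) for k, v in EXPECTED_IKEV2.items()]
        checks += [(f"{sa}.{k}", ike.get(sa, {}).get(k), v)
                   for sa in SA_KEYS for k, v in EXPECTED_SA.items()]
        findings += [f"{name}: expected {want!r}, found {got!r}"
                     for name, got, want in checks if got != want]
        if not str(ike.get("RemoteAddress", "")).endswith(".mcs.skyhigh.cloud"):
            findings.append("RemoteAddress is not a *.mcs.skyhigh.cloud gateway")
        if not ike.get("PayloadCertificateUUID"):
            findings.append("no client certificate bound to the VPN payload")
        if "*.box.com" not in p.get("SafariDomains", []):
            findings.append("SafariDomains does not list *.box.com")
    return findings

def sample_profile(dh_group: int = 2) -> bytes:
    """Constructed sample profile; the customer ID and UUID are placeholders."""
    sa = dict(EXPECTED_SA, DiffieHellmanGroup=dh_group)
    ike = dict(EXPECTED_IKEV2, RemoteAddress="c0000.mcs.skyhigh.cloud",
               PayloadCertificateUUID="00000000-0000-0000-0000-000000000000",
               **{k: sa for k in SA_KEYS})
    vpn = {"PayloadType": "com.apple.vpn.managed.applayer", "VPNType": "IKEv2",
           "IKEv2": ike, "SafariDomains": ["*.box.com"]}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [vpn]})
```

Call `audit_profile()` with the bytes of an exported profile file to list any setting that differs from the table. The expected values mirror the table as published, including Diffie-Hellman group 2 (1024-bit MODP); adjust `EXPECTED_SA` if your gateway is configured differently.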
