Configure a Per-App VPN Configuration for iOS Endpoints Using Jamf Pro

Create a configuration profile in Jamf Pro to route traffic between the endpoint and tunnel based on managed apps.
Where Can I Use This?
  • Prisma Access
  • PAN-OS
What Do I Need?
  • GlobalProtect Subscription
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect Gateway license (for use with PAN-OS)
  • GlobalProtect app for iOS 6.1 and later releases
  • Endpoints running supported iOS releases
You can enable access to internal resources from your managed iOS endpoints by configuring GlobalProtect VPN access using Jamf Pro. In a per-app VPN configuration, you can specify which managed apps can route traffic through the tunnel. Unmanaged apps will continue to connect directly to the internet instead of through the tunnel.
  1. (Optional) Set up smart or static device groups to batch the managed iOS devices that will receive the configuration profile.
  2. Create a configuration profile for the per-app VPN configuration and specify General settings.
    1. In Jamf Pro, select Devices > Configuration Profiles > New.
    2. Enter a meaningful Display Name for the profile. This profile name will appear on the iOS device.
    3. (Optional) Enter a brief Description of the profile that indicates its purpose.
    4. (Optional) Select a Category to which you want to add the profile.
    5. For the Level at which to apply the configuration profile, select Device Level, which will distribute the profile to a device, either automatically or user-installed from the Jamf Self Service app.
    6. Select a Distribution Method, either Make available in Self Service, which allows the end user to download the app from the Jamf Self Service app, or Install Automatically, which pushes the app to the end user's device automatically.
    7. Save your settings.
  3. Configure the Certificate payload. All per-app VPN configurations for GlobalProtect require certificate-based authentication.
    Starting with iOS 12, if you want to use client certificates for GlobalProtect client authentication, you must deploy the client certificates as part of the VPN profile that is pushed from Jamf Pro. If you deploy client certificates from Jamf Pro using any other method, the certificates cannot be used by the GlobalProtect app.
    1. If you saved your profile in the previous step, Edit it.
    2. Select Certificate > Configure.
    3. Enter the Certificate Name.
    4. Select the Upload certificate option.
    5. Click Upload Certificate to locate and select the certificate that you want to upload. If required, enter the Password for the certificate and Verify Password.
    6. Save your settings.
    7. (Optional) Click + to add more certificates.
  4. Configure the VPN payload.
    1. If you saved your profile in the previous step, Edit it.
    2. Select VPN > Configure.
    3. Enter a meaningful Connection Name, such as GlobalProtect - Per App VPN.
    4. For VPN Type, select Per-App VPN to route all traffic for managed apps through the GlobalProtect tunnel.
    5. Enable Automatically start Per-App VPN connection to start the connection when apps that are specified for this connection join the network.
    6. Specify the Safari Domains that will start the per-app VPN connection in the Safari browser. When users browse to one of these domains in Safari, the per-app VPN connection is used. You can Add multiple domains. Enter the domain only; do not include the http:// or https:// scheme.
    7. For the Per-App VPN Connection Type, select Custom SSL.
    8. For the Identifier, enter com.paloaltonetworks.globalprotect.vpn.
      If you downloaded the GlobalProtect app directly from the Apple App Store in China, enter the bundle ID (com.paloaltonetworks.globalprotect.vpncn) in the Identifier field.
    9. For the Server, enter the hostname or IP address of the GlobalProtect portal that users will connect to, such as gp.paloaltonetworks.com.
    10. For the Provider Bundle Identifier, enter com.paloaltonetworks.globalprotect.vpn.extension.
    11. (Optional) For Custom Data, Add and Save custom keys and values to define additional GlobalProtect app configurations.
      The following table shows some of the keys and values that you can use:
      Key: compliance
      Value: Compliant
      Description: Status that indicates whether the endpoint is compliant with the mobile device management (MDM) compliance policies that you have defined (for example, Compliant). This value is appended to the Tag attribute in the HIP report.

      Key: enable-fips-cc-mode
      Value: no | yes
      Description: Option that enables FIPS-CC mode to incorporate requirements from the Common Criteria (CC) and Federal Information Processing Standard (FIPS 140-2).

      Key: managed
      Value: yes | no
      Description: Value that indicates whether the endpoint is managed.

      Key: ownership
      Value: Employee Owned
      Description: Ownership category of the endpoint (for example, Employee Owned). This value is appended to the Tag attribute in the HIP report.

      Key: saml-use-default-browser
      Value: true | false
      Description: Option that enables an endpoint to use the default system browser for SAML authentication. If you configured the GlobalProtect portal to authenticate users through SAML authentication, end users can connect to the app or other SAML-enabled applications without having to reenter their credentials, providing a smooth single sign-on (SSO) experience.

      Key: tag
      Value: working
      Description: Tags that enable you to match against other MDM-based attributes. This value is appended to the Tag attribute in the HIP report.
    12. For User Authentication, select Certificate. All per-app VPN configurations require certificate-based authentication.
    13. Set the Provider Type to indicate how traffic will be tunneled—either at the application layer or the IP layer. Select Packet-tunnel.
    14. For the Identity Certificate, select the certificate that you set up in the Certificate payload. GlobalProtect will use this certificate to authenticate users.
    15. Save your settings. You can now select this configuration profile from the Per-App VPN drop-down when you add the GlobalProtect app in Jamf Pro.
  5. If you use smart or static device groups, set the scope to define the devices that will receive the configuration profile.
    1. Click Edit if you saved your settings in the previous step.
    2. Click Scope and Add a deployment target.
    3. Add individual devices from the table of Mobile Devices, or select Mobile Device Groups and Add the smart or static device groups that you set up previously.
    4. (Optional) If you chose to make the configuration profile available in the Self Service app, select Self Service and specify how you want the configuration profile to appear in the Self Service app, such as uploading an icon for the profile or including the profile in the Featured category in Jamf.
    5. Save your settings.
  6. To verify whether Jamf Pro installed the configuration profile on an endpoint:
    1. From Jamf Pro, select Devices.
    2. Search for a mobile device.
    3. Select a mobile device from the list.
    4. Select History and view the Completed Commands, Pending Commands, or Failed Commands. In the Completed Commands, look for the Install Configuration Profile <your_profile> command.
      If you do not see the Install Configuration Profile <your_profile> command in the list, or if the command appears in the Failed Commands list, select Management > Management Commands > Update Inventory to push the configuration profile to the device.
  7. Specify which of your managed apps (such as Google Chrome) can route traffic through the tunnel:
    1. From Jamf Pro, go to Devices > Mobile Device Apps.
    2. Select the managed app whose traffic you want to send through the tunnel and Edit it.
    3. For Per-App VPN, select the per-app VPN connection that you set up in Step 4.
    4. Save your settings.
    5. Repeat for each managed app whose traffic you want to send through the tunnel.
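The Certificate and VPN payloads configured in Steps 3 and 4 end up in the profile that Jamf Pro pushes to the device, and the most common deployment failures (wrong identifiers, a certificate delivered outside the VPN profile, a Safari domain entered with a scheme) are visible in that profile before it ever reaches an endpoint. The following added example, which is not part of this page or of Jamf Pro, lints an exported .mobileconfig plist against the values this page requires. It assumes the standard Apple VPN payload keys (VPNType, VPNSubType, ProviderBundleIdentifier, ProviderType, AuthenticationMethod, PayloadCertificateUUID, SafariDomains); because generators differ on whether some keys sit inside the VPN dictionary or at payload level, the check accepts either location. The sample profile and its UUIDs are constructed.

```python
import plistlib

# Identifiers from the page: VPN bundle IDs (App Store / China App Store) and the extension.
GP_VPN_IDS = ("com.paloaltonetworks.globalprotect.vpn", "com.paloaltonetworks.globalprotect.vpncn")
GP_EXTENSION_ID = "com.paloaltonetworks.globalprotect.vpn.extension"
CERT_UUID = "11111111-2222-3333-4444-555555555555"  # constructed value

def _key(vpn, name):
    # Accept the key inside the VPN dict or at payload level (assumption about profile generators).
    return vpn.get("VPN", {}).get(name, vpn.get(name))

def lint_per_app_vpn_profile(profile_bytes):
    """Return a list of findings; an empty list means the profile passes."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpns:
        return ["no com.apple.vpn.managed payload in profile"]
    findings = []
    for vpn in vpns:
        if vpn.get("VPNType") != "VPN" or vpn.get("VPNSubType") not in GP_VPN_IDS:
            findings.append("VPNSubType is not the GlobalProtect identifier")
        if _key(vpn, "ProviderBundleIdentifier") != GP_EXTENSION_ID:
            findings.append("ProviderBundleIdentifier is not the GlobalProtect extension")
        if _key(vpn, "ProviderType") != "packet-tunnel":
            findings.append("ProviderType must be packet-tunnel")
        if _key(vpn, "AuthenticationMethod") != "Certificate":
            findings.append("AuthenticationMethod must be Certificate")
        if _key(vpn, "PayloadCertificateUUID") not in cert_uuids:
            findings.append("identity certificate is not bundled in this profile")
        findings += [f"Safari domain must not include a scheme: {d}"
                     for d in vpn.get("SafariDomains", []) if "://" in d]
    return findings

def sample_profile(bundle_cert=True, domains=("intranet.example.com",)):
    """Constructed profile mirroring the page's settings; not a Jamf export."""
    vpn = {"PayloadType": "com.apple.vpn.managed", "PayloadUUID": "A1", "PayloadVersion": 1,
           "PayloadIdentifier": "com.example.gp.vpn", "VPNType": "VPN", "VPNSubType": GP_VPN_IDS[0],
           "ProviderBundleIdentifier": GP_EXTENSION_ID, "ProviderType": "packet-tunnel",
           "SafariDomains": list(domains), "VendorConfig": {"managed": "yes"},
           "VPN": {"RemoteAddress": "gp.paloaltonetworks.com", "AuthenticationMethod": "Certificate",
                   "PayloadCertificateUUID": CERT_UUID}}
    content = [vpn]
    if bundle_cert:  # the page requires the client certificate inside the same profile
        content.append({"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": CERT_UUID,
                        "PayloadIdentifier": "com.example.gp.cert", "PayloadVersion": 1,
                        "PayloadContent": b"PLACEHOLDER-PKCS12-BYTES"})
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": "P1",
                           "PayloadIdentifier": "com.example.gp", "PayloadContent": content})
```

Run `lint_per_app_vpn_profile(open("profile.mobileconfig", "rb").read())` on a profile downloaded from Jamf Pro; a signed profile must be unwrapped first (for example with `openssl smime -verify -noverify`), since plistlib reads only the inner plist.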