Meraki

Community

Using Meraki System Manager to deploy GlobalProtect Certificate Credentialed VPN to iOS?

starbuck
Here to help
Friday
Friday

Using Meraki System Manager to deploy GlobalProtect Certificate Credentialed VPN to iOS?

From iOS 12, users can no longer install certificates for VPN connections like GlobalProtect from Palo Alto.  Instead the certificates must be installed by Apple Configurator or using an MDM Server like Meraki.

 

I have been reading numerous articles and posts across the web and I can't find a good example of actually making this work step-by-step.

 

Does anyone here have experience using Palo Alto Networks Global Protect VPN with Meraki, certificates and iOS and can help out?

Labels:
0 Kudos
2 Replies 2
PhilipDAth
Kind of a big deal
Kind of a big deal
yesterday
yesterday

The most common approach would be to use a protocol called SCEP to deploy certificates onto the mobile devices.  However, I don't believe Meraki Systems Manager supports SCEP integration with third-party CAs.

 

Meraki can deploy its own certificates for WiFi authentication.  But I don't know if you could get PA to use these.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Certificate-based_Wi-...

 

Personally, this is going to be really difficult to resolve.  I would change over to using SAML based authentication.  Then have your SAML provider verify if the device is authorised.

 

For example, if you use Cisco Duo you can use the "Trusted Endpoints" feature.

https://duo.com/docs/trusted-endpoints

 

0 Kudos
starbuck
Here to help
8 hours ago
8 hours ago

Thanks - I'm not quite sure I can make sense of your reply as it applies to VPN profiles.  However, strangely enough, I seemed to have stumbled across a way to 'glitch' Meraki and iOS into working with Global Protect.

I already had the Certificate added and GP would never see it and try to use that to auth and would always default to request user/pass credentials.

 

So, I tried playing around with the Per App VPN configuration. 

 

I set it up using the VPN server name, then Cisco AnyConnect as the Connection Type.  Account was the username for the .p12 certificate and then I added the GlobalProtect App. Saved it and pushed it to the device. 

 

When I tried to connect via the iOS GP app, it would not ask for user/pass, but would almost immediately throw a failed to connect to server error.  After that, I simply removed the Per App VPN setting on that Profile on Meraki, pushed it again to the device, and then next time I tried to connect, GP it didn't ask for creds and used the certificate and connected just fine.

Very strange and will be interesting to see if this persists.  It's very buggy behavior and doesn't even feel like a real 'workaround'.  However, I have been able to remove the profile, get forced back into GP iOS asking for credentials, then did the above workaround and got it connecting via certificate on the GP iOS client...so it's repeatable.  Ugly ugly ugly workaround though and I think it was just dumb luck I stumbled onto it....

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.