Hello there,
we will be experiencing a huge problem soon if there isn't any option to directly embed a certificate in the VPN settings of an iOS device in Meraki. We are using iOS all over the company and manage the devices with the Meraki Systems Manager. iOS 12 is out there and it won't work with the new version of Global Protect 5.0 (our VPN client) if we cannot deploy the client certificates as part of the VPN profile:
"If you manage iOS endpoints using an MDM system and want to use client certificates for GlobalProtect client authentication, you must now deploy the client certificates as part of the VPN profile that is pushed from the MDM server." --> https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...
We have the legacy version of Meraki.
Thanks for your answers in advance.
Are you sure it doesn't support SCEP? If so, you now need to deploy the certificates via Systems Manager.
Next thought, Systems Manager can create and deploy a certificate (that Meraki creates) for WiFi authentication. Perhaps you could use the same certificate.
Well, I tried the IPSec and IKEv2 connection types but still no success. The problem is that iOS 12 no longer allows direct access to the phone certificates from other apps (like Global Protect in my case). Is there any update for Meraki Systems Manager planned to fix this issue?
If that is the case then the Meraki Systems Manager may also face the same restriction.
It sounds like you need a new solution from Global Protect given the new iOS restrictions.
Perhaps use an MFA like Duo instead?
Global Protect already has a new solution -> read the article carefully https://www.paloaltonetworks.com/documentation/50/globalprotect/globalprotect-app-new-features/new-f...
I think the problem in Meraki is the third step from the article.
I do not have any Identifier field within the IPSec connection type. So I guess the VPN Config cannot locate the GP App. Another thing: I get a second VPN Config from VPN on the iOS Device, so I can either use the GP or the one from Meraki, but both do not work.
That does not look good - it looks like these changes to iOS 12 are going to require a bunch of new development effort, on multiple fronts. This iOS 12 change is going to break a lot of things.
I would not personally expect support for these new restrictions any time soon. I think you would be better off not allowing the upgrade to iOS 12. The loss of security capability is probably worse than any other new functionality.