Configure Skyhigh Mobile Client for iOS Device

The Skyhigh Mobile Client for Mobile application enables end users to securely access the Internet and private applications from iOS devices. When end users access websites or private applications, the traffic is forwarded to the Skyhigh SWG (Cloud & On-Prem) for policy enforcement before it is forwarded to the actual website or private application.

NOTES: 

  • This topic is intended for MDM administrators who manage end users' iOS devices via the Skyhigh Mobile Client app. 
  • Skyhigh recommends creating a new user group and applying all relevant policies and configurations to the group. Once the Skyhigh Mobile Client setup and deployment are complete, MDM administrators can add new users to the group.
  • The recommended iOS version for installing the Skyhigh Mobile Client on iOS devices is 16 or higher.

Prerequisites 

Generate a self-signed certificate authority (CA) and use this file to generate a user identity (.p12) file. Upload the CA file to the Skyhigh UI. Download the customer Tenant CA certificate from the Skyhigh UI.

  • MDM Setup: Create a VPN profile along with a user identity (.p12) file and the Customer tenant CA certificate and push it directly to the iOS devices using MDM. Two configurations are supported:
    • mobile.skyhigh.cloud: This redirects all traffic (Internet traffic and Private traffic) from the device to the cloud.
    • pa-mobile.skyhigh.cloud: This redirects only Private app traffic to the cloud. The isolate feature is not supported with this config.
  • BYOD Setup: Share the Customer tenant CA certificate and the user identity (.p12) file with the user. The user has to install the CA certificate and trust it in the device settings. The user then has to install the app and upload the .p12 file, which creates the VPN.

Set Up iOS Device to Access Private Applications 

To enable secure access to private applications, you must configure your iOS device with the required certificates and VPN profile. The setup ensures traffic from your device is authenticated and securely tunneled through the Skyhigh Security Service.

Follow the steps below to generate and install certificates, upload them to the Skyhigh Security UI, and configure the VPN profile for seamless connectivity:

Generate Certificate Authority (CA) and User Identity (.p12) certificates

Create a self-signed CA file and use the same file to generate the User Identity files and sign those. 

NOTE: You can create one user identity file per user or device.

Generate Certificates using XCA tool

You can generate the certificate using the XCA tool. 

  1. Download and install the XCA 2.4.0 tool.
  2. Create a new database: go to File > New Database, and enter the password to save it.
  3. Click the Certificates tab.
  4. Click New Certificate.
  5. Select Create a self signed certificate as the signing option.
  6. Select Signature algorithm as SHA384.
  7. Select Template for the new certificate as [default] CA.
  8. Click Apply extensions and Apply subject.
  9. Click the Subject tab.
  10. Enter Internal Name and commonName.
  11. Click Generate a new key.
  12. Select keytype as RSA and Keysize as 4096 bit.
  13. Click Create. The Key created message window appears.
  14. Go to the Extension tab and retain all the settings as is.
  15. Go to the Key Usage tab and retain all the settings as is.
  16. Go to the Netscape tab and remove any selected options.
  17. Go to the Advanced tab and review all the information.
  18. Click OK to create the CA certificate.
  19. Click the Certificates tab.
  20. Select the recently created root_CA certificate.
  21. Click New Certificate.
  22. Select the previously created CA (root_CA) certificate as the signing option.
  23. Select Signature algorithm as SHA384.
  24. Select the template for the new certificate as [default] TLS_client or [default] HTTPS_client.
  25. Click Apply extensions and Apply subject.
  26. Click the Subject tab, enter Internal Name and commonName. Make sure the file name is the same as the common name.
  27. Click Generate a new key.
  28. Select keytype as RSA and Keysize as 4096 bit.
  29. Click Create. The Key created message window appears.
  30. Go to the Extension tab. Select x509v3 basic Constraints type as Not defined and uncheck the Critical option.
  31. Select Key identifier as x509v3 Authority key Identifier.
  32. Click Edit in the Select X509v3 Subject Alternative Name option.
  33. Enable the Copy Common Name setting and click Apply.

      NOTE: If Copy Common Name is not available, manually enter DNS:user1 (where user1 is the common name of the client certificate added in step 26) in the X509v3 Subject Alternative Name field.
  34. Go to the Key Usage tab and select options from the list as per the image below (Picture35.png).
  35. Go to the Netscape tab and remove any selected options.
  36. Go to the Advanced tab and review all the information.
  37. Click OK to create the CA certificate.
  38. Select CA certificate and click Export.
  39. Select File Location and Export Format as PEM + Key (*.pem) for CA certificate. Click OK to save the file.
  40. Select Client certificate (user1) and click Export.
  41. Select File Location and Export Format as PEM + Key (*.pem) for client certificate. Click OK to save the file.
  42. Select Client certificate (user1) and click Export.
  43. Select File Location and Export Format as PKCS #12 chain (*.pfx) for the client certificate. Click OK to save the file. Make sure the file name is the same as the common name.
  44. Enter the Password and select OK to save the file.
  45. Go to the file location and open the CA and Client files in any text editor. Verify that only the certificate part is available in each file. Remove extra information, if any.
  46. Rename the Client file (user1) .pfx file as a .p12 file.
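The text-editor check near the end of the steps above matters because the PEM + Key export format writes the private key into the same file as the certificate. The following is an added example, not part of the Skyhigh documentation, that reports anything other than a single certificate in an exported file and returns a certificate-only copy; the function names and the sample content are constructed for illustration.

```python
import base64
import re

# One PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

def audit_pem(text):
    """Return (certificate_only_pem, findings) for an exported .pem file."""
    findings, certs = [], []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        if label != "CERTIFICATE":
            findings.append(f"non-certificate block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append("CERTIFICATE block is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
            findings.append("CERTIFICATE block is not a DER SEQUENCE")
            continue
        certs.append(m.group(0).replace("\r\n", "\n"))
    # Text outside the blocks (bag attributes, comments) is extra information.
    if PEM_BLOCK.sub("", text).strip():
        findings.append("extra text outside PEM blocks")
    if len(certs) != 1:
        findings.append(f"expected 1 certificate, found {len(certs)}")
    return "".join(c + "\n" for c in certs), findings

def _block(label, raw):
    # Builds a PEM block for the constructed sample below.
    b64 = base64.encodebytes(raw).decode().strip()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample: placeholder bytes, not a real certificate or key.
SAMPLE_EXPORT = (
    _block("CERTIFICATE", b"\x30\x82\x01\x0a" + b"\x00" * 60)
    + _block("RSA PRIVATE KEY", b"\x30\x82\x02\x5c" + b"\x01" * 60)
)

if __name__ == "__main__":
    clean, issues = audit_pem(SAMPLE_EXPORT)
    print(issues)         # what to fix before upload
    print(clean, end="")  # certificate-only content
```

Run it against both the CA file and the client file; an empty findings list means the file holds exactly one certificate and nothing else.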

Upload CA certificate generated to the Skyhigh Security UI

Upload the CA certificate generated in Step 1 to the Skyhigh Security UI.

NOTE: After this step, wait for 30-40 minutes before connecting the VPN.

  1. Go to Settings > Infrastructure > Web Gateway Setup.
  2. Click Configure on the Skyhigh Mobile Cloud Security setting.
  3. Click Upload and select the custom CA certificate.

     NOTE: Supported certificate formats are DER, PEM, CRT, and CER.
  4. Specify the User name and an optional User Group in the User Identity certificates.
  5. Click Save.
  6. Click Upload & Test and upload the User identity file in .cer, .crt, .pem or .der format to validate the CA and user identity file.
  7. Click Save to save the configuration.
  8. Click Publish to apply the changes.

Download Tenant Customer CA from Skyhigh UI

  1. Go to Policy > Web Policy > Feature Configuration.
  2. Select HTTPS connections > Customer CA.
  3. Select Customer CA and click Export to download the Customer CA file.
  4. Share this Customer CA certificate with the user if selecting Manual VPN config.

Download and Install Skyhigh Security Certificate in Mobile

Download the certificate using the link and share this certificate to install on the mobile device.

  1. Download this certificate on your mobile device.
  2. Once it is downloaded, it will be available in Settings > General > VPN & Device Management.
  3. Select the certificate and tap Install.
  4. Enter the passcode and tap Install.
  5. After install, go to Settings > General > About > Certificate Trust Settings.
  6. Ensure that the certificate is installed, switch on the certificate, and tap Continue to enable it.

Download Root Certificates and Install

  1. Download the certificate using this link.
  2. To install the certificate, navigate to Settings > General > VPN & Device Management.

    The downloaded certificate appears on the VPN & Device Management screen.
    Tap on Sectigo Public Server Authentication CA OV R36 certificate.

    Tap Install on the Install profile screen.

    Tap Install on the Installing Profile screen.

    Tap Done once installation is completed.

NOTE: For iOS 17.4 and iPadOS 17.4 or later, use only the Sectigo Public Server Authentication CA OV R36 certificate. For earlier iOS versions, use both the Sectigo Public Server Authentication Root R46 and Sectigo Public Server Authentication CA OV R36 certificates.

  1. Download the Sectigo Public Server Authentication Root R46 certificate using this link.
  2. To install the certificate, navigate to Settings > General > VPN & Device Management.

    The downloaded certificate appears on the VPN & Device Management screen. 
    Tap on Sectigo Public Server Authentication Root R46 certificate. 



    Tap Install on the Install profile screen. 



    Tap Install on the Installing Profile screen. 



    The certificate installation is complete. 

     
  3. Go to Settings > General > About > Certificate Trust Settings > Toggle on ENABLE FULL TRUST FOR ROOT CERTIFICATE. 

Configure VPN profile

MDM Configuration

Prerequisite: iPhone/iPad is already enrolled in the Intune portal.

The admin has to create a VPN profile that includes the generated user identity file (.p12) and the downloaded Tenant customer CA certificate using Apple Configurator, and push the VPN profile to the enrolled device. The admin has to create a custom Line-of-business app using the shared IPA file and push the app to the enrolled device. Users should ensure that this configuration exists on the iOS device.

a. Create a VPN profile using the Apple Configurator:

  1. Download Apple Configurator from the Mac App Store.
  2. Click on File > New Profile.
  3. Go to General and enter a Name.
  4. Go to Certificates and click Configure.
  5. Select the generated User Identity (.p12) file and enter the password.
  6. Rename the Tenant Customer CA (certificate_authority.pem) downloaded from the Skyhigh tenant to certificate_authority.crt.
  7. Click the icon in Certificates, and select the Tenant Customer CA (certificate_authority.crt) file and the Sectigo Public Server Authentication CA OV R36 file. To download the Sectigo Public Server Authentication CA OV R36 certificate file, see the Download the Intermediate CA certificate and Install section.
  8. Go to the VPN settings and click Configure.
  9. Enter the values as mentioned below:
  • Connection Name. Enter a name.
  • Connection Type. IKEv2.
    • To enable Always ON VPN, click on the check box. Always-ON VPN works only on supervised devices.
  • Server. mobile.skyhigh.cloud
  • Remote Identifier.
    • mobile.skyhigh.cloud or pa-mobile.skyhigh.cloud

      NOTE: When you create a mobileconfig file, it adds the following key-value pair, which causes certificate installation failure. Delete this key pair to make the certificate work.

      Open the .mobileconfig file in any text editor and delete the below key and values.

      <key>DNS</key>
      <dict>
      <key>SupplementalMatchDomainsNoSearch</key>
      <integer>0</integer>
      </dict>

  • Local Identifier. Copy the common name of the User identity file that appeared in Certificates (e.g., user2).
  • Machine Authentication. Select Certificate in the drop-down.
  • Identity Certificate. Select the user identity (.p12) file.
  • Select Enable EAP.
  • EAP Authentication. Select Certificate in the drop-down.
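The following is an added example, not part of the Skyhigh documentation, that applies the edit described in the NOTE above and checks the IKEv2 values from this list before the profile is uploaded to the MDM. It assumes an unsigned XML profile in which the DNS key and the IKEv2 dictionary sit in the com.apple.vpn.managed payload under Apple's VPN payload key names; the function name and the sample profile are constructed for illustration.

```python
import plistlib

# Stub dictionary that the note above says to delete from the profile.
DNS_STUB = {"SupplementalMatchDomainsNoSearch": 0}
REMOTE_IDS = {"mobile.skyhigh.cloud", "pa-mobile.skyhigh.cloud"}

def fix_profile(profile_bytes):
    """Drop the DNS stub from VPN payloads; return (new_bytes, problems)."""
    profile = plistlib.loads(profile_bytes)
    problems = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        # Delete only the exact stub; a DNS dict with real settings is kept.
        if payload.get("DNS") == DNS_STUB:
            del payload["DNS"]
        elif "DNS" in payload:
            problems.append("DNS dictionary has other keys; review by hand")
        ike = payload.get("IKEv2", {})
        if payload.get("VPNType") != "IKEv2":
            problems.append("Connection Type is not IKEv2")
        if ike.get("RemoteAddress") != "mobile.skyhigh.cloud":
            problems.append("Server is not mobile.skyhigh.cloud")
        if ike.get("RemoteIdentifier") not in REMOTE_IDS:
            problems.append("unexpected Remote Identifier")
        if ike.get("AuthenticationMethod") != "Certificate":
            problems.append("Machine Authentication is not Certificate")
        if not ike.get("LocalIdentifier"):
            problems.append("Local Identifier is empty")
    return plistlib.dumps(profile, sort_keys=False), problems

# Constructed sample profile using the values from the steps above.
SAMPLE = plistlib.dumps({
    "PayloadContent": [{
        "PayloadType": "com.apple.vpn.managed",
        "VPNType": "IKEv2",
        "DNS": {"SupplementalMatchDomainsNoSearch": 0},
        "IKEv2": {
            "RemoteAddress": "mobile.skyhigh.cloud",
            "RemoteIdentifier": "pa-mobile.skyhigh.cloud",
            "LocalIdentifier": "user2",
            "AuthenticationMethod": "Certificate",
        },
    }],
})

if __name__ == "__main__":
    fixed, problems = fix_profile(SAMPLE)
    print(problems, fixed.decode(), sep="\n")
```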

b. Push VPN configuration to the device using MDM:

This section describes the configuration flow for pushing the VPN profile to a mobile device from Intune MDM (Mobile Device Management).

Creation of custom VPN Profile:

  1. Log in to the Intune MDM account using the link.
  2. Make sure your device appears under Devices > iOS/iPadOS when you log in.
  3. Go to Devices > Configuration > Create.
  4. Click New Policy to create a new VPN configuration.
  5. Select Platform as iOS/iPadOS.
  6. Select Profile type as Templates.
  7. Select the Template name as Custom.

     Once Profile Type is selected as Custom, a window appears to upload the Apple Configurator profile file.
  8. Click Create.
  9. Under the Basics tab, enter Name and Description.
  10. Click Next.
  11. Under the Configuration settings tab, enter the Configuration profile name and upload the .mobileconfig file created using Apple Configurator 2.
  12. Click Next.
  13. Under the Assignments tab, select your device group and click Next.
  14. Under the Review + create tab, review the profile and click Create to create the VPN configuration profile.

     Once the profile is assigned to the respective group, MDM takes some time to push the profile to the respective devices.

c. Push Skyhigh Mobile Client App ipa to mobile devices:

  1. Go to Apps > iOS/iPadOS > click Create.
  2. Select App type as iOS store app.
  3. Under the App information tab, click Select app.
     In the search bar, enter and select Skyhigh Client.
  4. Under the App information tab, enter the Publisher name and click Next.
  5. Under the Assignments tab, select the required device group and click Next.
  6. Under the Review + create tab, review the app information and click Create.
  7. Verify the app created.

     Once the app is created, MDM takes some time to push the app to the respective device.

NOTE: To enable the factory reset option using Intune, see Enable Factory Reset for Skyhigh Mobile Client App

NOTE: To make Microsoft Teams calls, add microsoft.com, live.com, skype.com in Policy > Web Policy > Policy > Global Bypass > Domains Bypass.

TIP: For details about Skyhigh Mobile Client App installation and troubleshooting, see Skyhigh Mobile Client App for iOS Devices.

 

 

Manual Configuration

Install the Tenant customer CA in the iOS device

Note: The iOS device should have a passcode to install and trust a CA certificate.

  1. Export the Tenant customer CA to the device using AirDrop or mail. Once the Tenant Customer CA is downloaded, it will be available in the device settings.
  2. Go to device Settings > General > VPN & Device Management.
  3. Tap the certificate and tap Install.
  4. Enter the passcode and tap Install.
  5. The Profile installed message confirms that the certificate is installed correctly.
  6. Go to Settings > General > About > Certificate Trust Settings, verify the Tenant Customer CA and enable the certificate switch.
  7. Click Continue to trust the certificate.
