Skyhigh Security

Configure Microsoft Entra ID to Retrieve Device ID of Skyhigh Mobile Client (iOS) Devices

You must configure Microsoft Entra ID to retrieve the device ID of Skyhigh Mobile Client (iOS) devices. When end users install the Skyhigh Mobile Client on Intune-managed iOS devices and access internal applications through Skyhigh SSE, Microsoft Entra ID (Azure AD) does not receive the device ID. As a result, Entra ID treats these devices as unmanaged and blocks access to applications that require managed device compliance.

Strong authentication requires Entra ID to validate both user credentials and device identity. When traffic flows through the Skyhigh SSE VPN tunnel, the device ID is not forwarded by default, which prevents compliance evaluation.

To restore device-based access control, configure Microsoft Entra ID to trust Skyhigh SSE so that device ID information is accepted for compliant iOS devices using the Skyhigh Mobile Client.

Before You Begin

Make sure you have the following prerequisites in place: 

  • A valid user certificate from Active Directory for VPN authentication.
  • Administrator access to the Microsoft Entra ID portal and Skyhigh Security tenant.
  • Target iOS devices must be enrolled in Microsoft Intune and marked as supervised.

Configure Microsoft Entra ID

Follow the configuration steps below to retrieve the device ID for Skyhigh Mobile Client (iOS) devices:

Create an Enterprise Application in Microsoft Entra ID
  1. Sign in to the Microsoft Entra ID portal.
  2. Click Enterprise apps.
  3. Click New application.
  4. Click Create your own application.
  5. Enter a name for the application.
  6. Select Integrate any other application you don’t find in the gallery (Non-gallery).
  7. Click Create.
  8. In the Manage section, select Single sign-on.
  9. Click SAML to open the SAML-based Sign-on page.
  10. Click Edit in the Basic SAML Configuration section and configure the following values:
    • Identifier (Entity ID). https://saml.wgcs.skyhigh.cloud
    • Reply URL (Assertion Consumer Service URL). https://saml.wgcs.skyhigh.cloud/saml
  11. Click Save.
  12. Click Download to download the Federation Metadata XML file.

Import Federation Metadata XML into Skyhigh SSE UI
  1. Sign in to the Skyhigh SSE UI. 
  2. Go to Infrastructure > Web Gateway Setup > Setup SAML.
  3. Click New SAML.
  4. Go to Actions > Import IdP Metadata.
  5. Upload the metadata file downloaded from the Entra ID portal (Step 12).
  6. Enter the required fields that remain blank after uploading the metadata file from the Entra ID portal.
  7. Click Save.

Verify Device Supervision

Ensure that the target iOS devices are enrolled in Microsoft Intune and marked as supervised to enable Device ID forwarding. 

Create a VPN Profile for Skyhigh Mobile Client

NOTE: Ensure you have the certificate downloaded from the AD server before proceeding.  

Create a VPN profile in Microsoft Intune with the following values:

  • Connection type. IKEv2
  • VPN server address. mobile.skyhigh.cloud
  • Always-on VPN. Enable
  • Remote identifier. mobile.skyhigh.cloud
  • Local identifier. Subject Common Name
  • Client Authentication type. User authentication
  • Authentication method. Certificates (use the certificate issued from AD)
  • TLS minimum version. 1.1
  • TLS maximum version. 1.2

Assign the VPN Profile

Assign the VPN profile to the required users or groups in Microsoft Intune.

Deploy the Skyhigh Mobile Client Application

Deploy the Skyhigh Mobile Client app to the same users or groups.

Authenticate using SAML
  1. On the device, open the Skyhigh Mobile Client.
  2. Use SAML authentication to sign in through Entra ID.

Verify Device ID in Entra ID
  1. Sign in to the Microsoft Entra ID portal.
  2. Go to Sign-in logs.
  3. On the Activity Details: Sign-ins panel, under the Device info tab, verify that:
    • Device ID displays the unique identifier of the device.
    • Managed displays Yes.

You can now restore device-based access control because Microsoft Entra ID accepts device ID information from compliant iOS devices using the Skyhigh Mobile Client. 
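
The Device info check above can be repeated across many sign-ins at once by auditing an exported sign-in log. The following is an added example, not Skyhigh or Microsoft code: it assumes the export is JSON in the shape of Microsoft Graph signIn records (deviceDetail.deviceId, deviceDetail.isManaged, deviceDetail.operatingSystem) and that iOS sign-ins carry an operating system string beginning with "iOS" in any letter case; the sample records are constructed.

```python
import json

# Constructed sample, shaped like Microsoft Graph signIn records (not real log data).
SAMPLE_SIGNINS = json.loads("""[
  {"createdDateTime": "2026-01-27T17:40:02Z", "userPrincipalName": "alice@example.com",
   "deviceDetail": {"deviceId": "11111111-2222-3333-4444-555555555555",
                    "operatingSystem": "Ios 18.2", "isManaged": true}},
  {"createdDateTime": "2026-01-27T17:52:10Z", "userPrincipalName": "bob@example.com",
   "deviceDetail": {"deviceId": "", "operatingSystem": "Ios 18.2", "isManaged": false}},
  {"createdDateTime": "2026-01-27T18:03:44Z", "userPrincipalName": "carol@example.com",
   "deviceDetail": {"deviceId": "66666666-7777-8888-9999-000000000000",
                    "operatingSystem": "iOS 17.6", "isManaged": null}},
  {"createdDateTime": "2026-01-27T18:10:00Z", "userPrincipalName": "dave@example.com",
   "deviceDetail": {"deviceId": "", "operatingSystem": "Windows 10", "isManaged": false}}
]""")


def classify(record):
    """Return 'ok', 'no_device_id' or 'unmanaged' for one sign-in record."""
    detail = record.get("deviceDetail") or {}
    device_id = (detail.get("deviceId") or "").strip()
    if not device_id:
        return "no_device_id"   # device ID did not reach Entra ID
    if detail.get("isManaged") is not True:
        return "unmanaged"      # ID present, but not reported as managed
    return "ok"


def audit_ios_signins(records):
    """Group iOS sign-ins by outcome; sign-ins from other platforms are skipped."""
    report = {"ok": [], "no_device_id": [], "unmanaged": []}
    for rec in records:
        detail = rec.get("deviceDetail") or {}
        os_name = (detail.get("operatingSystem") or "").lower()
        if not os_name.startswith("ios"):   # assumption: iOS strings start with "ios"
            continue
        entry = (rec.get("userPrincipalName"), rec.get("createdDateTime"))
        report[classify(rec)].append(entry)
    return report


if __name__ == "__main__":
    for outcome, hits in audit_ios_signins(SAMPLE_SIGNINS).items():
        for upn, when in hits:
            print(f"{outcome:13} {upn} {when}")
```

Entries under no_device_id or unmanaged point to devices where the VPN profile, supervision status, or SAML configuration from the earlier steps should be rechecked.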