Skyhigh Mobile Client for iOS Devices

Prerequisites 

Generate a self-signed certificate authority(CA) and use this file to generate a user identity(.p12) file. Upload the CA file to the Skyhigh UI. Download the customer Tenant CA certificate from the Skyhigh UI.

• MDM Setup: Create a VPN profile along with a user identity(.p12) file and  Customer tenant CA certificate and push it directly to the iOS devices using MDM. 
• BYOD Setup: Share the Customer tenant CA certificate and upload a user identity (.p12) file to the user. The user has to install the CA certificate and trust in the device settings. The user has to install the app and upload p12 file which creates VPN.

Generate Certificate Authority (CA) and User Identity (.p12) certificates

Create a self-signed CA file and use the same file to generate the User Identity files and sign those. 

NOTE: You can create one user identity file per user or device.

▼ Generate Certificates using XCA tool

You can generate the certificate using the XCA tool. 

1. Download and install the XCA 2.4.0 tool. 
2. Create a New Database, go to File  > New Database, and enter the password to save it.

3. Click the Certificates tab. 

4. Click New Certificate. 

5. Select Create a self signed certificate as the signing option. 

6. Select Signature algorithm as SHA384. 

7. Select Template for the new certificate as [default] CA.

8. Click Apply extensions and Apply subject.

9. Click the Subject tab.

10. Enter Internal Name and commonName.

11. Click Generate a new key.

12. Select keytype as RSA and Keysize as 4096 bit.

13. Click Create.

Key created message window appears. 

14. Go to the Extension tab and retain all the settings as is.

 

15. Go to the Key Usage tab and retain all the settings as is.

16. Go to the Netscape tab and remove any selected options.

17. Go to the Advanced tab and review all the information. 

18. Click OK to create the CA certificate.

19. Click the Certificates tab. 

20. Select the recently created root_CA certificate.

21. Click New Certificate. 

22. Select the previously created CA(root_CA) certificate as the signing option. 

23. Select Signature algorithm as SHA384. 

24. Select the template for the new certificate as [default] TLS_client or [default] HTTPS_client.

25. Click Apply extensions and Apply subject.

26. Click the Subject tab, enter Internal Name and commonName. Make sure the file name is the same as the common Name. 

27. Click Generate a new key.

28. Select keytype as RSA and Keysize as 4096 bit.

29. Click Create.

The key created message window appears. 

30. Go to the Extension tab. Select x509v3 basic Constraints type as Not defined and uncheck the Critical option. 

31. Select Key identifier as x509v3 Authority key Identifier.

32. Click Edit in the Select X509v3 Subject Alternative Name option. 

33. Enable the Copy Common Name setting and click Apply. 

NOTE: If Copy common name is not available, then manually enter the DNS:user1”(user1 as the common name of the client certificate added in step 26) in the X509v3 Subject Alternative Name field.

34. Go to Key Usage tab, select options from the list as per the image below. 

35. Go to the Netscape tab and remove any selected options.

36. Go to the Advanced tab and review all the information. 

37. Click OK to create the CA certificate.

38. Select CA certificate and click Export.

39. Select File Location and Export Format as PEM + Key (*.pem) for CA certificate. Click OK to save the file.

40. Select Client certificate(user1) and click Export.

41. Select File Location and Export Format as PEM + Key (*.pem) for client certificate. Click OK to save the file.

42. Select Client certificate(user1) and click Export.

43. Select File Location and Export Format as PKCS #12 chain (*.pfx) for the client certificate. Click OK to save the file. Make sure the file name is the same as the common Name.

44. Enter the Password and select Ok to save the file.

45. Go to the file location and open CA and Client file in any text editor. Verify only certificate part is available in the file. remove extra information, if any. 

46. Rename Client file (user1) .pfx file as .p12 file.

Upload CA certificate generated to the Skyhigh Security UI

 Upload the CA certificate generated in Step 1 to the Skyhigh Security UI.

NOTE: After this step, wait for 30-40 minutes before connecting VPN

1. Go to Settings > Infrastructure > Web Gateway Setup.

2. Click Configure on the Skyhigh Mobile Cloud Security setting.

3. Click Upload and select the custom CA certificate.

NOTE: supported certificate formats are DER, PEM, CRT, and CER.

4. Specify the User name and an optional User Group in the User Identity certificates and click 

5. Click Save. 

6. Click Upload & Test and upload the User identity file with format as .cer, .crt, .pem or .der to validate the CA and user Identity file.

7. Click Save to save the configuration. 

8. Click Publish to apply the changes. 

Download Tenant Customer CA from Skyhigh UI 

1. Go to Policy > Web Policy > Feature Configuration

2. Select HTTPS connections > Customer CA.

3. Select Customer CA and click Export to download the Customer CA file.

4. Share this Customer CA certificate to the user if selecting Manual VPN config. 

Download Root Certificates and Install

1. Download the certificate using this link. 
2. To install the certificate, navigate to Settings > General > VPN & Device Management.
   
   The downloaded certificate appears on the VPN & Device Management screen. 
   Tap on Sectigo Public Server Authentication CA OV R36 certificate. 
   
   
   
   Tap Install on the Install profile screen. 
   
   
   
   Tap Install on the Installing Profile screen. 
   
   
   
   Tap Done once installation is completed. 
   
   
   
   

NOTE: For iOS 17.4 and iPadOS 17.4, use only the Sectigo Public Server Authentication CA OV R36 certificate. For earlier iOS versions, use two certificates: Sectigo Public Server Authentication Root R46 and Sectigo Public Server Authentication CA OV R36.
 

3. Download the Sectigo Public Server Authentication Root R46 certificate using this link.
4. To install the certificate, navigate to Settings > General > VPN & Device Management.
   
   The downloaded certificate appears on the VPN & Device Management screen. 
   Tap on Sectigo Public Server Authentication Root R46 certificate. 
   
   
   
   Tap Install on the Install profile screen. 
   
   
   
   Tap Install on the Installing Profile screen. 
   
   
   
   The certificate installation is complete. 
   
    
5. Go to Settings > General > About > Certificate Trust Settings > Toggle on ENABLE FULL TRUST FOR ROOT CERTIFICATE. 
   
   

Setup Skyhigh Client App and Certificate Deployment using MDM 

Skyhigh Client App and Certificate Deployment 

▼ MDM Setup 

Prerequisite: iPhone/iPad is already enrolled in the Intune portal. 

Admin has to create VPN profile along with generated user identity file(.p12) and downloaded Tenant customer CA certificate using Apple Configurator and push the VPN profile to the enrolled device. Admin has to create custom Line-of-business app using the IPA file shared and push the app to the enrolled device. Users should ensure that this configuration exists on the iOS device.

a. Create a VPN profile using the Apple configurator:

1. Download Apple Configurator from the Mac Appstore.
2. Click on File > New Profile.
3. Navigate to General and add any name.

4. Navigate to Certificates and click Configure.

5. Select User Identity(.p12) file generated and enter the password.

6. Rename Tenant Customer CA(certificate_authority.pem) downloaded from the Skyhigh tenant to certificate_authority.crt.
7. Click  + icon in Certificates, select the Tenant Customer CA(certificate_authority.crt) file, and the Sertigo Public Server Authenticate CA OV R36 file. To download the Sertigo Public Server Authenticate CA OV R36 certificate file, see Download the Intermediate CA certificate and Install section. 

8. Navigate to VPN settings and click Configure.

9. Enter the values as mentioned below:

• Connection Name: Any random name.
• Connection Type: IKEv2.
  • To enable Always ON VPN, click on the check box. Always-ON VPN works only on the supervised devices.
    
• Server: mobile.skyhigh.cloud
• Remote Identifier: 

  •  mobile.skyhigh.cloud: 

    NOTE: When you create a mobileconfig file, it adds the following key-value pair which causes certificate installation failure. Delete this key pair to make the certificate work.

    Open the .mobileconfig file in any TextEdit and delete the below key and values.

    <key>DNS</key>
<dict>
<key>SupplementalMatchDomainsNoSearch</key>
<integer>0</integer>
</dict>

• Local Identifier:  Copy the common name of the User identity file that appeared in Certificates(Eg: user2)
  

•  Machine Authentication: Select Certificate in the drop-down.

• Identity Certificate: Select the user identity(.p12) file.
  

• Select Enable EAP
  

• EAP Authentication: Select Certificate in the dropdown.

b. Push VPN configuration to the device using MDM:

This provides the configuration flow of pushing VPN profile to mobile device from Intune MDM (Mobile Device Management).

Creation of custom VPN Profile:

1. Login to the Intune MDM account using the link. 

2. Make sure your device appears in the Devices -> iOS/iPadOS when you log in. 

3. Go to Devices > Configuration > Create.
4. Click New Policy to create a new VPN configuration.

5. Select Platform as iOS/iPadOS.
6. Select Profile type as Templates.
7. Select the Template name as Custom.

 

8. Once Profile Type is selected as Custom, a window will be opened to upload the Apple Configurator profile file.
9. Enter Name and Description and click Next.

 

10. Enter the Configuration profile name and upload .mobileconfig file created using Apple Configurator 2 and click Next.

11. Select your devices group in Assignments > Included group and click Next.

 

12. Review the profile and click Create to create the VPN configuration profile.

 

13. Once the profile is assigned to the respective group, MDM takes some time to push the profile to the respective devices.

c. Push Skyhigh Client App ipa to mobile devices:

1. Go to Apps -> iOS/iPadOS and click Create. 

 

2. Select App Type as Line-of-business app.

 

3. In the App information page, click Select app package file.

4. Enter the Publisher name and select Next.

5. Select the required device group in the Assignment section and click Next.

 

6. Review the app information and click Create.
   
   

 

7. Verify the app created.
   
   

 

8. Once the app is created, MDM takes some time to push the app to the respective device. 

NOTE: To make Microsoft Teams calls, add microsoft.com, live.com, skype.com in Policy > Web Policy > Policy > Global Bypass> Domains Bypass. 

For details about Skyhigh Client App installation and troubleshooting, see Skyhigh Client App for iOS Devices.