Skyhigh Security

Access Private Applications from iOS Device

Skyhigh Private Access extends protection to mobile devices through the Skyhigh Web Security Gateway Service (WGCS), based on Cloud Application Control policies. After you set up a mobile device, the device redirects its HTTP/HTTPS traffic (standard ports 80 and 443 only) to WGCS for filtering. The settings that WGCS uses to filter this traffic are configured in Cloud Application Control policies.

An iOS device always sends both private application and Internet traffic to the SSE cloud, even if you select the Redirect only private access traffic to cloud option. For more information about traffic redirection settings, see Redirect Only Private Access Traffic.

You can create the VPN on iOS devices in either of the following ways:

  • Using an MDM solution and pushing the configuration directly to the iOS devices
  • Manually creating the VPN by uploading the user identity (.p12) file to the Skyhigh Client app

Note: The Skyhigh Client app supports both iPhone and iPad (minimum supported version is iOS 13.0). HTTP/HTTPS traffic redirection is supported on standard ports only.

Set Up iOS Device to Access Private Applications

You will need to complete the following steps to set up iOS devices to access private applications:

Step 1: Generate Certificate Authority (CA) and User Identity (.p12) certificates

Create a self-signed CA file and use that same file to generate and sign the User Identity files. Follow any one of the methods below to generate the certificates.

▼ Generate Certificate using OpenSSL

You can generate the certificates using OpenSSL commands. The following are sample instructions for creating a CA certificate and an identity certificate with OpenSSL:

Note: You can choose whichever approach is convenient for generating a certificate. However, you must include all the parameters shown in the sample below.

  1. Create a config file. Make sure to include all the parameters in the config file as specified in the sample ca_config file.
  2. Create the CA certificate and key.

     openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -sha384 -days 3650 -out root-CA.pem -config ca_ext_file

  3. Create an extfile. Make sure to include all the parameters in the extfile as specified in the sample client config.
  4. Generate the client key and certificate signing request (CSR).

     openssl genrsa -out ShankKey.pem 4096
     openssl req -new -key ShankKey.pem -sha384 -out ShankCert.csr -config client_config

  5. Generate the client certificate.

     openssl x509 -req -days 3650 -sha384 -in ShankCert.csr -CA root-CA.pem -CAkey key.pem -CAcreateserial -out skyhigh_emp_1.pem -extfile client_config -extensions ext

  6. Generate the client identity certificate (.p12 file).

     openssl pkcs12 -export -inkey ShankKey.pem -in skyhigh_emp_1.pem -name "skyhigh_emp_1" -certfile root-CA.pem -caname "skyhigh_ca" -out skyhigh_emp_1.p12 -password pass:ztna

Note: Make sure the CN in the .p12 matches the name of the .p12 file and the subjectAltName in the client_config file (for example: CN = skyhigh_emp_1, DNS = skyhigh_emp_1, skyhigh_emp_1.p12).
Make sure that -caname "skyhigh_ca" matches CN = skyhigh_ca in ca_ext_file.

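The OpenSSL steps above run end to end, as an added example that is not part of the Skyhigh page: the ca_ext_file and client_config contents are constructed, minimal assumptions (the page's own sample files are not reproduced here), and the check_identity function at the end tests the rules from the Note, namely that the identity chains to root-CA.pem and that its CN and SAN DNS name both equal the .p12 base name.

```shell
# Added example (not the page's sample files): the page's OpenSSL commands with constructed configs.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
# Constructed CA config; its CN must match the -caname given at PKCS#12 export (skyhigh_ca).
cat > ca_ext_file <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = skyhigh_ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Constructed client config; CN and the SAN DNS entry must equal the .p12 base name.
cat > client_config <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = skyhigh_emp_1
[ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = DNS:skyhigh_emp_1
authorityKeyIdentifier = keyid
EOF
openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -sha384 -days 3650 -out root-CA.pem -config ca_ext_file 2>/dev/null
openssl genrsa -out ShankKey.pem 4096 2>/dev/null
openssl req -new -key ShankKey.pem -sha384 -out ShankCert.csr -config client_config
openssl x509 -req -days 3650 -sha384 -in ShankCert.csr -CA root-CA.pem -CAkey key.pem -CAcreateserial \
  -out skyhigh_emp_1.pem -extfile client_config -extensions ext 2>/dev/null
openssl pkcs12 -export -inkey ShankKey.pem -in skyhigh_emp_1.pem -name "skyhigh_emp_1" -certfile root-CA.pem \
  -caname "skyhigh_ca" -out skyhigh_emp_1.p12 -password pass:ztna
# check_identity <file.p12> <ca.pem> <password>: succeeds only when the identity chains to the CA
# and its CN and SAN DNS name both equal the .p12 file's base name, as the Note requires.
check_identity() {
  base=$(basename "$1" .p12)
  openssl pkcs12 -in "$1" -password "pass:$3" -nokeys -clcerts 2>/dev/null > leaf.pem
  openssl verify -CAfile "$2" leaf.pem >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in leaf.pem -noout -subject -nameopt RFC2253 | sed 's/^subject=//; s/^CN=//')
  san=$(openssl x509 -in leaf.pem -noout -ext subjectAltName | sed -n 's/.*DNS:\([^,]*\).*/\1/p')
  [ "$cn" = "$base" ] && [ "$san" = "$base" ]
}
check_identity skyhigh_emp_1.p12 root-CA.pem ztna && echo "skyhigh_emp_1.p12 is consistent"
```

Renaming the file to anything other than skyhigh_emp_1.p12 makes the check fail, which is exactly the mismatch the Note warns about.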
▼ Generate Certificates using XCA tool

You can generate the certificate using the XCA tool. 

  1. Download and install the XCA 2.4.0 tool.
  2. Create a new database: go to File > New Database and enter a password to save it.
  3. Click the Certificates tab.
  4. Click New Certificate.
  5. Select Create a self signed certificate as the signing option.
  6. Select the Signature algorithm as SHA384.
  7. Select the Template for the new certificate as [default] CA.
  8. Click Apply extensions and Apply subject.
  9. Click the Subject tab.
  10. Enter the Internal Name and commonName.
  11. Click Generate a new key.
  12. Select the keytype as RSA and the Keysize as 4096 bit.
  13. Click Create. The Key created message window appears.
  14. Go to the Extension tab and retain all the settings as is.
  15. Go to the Key Usage tab and retain all the settings as is.
  16. Go to the Netscape tab and remove any selected options.
  17. Go to the Advanced tab and review all the information.
  18. Click OK to create the CA certificate.
  19. Click the Certificates tab.
  20. Select the recently created root_CA certificate.
  21. Click New Certificate.
  22. Select the previously created CA (root_CA) certificate as the signing option.
  23. Select the Signature algorithm as SHA384.
  24. Select the template for the new certificate as [default] TLS_client or [default] HTTPS_client.
  25. Click Apply extensions and Apply subject.
  26. Click the Subject tab and enter the Internal Name and commonName.
  27. Click Generate a new key.
  28. Select the keytype as RSA and the Keysize as 4096 bit.
  29. Click Create. The Key created message window appears.
  30. Go to the Extension tab. Select the X509v3 Basic Constraints type as Not defined and uncheck the Critical option.
  31. Select the Key identifier as X509v3 Authority Key Identifier.
  32. Click Edit in the X509v3 Subject Alternative Name option.
  33. Enable the Copy Common Name setting and click Apply.

NOTE: If Copy Common Name is not available, manually enter DNS:user1 (where user1 is the common name of the client certificate entered in step 26) in the X509v3 Subject Alternative Name field.

  34. Go to the Key Usage tab and select the options from the list as shown in the original screenshot (Picture35.png).
  35. Go to the Netscape tab and remove any selected options.
  36. Go to the Advanced tab and review all the information.
  37. Click OK to create the certificate.
  38. Select the CA certificate and click Export.
  39. Select the File Location and the Export Format as PEM + Key (*.pem) for the CA certificate. Click OK to save the file.
  40. Select the Client certificate (user1) and click Export.
  41. Select the File Location and the Export Format as PEM + Key (*.pem) for the client certificate. Click OK to save the file.
  42. Select the Client certificate (user1) and click Export.
  43. Select the File Location and the Export Format as PKCS #12 chain (*.pfx) for the client certificate. Click OK to save the file.
  44. Enter the Password and select OK to save the file.
  45. Go to the file location and open the CA and Client files in any text editor. Verify that only the certificate part is present in each file and remove any extra information.
  46. Rename the Client (user1) .pfx file to a .p12 file.

Step 2: Upload the CA certificate generated in Step 1 to the Skyhigh Security UI

Note: After this step, wait 30-40 minutes before connecting the VPN.

  1. Go to Settings > Infrastructure > Web Gateway Setup.
  2. Click Configure on the Skyhigh Mobile Cloud Security setting.
  3. Click Upload and select the custom CA certificate.

Note: The supported certificate formats are DER, PEM, CRT, and CER.

  4. Specify the User name and an optional User Group in the User Identity certificates and click
  5. Click Save.
  6. Click Upload & Test and upload the User Identity file in .cer, .crt, .pem or .der format to validate the CA and User Identity file.
  7. Click Save to save the configuration.
  8. Click Publish to apply the changes.

Step 3: Download and install the iOS Skyhigh Client app from the App Store

Download and install the iOS Skyhigh Client app from the App Store.

Step 4: Download and install the Skyhigh Security certificate on the mobile device

Download the certificate using the link and share it so that it can be installed on the mobile device.

  1. Download this certificate on the mobile device.
  2. Once it is downloaded, it is available in Settings > General > VPN & Device Management.
  3. Select the certificate and click Install.
  4. Enter the passcode and click Install to install the certificate.
  5. After installation, go to Settings > General > About > Certificate Trust Settings.
  6. Ensure that the certificate is installed, switch on the certificate and click Continue to enable it.

Step 5: Download the Tenant Customer CA from the Skyhigh UI

  1. Go to Policy > Web Policy > Feature Configuration.
  2. Select HTTPS connections > Customer CA.
  3. Select Customer CA and click Export to download the Customer CA file.
  4. Share this Customer CA certificate with the user if the manual VPN configuration is used.

Step 6: Configure the VPN profile

Manual Configuration:

Install the Tenant Customer CA on the iOS device.

Note: The iOS device should have a passcode to install and trust a CA certificate.

  1. Export the Tenant Customer CA to the device using AirDrop or mail.
  2. Once the Tenant Customer CA is downloaded, it is available in the device settings.
  3. Go to device Settings > General > VPN & Device Management.
  4. Click the certificate and tap Install.
  5. Enter the passcode and click Install to install the certificate.
  6. The Profile installed message confirms that the certificate is installed correctly.
  7. Go to Settings > General > About > Certificate Trust Settings, verify the Tenant Customer CA and enable the certificate switch.
  8. Click Continue to trust the certificate.

Upload the User Identity (.p12) file

The .p12 file is password protected, so the admin has to share the password with the user. Long press and save the file on your device.

Note: Make sure to upload the .p12 file to the Skyhigh Client app. Don't install this file directly.

  1. Open the installed app.
  2. Read the disclaimer and select I agree to use data as specified in Terms.
  3. Tap Proceed.
  4. Tap Browse & Upload to upload the .p12 file. Search for the .p12 file and select it to complete the upload process.
  5. Enter the password and tap Continue. The Skyhigh Client app asks for permission to add a VPN configuration on your phone.
  6. Tap Allow.
  7. Enter the iPhone passcode.
  8. Tap Get Started. You are prompted to enter login credentials.
  9. Enter your corporate username and password.

After successful authentication, you can use the Skyhigh Client or enter the full URL of the private application in an external browser to access private applications.

Note: To disable VPN, go to Settings > General > VPN > Disable VPN.

MDM configuration: 

The admin pushes the VPN configuration and the Tenant Customer CA certificate using MDM; users should ensure that the configuration exists on the iOS device.

You can use the VMware, Microsoft Intune, or Ivanti Neurons MDM solution to manage your users' iOS devices. For configuration details, see

Create the VPN configuration (.mobileconfig file):

  1. Download Apple Configurator from the Mac App Store.
  2. Click File > New Profile.
  3. Navigate to General and add any name.
  4. Navigate to Certificates and click Configure.
  5. Select the generated User Identity (.p12) file and enter the password.
  6. Rename the Tenant Customer CA (certificate_authority.pem) downloaded from the Skyhigh tenant to certificate_authority.crt.
  7. Click the + icon in Certificates and select the Tenant Customer CA (certificate_authority.crt) file.
  8. Navigate to VPN settings and click Configure.
  9. Enter the values as listed below:
     • Connection Name: Any name
     • Connection Type: IKEv2
     • Server: pa-vpn.mcafee-cloud.com
     • Remote Identifier: vpn.mcafee-cloud.com
     • Local Identifier: Copy the common name of the User Identity file shown in Certificates (for example, "user2")
     • Machine Authentication: Select Certificate in the drop-down
     • Identity Certificate: Select the user identity (.p12) file
     • Select Enable EAP
     • EAP Authentication: Select Certificate in the drop-down

Note: When you create a .mobileconfig file, it adds the following key-value pair, which causes the certificate installation to fail. Delete this key pair to make the certificate work.

Open the .mobileconfig file in any text editor and delete the key and values below.

<key>DNS</key>
<dict>
<key>SupplementalMatchDomainsNoSearch</key>
<integer>0</integer>
</dict>

  10. Push this VPN configuration to the device using MDM.
  11. Use the Skyhigh Client app:
     1. Ensure the VPN configuration exists in Settings > General > VPN.
     2. Ensure the Tenant Customer CA certificate is enabled in Settings > General > About > Certificate Trust Settings.
     3. Open the Skyhigh Client app.
     4. Read the disclaimer and select I agree to use data as specified in Terms.
     5. Tap Proceed.
     6. Select Open VPN Settings.
     7. Go to Settings > General > VPN and enable the VPN configuration that the admin pushed. Wait until the VPN state shows Connected.
     8. Navigate back to the Skyhigh Client app and tap Get Started. You are prompted to enter login credentials.
     9. Enter your corporate username and password. After successful authentication, you can use the Skyhigh Client or enter the full URL of the private application in an external browser to access private applications.

Note: To disable VPN, go to Settings > General > VPN > Disable VPN.
