At Wits' End - An Intune/iOS VPN Story

I have Google'd, Reddited, LIVEcommunity'ed this as much as I can. I really didn't want to create a new post and ask for help. But I have run out of ideas.

Enterprise environment, recently moved to GlobalProtect as our VPN service. We use Windows machines primarily, and have recently added macOS support as well. All is well.

We were assigned a project to get GP working on a handful of Android and iOS devices, for dev testing. No biggie, but want to get it done.

Our security team dictates that we require user creds and device certificate to authenticate.

For the certificate, we are using Intune to deploy a PKCS to macOS, Android, and iOS devices. Works perfectly on macOS and Android devices.

Absolutely does not work on iOS devices. No matter what we do, the iOS error message states that “A valid client certificate is required for authentication…” you know the message.

I don’t want to list all the things we have tried, mainly because I can’t remember them all. But I will list the obvious ones that I can remember.

- Created VPN Profile in Intune using GP option - referencing the PKCS that Intune is creating

- Created VPN profile using custom option (and attempted with both GP’s own browser, and external browser, neither worked)

- Ensured cert is deploying properly, along with SubCA, intermediate, and root cert as well.

- Certs are trusted on the iOS device

- Had a call with Microsoft yesterday and we went through the entire Intune configuration, and the server issuing the certs and verified that everything is good, including the cert template on the Root CA server.

I am not on the Networking team at my company, but I do have read access to the firewall and can look at the configuration. Being a non-networking engineer, I'm not 100% certain that I understand the entire config from beginning to end, but I can surmise most of it; it does appear to be pretty cut and dried.

Are there any logs that can be obtained that can actually show what is happening, other than "client cert not present" when I look at the GlobalProtect portal/gateway logs? Does anyone have any other tips or tricks to try? Again, this same PKCS cert deployment is working with Mac and Android, flawlessly. It is absolutely perplexing and maddening at this point.
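The post above lists "chain deploys" and "certs are trusted" as things already checked, and a reply further down suggests testing with the certificate subject equal to the username. The script below is an added example, not part of the original thread or of any participant's reply: it builds a throwaway root -> issuing CA -> device-cert chain with openssl (all names, Example Root CA, Example Issuing CA and the user jdoe, are constructed for the demo) and then runs the three checks you would run against the certificate Intune actually delivered: does the leaf chain to the root through the issuing CA, does it carry the Client Authentication EKU, and does its subject CN equal the VPN username. A second leaf issued with only serverAuth stands in for a cert cut from the wrong template, so you can see what each check reports when it fails.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed throwaway PKI plus the checks a
# practitioner would run against a deployed GlobalProtect client certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: one CA extension set and two leaf extension sets, one with the
# clientAuth EKU a VPN client cert needs and one (serverAuth only) standing in for a
# certificate issued from the wrong template.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server_only]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# Root CA (self-signed), issuing CA signed by the root, two leaves signed by the issuing CA.
# Subject names and the username "jdoe" are constructed for this demo.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config ca.cnf -extensions v3_ca \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
  -subj "/CN=Example Issuing CA" -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -sha256 -days 1 -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_ca -out sub.pem 2>/dev/null
for name in device server_only; do
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=jdoe" -keyout "$name.key" -out "$name.csr" 2>/dev/null
done
openssl x509 -req -sha256 -days 1 -in device.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_client -out device.pem 2>/dev/null
openssl x509 -req -sha256 -days 1 -in server_only.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
  -extfile ca.cnf -extensions v3_server_only -out server_only.pem 2>/dev/null

# check_chain LEAF ISSUING_CA ROOT: succeeds only if LEAF chains to ROOT through ISSUING_CA.
check_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# has_client_auth_eku LEAF: succeeds if the Extended Key Usage lists TLS client authentication.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication'
}

# cert_cn LEAF: prints the subject CN (RFC 2253 form keeps the output stable across versions).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cn_matches_user LEAF USERNAME: the "subject equals the username" test suggested in the replies.
cn_matches_user() {
  [ "$(cert_cn "$1")" = "$2" ]
}

for cert in device.pem server_only.pem; do
  printf '%s: ' "$cert"
  if check_chain "$cert" sub.pem root.pem; then printf 'chain OK; '; else printf 'chain FAILED; '; fi
  if has_client_auth_eku "$cert"; then printf 'clientAuth EKU present; '; else printf 'clientAuth EKU MISSING; '; fi
  if cn_matches_user "$cert" jdoe; then printf 'CN matches jdoe\n'; else printf 'CN=%s does not match jdoe\n' "$(cert_cn "$cert")"; fi
done
```

To run the same three functions against a real deployment, export the delivered PKCS#12 from the device or from Intune and pull the leaf out with `openssl pkcs12 -in export.p12 -nokeys -clcerts -out leaf.pem`, then point `check_chain`, `has_client_auth_eku` and `cn_matches_user` at `leaf.pem` together with the SubCA and root PEM files you pushed. The second leaf in the demo is the case worth noticing: it chains cleanly and has the right CN, so "certs are trusted" and "chain deploys" both look fine, yet it is still not a client-authentication certificate.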

Test with the subject of the cert the same as the username?

I don't know about iOS, but I assume it's similar; you might be able to send logs from the device itself and see if it's trying to use the cert and failing, or not finding a cert, or what.

I'd also recommend getting Palo Alto TAC involved; they should be able to help narrow down the actual issue better than Microsoft might.

Lastly, if you haven't, it might be worth manually creating certs on the firewall and installing those on a device, to see if you can get it working that way, to narrow down what/where/why it's broken.

Are you trying to do an always-on or an app-based policy?

This is something that your networking team (who should know your configuration inside out) should be doing WITH you, NOT you alone. If you believe it's a VPN issue, then work with them, and possibly Apple and Microsoft, to sort it out.

I've dealt with Intune on the network side, and it's a complex and hard-to-understand beast.

Either way, certs should be deployed OUTSIDE of the VPN, and it sounds like it's not being put into the proper location.

What do you use to manage the iOS devices?

What would the syntax be for that?

We are using a device cert, not a user cert. Will that present a problem?

You can't deploy certs outside the VPN in Intune if you want to use them for VPN on iOS. This is why it's different from all other OSes. Apps don't have rights to read the certificates from the main MDM policy. Intune requires you to push a certificate policy with the VPN if you want to use the certificate with the VPN, basically giving the app rights to the cert. You will actually see Intune issue multiple certs for those.

Could be; I don't use Intune. First test without Intune; after a successful connection, apply Intune.

In the context of the deployment point: generally it has to talk to SCEP to deploy. You have to deploy it from a source outside of a destination that requires the VPN. My statement still stands. Chicken before the egg. A lot of people want to deploy it from an internal server, and not the public-facing servers.

Hmm. I know we have had a hard time in general with getting iOS to accept and use certs when pushed via MDM.

Many times we have made a policy and included the cert with it, particularly wireless, where it then proceeded to not present it. Usually, wiping and re-enrolling a few times would fix it. We use Jamf though.

We had tried Intune for iOS at one point and it was even more of a problem/less featured.

Oh, you are referring to not deploying via GlobalProtect. Apologies, I thought you meant deploying two different policies to the device for the cert in Intune: one for the VPN and one for the cert.

He does state in his message that he is deploying the policies via Intune, so it seems as if he is not deploying it via GlobalProtect, so it's in the correct order.

Plus, he used the same portal policies on all his other endpoints, so we can assume the cert deployment is fine since it worked on Android.