Palo Alto GlobalProtect HIP Checks on iOS with JAMF

If, like me, you use Palo Alto GlobalProtect to ensure the safety of your network, you may wish to extend that protection to iOS devices like iPhones and iPads. One of the best features of GlobalProtect is HIP checks, which can ensure that only devices meeting your management and security standards can connect to your VPN. To use HIP checks with iOS devices you must push the VPN profile via MDM: manually adding the portal address in the GP app will not let the device send its metadata to the PA.

Palo Alto’s documentation on this subject is far-flung and often contradictory, particularly if you don’t use AirWatch. For our iOS devices we used JAMF, which is the gold standard for Apple MDM. PA reported that this was “not a support issue” even though their documentation, as written, doesn’t work. It was punted to the sales team, who was also stumped.

PA offers two hints on connecting a “non-supported MDM” to HIP checks. The first is a sample mobileconfig file that you can edit and distribute to your devices.

The second is this article about the UDID attribute and MDM profiles. That article has some additional information for Airwatch which is useful. If you combine the two articles, however, you will not come up with a working config. The key missing/incorrect items are:

  • The VPNSubType attribute must be set to com.paloaltonetworks.globalprotect.vpn, NOT com.paloaltonetworks.GlobalProtect.vpnplugin. This is correct in the UDID article but not in the sample mobileconfig profile.
  • The ProviderBundleIdentifier must be set to com.paloaltonetworks.globalprotect.vpn.extension. This is not documented anywhere, but until I did this the profile would not “bind” to the app.
  • In the VendorKey <dict> section:
    • You need a tag that sets the key mobile_id to the $UDID variable (note that this is how JAMF represents the UDID variable; if you are using a different MDM it might be different).
    • You can add additional tags here, such as ownership, which will appear as a value that can be filtered on in the HIP Objects -> Mobile Device -> Device dialog on your PA.

From there the rest of the defaults work for setting the portal address and the email address variable for login name.
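As an added check (not code from the post, from Palo Alto or from JAMF), the script below loads a mobileconfig with plistlib and verifies the three items above before the profile is scoped to devices. It assumes Apple's VPN payload key names (com.apple.vpn.managed, and VendorConfig for the dictionary the post calls VendorKey); the portal address and the $EMAIL login variable in the embedded sample are constructed.

```python
import plistlib

# Values the post identifies as required for HIP checks to bind to the GP app.
REQUIRED_SUBTYPE = "com.paloaltonetworks.globalprotect.vpn"
WRONG_SUBTYPE = "com.paloaltonetworks.GlobalProtect.vpnplugin"  # value in PA's sample profile
REQUIRED_PROVIDER = "com.paloaltonetworks.globalprotect.vpn.extension"
UDID_VARIABLE = "$UDID"  # JAMF's payload variable; other MDMs may spell it differently

# Constructed sample VPN payload, as JAMF would deliver it (portal address and $EMAIL assumed).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.vpn.managed</string>
    <key>VPNType</key><string>VPN</string>
    <key>VPNSubType</key><string>com.paloaltonetworks.globalprotect.vpn</string>
    <key>ProviderBundleIdentifier</key><string>com.paloaltonetworks.globalprotect.vpn.extension</string>
    <key>VendorConfig</key><dict>
      <key>mobile_id</key><string>$UDID</string>
      <key>ownership</key><string>corporate</string>
    </dict>
    <key>VPN</key><dict>
      <key>RemoteAddress</key><string>vpn.example.com</string>
      <key>AuthName</key><string>$EMAIL</string>
    </dict>
  </dict></array>
</dict></plist>
"""


def check_globalprotect_payload(profile_bytes):
    """Return a list of problems; an empty list means all three post-described items are present."""
    problems = []
    plist = plistlib.loads(profile_bytes)
    vpn_payloads = [p for p in plist.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpn_payloads:
        return ["no com.apple.vpn.managed payload found"]
    for p in vpn_payloads:
        sub = p.get("VPNSubType")
        if sub != REQUIRED_SUBTYPE:
            hint = " (the value from PA's sample profile)" if sub == WRONG_SUBTYPE else ""
            problems.append(f"VPNSubType is {sub!r}{hint}; expected {REQUIRED_SUBTYPE!r}")
        if p.get("ProviderBundleIdentifier") != REQUIRED_PROVIDER:
            problems.append(f"ProviderBundleIdentifier must be {REQUIRED_PROVIDER!r}")
        vendor = p.get("VendorConfig") or {}
        if vendor.get("mobile_id") != UDID_VARIABLE:  # without this the PA never sees the device UDID
            problems.append(f"VendorConfig.mobile_id must be {UDID_VARIABLE!r}")
    return problems
```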
