Hardware reference guide
GlobalProtect Administrator’s Guide 95
Set Up the GlobalProtect Mobile Security Manager Define Deployment Policies
Step 3 Specify how to populate the VPN account username and password settings.
1. Specify where to get the VPN username by selecting a value from the Account drop-down. By default, the GlobalProtect VPN configuration is set to Use Saved, which uses the user name the device user provided during enrollment. You can also specify a Fixed user name to use for all devices using this configuration, or allow the device user to define the account user name by selecting Set on Device.
2. By default, the VPN Password will be Set On Device by the device user. However, if you want to use the password that the device user supplied when authenticating during enrollment, select Use Saved, or set a Fixed password to be used by all devices using this configuration.
3. (Optional) By default, when a Mobile Security Manager policy is pushed to a mobile device, all profiles that Mobile Security Manager previously pushed and that are not attached to the matching policy rule are automatically removed from the device. However, Mobile Security Manager does not remove VPN profiles pushed to the device by the GlobalProtect portal, which allows the user to switch profiles manually. To enable Mobile Security Manager to remove any existing GlobalProtect VPN profiles, clear the Allow Portal Profile check box.
Step 4 (Optional) Specify a client certificate for the mobile devices to use to authenticate to the GlobalProtect gateway(s) during establishment of the VPN tunnel. If you want to push a client certificate to the devices from the portal client configuration instead, or if you are not using certificate authentication on your gateways, you can skip this step.
This feature is useful for preventing devices that are not managed by the Mobile Security Manager from connecting to the GlobalProtect VPN. However, by rejecting connections from non-managed devices you lose visibility into that traffic. As a best practice for controlling traffic from non-managed mobile devices, create a HIP profile that matches based on whether or not the device is managed and attach it to your security policies. See Use Host Information in Policy Enforcement for more details on creating HIP-enabled security policies.
To use the identity certificate issued to the mobile device during enrollment:
a. Select None in the Credential field.
To use client certificates issued by your enterprise SCEP server:
a. Select SCEP from the Credential field.
b. Set Up a SCEP Configuration.
To use a client certificate issued by the Mobile Security Manager:
a. Import a client certificate to push to the mobile devices onto the Mobile Security Manager, or generate a self-signed certificate on the Mobile Security Manager. This option is similar to the option to deploy client certificates from the GlobalProtect portal. In this configuration, you specify a single client certificate to use for all mobile devices using this iOS configuration profile.
b. Select Certificate and then select the client certificate to use from the drop-down.
If you specify a Credential in this configuration, make sure that the client configuration that the portal will deploy to the corresponding mobile devices does not also contain a client certificate, or the certificate in the portal configuration will override the certificate specified here.
Create a GlobalProtect VPN Configuration (Continued)
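The following is an added example, not code from the GlobalProtect guide or from Palo Alto Networks, showing how the Step 3 account/password choices (Use Saved, Fixed, Set on Device) and the Step 4 Credential choice (None, SCEP, Certificate) map onto the iOS VPN configuration profile a device receives, plus the portal-override check from the note above. It assumes Apple's documented VPN payload keys (VPNType, VPNSubType, AuthName, AuthPassword, AuthenticationMethod, PayloadCertificateUUID, RemoteAddress) and a GlobalProtect VPNSubType string; the profile Mobile Security Manager actually generates may differ, and the enrollment record and gateway name are constructed sample data.

```python
"""Map Mobile Security Manager VPN settings onto an iOS VPN configuration profile.

Added example for this page; not GlobalProtect's or Apple's code. Assumed: the
Apple VPN payload keys used below and the GlobalProtect VPNSubType string.
"""
import plistlib
import uuid

USE_SAVED = "Use Saved"
FIXED = "Fixed"
SET_ON_DEVICE = "Set on Device"
CREDENTIALS = ("None", "SCEP", "Certificate")
GP_VPN_SUBTYPE = "com.paloaltonetworks.globalprotect.vpn"  # assumed identifier


def _pick(setting, saved, fixed, what):
    """Resolve a Use Saved / Fixed / Set on Device setting to a value, or None."""
    if setting == USE_SAVED:
        if not saved:
            raise ValueError(f"no {what} was saved for this device at enrollment")
        return saved
    if setting == FIXED:
        if not fixed:
            raise ValueError(f"Fixed {what} selected but none supplied")
        return fixed
    if setting == SET_ON_DEVICE:
        return None  # key is omitted so the device user enters it
    raise ValueError(f"unknown {what} setting: {setting!r}")


def vpn_payload(gateway, account=USE_SAVED, password=SET_ON_DEVICE, *,
                enrolled_user=None, enrolled_password=None,
                fixed_user=None, fixed_password=None,
                credential="None", cert_uuid=None):
    """Build the VPN dictionary for one profile (Step 3 and Step 4 settings)."""
    if credential not in CREDENTIALS:
        raise ValueError(f"unknown Credential: {credential!r}")
    vpn = {"RemoteAddress": gateway, "AuthenticationMethod": "Password"}

    user = _pick(account, enrolled_user, fixed_user, "user name")
    if user is not None:
        vpn["AuthName"] = user
    pw = _pick(password, enrolled_password, fixed_password, "password")
    if pw is not None:
        # A Fixed password lands in every device's profile and is shared by all of them.
        vpn["AuthPassword"] = pw

    if credential in ("SCEP", "Certificate"):
        # SCEP: UUID of the SCEP payload; Certificate: UUID of the imported PKCS#12 payload.
        if not cert_uuid:
            raise ValueError(f"{credential} credential needs the certificate payload UUID")
        vpn["AuthenticationMethod"] = "Certificate"
        vpn["PayloadCertificateUUID"] = cert_uuid
    # credential == "None": the gateway relies on the identity certificate issued at
    # enrollment, which this profile does not carry, so no certificate keys are set.
    return vpn


def configuration_profile(name, vpn, identifier="com.example.msm.vpn"):
    """Wrap the VPN dict in a com.apple.vpn.managed profile; returns plist bytes."""
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "VPN",
        "VPNSubType": GP_VPN_SUBTYPE,
        "VPN": vpn,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def vpn_from_profile(data):
    """Parse profile bytes back and return the VPN dict (round-trip check)."""
    return plistlib.loads(data)["PayloadContent"][0]["VPN"]


def portal_overrides_credential(credential, portal_client_config_has_cert):
    """True when a portal client configuration certificate would override this Credential."""
    return credential != "None" and portal_client_config_has_cert


if __name__ == "__main__":
    # Constructed sample enrollment record for one device.
    enrolled = {"user": "jdoe", "password": "enrollment-secret"}
    vpn = vpn_payload("gp.example.com", account=USE_SAVED, password=SET_ON_DEVICE,
                      enrolled_user=enrolled["user"], credential="SCEP",
                      cert_uuid="5A4F3C2B-1111-2222-3333-444455556666")
    print(configuration_profile("Corp VPN", vpn).decode())
```

Running the module prints the profile XML; the two ValueError paths cover the cases where Use Saved is selected but enrollment saved nothing, and where SCEP or Certificate is selected without a certificate payload to reference.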