
First published on TechNet on Jul 30, 2018
By Tyler Castaldo | Intune PM

Update 5/21/19 - Network Access Control (NAC) support for F5 Access for iOS devices

Update for Network Access Control (NAC)
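We have released a new setting in our UI labeled “Enable Network Access Control (NAC)” for Citrix SSO, F5 Access, and Cisco AnyConnect VPN profiles. We are still working with these providers to support the new ID, and at this time this new NAC functionality is not supported on these VPN clients. You should leave this setting disabled for now, since once you set it in a VPN profile, you can’t disable it unless you delete and recreate the VPN profile.

Update 11/19/18 - This setting now works with Citrix, but some admin action is required prior to configuration:

    • Confirm you're using Citrix Gateway 12.0.59 or higher.
    • Confirm your users have Citrix SSO 1.1.6 or later installed on their devices.
    • Integrate Citrix Gateway with Intune for NAC, as described in the Integrating Microsoft Intune/Enterprise Mobility Suite with NetScaler (LDAP+OTP Scenario) Citrix deployment guide.
    • Enable NAC in the VPN profile.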

Citrix has mentioned in this blog post that they are planning to release an update for Citrix Gateway that will enable this feature for Citrix SSO on November 2. We are still working with F5 and Cisco and have no timelines to announce at this time.

As you may have noticed through your own testing, a change has been made in VPN functionality in iOS 12, the next iOS release that is still in beta. As such, several companies including Cisco, F5, and Palo Alto have announced, either through their own release notes or through documentation, that the following older VPN clients for iOS will not be supported in iOS 12 and beyond:

    • Cisco Legacy AnyConnect
    • Citrix VPN
    • F5 Access Legacy/F5 Access 2.1 and earlier
    • Palo Alto Networks GlobalProtect 4.1 and earlier

Note that we will not be adding support for F5 Access 2018/F5 Access 3.0 and later for hybrid mobile device management (MDM) as hybrid MDM is no longer supported by Intune. Please contact Intune support if you run into any issues.

If you are using Cisco Legacy AnyConnect, you should move to Cisco AnyConnect, which is supported today. See this blog post for details. With the August service update, Intune now supports three new VPN clients to allow you time to migrate before iOS 12 is released to the public. These VPN clients include:

    • Citrix SSO
    • F5 Access 2018/F5 Access 3.0 and later
    • Palo Alto Networks GlobalProtect 5.0 and later

To switch to the new Cisco, Citrix, F5 and Palo Alto VPN clients, you do not need to update your VPN server/infrastructure; however, you will need to do the following:

· Recreate your VPN profiles. These new VPN clients are separate apps, and the VPN profiles you created for the legacy apps are not compatible with the new apps. You will need to recreate your VPN profiles, setting by setting.

· Deploy the new client. If you're using Intune to push VPN client apps, you will need to add the new VPN clients as mobile apps in Intune, since you can't upgrade directly from the legacy apps to the new apps. The new apps are completely separate apps from the old apps.

· Configure per-app VPN with the new VPN profiles. If you are using per-app VPN, you will need to reassign associated apps, using the new VPN profiles instead. If you have per-app VPN configured with apps assigned as "Available without enrollment", end users will need to re-install these apps so the per-app VPN association is changed to the new VPN profile on the device.

· Verify VPN connections are still working with the new apps. You should keep your existing VPN profiles and clients in place until you have verified that the VPN connections are working properly with the new clients.

· Clean up. Once you've verified everything is working properly, you should assign the legacy VPN clients as uninstall, then unassign and delete the old VPN profiles.
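The migration order above, as an added example that is not part of the original post: it walks a constructed device inventory and returns each device's first unfinished step, flagging iOS 12+ devices that have no verified connection through a new client. The field names and records are hypothetical and do not represent an Intune export format.

```python
# Constructed example: hypothetical field names, not an Intune export format.
LEGACY_TO_NEW = {  # legacy client -> replacement, as paired in this post
    "Cisco Legacy AnyConnect": "Cisco AnyConnect",
    "Citrix VPN": "Citrix SSO",
    "F5 Access Legacy": "F5 Access 2018",
    "GlobalProtect 4.1 and earlier": "GlobalProtect 5.0 and later",
}

def next_step(dev):
    """Return the first unfinished migration step for one device record."""
    new = LEGACY_TO_NEW.get(dev["legacy"])
    if new is None:
        return "nothing to migrate"
    if new not in dev["profiles"]:
        return f"recreate VPN profile for {new}"
    if new not in dev["apps"]:
        return f"deploy {new}"
    for app in dev["per_app_vpn"]:
        if app["profile"] != new:
            return f"reassign {app['name']} to the {new} profile"
        if app["assignment"] == "Available without enrollment" and not app["reinstalled"]:
            return f"user must re-install {app['name']}"
    if not dev["verified"]:
        return "verify new VPN connection (keep legacy in place)"
    if dev["legacy"] in dev["apps"] + dev["profiles"]:
        return "clean up legacy client and profile"
    return "done"

def audit(devices):
    """Map device name -> (next step, urgent); urgent = iOS 12+ and unverified."""
    out = {}
    for d in devices:
        urgent = d["ios_major"] >= 12 and d["legacy"] in LEGACY_TO_NEW and not d["verified"]
        out[d["name"]] = (next_step(d), urgent)
    return out

DEVICES = [  # constructed sample records
    {"name": "ipad-01", "ios_major": 12, "legacy": "Citrix VPN", "verified": False,
     "profiles": ["Citrix VPN"], "apps": ["Citrix VPN"], "per_app_vpn": []},
    {"name": "iphone-02", "ios_major": 11, "legacy": "F5 Access Legacy", "verified": False,
     "profiles": ["F5 Access Legacy", "F5 Access 2018"], "apps": ["F5 Access Legacy", "F5 Access 2018"],
     "per_app_vpn": [{"name": "Mail", "profile": "F5 Access 2018",
                      "assignment": "Available without enrollment", "reinstalled": False}]},
    {"name": "iphone-03", "ios_major": 12, "legacy": "Cisco Legacy AnyConnect", "verified": True,
     "profiles": ["Cisco Legacy AnyConnect", "Cisco AnyConnect"],
     "apps": ["Cisco Legacy AnyConnect", "Cisco AnyConnect"], "per_app_vpn": []},
]

if __name__ == "__main__":
    print(audit(DEVICES))
```

Cleanup is only ever returned after the verification step, which mirrors the advice to keep legacy profiles and clients in place until the new connection is confirmed.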

Note that Network Access Control (NAC) is not yet supported on these new VPN clients in this initial release.

Support for per-app VPN will be included when we add support for the new Citrix, F5 and Palo Alto clients. NAC support will be dependent on our NAC partners' timelines to make the necessary updates for integration with Intune.

Intune will continue to support the existing VPN options and functionality for devices on older supported versions of iOS. As a reminder, we announced deprecation of iOS 9 a few months back and will move to support iOS 10+ when iOS 12 is released. Please keep this in mind in your own testing.

Post updates

10/25/18: Updated with NAC ID announcement

8/17/18: Updated with Citrix announcement

8/22/18: Updated with note for F5 Access 2018/F5 Access 3.0

8/31/18: Updated with addition of new VPN and directions for switching to these new clients

10/17/18: Updated with additional clarification