How to configure an Always On GlobalProtect VPN for iOS endpoints using Microsoft Intune

• When iOS mobile devices are managed by an MDM, the connect method configured in the portal is ignored.
• This is because the client is unable to override the VPN profile deployed from the MDM.
• There are some settings that can be deployed from the MDM to make the VPN connection through GlobalProtect and behave like an Always On VPN.
• This article explains the configuration needed.
• Note: The information is now documented at Configure Globalprotect Settings On iOS Devices via-Microsoft-Intune.

• GlobalProtect client for iOS
• iOS mobile device managed by an MDM (Microsoft Intune)

After setting the iOS VPN profile connection type to "Palo Alto Networks GlobalProtect" and configuring the base VPN settings, go to the "Automatic VPN" section and:

1. Set the Type of automatic VPN to: On-demand VPN.
2. Add an On-demand rule and configure it to: Connect VPN, to All domains.
3. This is shown in the following example:

4. The GlobalProtect client cannot override the configuration deployed by MDM. Therefore, these settings are necessary to create connect rules that match the portal's configuration. This guarantees that the VPN automatically activates for any network access and will reconnect immediately if the user was idle or previously disconnected.
5. To verify that the configuration is in effect on the GlobalProtect client, the following information can be seen inside the file "Agent.log" that's present on the GlobalProtect client logs bundle:

onDemandEnabled = YES
onDemandRules = (
    {
        action = connect
        interfaceTypeMatch = any
     },
    )

Add VPN settings on iOS and iPadOS devices in Microsoft Intune: