GlobalProtect App on iPhone or iPad unable to connect when using both SAML and certificate authentication.

Created On 08/31/23 00:28 AM - Last Modified 10/11/24 02:05 AM


Symptom


  • The GlobalProtect (GP) client app on iOS (iPhone or iPad) throws the error message "The Internet connection appears to be offline".
  • This happens when the connect method is set to On-Demand (the only supported method when using SAML).
  • On the GP Portal, the authentication is set to "No (User Credentials AND Client Certificate Required)", which means both SAML and certificate authentication are required.
  • The GP app connects without any issues if only one of the authentication methods (either only SAML or only certificate) is used.


Environment


  • GlobalProtect Client App on iOS (iPhone or iPad)
  • Prisma Access for Mobile Users
  • GlobalProtect on Strata NGFW.


Cause


  • This happens when the MDM (Mobile Device Management) for iOS is configured with an app rule for an identifier.
  • The Agent.log file in the GP support bundle shows the following:
onDemandEnabled = YES
    appRules = (
        {
            matchSigningIdentifier = com.paloaltonetworks.globalprotect.vpn
        },
        {
            matchSigningIdentifier = com.esri.fieldmaps
        },
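
To check a support bundle for this condition, the following added example (not part of the original article and not Palo Alto Networks code) scans Agent.log text for the on-demand flag and any matchSigningIdentifier app rules. It assumes the relevant lines look like the excerpt above and that the last logged onDemandEnabled value is the current one; the function name and the sample text are constructed for illustration.

```python
import re
import sys

# Constructed sample, shaped like the Agent.log excerpt in this article.
SAMPLE_LOG = """\
onDemandEnabled = YES
    appRules = (
        {
            matchSigningIdentifier = com.paloaltonetworks.globalprotect.vpn
        },
        {
            matchSigningIdentifier = com.esri.fieldmaps
        },
"""

# Not anchored to line start, so a timestamp prefix on the line is tolerated.
ON_DEMAND_RE = re.compile(r"\bonDemandEnabled\s*=\s*(\w+)")
IDENT_RE = re.compile(r"\bmatchSigningIdentifier\s*=\s*\"?([\w.\-]+)")


def check_agent_log(text):
    """Report whether the log shows On-Demand together with MDM app rules."""
    flags = ON_DEMAND_RE.findall(text)
    # Assumption: if the setting is logged several times, the last one wins.
    on_demand = bool(flags) and flags[-1].upper() in ("YES", "TRUE", "1")
    identifiers = []
    for ident in IDENT_RE.findall(text):
        if ident not in identifiers:  # keep first-seen order, drop repeats
            identifiers.append(ident)
    return {
        "on_demand": on_demand,
        "identifiers": identifiers,
        # The condition described under Cause: On-Demand plus identifier rules.
        "affected": on_demand and bool(identifiers),
    }


if __name__ == "__main__":
    # Usage: python check_agent_log.py path/to/Agent.log
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
    else:
        log_text = SAMPLE_LOG
    result = check_agent_log(log_text)
    print("On-Demand enabled:", result["on_demand"])
    for ident in result["identifiers"]:
        print("App rule identifier:", ident)
    print("Matches the cause in this article:", result["affected"])
```
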


Resolution


  1. Work with the MDM team to remove the identifier configuration.
  2. For Microsoft Intune, the VPN setting should be none, as shown below.
 
Intune MDM without identifier
 
  1. Validate that the GlobalProtect portal configuration matches the following conditions.
  2. Default browser for SAML enabled & Connect method = 'On Demand'.
  3. GP client app is managed by qualified MDM.

