Mobile-ID for an iOS device in the HIP report sent by the GlobalProtect application does not match the device UDID in the HIP report compiled by the User-ID agent MDM Integration Service
Created On 11/22/21 18:54 PM - Last Modified 04/23/24 03:28 AM
Symptom
- The Mobile-ID/UDID for the device differs between the HIP report sent by the GlobalProtect application and the HIP report compiled by the User-ID agent MDM Integration Service:
- HIP report for the device sent by the GlobalProtect application:
<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<md5-sum>da1c6e36681f44de9b5b494af7355eb2:d588b64ba276cb6eeeec6c06c659d04b</md5-sum>
<user-name>testuser1</user-name>
<domain>(empty_domain)</domain>
<host-name>iPhone</host-name>
<host-id>ACF1C6EBEE4A406BBE81F9E844A53559</host-id>
<mobile-id>ACF1C6EBEE4A406BBE81F9E844A53559</mobile-id>
<ip-address>192.168.20.11</ip-address>
<ipv6-address></ipv6-address>
<generate-time>11/12/2021 15:22:03</generate-time>
<hip-report-version>4</hip-report-version>
<categories>
<entry name="host-info">
<managed>yes</managed>
<serial-number></serial-number>
<client-version>5.2.9-8</client-version>
<os>Apple iOS 12.5.5</os>
<os-vendor>Apple</os-vendor>
<domain></domain>
<host-id>ACF1C6EBEE4A406BBE81F9E844A53559</host-id>
<host-name>iPhone</host-name>
- HIP report for the device from AirWatch MDM in the User-ID agent:
<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
<categories>
<entry name="host-info">
<network-info/>
<network>
<wifi-mac>9060F1BB96FD</wifi-mac>
</network>
</entry>
<entry name="mobile-device">
<serial-number>F9CRH1WRG5QH</serial-number>
<wifimac>9060F1BB96FD</wifimac>
<IMEI>354453068581845</IMEI>
<version>12.5.5</version>
<model>iPhone 6 Plus</model>
<devname>iPhone</devname>
<supervised>false</supervised>
<udid>8f5b9b8f093b351d9f713d2372c5a2bb50bd150d</udid>
<user>spokhrel</user>
<enroll-time>2021-11-11T21:29:31.66</enroll-time>
<os>Apple</os>
<managed-by-mdm>yes</managed-by-mdm>
<last-checkin-time>2021-11-12T17:52:07.987</last-checkin-time>
<DeviceId>34347</DeviceId>
<ComplianceStatus>Compliant</ComplianceStatus>
<Ownership>E</Ownership>
<tag>
<member>Compliant</member>
<member>Corporate-Dedicated</member>
<member>Enterprise App Catalog</member>
<member>All Devices</member>
<member>All Employee Owned Devices</member>
</tag>
</entry>
</categories>
</hip-report>
Environment
- Existing GlobalProtect infrastructure
- iOS devices managed by AirWatch MDM
- HIP integration with AirWatch MDM using the User-ID agent MDM Integration Service
Cause
- If the unique device identifier (UDID) attribute is not configured under the VPN profile in AirWatch MDM, the GlobalProtect application generates its own unique ID and uses it as the UDID. That generated value does not match the actual UDID of the device.
Resolution
- Configure the UDID attribute under the VPN profile to fix the Mobile-ID mismatch.
Note: UDID is used as the key to merge the HIP reports on the gateway firewall.
- If you are using the Palo Alto Networks GlobalProtect network connection type, go to the VPN settings and enable Vendor Keys in the vendor configuration area. Set the "Key" to mobile_id and the "Value" to {DeviceUid}
- If you are using the Custom network connection type, go to the VPN settings and add Custom Data in the connection info area. Set the "Key" to mobile_id and the "Value" to {DeviceUid}
- Save and push the VPN configuration to the iOS device
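To confirm the result after the push, the two reports can be compared on the merge key. The script below is an added example, not Palo Alto Networks code; it assumes both HIP reports have been saved as XML text, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Samples trimmed to the fields read below. GP_BEFORE and MDM use the values
# from the reports shown in this article; GP_AFTER is constructed to show the
# expected state once mobile_id={DeviceUid} has been pushed.
GP_BEFORE = """<hip-report>
<host-name>iPhone</host-name>
<mobile-id>ACF1C6EBEE4A406BBE81F9E844A53559</mobile-id>
</hip-report>"""
GP_AFTER = GP_BEFORE.replace("ACF1C6EBEE4A406BBE81F9E844A53559",
                             "8f5b9b8f093b351d9f713d2372c5a2bb50bd150d")
MDM = """<hip-report><categories>
<entry name="mobile-device">
<devname>iPhone</devname>
<udid>8f5b9b8f093b351d9f713d2372c5a2bb50bd150d</udid>
</entry>
</categories></hip-report>"""


def gp_mobile_id(report_xml):
    """Return <mobile-id> from a GlobalProtect-sent HIP report ('' if absent)."""
    root = ET.fromstring(report_xml)
    return (root.findtext("mobile-id") or "").strip()


def mdm_udid(report_xml):
    """Return <udid> from the mobile-device entry of an MDM HIP report."""
    root = ET.fromstring(report_xml)
    path = "categories/entry[@name='mobile-device']/udid"
    return (root.findtext(path) or "").strip()


def check_merge_key(gp_xml, mdm_xml):
    """Classify the pair as 'match', 'mismatch' or 'missing'."""
    gp_id, udid = gp_mobile_id(gp_xml), mdm_udid(mdm_xml)
    if not gp_id or not udid:
        return "missing", gp_id, udid
    # Exact comparison: the article does not say whether the gateway
    # normalizes case, so none is assumed here.
    status = "match" if gp_id == udid else "mismatch"
    return status, gp_id, udid


if __name__ == "__main__":
    for label, gp in (("before fix", GP_BEFORE), ("after fix", GP_AFTER)):
        print(label, *check_merge_key(gp, MDM))
```

A "mismatch" result after the profile has been pushed means the device is still presenting an application-generated ID rather than the UDID held by the MDM.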
Additional Information
- Note: If the GlobalProtect deployment requires HIP integration with AirWatch MDM, specify the unique device identifier (UDID) attribute under the VPN profile configuration in AirWatch MDM. For the MDM HIP integration to work, the GlobalProtect application must present the UDID of the endpoint to the GlobalProtect gateway, and it must match the UDID for the same device in the User-ID agent MDM Integration Service.
- Configure an Always On VPN Configuration for iOS Endpoints Using AirWatch
- Configure GlobalProtect to Retrieve Host Information