GlobalProtect disconnection after upgrade to iOS 16 on iPhone / iPad

Created On 12/29/22 03:34 AM - Last Modified 04/22/24 07:11 AM


Symptom


GlobalProtect disconnects after the device is upgraded to iOS 16.
 


Environment


  • Affected Product: iPhone / iPad
  • Affected OS: From iOS 16


Cause


  • A privacy update from Apple causes the device name to become an alias for the model name of the device.
  • Until iOS 15, the HIP Host Name is the user-assigned device name, which can be set in the Settings app > General > About > Name.
  • From iOS 16, the HIP Host Name is as follows:
    • GlobalProtect App 6.0.4 or earlier: Generic device name "iPhone", "iPad"
    • GlobalProtect App 6.0.5 or later: Generic device name "iPhone", "iPad" + identifierForVendor (32-digit string)
      • Example: iPhone-FB3A97A3C8CF405B9DA7A9078925FC16
  • This behavior causes a HIP mismatch after the upgrade to iOS 16.
  • The logs below demonstrate the issue (compare pan_gp_hrpt.xml from iOS 15 and iOS 16):
iOS 15:
<md5-sum>57f15314cb7f71a571ec6c247b424d5c</md5-sum>
	<user-name>User1-PA</user-name>
	<domain></domain>
	<host-name>User1</host-name>					<<<<<
	<host-id>xxxxxxxxxxxxxxxxxxxxxxxxxxx</host-id>
	<mobile-id>xxxxxxxxxxxxxxxxxxxxxxxxxxx</mobile-id>
	<ip-address>172.16.0.51</ip-address>
	<ipv6-address></ipv6-address>
	<generate-time>11/22/2022 23:41:02</generate-time>
	<hip-report-version>4</hip-report-version>
	<categories>
		<entry name="host-info">
			<client-version>6.0.4-8</client-version>
			<os>Apple iOS 15.7</os>
			<os-vendor>Apple</os-vendor>

iOS 16:
<md5-sum>288cac13eaa6ee5fc835c2d96b64c18</md5-sum>
	<user-name>User1-PA</user-name>
	<domain></domain>
	<host-name>iPad</host-name>					<<<<<
	<host-id>xxxxxxxxxxxxxxxxxxxxxxxxxxx</host-id>
	<mobile-id>xxxxxxxxxxxxxxxxxxxxxxxxxxx</mobile-id>
	<ip-address>172.16.0.51</ip-address>
	<ipv6-address></ipv6-address>
	<generate-time>11/23/2022 00:20:58</generate-time>
	<hip-report-version>4</hip-report-version>
	<categories>
		<entry name="host-info">
			<client-version>6.0.4-8</client-version>
			<os>Apple iOS 16.1.1</os>
			<os-vendor>Apple</os-vendor>
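
To check many collected HIP reports for this condition, the comparison above can be scripted. The following Python is an added example, not Palo Alto Networks code; the function names are hypothetical and the two sample strings are constructed from the excerpts above.

```python
import re

# Host names the article says GlobalProtect reports from iOS 16: "iPhone"/"iPad"
# (app 6.0.4 or earlier), or that plus "-" and a 32-character identifierForVendor
# (app 6.0.5 or later).
GENERIC_NAME = re.compile(r"^(iPhone|iPad)(-[0-9A-Fa-f]{32})?$")
# The excerpts are truncated XML, so fields are pulled out by tag, not parsed as a tree.
FIELD = re.compile(r"<(user-name|host-name|os|client-version)>([^<]*)</\1>")

def parse_hip_fragment(text):
    """Extract the fields of interest from a (possibly truncated) HIP report excerpt."""
    return {m.group(1): m.group(2).strip() for m in FIELD.finditer(text)}

def ios_major(os_string):
    """Return the major version from a value such as 'Apple iOS 16.1.1', else None."""
    m = re.match(r"Apple iOS (\d+)", os_string or "")
    return int(m.group(1)) if m else None

def classify_host_name(name):
    """'generic', 'generic+idfv' or 'user-assigned' for a reported host name."""
    m = GENERIC_NAME.match(name or "")
    if not m:
        return "user-assigned"
    return "generic+idfv" if m.group(2) else "generic"

def host_name_match_at_risk(report):
    """True when a HIP object keyed on the old device name can no longer match."""
    major = ios_major(report.get("os"))
    kind = classify_host_name(report.get("host-name"))
    return major is not None and major >= 16 and kind != "user-assigned"

# Constructed samples, trimmed from the two excerpts above.
IOS15 = "<user-name>User1-PA</user-name><host-name>User1</host-name><os>Apple iOS 15.7</os>"
IOS16 = "<user-name>User1-PA</user-name><host-name>iPad</host-name><os>Apple iOS 16.1.1</os>"

if __name__ == "__main__":
    for sample in (IOS15, IOS16):
        r = parse_hip_fragment(sample)
        print(r["user-name"], r["os"], r["host-name"],
              classify_host_name(r["host-name"]), host_name_match_at_risk(r))
```

Devices flagged by `host_name_match_at_risk` are the ones whose host-name-based HIP objects need to move to another identifier, such as the MDM tag described under Resolution.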

 

 


Resolution


  • This is expected behavior. From iOS 16, we are not able to collect the device name, and our customers are not able to use it in HIP objects, due to Apple's privacy policies.
  • The device name is neither a secure nor a unique device identifier. Instead, we recommend pushing a custom MDM tag to the devices that used to be identified by device name.
    You can create a HIP object to identify which devices have the MDM tag and enforce the same security policies they already use with the device name.
    For more information, refer to Mobile Device Management Overview.


Additional Information


  • In iOS, the user-assigned device name is available in the Settings app under General > About > Name.
  • In iOS 15 and earlier, the name property returns this name. In iOS 16 and later, the name property returns a generic device name by default.

