• Configuring a Role and Realm for Pulse for Apple iOS
• Allowing iOS Users to Save Webmail Password
• Host Checker for Pulse iOS Clients
• Configuring Host Checker for Pulse iOS Clients
• Implementing Host Checker Policies for Pulse for iOS Devices
• Installing the Junos Pulse VPN App
• Using Configuration Profiles
• Collecting Log Files
Junos Pulse for Apple iOS Overview
Junos Pulse provides Layer 3 VPN connectivity based on SSL encryption and authentication between an Apple iOS device (iPhone, iPad, iPod Touch) and Junos Pulse Secure Access Service. Junos Pulse enables secure connectivity to corporate applications and data based on identity, realm, and role. Pulse is designed to provide battery-friendly connectivity by automatically disconnecting from the VPN when the device is inactive while on Wi-Fi, automatically reestablishing VPN connectivity when the device is reactivated, and maintaining connectivity when roaming from network to network. Junos Pulse is available for download from the Apple App Store.
NOTE: Mobile client features are updated frequently and each mobile client has a release number that is independent from the other clients and from the Pulse Windows and Mac clients. We recommend that you upgrade your mobile clients to the latest release to ensure that all features described in this guide are supported on your devices.
The Junos Pulse Mobile Supported Platforms Guide, which is available at http://www.juniper.net/support/products/pulse/mobile/, lists the mobile device OS versions supported by Pulse and the security features supported on each mobile device OS.
The Junos Pulse VPN app supports the following features:
• Full Layer 3 tunneling of packets
• UDP/ESP and NCP/SSL modes
• Authentication by all authentication options available on the Pulse Secure Access server
• Certificate authentication followed by any other form of authentication
• Multi-factor authentication (cascading two different types of authentication)
• Host Checker
• Split tunneling modes:
  • Split tunneling disabled with access to local subnet
  • Split tunneling enabled
• Apple VPN on Demand
A VPN on Demand configuration enables an iOS device to automatically initiate a VPN connection when any application running on the phone initiates a connection to a host in a predefined set of hosts. A VPN on Demand connection uses client certificate-based authentication so the user does not have to provide credentials every time a VPN connection is initiated.
NOTE: When you configure VPN on Demand, you must create an exception for your Pulse Secure Access server hostname. For example, if the hostname is sslvpn.example.com and you want Pulse clients to automatically establish the VPN whenever requests are made for hosts in the example.com domain, the VPN on Demand configuration should contain the following rules:
• If domain name = sslvpn.example.com, then never initiate VPN connection
• If domain name = example.com, then always initiate VPN connection
There are different methods for creating VPN on Demand connections:
• Use the iPhone Configuration Utility. For complete information about how to create a VPN on Demand configuration using the iPhone Configuration Utility, see the iPhone OS Enterprise Deployment Guide, which is available at www.apple.com.
• Use the mobile device management (MDM) features of the Junos Pulse Mobile Security Suite. Pulse Mobile Security Suite provides device management as well as security. For complete information about MDM, see the Junos Pulse Mobile Security Gateway documentation.
• Create and manage VPN On Demand configurations from within the Junos Pulse for iOS client.
• Monitor and Control features of the Junos Pulse Mobile Security Suite.
• Junos Pulse for iOS also supports the Junos Pulse Mobile Security Suite (MSS) R3.0 and later. Using the Pulse Mobile Security Gateway, the security administrator can define Pulse connections and other profile settings, and then those settings are downloaded to the device when it registers with the gateway and updated periodically.
For more information, see the Junos Pulse Mobile Security Gateway documentation.
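The VPN on Demand note above, as an added example (not Juniper's or Apple's code): a Python check that reads a configuration profile and reports any VPN server hostname that an "always" rule would match without a "never" exception. The payload layout, the legacy key names OnDemandMatchDomainsAlways and OnDemandMatchDomainsNever, and the matching semantics (whole-label suffix match, "never" takes precedence) are assumptions; the sample profile is constructed from the page's example hostnames.

```python
import plistlib
from urllib.parse import urlsplit

def build_profile(never_domains):
    """Constructed sample profile using the page's example hostnames."""
    vpn = {
        "RemoteAddress": "sslvpn.example.com",
        "OnDemandEnabled": 1,
        "OnDemandMatchDomainsAlways": ["example.com"],
        "OnDemandMatchDomainsNever": list(never_domains),
    }
    payload = {"PayloadType": "com.apple.vpn.managed", "VPN": vpn}
    return plistlib.dumps({"PayloadContent": [payload]})

def suffix_match(host, domain):
    """Assumed semantics: match the domain itself or any host beneath it."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def on_demand_action(host, vpn):
    """Return 'never', 'always' or 'none'; 'never' is assumed to win."""
    for action, key in (("never", "OnDemandMatchDomainsNever"),
                        ("always", "OnDemandMatchDomainsAlways")):
        if any(suffix_match(host, d) for d in vpn.get(key, [])):
            return action
    return "none"

def server_host(remote_address):
    """Accept either a bare hostname or a sign-in URL."""
    if "://" in remote_address:
        return urlsplit(remote_address).hostname or ""
    return remote_address.split("/")[0]

def lint_profile(profile_bytes):
    """List VPN servers that an 'always' rule matches with no exception."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        vpn = payload.get("VPN", {})
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        if not vpn.get("OnDemandEnabled"):
            continue
        host = server_host(vpn.get("RemoteAddress", ""))
        if on_demand_action(host, vpn) == "always":
            findings.append(host)
    return findings

if __name__ == "__main__":
    print("with exception:   ", lint_profile(build_profile(["sslvpn.example.com"])))
    print("without exception:", lint_profile(build_profile([])))
```

An empty result means every on-demand VPN payload in the profile carries the server-hostname exception the note requires.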
Before You Begin
Before you configure support for Apple iOS devices with Junos Pulse Secure Access Service, keep in mind the following client software behaviors:
• With Wi-Fi connectivity, Pulse reconnects the VPN tunnel automatically when the user wakes up the device. With 3G connectivity, the VPN reconnects when the user generates network traffic using an application like Safari or Mail.
• Establishing the VPN tunnel through a proxy is supported (regardless of the split tunnel mode), except for proxies that require authentication credentials.
• A Proxy Automatic Configuration (PAC) script takes effect only when split tunneling mode is disabled with access to local subnet. The PAC script does not work when the role’s split tunnel mode is Enable split tunneling.
• Static host mapping is not created for the Pulse server/proxy hostname.
• DNS considerations:
  • When split tunneling is set to Split tunneling disabled with access to local subnet, Pulse uses the DNS servers that are configured on the Pulse server.
  • When split tunneling is set to Split tunneling enabled, DNS servers that are configured on the Pulse server are used only for hostnames within the Pulse Secure Access Service domains.
• Session scripts are not supported.
• Web-based installation from a Junos Pulse server is not supported.
• Session timeout reminders are not supported.
• When you use client certificate authentication, and the user is enabled to select from among assigned roles, the user is prompted to enter the role name instead of being presented with a list of roles.
• To ensure that users see consistent bookmarks in the Pulse client UI no matter which server they are connected to, you can configure and enable user record synchronization, a feature of the Pulse Secure Access Service platform.
Related Documentation
• Configuring a Role and Realm for Pulse for Apple iOS
• Host Checker for Pulse iOS Clients
• Configuring Host Checker for Pulse iOS Clients
• About User Record Synchronization