By Tyler Castaldo | Intune PM
As you may have noticed through your own testing, VPN functionality has changed in iOS 12, the next iOS release, which is still in beta. As a result, several companies, including Cisco, F5, and Palo Alto, have announced, either in their own release notes or in documentation, that these older VPN clients for iOS will not be supported in iOS 12 and beyond:
- Cisco Legacy AnyConnect
- Citrix VPN
- F5 Access Legacy/F5 Access 2.1 and earlier
- Palo Alto Networks GlobalProtect 4.1 and earlier
Note that we will not be adding support for F5 Access 2018/F5 Access 3.0 and later for hybrid mobile device management (MDM) as hybrid MDM is no longer supported by Intune. Please contact Intune support if you run into any issues.
If you are using Cisco Legacy AnyConnect, you should move to Cisco AnyConnect, which is supported today. See this blog post for details. With the August service update, Intune now supports three new VPN clients to allow you time to migrate before iOS 12 is released to the public. These VPN clients are:
- Citrix SSO
- F5 Access 2018/F5 Access 3.0 and later
- Palo Alto Networks GlobalProtect 5.0 and later
To switch to the new Cisco, Citrix, F5 and Palo Alto VPN clients, you do not need to update your VPN server/infrastructure; however, you will need to do the following:
- Recreate your VPN profiles. These new VPN clients are separate apps, and the VPN profiles you created for the legacy apps are not compatible with the new apps. You will need to recreate your VPN profiles, setting by setting.
- Deploy the new client. If you're using Intune to push VPN client apps, you will need to add the new VPN clients as mobile apps in Intune, since you can't upgrade directly from the legacy apps to the new apps. The new apps are completely separate from the old apps.
- Configure per-app VPN with the new VPN profiles. If you are using per-app VPN, you will need to reassign the associated apps to the new VPN profiles.
- Verify VPN connections are still working with the new apps. You should keep your existing VPN profiles and clients in place until you have verified that the VPN connections are working properly with the new clients.
- Clean up. Once you've verified everything is working properly, assign the legacy VPN clients as uninstall, then unassign and delete the old VPN profiles.
Note that Network Access Control (NAC) will not work with these new clients in this initial release.
Support for per-app VPN will be included when we add support for the new Citrix, F5 and Palo Alto clients. NAC support will be dependent on our NAC partners' timelines to make the necessary updates for integration with Intune.
Intune will continue to support the existing VPN options and functionality for devices on older supported versions of iOS. As a reminder, we announced deprecation of iOS 9 a few months back and will move to support iOS 10+ when iOS 12 is released. Please keep this in mind in your own testing.
8/17/18: Updated with Citrix announcement
8/22/18: Updated with note for F5 Access 2018/F5 Access 3.0
8/31/18: Updated with addition of new VPN clients and directions for switching to these new clients