There are issues with certificate-based authentication when using the Pulse Secure VPN client for iOS, version 7.0 and Check Point Capsule Connect version 1.600 for iOS. Specifically, both VPN clients may report that the certificate is missing from the device, even when the certificate has been properly delivered. These issues impact Intune in addition to other Enterprise Mobility Management providers. Pulse Secure has posted an article about this that includes some workarounds and is working with Apple to resolve the issues as soon as possible. Check Point documentation also lists these issues.
How does this impact me?
This impacts you if you are deploying Pulse Secure or Check Point Capsule Connect VPN profiles for iOS that use certificate-based authentication. This impacts both Intune on Azure and hybrid mobile device management (MDM) tenants.
When users update to Pulse Secure 7.0.0 for iOS or Check Point Capsule Connect versions 1.600 for iOS, the updated VPN client may not read the authentication certificate and will instead report that the certificate is not found on the device -- even if the certificate already exists.
Also, if you are using the same authentication certificate for Pulse Secure as for other apps, those apps may lose access to the certificate when Pulse Secure is updated to version 7.0.0. This is not seen with Check Point. Where the authentication certificate is shared between Pulse Secure and other apps, and the other apps lose access to the certificate, you will need to re-deploy the certificate. This involves removing the assignment (or deployment for hybrid MDM) and then re-assigning (re-deploying) the certificate to the same groups.
Pulse Secure is working with Apple to resolve these issues; in the meantime, you'll need to apply a workaround if you're using certificate-based authentication for Pulse Secure VPN for iOS.
There are two workarounds for the certificate not being read in Pulse Secure or Check Point Capsule Connect:
1. If you have iOS devices that have already upgraded to Pulse Secure 7.0.0 or Check Point Capsule Connect 1.600 and are experiencing this issue, you can force the VPN profile to be updated on the device by changing the Connection name value.
Note: The equivalent setting in the Configuration Manager console is the name of the server in the Server list.
2. If you have iOS devices that are still on Pulse Secure 6.8.0 or earlier, you can prevent the issue by creating a new VPN profile with a Connection type value of Custom VPN and using net.pulsesecure.pulsesecure as the connection type. Note that this option is only available for Intune on Azure. For Check Point Capsule Connect 1.524 or earlier, use com.checkpoint.CheckPoint-VPN.app as the connection type.
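For administrators who want to verify what the MDM actually pushes to the device for workaround 2, the following is an added example of an Apple managed VPN configuration profile (com.apple.vpn.managed payload) using the custom VPN type with the Pulse Secure bundle identifier as the VPN sub-type. This is not Intune's own generated profile and not text from the original post; the server address, payload identifiers and UUIDs are placeholders, and the mapping of the Intune "Connection name" to the Apple UserDefinedName key and of "Connection type" to VPNSubType is my understanding of Apple's profile format rather than something the post states. The certificate (PKCS#12 or SCEP) payload that PayloadCertificateUUID refers to is omitted.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Managed VPN payload. For a custom VPN, VPNType is "VPN" and
           VPNSubType carries the bundle identifier of the client app;
           this is the value the post calls the "connection type". -->
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.vpn.pulsesecure</string> <!-- placeholder -->
      <key>PayloadUUID</key>
      <string>00000000-0000-0000-0000-000000000001</string> <!-- placeholder -->
      <key>PayloadDisplayName</key>
      <string>Corp VPN (Pulse Secure)</string>
      <!-- Name shown to the user; changing it is what forces the profile
           to be re-delivered in workaround 1 (assumed mapping to
           Intune's "Connection name"). -->
      <key>UserDefinedName</key>
      <string>Corp VPN (Pulse Secure)</string>
      <key>VPNType</key>
      <string>VPN</string>
      <key>VPNSubType</key>
      <string>net.pulsesecure.pulsesecure</string>
      <!-- For Check Point Capsule Connect the post gives
           com.checkpoint.CheckPoint-VPN.app as the sub-type instead. -->
      <key>VPN</key>
      <dict>
        <key>RemoteAddress</key>
        <string>vpn.example.com</string> <!-- placeholder: VPN gateway -->
        <!-- Certificate-based authentication: the identity is referenced by
             the UUID of a separate certificate payload, not embedded here. -->
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <key>PayloadCertificateUUID</key>
        <string>00000000-0000-0000-0000-000000000002</string> <!-- placeholder -->
      </dict>
    </dict>
  </array>
  <!-- Outer profile envelope -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.profile.vpn</string> <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-0000-0000-000000000003</string> <!-- placeholder -->
  <key>PayloadDisplayName</key>
  <string>Corp VPN profile</string>
</dict>
</plist>
```

When comparing an installed profile against this shape, the two values worth checking are that VPNSubType carries the client bundle identifier exactly as the post gives it, and that PayloadCertificateUUID matches the UUID of a certificate payload that was actually delivered to the device; a mismatch there produces the same "certificate not found" symptom as the client bug described above, so rule it out before applying the workarounds.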
Let us know if you have any questions. We'll keep this post updated as we hear more about this from Pulse Secure and Check Point.
9/24/18: Updated to add similar issues with Check Point