The iOS profile policy controls the functions, apps, and media content that a device can access and controls how the device forwards traffic to the Zscaler service.
The policy is installed as a profile on a mobile device when the Secure Agent app is installed. If your organization has configured Airwatch to communicate with Zscaler, the Zscaler service can automatically push the profile containing the iOS policy you configured in the Zscaler App Portal to the Airwatch service. You can then use the Airwatch console to push the VPN profile to iOS devices in your organization, ensuring enforcement of the iOS policy from the Zscaler App Portal.
The iOS policy specifies the following:
- The user group to which the policy applies
- The PAC file URL
Mobile devices use a PAC file to forward traffic to the service. The service provides a default PAC file that sends all browser traffic to port 8080 of the nearest Zscaler Enforcement node (ZEN).
- The traffic forwarding mechanism
- Apps and content users can access
The service provides a default policy that specifies the default PAC file hosted on the Zscaler cloud for mobile devices. This default policy applies to all groups and cannot be changed or deleted.
To add a new policy for iOS devices:
- Go to Policy > Zscaler App Portal.
- From the Zscaler App Portal, go to the App Profiles tab.
- Click on iOS from the menu on the left and click Add iOS Policy.
- Complete the following in the General tab:
- Name: Enter a name for the policy.
- Enable: Select to enable the rule.
- Rule Order: The service automatically sets the rule order, which you can change, as necessary.
- Groups: Select the group(s) to apply the policy.
- Profile Passcode: Enter a passcode that users need to enter before they can remove the profile from their device.
- Custom PAC URL: Enter the URL from which the device fetches the PAC file.
- Description: (Optional) Enter a description.
- In the Traffic Forwarding tab, do the following:
- Enable Traffic Forwarding: Enable traffic forwarding.
- Mechanism: Choose a traffic forwarding mechanism.
- URL String Probe: Enter a URL from your internal network. If the device tries to access this URL, then the mobile device won't send the traffic through the VPN.
- SSID Match: Enter the SSID of your internal wireless local-area network (WLAN). When the device uses this SSID, then it will not send the traffic through the VPN.
- By default, users are allowed to access all available apps, functionality, and media content. To restrict access, go to the Restrictions tab, click Enable Restrictions, and select the items you want to block.
- If the Apple devices are supervised, select any additional restrictions you want to place.
- Additionally, you can restrict the content that your users can access. For example, you can allow them to view only PG-rated movies and TV shows and to install a specific number of apps.
- Click Save.