How do I configure an iOS profile policy?


The iOS profile policy controls the functions, apps, and media content that a device can access and controls how the device forwards traffic to the Zscaler service.

The policy is installed as a profile on a mobile device when the Secure Agent app is installed. If your organization has configured AirWatch to communicate with Zscaler, the Zscaler service can automatically push the profile containing the iOS policy you configured in the Zscaler App Portal to the AirWatch service. You can then use the AirWatch console to push the VPN profile to iOS devices in your organization, ensuring enforcement of the iOS policy from the Zscaler App Portal.

The iOS policy specifies the following:

  • The user group to which the policy applies
  • The PAC file URL
    Mobile devices use a PAC file to forward traffic to the service. The service provides a default PAC file that sends all browser traffic to port 8080 of the nearest Zscaler Enforcement node (ZEN).
  • The traffic forwarding mechanism
  • Apps and content users can access

The service provides a default policy that specifies the default PAC file hosted on the Zscaler cloud for mobile devices. This default policy applies to all groups and cannot be changed or deleted.

To add a new policy for iOS devices:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to the App Profiles tab.
  3. Click on iOS from the menu on the left and click Add iOS Policy.
  4. Complete the following in the General tab:
    • Name: Enter a name for the policy.
    • Enable: Select to enable the rule.
    • Rule Order: The service automatically sets the rule order, which you can change, as necessary.
    • Groups: Select the group(s) to which the policy applies.
    • Profile Passcode: Enter a passcode that users need to enter before they can remove the profile from their device.
    • Custom PAC URL: Enter the URL from which the device fetches the PAC file.
    • Description: (Optional) Enter a description.
  5. In the Traffic Forwarding tab, do the following:
    • Enable Traffic Forwarding: Enable traffic forwarding.
    • Mechanism: Choose a traffic forwarding mechanism.
    • URL String Probe: Enter a URL from your internal network. If the device tries to access this URL, the mobile device does not send the traffic through the VPN.
    • SSID Match: Enter the SSID of your internal wireless local-area network (WLAN). When the device uses this SSID, it does not send the traffic through the VPN.
  6. By default, users are allowed to access all available apps, functionality, and media content. To restrict access, go to the Restrictions tab, click Enable Restrictions, and select the items you want to block.
  7. If the Apple devices are supervised, select any additional restrictions you want to place.
  8. Additionally, you can restrict the content that your users can access. For example, you can allow them to view only PG-rated movies and TV shows and to install a specific number of apps.
  9. Click Save.
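
A custom PAC file of the kind the Custom PAC URL field in step 4 can point to, shown as an added example; it is not Zscaler's default PAC file and not code from the original page. The gateway hostname and internal domain are placeholders, and the two helper stand-ins exist only so the routing decisions can be checked outside a PAC runtime.

```javascript
// Added example: custom PAC logic with placeholder names (assumptions, not Zscaler values).
const PROXY = "PROXY gateway.example.net:8080";   // placeholder gateway; port 8080 as described on this page
const INTERNAL_SUFFIXES = [".corp.example.com"];  // placeholder internal domain; the leading dot matters

// Stand-ins for helpers a real PAC runtime already provides.
// Remove these two functions before hosting the file as a PAC.
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }

// Literal private/loopback IPv4 check. It does no DNS lookup, so a hostname
// that merely resolves to a private address is still sent to the proxy.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return false;
  return o[0] === 10 || o[0] === 127 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal destinations bypass the proxy.
  if (isPlainHostName(host) || isPrivateIPv4(host)) return "DIRECT";
  // Suffix match with a leading dot, so "notcorp.example.com" does not
  // qualify as internal just because it ends in "corp.example.com".
  if (INTERNAL_SUFFIXES.some((s) => dnsDomainIs(host, s))) return "DIRECT";
  // Everything else goes to the gateway. There is deliberately no
  // "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of leaving the device uninspected.
  return PROXY;
}

// Review helper: a PAC result that lists DIRECT after a proxy fails open.
function failsOpen(pacResult) {
  const parts = pacResult.split(";").map((p) => p.trim().toUpperCase());
  return parts.length > 1 && parts[0].startsWith("PROXY") && parts.includes("DIRECT");
}
```

Whether to fail closed or to append `; DIRECT` is a policy decision; the `failsOpen` helper makes the choice visible when reviewing a PAC file before entering its URL in the policy.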

Sample configuration screenshot of the General tab in the Add iOS Policy window 

Sample configuration screenshot of the Traffic Forwarding tab in the Add iOS Policy window 

Sample configuration screenshot of the Restrictions tab in the Add iOS Policy window 

Sample configuration screenshot of additional restrictions for supervised iOS devices in the Restrictions tab 

Sample configuration screenshot of the Content Restrictions section in the Restrictions tab