This is a quick blog post about making Palo Alto GlobalProtect VPN on iOS devices managed through Microsoft Intune sign in with the Microsoft Edge browser.
A customer wants to connect iOS devices to Palo Alto GlobalProtect VPN with certificate-based authentication plus username/password with MFA. The goal is that only devices with a specific configuration can access the VPN.
So, I said no problem, we will do so. We configured the GlobalProtect VPN and Microsoft Entra to set everything up. The authentication worked, but there was one problem: the device info recorded for the authentication showed that Safari was used as the web browser and that the device was not managed.
The customer only wants to allow a compliant device with a certificate and proper authentication. So the GlobalProtect application must use the Microsoft Edge browser and not Safari: when the sign-in runs in Safari, the device cannot communicate its compliance state.
Firstly, we set Microsoft Edge as the default browser on the iOS devices. This didn't work; Safari was still launched when the VPN sign-in started. After that, we searched for another option and figured out that we needed the SSO app extension from Microsoft.
So, you need a device features policy. Go to Microsoft Intune -> Devices -> iOS/iPadOS -> Configuration -> New Policy.
Choose Templates -> Device Features and click Create.
Give the policy a name and configure this setting:
After that, you sign in with Palo Alto GlobalProtect VPN, and the result is that the app uses the Microsoft Edge browser to sign in. The authentication now also reports the managed state, compliance state and join type.
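For reference, here is the Apple single sign-on extension payload that the Intune Device Features template produces for the Microsoft Enterprise SSO plug-in, written out as a constructed example rather than the profile from this post. The extension identifier, team identifier and ExtensionData keys are Microsoft's documented values; the payload identifiers and UUIDs are placeholders, and which optional keys the customer's policy actually set is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadIdentifier</key>
  <string>com.example.sso-extension</string>   <!-- constructed value -->
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000001</string>   <!-- constructed value -->
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.extensiblesso</string>
      <key>PayloadIdentifier</key>
      <string>com.example.sso-extension.payload</string>   <!-- constructed value -->
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000002</string>   <!-- constructed value -->
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- The SSO extension shipped inside Microsoft Authenticator handles Entra sign-ins -->
      <key>ExtensionIdentifier</key>
      <string>com.microsoft.azureauthenticator.ssoextension</string>
      <key>TeamIdentifier</key>
      <string>UBF8T346G9</string>
      <key>Type</key>
      <string>Redirect</string>
      <!-- Sign-in requests to these Entra issuer URLs are intercepted by the extension -->
      <key>URLs</key>
      <array>
        <string>https://login.microsoftonline.com</string>
        <string>https://login.microsoft.com</string>
      </array>
      <key>ExtensionData</key>
      <dict>
        <!-- Bundle-ID prefixes allowed to use SSO without MSAL; a non-Microsoft
             VPN client would need its own prefix added here (check Intune's app inventory) -->
        <key>AppPrefixAllowList</key>
        <string>com.microsoft.,com.apple.</string>
        <!-- Extend SSO to Safari and web views, which is where GlobalProtect's sign-in was landing -->
        <key>browser_sso_interaction_enabled</key>
        <integer>1</integer>
        <!-- Do not prompt the user again when the extension already holds a session -->
        <key>disable_explicit_app_prompt</key>
        <integer>1</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

Comparing this against the profile installed on a test device is a quick way to confirm the policy landed before re-testing the GlobalProtect sign-in.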