Reset Search



KB43870 - Create VPN profile for Network Extension for Pulse Mobile for iOS 7.0.0

« Go Back


Last Modified Date8/22/2018 9:36 PM
This article provides step-by-step instructions how to create a VPN profile to leverage the Network Extension framework for Pulse Mobile for iOS 7.0.0.
Problem or Goal
There are two scenarios where pushing the network extension profile is recommended:
  1. One certificate is leverage by the VPN profile and other applications/services.  Due to the certificate migration process (as part of Pulse Mobile for iOS 7.0.0 and above to support the Network Extension framework required in iOS 12), this will negatively impact other applications/services.
  2. New devices are provisioned using an MDM vendor where the VPN profile is installed before the Pulse Mobile app and the same certificate is leverage by the VPN profile and other applications/services.  In this case, the user certificate will be installed in the system keychain and certificate migration will occur after the Pulse Mobile app is installed.
In both scenarios, if the network extension profile is pushed to the device via MDM, the certificate migration will not occur by iOS and prevent the certificate permission issue with other applications.
To leverage the network extension framework for Pulse Mobile for iOS 7.0.0 and above, please create a new VPN Profile using the Custom SSL option.  In the following example, two VPN profiles (plugin and network extension) will be pushed to ensure the proper access for the certificate is available for Pulse Mobile for iOS 7.0.0 while leaving the existing certificate in the system keychain for other applications.

The identifier for network extension is net.pulsesecure.pulsesecure


  1. Login to MobileIron console
  2. From the top menu, select Policies & Configs > Configurations
  3. Using the search icon, search for the existing VPN profile
  4. From the list of results, select the checkbox for corresponding configuration
  5. Select Actions > Save As
User-added image
  1. In the Name field, enter a friendly name for the profile
  2. For the connection type, change from Pulse Secure SSL to Custom SSL
User-added image
  1. In the identifier field, enter net.pulsesecure.pulsesecure
User-added image
  1. Click Save
  2. From the list, select the checkbox for the new configuration
  3. Select Actions > Apply To Label
  4. From the list of labels, select the applicable label to assign the configuration to iOS devices
  5. Click Apply
User-added image


  1. Login to Airwatch WorkSpace One UEM console.
  2. From the left pane, click Devices > Profiles & Resources > Profiles
User-added image
  1. From the right pane, select the radio button for the existing profile
  2. Select More Actions > Copy
User-added image
  1. Under General, in the Name field, enter a friendly name to identify the network extension profile
  2. For Assigned Groups, ensure to assign the profile to the applicable group to ensure user get both profiles
  3. From the left pane, select VPN
  4. Under VPN, change Connection Type from Pulse Secure to Custom
  5. In the Identifier field, enter net.pulsesecure.pulsesecure
User-added image
  1. Click Save & Publish

Create a Profile by following below steps as in screenshots with with VPN identifier field as net.pulsesecure.pulsesecure

User-added image

User-added image

To confirm if both profiles are pushed, navigate to Settings > General > Device Management > [Name of MDM profile] > More Details.  Under VPN Settings, there should be two settings.

User-added image

For Pulse Mobile 6.8.0 users and below, the app only supports the plugin identifier and there is no behavior change for these users.

For Pulse Mobile 7.0.0 users and above, the app supports both plugin and network extension identifier.  This will result in two connections appearing for every connection.  

Note : Pulse client UI will show the 2 connections one for Plugin and one for the Network extension,we can delete the Plugin Profile once devices have upgraded to 7.0.0 client, please do not delete the Plugin profile for devices which are still on 6.8.0 manually or from the MDM server.

Also Note: If only the profile with type "Pulse Secure" connection is pushed, then new users, even when their device is running iOS 12.0 or greater, and installing Pulse Client 7.0 or greater, will still not be able to use the certificates.  This becomes important if users encounter the issue after upgrading, and fix it with the workaround of re-naming and re-pushing the VPN Profile.  That workaround alone will fix the issue for existing users who upgrade; but new users registering new devices will still encounter the problem on initial installation unless the profile is also updated to use "custom VPN".
Related Links
Attachment 1 
Created ByK. Kitajima



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255