Enabling Mobile Enterprise Gateway (MEG) support for Apple WKWebView

Follow these steps to enable Mobile Enterprise Gateway (MEG) support for Apple WKWebView.

Prerequisites

The following prerequisites must be met for this version of Mobile Enterprise Gateway (MEG):
  • If you are using Mobile Enterprise Gateway (MEG) in standalone mode, you must install Mobile Enterprise Gateway (MEG) module v2.105.200 or later before you can enable Mobile Enterprise Gateway (MEG) support for Apple WKWebView.
    If you need to upgrade your Mobile Enterprise Gateway (MEG) module, complete the following steps:
    1. In the Cloud Extender® Configuration Tool, go to the Enterprise Gateway tile.
    2. Enable auto update, and then click the Upgrade Flag icon.
  • If you are using Mobile Enterprise Gateway (MEG) in high availability (HA) mode, you must subscribe to MEG v2.102 or later modules.

Procedure: Configuring Mobile Enterprise Gateway (MEG) support for Apple WKWebView

  1. From the IBM® MaaS360® Portal Home page, select Setup > Services, and then enable the Enterprise Gateway setting.
  2. Launch the new Cloud Extender Configuration Tool from C:\Program Files (x86)\MaaS360\Cloud Extender\ConfigTool.exe, and then enable the Enterprise Gateway tile.

    The following image shows the new Cloud Extender Configuration Tool that you must use to configure the latest version of Mobile Enterprise Gateway (MEG) for Apple WKWebView:

    [Image: New MEG setting]

    For older versions of the Cloud Extender Configuration Tool: Launch the new Cloud Extender Configuration Tool from C:\Program Files (x86)\MaaS360\Cloud Extender\ConfigTool.exe.

    If this file path is not found on your system, you must upgrade to the latest version of Cloud Extender. For the upgrade procedure, see Upgrading the Cloud Extender core and modules.

  3. Configure one of the following Mobile Enterprise Gateway (MEG) gateway modes (relay access or direct) from the Cloud Extender Configuration Tool:
    • Relay access mode

      For relay access mode, the gateway establishes outbound access through port 443 to the MaaS360 relay server. Devices talk only to the relay server and not directly to the gateway.

      1. From the Cloud Extender Configuration Tool, select the Relay mode.
      2. Add one of the following Mobile Enterprise Gateway (MEG) relays to the firewall:
        Relays                      Connection information
        US relay                    us03-gw.meg.maas360.com:443, 169.62.254.222:443
        EU relay                    eu03-gw.meg.maas360.com:443, 158.176.161.155:443
        APAC-SGP relay              ap03-gw.meg.maas360.com:443, 161.202.111.232:443
        Tokyo relay                 ap03-gw.meg.maas360.com:443, 161.202.111.232:443
        Quad9 DNS server address    9.9.9.9:53, 149.112.112.112:53
        Note: This address only applies if you are using regular expressions with incomplete domains in the access filter list for the WorkPlace Persona policy. For more information, see the section Impact of using regular expressions with incomplete domains in the access filter list at Configuring advanced settings for Mobile Enterprise Gateway (MEG) support for Apple WKWebView.
    • Direct mode

      For direct mode, devices talk directly to the Mobile Enterprise Gateway (MEG) for direct resource access and bypass the MaaS360 hosted relay servers. You can also install the gateway as a standalone gateway for smaller deployments or as a clustered gateway for High Availability (HA).

      1. From the Cloud Extender Configuration Tool, select the Direct mode.
      2. In the Connection Properties section, add information for the gateway connection. In the VPN Gateway Configuration section, use the same port for the Gateway Server and the Gateway Local Port:
        [Image: Gateway configuration]
      3. In the Security Properties section, provide the SSL certificate and the SSL certificate private key:
        [Image: SSL configuration]
  4. Complete the configuration.

Procedure: Configuring Mobile Enterprise Gateway (MEG) support for Apple WKWebView in HA mode with a load balancer and TLS (example)

Example configuration: HA mode configuration in direct mode with NGINX as the load balancer:
  1. From the Cloud Extender Configuration Tool, select the Direct mode.
  2. In the Connection Properties section, add information for the gateway connection:
    [Image: Web proxy configuration]
  3. In the Security Properties section, select No in the SSL Configuration setting because TLS is terminated at the load balancer. In the SSL Certificate Chain field, import the certificates so that devices can use them to complete the handshake with the load balancer:
    [Image: SSL configuration]
  4. Complete the configuration.

Example: NGINX load balancer (or alternatives)

In this example, the NGINX load balancer runs on https://gateway3-load-balancer.local.

  1. Edit the /etc/nginx/nginx.conf file. (These steps are based on Ubuntu.)
  2. Modify the backend to match your gateway IP and port:
    # user www-data;
    worker_processes auto;
    # pid /run/nginx.pid;
    # Uncomment the next line if your NGINX build loads the stream module dynamically.
    # include /etc/nginx/modules-enabled/*.conf;
    events {
         worker_connections 6000;
         multi_accept on;
    }
    stream {
      upstream backend {
         server 192.1.1.2:8081; # gateway 3 instance 1 IP and port
         server 192.1.1.3:8081; # gateway 3 instance 2 IP and port
      }
      server {
         listen 443 ssl;
         proxy_pass backend;

         ssl_certificate vpn_server.crt; # Devices need to trust this certificate
         ssl_certificate_key vpn_server.key;
         ssl_session_cache shared:SSL_TCP:10m;
         ssl_session_timeout 5m;
         ssl_ciphers HIGH:!aNULL:!MD5;
         ssl_prefer_server_ciphers on;
      }
    }
  3. Reload the NGINX configuration.
    Note: Load balancers such as F5 provide similar options to configure TCP/UDP load balancing.
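
The following checks for step 3 are an added example, not part of the IBM procedure: before the reload they confirm that the files named in ssl_certificate and ssl_certificate_key belong together, that the key is not group- or world-accessible, and that the certificate is not about to expire; after the reload they confirm that the listener serves the certificate that devices were given. The function names, the 30-day expiry margin, and the paths and host:port passed as arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not IBM's procedure. Paths and host:port are assumptions.

# Succeeds only if the certificate and private key hold the same public key.
cert_matches_key() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  # "-passin pass:" makes an encrypted key fail instead of prompting.
  from_key=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Succeeds only if the key file grants nothing to group or others.
key_is_private() {
  local mode
  mode=$(stat -c '%a' "$1") || return 1
  [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeeds only if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# SHA-256 fingerprint of a local PEM certificate.
local_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate served at host:port.
served_fingerprint() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Validate, reload, then confirm the listener serves the expected certificate.
# Usage: safe_reload vpn_server.crt vpn_server.key gateway3-load-balancer.local:443
safe_reload() {
  cert_matches_key "$1" "$2"  || { echo "certificate/key mismatch" >&2; return 1; }
  key_is_private "$2"         || { echo "key is group/world accessible" >&2; return 1; }
  cert_valid_for_days "$1" 30 || { echo "certificate expires within 30 days" >&2; return 1; }
  nginx -t                    || return 1   # syntax check of /etc/nginx/nginx.conf
  nginx -s reload             || return 1
  sleep 1                                   # give the new workers time to start
  [ "$(local_fingerprint "$1")" = "$(served_fingerprint "$3")" ] \
    || { echo "listener serves a different certificate" >&2; return 1; }
}
```

A fingerprint mismatch after the reload means that devices were given a different certificate from the one the load balancer presents, so their handshake with the load balancer will fail.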

Procedure: Enabling Mobile Enterprise Gateway (MEG) support for Apple WKWebView on devices

  1. Find the MaaS360 iOS Core app in the App Store, and upgrade the app on the device to v4.40.x or later.
  2. Find the MaaS360 iOS Secure Browser app in the App Store, and upgrade the app on the device to v3.40.x or later.
  3. Accept the gateway prompts to open the MaaS360 iOS Core app to finish configuring gateway settings on the device. You are prompted to allow the configuration of MaaS360 as a VPN.
  4. Open the MaaS360 iOS Secure Browser app to browse corporate intranet websites. A VPN icon is displayed on the device when the MaaS360 gateway is active. The icon stays active if the MaaS360 Secure Browser is active, but the browser disconnects from the VPN when the MaaS360 iOS Secure Browser app is sent to the background.