Troubleshooting issues with Mobile Enterprise Gateway (MEG) and the Apple WKWebView implementation

The common issues that you might encounter with the implementation of WKWebView.

  • What is UIWebView and what framework is replacing UIWebView?

    UIWebView is a user interface control that is used in iOS applications, which allows a developer to add web content to apps. Apple is replacing UIWebView with a new framework called WKWebView.

  • How does this impact current IBM® MaaS360® products?

    The current App Catalog version of IBM MaaS360 Secure Browser relies on UIWebView for rendering web content. IBM MaaS360 Secure Browser is switching to WKWebView. To support intranet access, IBM MaaS360 Secure Browser version 3.0 and later uses the new Mobile Enterprise Gateway (MEG) protocol. The new Mobile Enterprise Gateway (MEG) protocol functions as a personal VPN on mobile devices and can be started on-demand from the IBM MaaS360 Secure Browser for intranet access.

  • How to resolve common issues by using WKWebView with this version of Mobile Enterprise Gateway (MEG)?
    Issue Resolution
    Upgrade IBM MaaS360 app warning message is displayed This error occurs if the user upgraded the IBM MaaS360 iOS Secure Browser app to v3.40.17, but has not upgraded the IBM MaaS360 iOS Core app to v3.99.597 or later.

    To remedy this issue, upgrade the IBM MaaS360 iOS Core app (v3.99.597 or later) manually from the App Store.

    Hostname not found error is displayed when the user browses intranet sites, the site fails to load in the browser, or the site loads as a blank page Make sure that the VPN icon is active and is displayed on the device screen.
    • If the VPN icon is not displayed on the device screen, the IBM MaaS360 gateway is not active. The VPN icon should appear next to the Signal strength icon on the device screen. The icon might not display if the device user accessed an intranet site that is not configured in the WorkPlace Persona policy.
      • Make sure that the user allows permission to create the VPN configuration on the device.
        1. Go to Settings > VPN & Device Management and check whether the MaaS360Gateway VPN profile is created.
        2. If the profile is missing, the user should open the IBM MaaS360 app and allow the VPN profile configuration. Press Allow to install the VPN profile.
      • If the user accessed an intranet site that is not configured in the WorkPlace Persona policy, the administrator must update the WorkPlace Persona policy access list at Browser > Enterprise Gateway > Access List with an expression that matches the URL that is failing to load on the user's device.

        For more information about using access lists, see the Access list and exception list section at Configuring advanced settings for Mobile Enterprise Gateway (MEG) support for Apple WKWebView.

    • If the VPN icon is active and is displayed on the device screen, the IBM MaaS360 gateway is active. Cloud Extender might not be able to detect a corporate DNS server (the server might list an empty value or 127.0.0.1) or Cloud Extender detected an invalid DNS server.
      To remedy this issue, choose one of the following.
      • Use the Cloud Extender Configuration Tool on the machine where the gateway is deployed to check whether the DNS server is valid:
        1. Go to the Cloud Extender Configuration Tool on the Cloud Extender machine where the gateway is deployed.
        2. Open the advanced configuration details and validate that the DNS server is valid.
        3. Wait a few minutes, and then open the IBM MaaS360 Secure Browser to determine whether this issue is resolved.
      • Check the DNS server entries in the WorkPlace Persona policy access list.
        • Make sure that the access list contains complete DNS domain names (for example, testhost, testhost. *, *testhost).
        • Make sure that the Quad9 DNS server addresses are allowed in the access list.

        For more information about using access lists, see the Access list and exception list section at Configuring advanced settings for Mobile Enterprise Gateway (MEG) support for Apple WKWebView.
    Users are receiving a VpnConfigPushError error -996 in the IBM MaaS360 core app This issue is caused by one of the following errors.
    • The WorkPlace Persona policy is not configured correctly.
      1. Open the WorkPlace Persona policy and make sure that the selected gateway in the Secure Browser is configured with the new gateway settings.
      2. If needed, select the correct gateway and republish the policy.
    • The IBM MaaS360 gateway module is not configured correctly on the Cloud Extender.
      1. In the Cloud Extender Configuration Tool, select Enterprise Gateway.
      2. Click Advanced and make sure that DNS servers and search domains are configured correctly.
      3. Perform a test action in the gateway module to make sure that all tests succeed.
      4. Open the IBM MaaS360 app to retrieve the new settings and validate that the profile error message is no longer displayed on the device screen.
    Users cannot access sites from the IBM MaaS360 iOS Secure Browser when the IBM MaaS360 gateway is configured to use a proxy server This issue is caused by one of the following errors.
    • Wrong proxy type: HTTP sites are loading, but not HTTPS sites. Make sure that the proxy type in the Device tunnel proxy settings is set to HTTPS.
    • The proxy server is not included in the policy's allowlist: The MaaS360 gateway might not be able to detect the proxy server accurately due to some Proxy Auto-Configuration (PAC) files. The device is unable to send traffic through the MaaS360 gateway, resulting in users unable to load sites on their devices.

      To remedy this issue, the administrator must update the access list with the list of proxy servers that are deployed in the corporate environment. In the WorkPlace Persona policy, go to Browser > Enterprise Gateway > Access List.
    The IBM MaaS360 gateway is unable to connect to the relay The Cloud Extender logs indicate that the gateway is unable to connect to the relay. Make sure that Mobile Enterprise Gateway (MEG) is accessing the correct relay server URLs. For more information about the relay servers that this version of Mobile Enterprise Gateway (MEG) uses, see Enabling Mobile Enterprise Gateway (MEG) support for Apple WKWebView.
    Partial rollback of Mobile Enterprise Gateway (MEG) if sites are not reachable after Mobile Enterprise Gateway (MEG) v3.0 is enabled In the Cloud Extender Configuration Tool tool, add the blockMEG3ForBrowser string in the DNS search domains.
    This setting disables Mobile Enterprise Gateway (MEG) version 3.0 for all devices and switches back to Mobile Enterprise Gateway (MEG) version 2.0, which helps you to enable Mobile Enterprise Gateway (MEG) version 3.0 on specific devices to troubleshoot issues.
    Note: This flag is available for MaaS360 iOS Core app version 4.10.18 and MaaS360 iOS Secure Browser app version 3.40.17 only.
    To enable Mobile Enterprise Gateway (MEG) version 3.0 on specific devices.
    • Select the Enable MEG 3.0 for Browser option in the iOS Secure Browser Settings. You can also toggle back and forth between the Mobile Enterprise Gateway (MEG) version 2.0 and the Mobile Enterprise Gateway (MEG) version 3.0 service.