Configuring advanced settings for Mobile Enterprise Gateway (MEG) support for Apple WKWebView
Mobile Enterprise Gateway (MEG) support for Apple WKWebView requires the following settings to tunnel intranet traffic that is accessed from the IBM® MaaS360® Browser. Most of these settings are detected automatically by Mobile Enterprise Gateway (MEG), but you can edit them in the Cloud Extender® Configuration Tool.
DNS servers and search domains
Use a DNS server to resolve hostnames for any corporate intranet sites that are accessed in the IBM MaaS360 Browser. You can configure this value in the Advanced section for the Mobile Enterprise Gateway (MEG) module in the Cloud Extender Configuration Tool.
These values are detected automatically by the Mobile Enterprise Gateway (MEG) module in Cloud Extender from the DNS configuration of the machine on which the Cloud Extender Configuration Tool is run.
Device tunnel proxy settings
- The HTTPS setting routes allowed HTTP/HTTPS sites (sites that are listed in the WorkPlace Persona policy allowlist) through the Mobile Enterprise Gateway (MEG) module.
- The HTTP setting uses the HTTP protocol to route allowed sites only through the Mobile Enterprise Gateway (MEG) module.
Access list and exception list
Mobile Enterprise Gateway (MEG) uses access patterns that are specified in the WorkPlace Persona policy to filter traffic that is allowed to pass through the gateway. These settings are configured in the WorkPlace Persona policy at .
The following access patterns allow traffic through the gateway. When you upgrade to the latest version of Mobile Enterprise Gateway (MEG), all existing patterns are supported but some access patterns require extra processing on the device. Update the access list in the WorkPlace Persona policy to use the patterns that are supported in the following table. For the updated access lists, use wildcard domain expressions and IP subnets that are routed through the gateway.
| Pattern | Supported by MEG | Recommended configuration for MEG | Comments |
|---|---|---|---|
| *.* | ✓ | ✓ | Tunnels all IBM MaaS360 browser traffic through the IBM MaaS360 gateway. |
| *.testhost.com | ✓ | ✓ | Tunnels all traffic that matches the testhost.com domain through the IBM MaaS360 gateway. |
| testhost, testhost.*, *testhost | ✓ | X | Tunnels all traffic that matches the specified testhost regular expression through the IBM MaaS360 gateway. |
| 1.*, 1.*.*.*, 1… | ✓ | ✓ | Tunnels all traffic that matches the 1.0.0.0/255.0.0.0 IP subnet. |
Example configuration
The administrator uses 1.2.3.4 as a DNS server and wants to route the test-domain1, test-domain2 intranet domains, and domains that are deployed under the 10.0.0.0/255.0.0.0 subnet.
- DNS server: 1.2.3.4
- DNS search domains: test-domain1.com, test-domain2.com, …
- Access list: 0.*.*.*
Impact of using *.* in the access filter list
If you use the *.* filter in the access filter list, a rule is added on the device that directs all traffic originating from the device to the IBM MaaS360 gateway while the IBM MaaS360 Browser is active. This traffic includes all user traffic that originates from the IBM MaaS360 Browser and network traffic that originates from any apps that are running in the background. Routing all user traffic through the gateway might be blocked by the corporate firewall or create unnecessary load on outgoing network data from the corporate network. Specify the exact domains and IP subnets that you want to route through the corporate network.
Impact of using regular expressions with incomplete domains in the access filter list
The testhost, testhost.*, and *testhost access patterns require the IBM MaaS360 gateway client on iOS devices to process all DNS traffic and to apply the specified regular expressions. The IBM MaaS360 gateway client intercepts all DNS traffic on the device while the IBM MaaS360 Browser is running. Any DNS query that matches an expression is resolved by the DNS server that is specified in the Mobile Enterprise Gateway (MEG) module. For all other traffic, the IBM MaaS360 Browser uses the public DNS server that is provided by Quad9 to resolve domains. You can access the Quad9 DNS services from the following IPv4 addresses: 9.9.9.9, 149.112.112.112. Expect all DNS traffic to be intercepted in this way whenever matching patterns such as testhost, testhost.*, and *testhost are specified in the WorkPlace Persona policy access list.
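To make the table and the two "Impact" sections concrete, the following is an added example, not IBM MaaS360 code: a small evaluator that classifies each access-list entry into the pattern kinds the table describes (tunnel-all, wildcard domain, IP subnet, or incomplete-domain regular expression), reports which entries match a destination, and flags whether any entry forces the gateway client to intercept all device DNS traffic. The matching semantics are assumptions drawn from the table's wording, not from the MEG implementation; the hostnames and addresses in the demo are constructed.

```javascript
// Added example, not IBM MaaS360 code. Pattern semantics below are assumptions
// taken from the access-pattern table: "*.*" tunnels everything, "*.domain.tld"
// matches a domain, "1.*.*.*" denotes an IP subnet, and anything else (testhost,
// testhost.*, *testhost) is treated as a regular expression that needs DNS
// interception on the device.

const IPV4_GLOB = /^(\d{1,3}|\*)(\.(\d{1,3}|\*)){0,3}$/;          // e.g. 1.*, 1.*.*.*
const DOMAIN_WILDCARD = /^\*\.([a-z0-9-]+\.)+[a-z0-9-]+$/i;      // e.g. *.testhost.com
const DOTTED_QUAD = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns "all" | "domain" | "subnet" | "regex".
function classifyPattern(pattern) {
  const p = pattern.trim();
  if (p === "*.*") return "all";
  if (DOMAIN_WILDCARD.test(p)) return "domain";
  if (IPV4_GLOB.test(p) && /\d/.test(p)) return "subnet";
  return "regex"; // incomplete domain: device must intercept all DNS traffic
}

// For a subnet glob such as "1.*.*.*" return the CIDR it denotes ("1.0.0.0/8").
function subnetGlobToCidr(pattern) {
  if (classifyPattern(pattern) !== "subnet") throw new Error("not a subnet glob: " + pattern);
  const octets = pattern.trim().split(".");
  const fixed = [];
  for (const o of octets) {
    if (o === "*") break;          // only the leading numeric octets are fixed
    fixed.push(Number(o));
  }
  const prefixLen = 8 * fixed.length;
  while (fixed.length < 4) fixed.push(0);
  return fixed.join(".") + "/" + prefixLen;
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Does a single access-list entry match the destination host (name or IPv4)?
function matchesPattern(pattern, host) {
  const h = host.trim().toLowerCase();
  const p = pattern.trim();
  switch (classifyPattern(p)) {
    case "all":
      return true;
    case "domain": {
      const suffix = p.slice(2).toLowerCase();      // drop the leading "*."
      return h === suffix || h.endsWith("." + suffix);
    }
    case "subnet": {
      if (!DOTTED_QUAD.test(h)) return false;        // names are not subnet matches
      const want = p.split(".");
      const got = h.split(".");
      return want.every((o, i) => o === "*" || o === got[i]);
    }
    default: {
      // Treat "*" as any run of characters, anchored at both ends, so that
      // "testhost" matches only the bare name and "*testhost" any suffix match.
      const re = new RegExp("^" + p.split("*").map(escapeRegex).join(".*") + "$", "i");
      return re.test(h);
    }
  }
}

// Evaluate a whole access list against one destination.
function evaluateAccessList(accessList, host) {
  const matchedBy = accessList.filter((p) => matchesPattern(p, host));
  return {
    tunneled: matchedBy.length > 0,
    matchedBy,
    tunnelsEverything: accessList.some((p) => classifyPattern(p) === "all"),
    needsDnsInterception: accessList.some((p) => classifyPattern(p) === "regex"),
  };
}

// Constructed demo: a recommended list and a list that forces DNS interception.
const recommended = ["*.testhost.com", "10.*"];
const legacy = ["testhost.*", "*testhost"];
for (const host of ["wiki.testhost.com", "10.20.30.40", "www.example.com"]) {
  console.log(host, JSON.stringify(evaluateAccessList(recommended, host)));
}
console.log("legacy list:", JSON.stringify(evaluateAccessList(legacy, "mytesthost")));
console.log("1.*.*.* ->", subnetGlobToCidr("1.*.*.*"));
```

The `needsDnsInterception` flag is the practical takeaway: a single incomplete-domain entry in the list is enough to put the device into the all-DNS interception mode the section above describes, so auditing the policy for such entries is the first check before troubleshooting DNS behaviour on devices.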
Configuring the proxy server with the Proxy Auto-Configuration (PAC) URL or Auto Proxy settings
The IBM MaaS360 gateway allows only those domains that match the regular expressions listed in the WorkPlace Persona policy and the DNS servers and DNS domains listed in the Cloud Extender Configuration Tool. All traffic that passes through the gateway is directed to the destination server. If you want the gateway to forward traffic through a proxy server, configure the proxy in the Cloud Extender Configuration Tool.
You can also list all the proxy server IP addresses or hostnames in the WorkPlace Persona policy access list so that traffic to the proxy servers is allowed through the gateway. Auto detection of the proxy configuration is not supported by the new Mobile Enterprise Gateway (MEG) protocol. Because proxy settings are configured on the device, the device requires a PAC URL or a manual proxy server address to resolve proxy settings. If you are using the Auto Proxy setting, select the Proxy PAC URL setting or Manually configure proxy settings for proxy configuration.
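Because the device must be given a PAC URL or a manual proxy address, the following is an added example, not IBM MaaS360 code, of a PAC file that sends the intranet domains and the 10.0.0.0/255.0.0.0 subnet from the example configuration above to a corporate proxy and everything else direct. The proxy hostname and port are placeholders. The helper functions (`dnsDomainIs`, `isInNet`, `shExpMatch`, `isPlainHostName`) are normally supplied by the device's PAC engine; simplified stand-ins are included here only so the file can be run and checked offline under Node, and a deployed PAC file would contain only `FindProxyForURL` and its constants.

```javascript
// Added example, not IBM MaaS360 code. Placeholder proxy address:
const CORPORATE_PROXY = "PROXY proxy.corp.example:8080";

// --- Simplified stand-ins for the PAC helpers a device provides (offline testing only) ---

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host is the domain itself or a name under it. Slightly more lenient
// than some PAC engines, which only check the trailing ".domain" suffix.
function dnsDomainIs(host, domain) {
  const h = host.toLowerCase();
  const bare = domain.toLowerCase().replace(/^\./, "");
  return h === bare || h.endsWith("." + bare);
}

// Shell-style match where "*" stands for any run of characters.
function shExpMatch(str, shexp) {
  const parts = shexp.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + parts.join(".*") + "$", "i").test(str);
}

// Subnet test on a dotted-quad host. A real PAC engine would resolve names
// first; this stand-in deliberately does no DNS so it stays offline.
function isInNet(host, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0);
  return (toInt(host) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// --- The PAC logic itself ---

function FindProxyForURL(url, host) {
  // Single-label names (e.g. "intranet") are corporate shorthand: let the proxy resolve them.
  if (isPlainHostName(host)) return CORPORATE_PROXY;

  // Intranet search domains from the example configuration.
  if (dnsDomainIs(host, ".test-domain1.com") || dnsDomainIs(host, ".test-domain2.com")) {
    return CORPORATE_PROXY;
  }

  // Servers deployed under the 10.0.0.0/255.0.0.0 subnet.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return CORPORATE_PROXY;

  // Everything else goes straight out; no proxy fallback for intranet names so
  // that a proxy outage does not turn an intranet request into a direct one.
  return "DIRECT";
}

// Constructed demo destinations.
for (const host of ["intranet", "wiki.test-domain1.com", "10.20.30.40",
                    "test-domain1.com.evil.example", "www.example.com"]) {
  console.log(host.padEnd(30), FindProxyForURL("https://" + host + "/", host));
}
```

The `test-domain1.com.evil.example` case is the one worth keeping in any PAC test set: a suffix check that forgets the leading dot (or uses a bare `shExpMatch(host, "*test-domain1.com*")`) would proxy that external name as if it were intranet.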
Kerberos authentication
Mobile Enterprise Gateway (MEG) supports Kerberos authentication by using native iOS capabilities. In the MaaS360 iOS MDM policies, you can configure Kerberos authentication by using the MDM single sign-on payload. Kerberos authentication is not supported for non-MDM customers on iOS devices. Use the following parameters in the iOS MDM policy to configure Kerberos on iOS devices.
| iOS MDM policy setting | Description | Supported devices |
|---|---|---|
| Account name | The account name for the Kerberos single sign-on (SSO) account. | iOS 7.0+ |
| Principal name | The unique name that allows Kerberos to identify a user. If a name is not provided, the user is prompted to provide a name during profile installation. Use %domain% as a wildcard. | iOS 7.0+ |
| Realm | The character string that contains a user account location and a user account name. This value must be in uppercase. Use %domain% as a wildcard. | iOS 7.0+ |
| URL prefixes | The list of URL prefixes that must match to use this account for Kerberos authentication over HTTP. Note: URL postfixes must also match. | iOS 7.0+ |
| Identity certificates | The certificate that is used to authenticate with the device. This field can be blank; if no certificate is selected, username and password are used for authentication. | iOS 8.0+ |
| Allowed app ranges | The list or range of apps that are acceptable on the device. | iOS 8.0+ |
Regional gateways
The regional gateways feature is not supported by Mobile Enterprise Gateway (MEG). Support for regional gateways will be added for Mobile Enterprise Gateway (MEG) agents in a future release. If you configured a regional gateway in the WorkPlace Persona policy and use Mobile Enterprise Gateway (MEG), the IBM MaaS360 Browser iOS app traffic passes through the default gateway that is configured in the policy, but does not use the gateways that are configured in the regional gateway setting.