Table of Contents:
- The new Capsule Connect version (1.600.xx) has moved to a new iOS framework supporting iOS 12 and available from iOS 10.
- The previous Capsule Connect version (1.524.9) is not supported on iOS 12 but can still be used on devices with older iOS versions if it was already installed in the past.
- On iOS 12, previous Capsule Connect version (1.524.9) alerts the user to upgrade to the latest Capsule Connect version (currently 1.600.31); the alert is prompted by the OS when the application is first launched.
- Capsule Cloud (not customer owned VPN Gateway) is not supported in the new Capsule Connect version.
This full feature set is supported on the new version, as well:
- MDM Support: App and VPN Profile deployment
- QR Registration
- Per-App VPN: supports both TCP and UDP connections. (Per-App can only be configured through MDM. No GW TTM support.)
- Automatic reconnect
- VPN on demand
- Route all traffic through GW
- SSL/IPSEC switching
- IPv6 Support
- Personal Hotspot
- New Feature: Setting the internal DNS as the default resolver instead of as a configured set of suffixes (with the special 'suffix': CPiOSDefaultDNS).
- Multi-Realm is not supported yet, but the client is still able to connect to Gateways that enabled Multi-Realm through the legacy profile.
The most common deployment method for Enterprises is through the MDM (Mobile Device Management) suite, e.g., Microsoft Intune, BlackBerry (MobileIron), VMware AirWatch, Citrix XenMobile, IBM MaaS360, and many more.
In the context of Capsule Connect, the MDM can push these profiles to its managed devices:
- Application installation
- VPN Profile: Set and configure the functionality of the VPN connection (Gateway address, authentication method, connectivity mode, etc.). Using the VPN Profile, Capsule Connect can be automatically provisioned, saving the user the hassle of an initial configuration.
- User Certificate: If the Certificate is chosen as the authentication method (solely or together with a different authentication method), Enterprises are responsible for generating and deploying the certificate to the MDM using different kinds of methods. Enterprises could use an internal or external CA, a Simple Certificate Enrollment Protocol (SCEP), or other certificate deployment methods.
Older Capsule Connect versions (<= 1.524.9) work with Apple's legacy VPN Profile, called "VPN Plugin." It is configured on the MDM's VPN Profile with the "com.checkpoint.CheckPoint-VPN.vpnplugin" identifier (or by choosing the Check Point template).
On this new iOS 12 compatible version (>= 1.600.19), Capsule Connect works with Apple's new VPN Profile method, which uses Network Extension (NE). It is configured on the MDM's VPN Profile with the "com.checkpoint.CheckPoint-VPN.app" identifier.
This new identifier is recognized only by the new Capsule Connect version.
To simplify the deployment and to achieve a seamless transition, the new client also supports the legacy profiles ('.vpnplugin') with the use of a special conversion process that is done by the OS on the client side upon installation of the Capsule Connect application (for profiles already on the device) and upon each push from MDM (for new profiles).
So, ideally, no change is needed by Capsule Connect customers. The user will only need to update Capsule Connect if the device is not configured to "Auto Update."
However, there are issues with this conversion and the preferred method, especially when problems arise, is to change the identifier to "com.checkpoint.CheckPoint-VPN.app" but only if all users have already upgraded their client to the 1.600.xx version (otherwise, they will not see the new profile with the older 1.524.9 client).
If Per-App VPN is not working, make sure the "Provider Type" on the MDM profile is set as Packet-Tunnel and not AppProxy, the latter of which is not supported by Capsule Connect.
Missing Certificates - multiple usage on a legacy profile
Due to an open Apple bug, in some configurations using certificate authentication deployed by SCEP, this conversion can lose the certificate referenced from the VPN profile.
The symptoms on the device are:
- The user cannot connect.
- On the authentication screen the certificate field is shown as "Certificate: (null)" and the certificate cannot be found on the certificates page when trying to manually set the proper certificate.
- On the device Settings -> Management Profile -> Certificates the user certificate is found but shows "Certificate details are password protected until installed":
The solution for this issue is simple: simply re-push the MDM profile. In most cases, this will complete the conversion process correctly.
If re-pushing the MDM profile does not work, there is always the option to avoid the whole conversion process by setting a separate VPN profile with the '.app' identifier to be used by the new Capsule Connect version (while '.vpnplugin' profiles will still be used by the older versions).
Missing Certificates - external certificates
With the legacy app we had access to the system's keychain but this was considered a security issue by Apple and is no longer available.
We can only access certificates that were installed together with the VPN profile.
It can either be a configuration profile, including both the certificate and a Capsule Connect VPN profile that uses this certificate, which is then sent to the device and installed locally, or be pushed from MDM with a Capsule Connect VPN profile referencing the certificate. This way, the certificate is stored in a special keychain that we can access.
If the Capsule Connect application seems to have no connectivity:
- Check the connectivity from the device to the Gateway address, both FQDN and IP address, to eliminate outer connectivity/configuration problems.
- If Per-App VPN is used, check on the MDM dashboard (looks different on each vendor) that Capsule Connect itself is not set as one of the Per-App applications. On the legacy mode, such a configuration would be automatically dropped by Apple on the device. In the new mode, it simply puts the Capsule Connect in a connectivity dead lock.
- Make sure Wi-Fi and cellular data are allowed for the Capsule Connect application.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.