Forum Discussion

2 months ago

about Always-on Issue

On iOS devices, client certificate authentication and an "Always-on" VPN configuration are created with one configuration profile and distributed through MDM.

The Cato Client app is also purchased through Volume Purchasing and distributed through MDM.

https://support.catonetworks.com/hc/en-us/articles/360016152418-Distributing-Device-Certificates-to-macOS-and-iOS-Devices-with-Jamf

Our users' Cato Client authenticates using the Registration code.

Although Cato recommends against creating multiple VPN configurations, once the user authenticates with the Registration code, a second configuration profile "Cato Networks VPN" is automatically created by Cato Client.

The problem with this is that users can manually turn off the VPN switch.

I can manually delete the second profile, but it will be re-created after a while.

This issue is fundamental to the Always-on feature and is so serious that organizations are starting to talk about discontinuing their use of Cato.

Does anyone know of a good solution to this problem?

shiva


  • It may be a little confusing to understand, but if the user deletes the second VPN profile that Cato Client automatically created, the Cato Client connection becomes "Disconnected" and the user can continue to use the network without any restrictions unless the user manually puts Cato Client in the "Connected" state again.
    This has become a reliable way to bypass Cato's always-on policy.
    Thanks,
    shiva

    • michaelsaw (Cato Employee)

      Hi shiva-SBI,

      Can I check if the phone is a personal one or a company issued phone?
      Are there MDM settings on the phone currently?

      Thank you.

  • Hi michaelsaw,
    Thank you for your reply.
    Devices (iPhone) are supervised and automatically enrolled in MDM using ABM's Automated Device Enrollment.
    Cato Root certificate, client certificate required for Always-on, and VPN configurations are also distributed by MDM as configuration profiles. Cato Client is also distributed through MDM.

    shiva

  • Hi Shiva-SBI,

    Noted that MDM is in place.

    You mentioned: "The problem with this is that users can manually turn off the VPN switch."

    I was reviewing the KB on Always-on with SSO: https://support.catonetworks.com/hc/en-us/articles/4417643184529-Protecting-Users-with-Always-On-Security

    Can we check which version of Cato Client is installed?
    Is there a support ticket submitted with our Support team to check further?

    Thank you.

    • shiva-SBI (Comet)

      Hi michaelsaw,

      Thank you for your reply.

      Yes, a ticket has been opened with support and it has progressed to Tier 3. I posted here to see if there are any admins or partners experiencing the same issue and if anyone has been able to resolve it.

      Always-on is set correctly according to the procedure in the Learning Center, and the user's Cato Client is 5.4 or 5.5.

      Distributing Device Certificates to macOS and iOS Devices with Jamf

      The point of the problem is that Cato Client adds an on-demand VPN configuration automatically after authentication is complete. (It was not a profile.)
      This results in two VPN configurations, one added from MDM and one added by Cato Client, and by the user switching between them or deleting the on-demand VPN configuration, unmanaged Internet access becomes possible.

      Thank you!!

      shiva-SBI


      • shiva-SBI (Comet)

        These are the facts that are currently known. Cato is also aware of these issues.

        When using the Cato Client for SDP users on iOS, Always-on does not work as we would like.

        A VPN configuration "Cato Networks VPN" that the Cato Client creates locally supports all Cato communication, but this can be manually deleted by the user, and is a means to ensure that Always-on is bypassed.

        In addition, in the case of using a client certificate as device authorization for SDP users, there are two profiles: a client certificate and VPN configuration profile distributed by MDM, and a VPN configuration created by Cato Client. Users can simply switch between the two available VPN profiles to disconnect the VPN and bypass Always-on communication.

        This current specification could lead to serious security incidents.

        Based on current knowledge, there is no workaround that can avoid this issue. The current device authorization using client certificates is not practical for implementation. At least for orgs that use MDM, it is best practice to distribute the device compliance key using AppConfig and the on-demand VPN configuration created locally by Cato Client from MDM, but to do this, Cato needs to prepare an MDM client such as Cato Client for EMM.

        I think it would be fine to require MDM for Always-on use with SDP Cato Client.

        I hope this issue can be resolved soon.

        Thank you.
        shiva-SBI

  • CATOM (Cato Employee)

    shiva-SBI, thanks for reporting this. In my experience multiple VPN profiles are not supported by iOS. Same issue with other VPN vendors. If you just use the one from the app store and then block access to corporate resources with Cato IP addresses that should work for you I believe.

    Here is the global range for Cato IP addresses https://support.catonetworks.com/hc/en-us/articles/7784334332317-Production-PoP-Guide#h_01JKNFWT1BFH94DFEXSTBMCBK9

    https://support.catonetworks.com/hc/en-us/articles/7784334332317-Production-PoP-Guide#h_01JKNFWT1BZZ65GRVBGZPV8JTT
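As an added illustration of the control CATOM describes (corporate resources accept connections only from Cato PoP addresses), not code from the thread or from Cato: the functions below scan a resource's access log for requests that arrived from outside the Cato ranges, which is exactly what a device with the tunnel toggled off or the VPN configuration deleted would produce. The PoP networks and log lines are constructed placeholders; substitute the list published in the Production PoP Guide.

```python
import ipaddress
import re

# Constructed placeholder networks standing in for the Cato PoP egress ranges
# from the Production PoP Guide linked above; substitute the published list.
CATO_POP_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
    ipaddress.ip_network("2001:db8:ca70::/48"),
]

# Constructed sample access log: <client ip> - - [<ts>] "<request>" <status> <bytes>
SAMPLE_LOG = """\
198.51.100.17 - - [01/Jan/2025:09:00:01 +0000] "GET /intranet/ HTTP/1.1" 200 5120
203.0.113.44 - - [01/Jan/2025:09:00:07 +0000] "GET /hr/payroll HTTP/1.1" 200 8801
192.0.2.88 - - [01/Jan/2025:09:01:12 +0000] "GET /intranet/ HTTP/1.1" 200 5120
2001:db8:ca70::1f - - [01/Jan/2025:09:02:30 +0000] "POST /api/v1/login HTTP/1.1" 302 0
192.0.2.88 - - [01/Jan/2025:09:03:45 +0000] "GET /hr/payroll HTTP/1.1" 200 8801
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def is_cato_source(ip_text, ranges=CATO_POP_RANGES):
    """True if the client address falls inside one of the Cato PoP ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: never treat as trusted
    return any(addr in net for net in ranges)

def find_bypass_hits(log_text, ranges=CATO_POP_RANGES):
    """Return (ip, timestamp, request) for requests that did not arrive via a Cato PoP."""
    # On a resource reachable only through Cato, such hits mean the device got there
    # with the tunnel off (e.g. the iOS VPN configuration was toggled or deleted).
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, request, _status = m.groups()
        if not is_cato_source(ip, ranges):
            hits.append((ip, ts, request))
    return hits

def bypass_sources(log_text, ranges=CATO_POP_RANGES):
    """Distinct non-Cato source addresses, the set to alert on or block upstream."""
    return sorted({ip for ip, _, _ in find_bypass_hits(log_text, ranges)})
```

Run `find_bypass_hits(SAMPLE_LOG)` against the constructed log to see the two requests from 192.0.2.88 flagged while the Cato-sourced IPv4 and IPv6 requests pass.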