Apple iOS

One-to-One Devices

This section covers devices which are always used by the same user, such as devices deployed in a one-to-one arrangement or bring your own device. Scroll down for information regarding shared devices.

It is preferable for client devices to be set to use your non-transparent proxy. When provisioning through an MDM system, setting the proxy is advisable. For devices not provisioned through an MDM (e.g. in a BYOD setting), this is usually inconvenient and the transparent proxy can be used. Be aware of the transparent proxy's limitations.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • If possible, configure your wireless network to use 802.1x (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • If you are using 802.1x and RADIUS accounting, log the device onto the network with the user's credentials.
  • If you are not using 802.1x and RADIUS accounting, the user must use the captive portal to authenticate. iOS devices can automatically log in to the captive portal using the WISPr protocol.

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate, either through an MDM or manually as follows:

  • Launch Safari and browse to https://<your Web Gateway / UTM host name>/opendium.crt (this URI is displayed on the Web Proxy page)
  • Tap Install and enter the device's passcode
  • A warning will be shown that the certificate will be added to the list of trusted certificates. Tap Install
  • A confirmation will be shown indicating that the certificate was installed. Tap Done
  • On iOS 10.3 and above, go to Settings > General > About > Certificate Trust Settings and enable full trust for the Opendium certificate. This step is not required for earlier versions of iOS.

Setting the proxy on the device is optional, but can be done by following these steps:

  • Launch the Settings app
  • Tap Wi-Fi
  • Tap the (i) icon next to the network name
  • Under the HTTP PROXY heading, select Manual
  • Set the server address to your proxy's fully qualified host name (e.g. proxy.example.com) and the port to 3128
  • Tap Save

Shared Devices

This section covers devices which are shared between multiple users (one user logged in at a time), such as devices that are free for any student to use.

It is preferable for client devices to be set to use your non-transparent proxy. When provisioning through an MDM system, setting the proxy is advisable. For devices not provisioned through an MDM, this is usually inconvenient and the transparent proxy can be used. Be aware of the transparent proxy's limitations.

  • The network that the device is being connected to should have its user identification profile set to Single User Devices.
  • Configure your wireless network to use 802.1x (WPA2 Enterprise) authentication and to send RADIUS accounting updates to your Web Gateway / UTM.
  • Log the device onto the network with a user name that ends in "$".
  • The user must use the captive portal to authenticate.
  • When the user has finished with the device, they must disconnect from the Wi-Fi (i.e. turn Wi-Fi off on the device, shut down the device, or place the device in a shielded box/cupboard).

If the network's HTTPS interception mode is set to Active, you must install your unique Opendium interception certificate. This is usually done through your MDM system.

Setting the proxy on the device is optional but recommended, and is usually done through your MDM system.

Authenticated shared devices cannot be supported on networks which do not support 802.1x and RADIUS accounting.
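
As an added example (not Opendium's or Apple's own tooling), the script below builds a configuration profile of the kind an MDM would push: a Wi-Fi payload with the manual proxy on port 3128, and a root certificate payload carrying the interception certificate. The SSID, the organisation identifier, the function names and the choice of PEAP as the EAP type are assumptions. No user credentials are embedded, so the user still joins the network with their own.

```python
import plistlib
import ssl
import uuid

def _payload(ptype, ident, name, **keys):
    """Common keys every configuration-profile payload carries."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        # Stable UUID so a regenerated profile replaces the earlier one.
        "PayloadUUID": str(uuid.uuid5(uuid.NAMESPACE_DNS, ident)).upper(),
        "PayloadDisplayName": name,
        **keys,
    }

def build_profile(ssid, proxy_host, cert_bytes, proxy_port=3128,
                  org_id="com.example.webgateway"):  # org_id is a placeholder
    """Return .mobileconfig bytes: Wi-Fi with manual proxy + interception CA."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        # Store the certificate as DER; convert it if the download was PEM.
        cert_bytes = ssl.PEM_cert_to_DER_cert(cert_bytes.decode("ascii").strip())
    wifi = _payload(
        "com.apple.wifi.managed", org_id + ".wifi", "Wi-Fi (" + ssid + ")",
        SSID_STR=ssid,
        AutoJoin=True,
        EncryptionType="WPA2",
        # Assumption: PEAP (EAP type 25); match what your RADIUS server offers.
        EAPClientConfiguration={"AcceptEAPTypes": [25]},
        ProxyType="Manual",
        ProxyServer=proxy_host,
        ProxyServerPort=proxy_port,
    )
    ca = _payload(
        "com.apple.security.root", org_id + ".ca", "Interception certificate",
        PayloadCertificateFileName="opendium.crt",
        PayloadContent=cert_bytes,
    )
    profile = _payload("Configuration", org_id,
                       "Web Gateway proxy and certificate",
                       PayloadContent=[wifi, ca])
    return plistlib.dumps(profile)

if __name__ == "__main__":
    import sys
    # Usage: script.py <ssid> <proxy host> <path to opendium.crt> <output file>
    ssid, host, crt_path, out_path = sys.argv[1:5]
    with open(crt_path, "rb") as f, open(out_path, "wb") as out:
        out.write(build_profile(ssid, host, f.read()))
```

Before distributing the profile, compare the fingerprint of the certificate file you embed with the one on your Web Gateway / UTM, since every device that installs it will trust that certificate.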