
Use Sophos Network Agent for iOS 13 devices

Sophos Network Agent enables Sophos Firewall to authenticate local network users using mobile devices running iOS 13 and later.

Warning

Sophos Network Agent reached End of Life (EOL) on September 1, 2023.

To set up strict authentication for unauthenticated users, select Use web authentication for unknown users in the firewall rule.

Additionally, go to Authentication > Web authentication. Under Authorize unauthenticated users for web access, select Show captive portal link. The captive portal page requires unauthenticated users to sign in.

Introduction

Sophos Network Agent is an authentication client. When users sign in to it, they are signed in to the network directly. The client must establish two TLS connections with Sophos Firewall, and each connection is validated against a different CA, so it needs the following CA certificates:

  • Authentication server CA for user authentication: To enable Sophos Firewall to authenticate users, the client needs the authentication server CA installed. For iOS 13 and later devices, Sophos Network Agent directly imports this CA certificate through the user portal.

  • Signing CA to import the authentication server CA: To import the authentication server CA certificate for user authentication, Sophos Network Agent establishes a TLS connection with Sophos Firewall. For the client to trust that connection, the CA that signed the firewall's certificate (the signing CA) must be installed and trusted on the mobile device. If the firewall's certificate is issued by a public CA that iOS already trusts, you can skip this step.

In this example, we use a locally signed certificate rather than a public CA. You must do as follows:

  1. On Sophos Firewall, generate a locally signed certificate and set it as the certificate for the firewall.
  2. The default CA on Sophos Firewall signs the locally signed certificates. Share the default CA, which is the signing CA, with users of mobile devices running on iOS 13 and later.

Apple recommends using Mobile Device Management (MDM) solutions, such as Sophos Mobile, to install the CA certificate directly on users' devices. iOS devices automatically trust these certificates, and users don't need to install the CA and trust it on the mobile device. See Use Sophos Mobile to install the root CA on mobile devices.

Users must do as follows:

  1. If your administrator has shared a CA (Default CA) certificate, install it and trust it on the mobile device.
  2. Download Sophos Network Agent from the App Store.
  3. Import the authentication server CA certificate into Sophos Network Agent through the user portal.

Generate a locally signed certificate (by administrators)

Set a locally signed certificate for Sophos Firewall, and share the default CA with users who have mobile devices running iOS 13 and later.

  1. Generate a locally signed certificate as follows:

    1. On Sophos Firewall, go to Certificates > Generate locally-signed certificate.
    2. Set the validity period to two years or less to meet the requirements for iOS devices.

      iOS rejects TLS server certificates issued on or after July 1, 2019 whose validity period is longer than 825 days. A two-year certificate (730 days) stays within this limit. To learn more, see https://support.apple.com/en-us/HT210176.

    3. Click Advanced settings.

    4. Set Certificate ID to IP address, and enter the IP address of Sophos Firewall that the client connects to.

      The certificate ID is the identity Sophos Network Agent checks when it establishes the TLS connection, so it must match the address the client uses to reach the firewall. If the client reaches the firewall over a different IP address, the connection fails even though the signing CA is trusted.

    5. Enter the other values and generate the certificate.

  2. Set the certificate you've generated as the certificate for the web admin console. Do as follows:

    1. Go to Administration > Admin settings > Admin console and end-user interaction.
    2. Set Certificate to the locally signed certificate you've generated.
  3. Share the default CA with users as follows:

    1. Go to Certificates > Certificate authorities and click Download the certificate for the Default CA certificate.
    2. Share the CA certificate with users. When users click Install client certificate in iOS 13 on the user portal, Sophos Network Agent imports the authentication server CA from Sophos Firewall. To get this CA certificate, the client establishes a TLS connection with Sophos Firewall, which succeeds only if the default CA certificate is installed and trusted on the user's iOS device.
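The checks an administrator would want to run on the locally signed certificate before sharing it, as an added example that is not part of the original page or Sophos's own tooling: it verifies the 825-day limit, the key size and hash Apple requires, that the firewall IP appears in the Subject Alternative Name, the serverAuth extended key usage, and that the certificate is actually signed by the default CA the users will install. The `cryptography` package is assumed; the default CA and the locally signed certificate are constructed here in place of the ones Sophos Firewall generates, and the IP address 192.0.2.1 is an assumed example value. To check real files, replace the constructed certificates with `x509.load_pem_x509_certificate(open(path, "rb").read())`.

```python
"""Check a locally signed firewall certificate against Apple's TLS server
certificate requirements (HT210176) before handing the signing CA to iOS users.
Added example; the CA and leaf certificate below are constructed stand-ins for the
firewall's Default CA and the locally signed certificate."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

MAX_IOS_VALIDITY_DAYS = 825  # Apple's limit for certificates issued on/after 1 July 2019


def _validity(cert):
    # Newer `cryptography` releases expose timezone-aware *_utc properties; fall back otherwise.
    not_before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    not_after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return not_before, not_after


def check_ios_server_cert(cert, expected_ip, ca_cert):
    """Return a list of problems; an empty list means iOS should accept the certificate."""
    problems = []
    not_before, not_after = _validity(cert)
    days = (not_after - not_before).days
    if days > MAX_IOS_VALIDITY_DAYS:
        problems.append(f"validity of {days} days exceeds {MAX_IOS_VALIDITY_DAYS}")
    key = cert.public_key()
    if isinstance(key, rsa.RSAPublicKey) and key.key_size < 2048:
        problems.append(f"RSA key of {key.key_size} bits is below 2048")
    if not isinstance(cert.signature_hash_algorithm, (hashes.SHA256, hashes.SHA384, hashes.SHA512)):
        problems.append("signature hash is not SHA-2")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if ipaddress.ip_address(expected_ip) not in san.get_values_for_type(x509.IPAddress):
            problems.append(f"subjectAltName does not contain the firewall IP {expected_ip}")
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName extension (iOS does not fall back to the CN)")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
            problems.append("extendedKeyUsage lacks serverAuth")
    except x509.ExtensionNotFound:
        problems.append("no extendedKeyUsage extension")
    # The leaf must chain to the CA the users install, or the TLS connection still fails.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        problems.append("signature does not verify against the supplied CA certificate")
    return problems


def _make_cert(subject, issuer, pubkey, signing_key, days, san=None, is_ca=False):
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(issuer)
               .public_key(pubkey).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=days))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if san is not None:
        builder = builder.add_extension(san, critical=False)
    if not is_ca:
        builder = builder.add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    return builder.sign(signing_key, hashes.SHA256())


def build_demo(firewall_ip="192.0.2.1", leaf_days=730, with_san=True):
    """Constructed stand-ins: a 'Default CA' and a locally signed firewall certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Sophos Firewall Default CA")])
    ca_cert = _make_cert(ca_name, ca_name, ca_key.public_key(), ca_key, 3650, is_ca=True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, firewall_ip)])
    san = x509.SubjectAlternativeName(
        [x509.IPAddress(ipaddress.ip_address(firewall_ip))]) if with_san else None
    leaf = _make_cert(leaf_name, ca_name, leaf_key.public_key(), ca_key, leaf_days, san=san)
    return ca_cert, leaf


if __name__ == "__main__":
    ca, good = build_demo()
    print("two-year cert with IP SAN:", check_ios_server_cert(good, "192.0.2.1", ca) or "OK")
    ca, bad = build_demo(leaf_days=1095, with_san=False)
    for problem in check_ios_server_cert(bad, "192.0.2.1", ca):
        print("three-year cert without SAN:", problem)
```

A certificate that fails any of these checks is rejected by iOS even after the user installs and trusts the default CA, and the only symptom on the device is that Sophos Network Agent cannot import the authentication server CA, so running the checks on the firewall side saves a round of troubleshooting with users.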

Install CA certificates for iOS 13 devices (by users)

Users must install the default CA certificate. They must then sign in to the user portal and click the authentication server CA link for mobile devices running iOS 13 and later.

  1. If your administrator has shared a CA certificate, install and add the certificate to the trusted certificate profiles on your iOS device. Do as follows:

    1. On your iOS device, download the CA certificate.

      Screenshot: Download the CA to an iOS device.

    2. Go to Settings > General > Profile (on iOS 15 and later, Settings > General > VPN & Device Management) and install the certificate.

      Screenshot: Install the CA on the iOS device.

    3. Go to Settings > General > About > Certificate Trust Settings.

    4. Under Enable full trust for root certificates, turn on trust for the certificate. Without this step, the profile is installed but iOS doesn't trust it for TLS, and Sophos Network Agent can't connect. To learn more, see Trust manually installed certificate profiles in iOS and iPadOS.

      Screenshot: Trust the CA certificate.

  2. Download and install Sophos Network Agent for iOS from the App Store.

  3. Install the authentication server CA certificate to enable user authentication:

    1. On your mobile device, browse to the user portal and sign in.
    2. Go to Download client > Authentication clients.
    3. Click Install client certificate in iOS 13 and later to install the authentication server CA certificate.

      Screenshot: Download client certificate for iOS 13 mobile devices.

      Sophos Network Agent establishes a TLS connection using the default CA certificate you've installed in step 1 and imports the authentication server CA certificate.

    4. Sign in to Sophos Network Agent.

      Screenshot: Sign in to Sophos Network Agent.

      Sophos Firewall now signs you into the network.

      Tip

      When your iOS device is locked or loses internet connectivity, you may be signed out of Sophos Network Agent. Open the client and sign in again.