iOS and macOS: VPN profile settings Skip Navigation

iOS
and
macOS
: VPN profile settings

Settings for
iOS
also apply to
iPadOS
devices.
macOS
applies profiles to either user accounts or devices. You can configure a VPN profile to apply to one or the other.
iOS
and
macOS
: VPN profile setting
Description
Apply profile to
This setting specifies whether the VPN profile on a
macOS
device is applied to the user account or the device.
Possible values:
  • User
  • Device
This setting is valid only for
macOS
devices.
Connection type
This setting specifies the connection type that a device uses for a VPN gateway. Some connection types also require users to install the appropriate VPN app on the device.
Possible values:
  • L2TP
  • PPTP
  • IPsec
  • Cisco AnyConnect
  • Juniper
  • Pulse Secure
  • F5
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Check Point Mobile
  • OpenVPN
  • Custom
  • IKEv2
  • IKEv2 Always On
The default value is "L2TP."
If you select "IKEv2 Always On," many settings have separate values for cellular and
Wi-Fi
connections.
Some values are not valid for
macOS
devices.
VPN bundle ID
This setting specifies the bundle ID of the VPN app for a custom SSL VPN. The bundle ID is in reverse-DNS format (for example, com.example.VPNapp).
This setting is valid only if the "Connection type" setting is set to "Custom."
Server
This setting specifies the FQDN or IP address of a VPN server.
Username
This setting specifies the username that a device uses to authenticate with the VPN gateway. If the profile is for multiple users, you can specify the %UserName% variable.
Custom key-value pairs
This setting specifies the keys and associated values for the custom SSL VPN. The configuration information is specific to the vendor's VPN app.
This setting is valid only if the "Connection type" setting is set to "Custom."
Login group or Domain
This setting specifies the login group or domain that the VPN gateway uses to authenticate a device.
This setting is valid only if the "Connection type" setting is set to "
SonicWALL Mobile Connect
."
Realm
This setting specifies the name of the authentication realm that the VPN gateway uses to authenticate a device.
This setting is valid only if the "Connection type" setting is set to "
Juniper
" or "
Pulse Secure
."
Role
This setting specifies the name of the user role that the VPN gateway uses to verify the network resources that a device can access.
This setting is valid only if the "Connection type" setting is set to "
Juniper
" or
Pulse Secure
."
Authentication type
This setting specifies the authentication type for the VPN gateway.
The "Connection type" setting determines which authentication types are supported and the default value for this setting.
Possible values:
  • Password
  • RSA SecurID
  • Shared secret
  • Shared secret/Group name
  • Shared certificate
  • SCEP
  • User credential
EAP plug-ins
This setting specifies authentication plugins for the VPN.
This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP" and the "Authentication type" setting is set to "
RSA SecurID
."
Authentication protocol
This setting specifies authentication protocols for the VPN.
This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP" and the "Authentication type" setting is set to "
RSA SecurID
."
Password
This setting specifies the password that a device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "Password."
Group name
This setting specifies the group name for the VPN gateway.
This setting is valid only in the following conditions:
  • The "Connection type" setting is set to "
    Cisco AnyConnect
    ."
  • The "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name."
Shared secret
This setting specifies the shared secret to use for VPN authentication.
This setting is valid only in the following conditions:
  • The "Connection type" setting is set to "L2TP."
  • The "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name."
  • The "Connection type" setting is set to "IKEv2" or "IKEv2 Always On" and the "Authentication type" setting is set to "Shared secret."
Shared certificate profile
This setting specifies the shared certificate profile with the client certificate that a device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "Shared certificate."
Associated SCEP profile
This setting specifies the associated SCEP profile that a device uses to obtain a client certificate to authenticate with the VPN.
This setting is valid only if the "Authentication type" setting is set to "SCEP."
Associated user credential profile
This setting specifies the associated user credential profile that a device uses to obtain a client certificate to authenticate with the VPN.
This setting is valid only if the "Authentication type" setting is set to "User credential."
Encryption level
This setting specifies the level of data encryption for the VPN connection. If this setting is set to "Automatic," all available encryption strengths are allowed. If this setting is set to "Maximum," only the maximum encryption strength is allowed.
This setting is valid only if the "Connection type" setting is set to "PPTP."
Possible values:
  • None
  • Automatic
  • Maximum
The default value is "None."
Route network traffic through VPN
This setting specifies whether to send all network traffic through the VPN connection.
This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP."
Use hybrid authentication
This setting specifies whether to use a server-side certificate for authentication.
This setting is valid only if the "Connection type" setting is set to "IPsec" and "Authentication type" is set to "Shared secret/Group name"
Prompt for password
This setting specifies whether a device prompts the user for a password.
This setting is valid only if the "Connection type" setting is set to "IPsec" and "Authentication type" is set to "Shared secret/Group name"
Prompt for user PIN
This setting specifies whether the device prompts the user for a PIN.
This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared Certificate," "SCEP," or "User credential."
Remote address
This setting specifies the IP address or hostname of the VPN server.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Local ID
This setting specifies the identity of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, and ASN1DN.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Remote ID
This setting specifies the remote identifier of the IKEv2 client using one of the following formats: FQDN, user FQND, Address, or ASN1DN.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Enable VPN on demand
This setting specifies whether a device can start a VPN connection automatically when it accesses certain domains.
For
iOS
and
iPadOS
devices, this setting applies to work apps.
This setting is valid only in the following conditions:
  • The "Connection type" setting is set to "IPsec," "
    Cisco AnyConnect
    ," "
    Juniper
    ," "
    Pulse Secure
    ," "
    F5
    ," "
    SonicWALL Mobile Connect
    ," "
    Aruba VIA
    ," "
    Check Point Mobile
    ," "
    OpenVPN
    ," or "Custom" and the "Authentication type" is set to "Shared certificate," "SCEP," or "User credential."
  • The "Connection type" setting is set to "IKEv2" and the "Authentication type" is set to "Shared certificate."
Domain or host names that can use VPN on demand
This setting specifies the domains and the associated actions for VPN on demand.
This setting is valid only if the "Enable VPN on demand" setting is selected.
Possible values for "On demand action":
  • Always establish
  • Establish if needed
  • Never establish
VPN on demand rules for
iOS
7.0 and later
This setting specifies the connection requirements for VPN on demand. You must use one or more keys from the payload format example.
This setting overrides the "Domain or host names that can use VPN on demand" setting.
This setting is valid only if the "Enable VPN on demand" setting is selected.
Disconnect on idle
This setting specifies whether the VPN connection disconnect when it idle for a specified period of time.
This setting is valid only if the "Enable VPN on demand" setting is selected.
Disconnect on idle timer
This setting specifies the idle time in seconds after which the VPN disconnects.
The default value is "120"
This setting is valid only if the "Disconnect on idle" setting is selected.
Do not allow user to disable VPN on demand
This setting specifies whether the user can disable VPN on demand.
This setting is valid only if the "Connection type" setting is set to "IPsec," "
Cisco AnyConnect
," "
Juniper
," "
Pulse Secure
," "
F5
," "
SonicWALL Mobile Connect
," "
Aruba VIA
," "
Check Point Mobile
," "
OpenVPN
," or "Custom."
This setting applies only to devices running
iOS
and
iPadOS
14 and later.
Exclude local network
This setting specifies whether to exclude local network traffic from using the VPN connection. If the “Include all networks” setting is also selected, no local network traffic is routed through the VPN. This setting applies only to devices running
iOS
and
iPadOS
13 and later.
All non-default routes take precedence over any locally defined routes
This setting specifies whether the non-default routes for the VPN take precedence over any locally defined routes. If the “Include all networks” setting is also selected, this setting is ignored.
This setting is valid only if the "Connection type" setting is set to "
Cisco AnyConnect
," "
Juniper
," "
Pulse Secure
," "
F5
," "
SonicWALL Mobile Connect
," "
Aruba VIA
," "
Check Point Mobile
," "
OpenVPN
," or "Custom."
This setting applies only to devices running
iOS
and
iPadOS
14.2 and later.
Include all networks
This setting specifies whether to route all traffic through the VPN. If "Exclude local network" is also selected, local network traffic in not routed through the VPN. This setting applies only to devices running
iOS
and
iPadOS
13 and later.
Provider designated requirement
This setting specifies a designated VPN provider. If the VPN provider is implemented as a system extension, this setting is required.
This setting is valid only if the "Connection type" setting is set to "IPsec," "
Cisco AnyConnect
," "
Juniper
," "
Pulse Secure
," "
F5
," "
SonicWALL Mobile Connect
," "
Aruba VIA
," "
Check Point Mobile
," "
OpenVPN
," or "Custom."
Allow user to disable automatic connection
This setting specifies whether users can disable the VPN connection.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On."
Use same tunnel configuration for cellular and
Wi-Fi
This setting specifies whether you want to set separate VPN settings for the device depending on whether the device is sending data over a cellular network or a
Wi-Fi
network. If this setting is not selected, you can set different cellular and Wi-Fi settings in the same profile.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On."
Enable xAuth
This setting specifies whether the VPN supports extended authentication.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Minimum TLS version
This setting specifies the minimum TLS version that devices use for EAP-TLS authentication.
This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.”
Possible values:
  • 1.0
  • 1.1
  • 1.2
The default setting is “1.0.”
Maximum TLS version
This setting specifies the maximum TLS version that devices use for EAP-TLS authentication.
This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.”
Possible values:
  • 1.0
  • 1.1
  • 1.2
The default setting is “1.2.”
Certificate type
This setting specifies the type of certificate used for IKEv2 machine authentication.
This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.”
Common name of the server certificate issuer
This setting specifies the common name of the CA that issued the server certificate that the IKE server sends to the device. If you enable xAuth using a certificate, this setting is required.
This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.”
Common name of the server certificate
This setting specifies the common name of the server certificate that the IKE server sends to the device.
This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.”
Keepalive interval
This setting specifies how often a device sends a keepalive packet.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Possible values:
  • Disabled
  • 30 minutes
  • 10 minutes
  • 1 minute
The default setting is "10 minutes."
Disable MOBIKE
This setting specifies whether MOBIKE is disabled.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Disable IKEv2 redirect
This setting specifies whether IKEv2 redirect is disabled. If this setting is not selected, the IKEv2 connection is redirected if a redirect request is received from the server.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Enable perfect forward secrecy
This setting specifies whether the VPN supports PFS.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Enable NAT keepalive
This setting specifies whether the VPN supports NAT keepalive packets. Keepalive packets are used to maintain NAT mappings for IKEv2 connections.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
NAT keepalive interval
This setting specifies how often a device sends a NAT keepalive packet (in seconds).
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On" and the "Enable NAT keepalive" setting is selected.
The minimum value and the default value is 20.
Use IPv4 and IPv6 IKEv2 internal subnets
This setting specifies whether the VPN can use the IKEv2 configuration attribute INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Common name of the server certificate
This setting specifies the common name in the certificate that the IKE server sends to the device.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Common name of the server certificate issuer
This setting specifies the common name of the certificate issuer in the certificate that the IKE server sends to the device.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Enable certificate revocation check
This setting specifies whether a certificate revocation check is attempted for the server certificate. The check does not fail if there is no response.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Enable fallback
This setting specifies whether the device can establish a VPN tunnel over the mobile network when
Wi-Fi
Assist is enabled. This setting applies only to devices running
iOS
and
iPadOS
13 and later and requires that the server support multiple tunnels for individual users.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Apply Child Security Association parameters
This setting specifies whether to apply child security association parameters.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Apply IKE Security Association parameters
This setting specifies whether to apply IKE security association parameters.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
MTU
This setting specifies the Maximum Transmission Unit in bytes. This setting applies only to devices running
iOS
and
iPadOS
14 and later.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On."
VoiceMail
This setting specifies whether connections to the voice mail service are sent through the VPN tunnel, sent outside of the VPN tunnel, or are blocked. This setting applies only to devices running
iOS
and
iPadOS
13.4 and later.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to
Wi-Fi
connections.
AirPrint
This setting specifies whether
AirPrint
connections
AirPrint
are sent through the VPN tunnel, sent outside of the VPN tunnel, or are blocked. This setting applies only to devices running
iOS
and
iPadOS
13.4 and later.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to
Wi-Fi
connections.
Allow traffic from captive web sheet outside the VPN tunnel
This setting specifies whether traffic from captive web sheets can be sent outside of the VPN tunnel.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to
Wi-Fi
connections.
Allow traffic from all captive networking apps outside VPN tunnel
This setting specifies whether traffic from all captive networking apps can be sent outside of the VPN tunnel. If this setting is not selected, you can specify individual apps for which traffic can be sent outside the tunnel.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to
Wi-Fi
connections.
Traffic from these apps is allowed outside VPN tunnel
This setting specifies individual captive networking apps for which traffic can be sent outside the tunnel.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to
Wi-Fi
connections.
Allow app traffic outside the VPN tunnel
This setting specifies apps whose traffic can be sent outside the tunnel.
This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to
Wi-Fi
connections.
DH group
This setting specifies the DH group that a device uses to generate key material.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
Possible values:
  • 0
  • 1
  • 2
  • 5
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 31
The default setting is "2."
Encryption algorithm
This setting specifies the IKE encryption algorithm.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
Possible values:
  • DES
  • 3DES
  • AES 128
  • AES 256
  • AES 128 GCM
  • AES 256 GCM
  • ChaCha20Poly1305
The default setting is "3DES."
Integrity algorithm
This setting specifies the IKE integrity algorithm.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
Possible values:
  • SHA1 96
  • SHA1 160
  • SHA1 256
  • SHA2 384
  • SHA2 512
The default value is "SHA1-96."
Rekey interval
This setting specifies the lifetime of the IKE connection.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
The possible values are from 10 to 1440 minutes.
The default value is 1440.
Enable per-app VPN
This setting specifies whether the VPN gateway supports per-app VPN. This feature helps decrease the load on an organization’s VPN. For example, you can enable only certain work traffic to use the VPN, such as accessing application servers or webpages behind the firewall.
This setting is valid only if the "Connection type" setting is set to "
Cisco AnyConnect
," "
Juniper
," "
Pulse Secure
," "
F5
," "
SonicWALL Mobile Connect
," "
Aruba VIA
," "
Check Point Mobile
," "
OpenVPN
," "Custom," "IKEv2," or "IKEv2 Always On."
Allow apps to connect automatically
This setting whether apps associated with per-app VPN can start the VPN connection automatically.
This setting is valid only if the "Enable per-app VPN" setting is selected.
Safari
domains
This setting specifies the domains that can start the VPN connection in
Safari
.
This setting is valid only if the "Enable per-app VPN" setting is selected.
Calendar domains
This setting specifies the domains that can start the VPN connection in Calendar.
This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to
iOS
and
iPadOS
13.0 and later devices.
Contacts domains
This setting specifies the domains that can start the VPN connection in Contacts.
This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to
iOS
and
iPadOS
13.0 and later devices.
Mail domains
This setting specifies the domains that can start the VPN connection in Mail.
This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to
iOS
and
iPadOS
13.0 and later devices.
Associated domains
This setting specifies domains that can start the VPN connection on the device. The domains must also be included in the apple-app-site-association file.
This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to
iOS
and
iPadOS
14.0 and later devices.
Excluded domains
This setting specifies domains that are blocked from starting the VPN connection on the device.
This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to
iOS
and
iPadOS
14.0 and later devices.
Traffic tunneling
This setting specifies whether the VPN tunnels traffic at the application layer or the IP layer.
This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to
iOS
and
iPadOS
13.0 and later devices.
Possible values:
  • Application layer
  • IP layer
The default setting is "Application layer."
Associated proxy profile
This setting specifies the associated proxy profile that a device uses to connect to a proxy server when the device is connected to the VPN.