iOS and macOS: VPN profile settings

Settings for iOS also apply to iPadOS devices. macOS applies profiles to either user accounts or devices. You can configure a VPN profile to apply to one or the other.

iOS and macOS: VPN profile setting | Description |
---|---|
Apply profile to | This setting specifies whether the VPN profile on a macOS device is applied to the user account or the device. Possible values: This setting is valid only for macOS devices. |
Connection type | This setting specifies the connection type that a device uses for a VPN gateway. Some connection types also require users to install the appropriate VPN app on the device. Possible values: The default value is "L2TP." If you select "IKEv2 Always On," many settings have separate values for cellular and Wi-Fi connections. Some values are not valid for macOS devices. |
VPN bundle ID | This setting specifies the bundle ID of the VPN app for a custom SSL VPN. The bundle ID is in reverse-DNS format (for example, com.example.VPNapp). This setting is valid only if the "Connection type" setting is set to "Custom." |
Server | This setting specifies the FQDN or IP address of a VPN server. |
Username | This setting specifies the username that a device uses to authenticate with the VPN gateway. If the profile is for multiple users, you can specify the %UserName% variable. |
Custom key-value pairs | This setting specifies the keys and associated values for the custom SSL VPN. The configuration information is specific to the vendor's VPN app. This setting is valid only if the "Connection type" setting is set to "Custom." |
Login group or Domain | This setting specifies the login group or domain that the VPN gateway uses to authenticate a device. This setting is valid only if the "Connection type" setting is set to "SonicWALL Mobile Connect." |
Realm | This setting specifies the name of the authentication realm that the VPN gateway uses to authenticate a device. This setting is valid only if the "Connection type" setting is set to "Juniper" or "Pulse Secure." |
Role | This setting specifies the name of the user role that the VPN gateway uses to verify the network resources that a device can access. This setting is valid only if the "Connection type" setting is set to "Juniper" or "Pulse Secure." |
Authentication type | This setting specifies the authentication type for the VPN gateway. The "Connection type" setting determines which authentication types are supported and the default value for this setting. Possible values: |
EAP plug-ins | This setting specifies authentication plug-ins for the VPN. This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP" and the "Authentication type" setting is set to "RSA SecurID." |
Authentication protocol | This setting specifies authentication protocols for the VPN. This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP" and the "Authentication type" setting is set to "RSA SecurID." |
Password | This setting specifies the password that a device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to "Password." |
Group name | This setting specifies the group name for the VPN gateway. This setting is valid only in the following conditions: |
Shared secret | This setting specifies the shared secret to use for VPN authentication. This setting is valid only in the following conditions: |
Shared certificate profile | This setting specifies the shared certificate profile with the client certificate that a device uses to authenticate with the VPN gateway. This setting is valid only if the "Authentication type" setting is set to "Shared certificate." |
Associated SCEP profile | This setting specifies the associated SCEP profile that a device uses to obtain a client certificate to authenticate with the VPN. This setting is valid only if the "Authentication type" setting is set to "SCEP." |
Associated user credential profile | This setting specifies the associated user credential profile that a device uses to obtain a client certificate to authenticate with the VPN. This setting is valid only if the "Authentication type" setting is set to "User credential." |
Encryption level | This setting specifies the level of data encryption for the VPN connection. If this setting is set to "Automatic," all available encryption strengths are allowed. If this setting is set to "Maximum," only the maximum encryption strength is allowed. This setting is valid only if the "Connection type" setting is set to "PPTP." Possible values: The default value is "None." |
Route network traffic through VPN | This setting specifies whether to send all network traffic through the VPN connection. This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP." |
Use hybrid authentication | This setting specifies whether to use a server-side certificate for authentication. This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name." |
Prompt for password | This setting specifies whether a device prompts the user for a password. This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name." |
Prompt for user PIN | This setting specifies whether the device prompts the user for a PIN. This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared Certificate," "SCEP," or "User credential." |
Remote address | This setting specifies the IP address or hostname of the VPN server. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Local ID | This setting specifies the identity of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, and ASN1DN. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Remote ID | This setting specifies the remote identifier of the IKEv2 client using one of the following formats: FQDN, UserFQDN, Address, or ASN1DN. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Enable VPN on demand | This setting specifies whether a device can start a VPN connection automatically when it accesses certain domains. For iOS and iPadOS devices, this setting applies to work apps. This setting is valid only in the following conditions: |
Domain or host names that can use VPN on demand | This setting specifies the domains and the associated actions for VPN on demand. This setting is valid only if the "Enable VPN on demand" setting is selected. Possible values for "On demand action": |
VPN on demand rules for iOS 7.0 and later | This setting specifies the connection requirements for VPN on demand. You must use one or more keys from the payload format example. This setting overrides the "Domain or host names that can use VPN on demand" setting. This setting is valid only if the "Enable VPN on demand" setting is selected. |
Disconnect on idle | This setting specifies whether the VPN connection disconnects when it is idle for a specified period of time. This setting is valid only if the "Enable VPN on demand" setting is selected. |
Disconnect on idle timer | This setting specifies the idle time in seconds after which the VPN disconnects. The default value is "120." This setting is valid only if the "Disconnect on idle" setting is selected. |
Do not allow user to disable VPN on demand | This setting specifies whether the user can disable VPN on demand. This setting is valid only if the "Connection type" setting is set to "IPsec," "Cisco AnyConnect," "Juniper," "Pulse Secure," "F5," "SonicWALL Mobile Connect," "Aruba VIA," "Check Point Mobile," "OpenVPN," or "Custom." This setting applies only to devices running iOS and iPadOS 14 and later. |
Exclude local network | This setting specifies whether to exclude local network traffic from using the VPN connection. If the “Include all networks” setting is also selected, no local network traffic is routed through the VPN. This setting applies only to devices running iOS and iPadOS 13 and later. |
All non-default routes take precedence over any locally defined routes | This setting specifies whether the non-default routes for the VPN take precedence over any locally defined routes. If the "Include all networks" setting is also selected, this setting is ignored. This setting is valid only if the "Connection type" setting is set to "Cisco AnyConnect," "Juniper," "Pulse Secure," "F5," "SonicWALL Mobile Connect," "Aruba VIA," "Check Point Mobile," "OpenVPN," or "Custom." This setting applies only to devices running iOS and iPadOS 14.2 and later. |
Include all networks | This setting specifies whether to route all traffic through the VPN. If "Exclude local network" is also selected, local network traffic is not routed through the VPN. This setting applies only to devices running iOS and iPadOS 13 and later. |
Provider designated requirement | This setting specifies a designated VPN provider. If the VPN provider is implemented as a system extension, this setting is required. This setting is valid only if the "Connection type" setting is set to "IPsec," "Cisco AnyConnect," "Juniper," "Pulse Secure," "F5," "SonicWALL Mobile Connect," "Aruba VIA," "Check Point Mobile," "OpenVPN," or "Custom." |
Allow user to disable automatic connection | This setting specifies whether users can disable the VPN connection. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." |
Use same tunnel configuration for cellular and Wi-Fi | This setting specifies whether the device uses the same VPN settings whether it is sending data over a cellular network or a Wi-Fi network. If this setting is not selected, you can set different cellular and Wi-Fi settings in the same profile. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." |
Enable xAuth | This setting specifies whether the VPN supports extended authentication. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Minimum TLS version | This setting specifies the minimum TLS version that devices use for EAP-TLS authentication. This setting is valid only if the "Enable xAuth" setting is selected and the "Authentication type" setting is set to "Certificate." Possible values: The default setting is "1.0." |
Maximum TLS version | This setting specifies the maximum TLS version that devices use for EAP-TLS authentication. This setting is valid only if the "Enable xAuth" setting is selected and the "Authentication type" setting is set to "Certificate." Possible values: The default setting is "1.2." |
Certificate type | This setting specifies the type of certificate used for IKEv2 machine authentication. This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.” |
Common name of the server certificate issuer | This setting specifies the common name of the CA that issued the server certificate that the IKE server sends to the device. If you enable xAuth using a certificate, this setting is required. This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.” |
Common name of the server certificate | This setting specifies the common name of the server certificate that the IKE server sends to the device. This setting is valid only if the "Enable xAuth" setting is selected and the Authentication type is “Certificate.” |
Keepalive interval | This setting specifies how often a device sends a keepalive packet. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." Possible values: The default setting is "10 minutes." |
Disable MOBIKE | This setting specifies whether MOBIKE is disabled. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Disable IKEv2 redirect | This setting specifies whether IKEv2 redirect is disabled. If this setting is not selected, the IKEv2 connection is redirected if a redirect request is received from the server. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Enable perfect forward secrecy | This setting specifies whether the VPN supports PFS. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Enable NAT keepalive | This setting specifies whether the VPN supports NAT keepalive packets. Keepalive packets are used to maintain NAT mappings for IKEv2 connections. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
NAT keepalive interval | This setting specifies how often a device sends a NAT keepalive packet (in seconds). This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On" and the "Enable NAT keepalive" setting is selected. The minimum value and the default value are both 20. |
Use IPv4 and IPv6 IKEv2 internal subnets | This setting specifies whether the VPN can use the IKEv2 configuration attribute INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Common name of the server certificate | This setting specifies the common name in the certificate that the IKE server sends to the device. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Common name of the server certificate issuer | This setting specifies the common name of the certificate issuer in the certificate that the IKE server sends to the device. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Enable certificate revocation check | This setting specifies whether a certificate revocation check is attempted for the server certificate. The check does not fail if there is no response. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Enable fallback | This setting specifies whether the device can establish a VPN tunnel over the mobile network when Wi-Fi Assist is enabled. This setting applies only to devices running iOS and iPadOS 13 and later and requires that the server support multiple tunnels for individual users. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Apply Child Security Association parameters | This setting specifies whether to apply child security association parameters. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
Apply IKE Security Association parameters | This setting specifies whether to apply IKE security association parameters. This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On." |
MTU | This setting specifies the Maximum Transmission Unit in bytes. This setting applies only to devices running iOS and iPadOS 14 and later. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." |
VoiceMail | This setting specifies whether connections to the voice mail service are sent through the VPN tunnel, sent outside of the VPN tunnel, or are blocked. This setting applies only to devices running iOS and iPadOS 13.4 and later. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to Wi-Fi connections. |
AirPrint | This setting specifies whether AirPrint connections are sent through the VPN tunnel, sent outside of the VPN tunnel, or are blocked. This setting applies only to devices running iOS and iPadOS 13.4 and later. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to Wi-Fi connections. |
Allow traffic from captive web sheet outside the VPN tunnel | This setting specifies whether traffic from captive web sheets can be sent outside of the VPN tunnel. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to Wi-Fi connections. |
Allow traffic from all captive networking apps outside VPN tunnel | This setting specifies whether traffic from all captive networking apps can be sent outside of the VPN tunnel. If this setting is not selected, you can specify individual apps for which traffic can be sent outside the tunnel. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to Wi-Fi connections. |
Traffic from these apps is allowed outside VPN tunnel | This setting specifies individual captive networking apps for which traffic can be sent outside the tunnel. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to Wi-Fi connections. |
Allow app traffic outside the VPN tunnel | This setting specifies apps whose traffic can be sent outside the tunnel. This setting is valid only if the "Connection type" setting is set to "IKEv2 Always On." It applies only to Wi-Fi connections. |
DH group | This setting specifies the DH group that a device uses to generate key material. This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected. Possible values: The default setting is "2." |
Encryption algorithm | This setting specifies the IKE encryption algorithm. This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected. Possible values: The default setting is "3DES." |
Integrity algorithm | This setting specifies the IKE integrity algorithm. This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected. Possible values: The default value is "SHA1-96." |
Rekey interval | This setting specifies the lifetime of the IKE connection. This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected. The possible values are from 10 to 1440 minutes. The default value is 1440. |
Enable per-app VPN | This setting specifies whether the VPN gateway supports per-app VPN. This feature helps decrease the load on an organization's VPN. For example, you can enable only certain work traffic to use the VPN, such as accessing application servers or webpages behind the firewall. This setting is valid only if the "Connection type" setting is set to "Cisco AnyConnect," "Juniper," "Pulse Secure," "F5," "SonicWALL Mobile Connect," "Aruba VIA," "Check Point Mobile," "OpenVPN," "Custom," "IKEv2," or "IKEv2 Always On." |
Allow apps to connect automatically | This setting specifies whether apps associated with per-app VPN can start the VPN connection automatically. This setting is valid only if the "Enable per-app VPN" setting is selected. |
Safari domains | This setting specifies the domains that can start the VPN connection in Safari. This setting is valid only if the "Enable per-app VPN" setting is selected. |
Calendar domains | This setting specifies the domains that can start the VPN connection in Calendar. This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to iOS and iPadOS 13.0 and later devices. |
Contacts domains | This setting specifies the domains that can start the VPN connection in Contacts. This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to iOS and iPadOS 13.0 and later devices. |
Mail domains | This setting specifies the domains that can start the VPN connection in Mail. This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to iOS and iPadOS 13.0 and later devices. |
Associated domains | This setting specifies domains that can start the VPN connection on the device. The domains must also be included in the apple-app-site-association file. This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to iOS and iPadOS 14.0 and later devices. |
Excluded domains | This setting specifies domains that are blocked from starting the VPN connection on the device. This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to iOS and iPadOS 14.0 and later devices. |
Traffic tunneling | This setting specifies whether the VPN tunnels traffic at the application layer or the IP layer. This setting is valid only if the "Enable per-app VPN" setting is selected. This setting applies only to iOS and iPadOS 13.0 and later devices. Possible values: The default setting is "Application layer." |
Associated proxy profile | This setting specifies the associated proxy profile that a device uses to connect to a proxy server when the device is connected to the VPN. |
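The IKEv2 defaults listed in the table (DH group 2, 3DES, SHA1-96, minimum TLS 1.0) are weaker than current guidance, so it is worth checking the profiles a UEM server actually pushes. The following is an added example, not BlackBerry UEM or Apple code: it parses a .mobileconfig plist with Apple's `com.apple.vpn.managed` IKEv2 payload keys (`IKESecurityAssociationParameters`, `ChildSecurityAssociationParameters`, `EnablePFS`, `EnableCertificateRevocationCheck`, `TLSMinimumVersion`) and flags the weak settings; the two sample profiles are constructed for the demo, and `vpn.example.com` is a placeholder.

```python
import plistlib

WEAK_DH_GROUPS = {1, 2, 5}                # MODP groups of 1536 bits or less
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
SA_KEYS = ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters")


def _tls_tuple(version):
    """'1.2' -> (1, 2) so TLS versions compare numerically."""
    major, minor = version.split(".")
    return int(major), int(minor)


def audit_ikev2(payload):
    """Return a list of findings (strings) for one com.apple.vpn.managed IKEv2 payload."""
    findings = []
    ike = payload.get("IKEv2", {})
    for sa in SA_KEYS:
        params = ike.get(sa)
        if params is None:      # SA parameters not applied; nothing explicit to check
            continue
        if params.get("DiffieHellmanGroup") in WEAK_DH_GROUPS:
            findings.append(f"{sa}: DH group {params['DiffieHellmanGroup']} is weak; use 14 or higher")
        if params.get("EncryptionAlgorithm") in WEAK_ENCRYPTION:
            findings.append(f"{sa}: {params['EncryptionAlgorithm']} is weak; use AES-256 or AES-256-GCM")
        if params.get("IntegrityAlgorithm") in WEAK_INTEGRITY:
            findings.append(f"{sa}: {params['IntegrityAlgorithm']} is weak; use SHA2-256 or stronger")
    if not ike.get("EnablePFS"):
        findings.append("EnablePFS: perfect forward secrecy is off")
    if not ike.get("EnableCertificateRevocationCheck"):
        findings.append("EnableCertificateRevocationCheck: server certificate revocation is not checked")
    # The TLS floor only matters for EAP-TLS, i.e. xAuth with certificate authentication.
    if ike.get("ExtendedAuthEnabled") and ike.get("AuthenticationMethod") == "Certificate":
        if _tls_tuple(ike.get("TLSMinimumVersion", "1.0")) < (1, 2):
            findings.append("TLSMinimumVersion: below 1.2 for EAP-TLS")
    return findings


def audit_mobileconfig(data):
    """Parse a .mobileconfig (plist bytes) and audit every IKEv2 VPN payload in it."""
    profile = plistlib.loads(data)
    return {
        p.get("PayloadIdentifier", "?"): audit_ikev2(p)
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.vpn.managed" and p.get("VPNType") == "IKEv2"
    }


def sample_profile(hardened):
    """Constructed IKEv2 profile: the table's defaults, or a hardened variant (demo data)."""
    sa = ({"DiffieHellmanGroup": 20, "EncryptionAlgorithm": "AES-256-GCM",
           "IntegrityAlgorithm": "SHA2-384", "LifeTimeInMinutes": 1440}
          if hardened else
          {"DiffieHellmanGroup": 2, "EncryptionAlgorithm": "3DES",
           "IntegrityAlgorithm": "SHA1-96", "LifeTimeInMinutes": 1440})
    ike = {"RemoteAddress": "vpn.example.com", "RemoteIdentifier": "vpn.example.com",
           "LocalIdentifier": "device.example.com", "AuthenticationMethod": "Certificate",
           "ExtendedAuthEnabled": 1, "TLSMinimumVersion": "1.2" if hardened else "1.0",
           "EnablePFS": int(hardened), "EnableCertificateRevocationCheck": int(hardened),
           "IKESecurityAssociationParameters": dict(sa),
           "ChildSecurityAssociationParameters": dict(sa)}
    payload = {"PayloadType": "com.apple.vpn.managed", "PayloadIdentifier": "com.example.vpn",
               "UserDefinedName": "Corp VPN", "VPNType": "IKEv2", "IKEv2": ike}
    return plistlib.dumps({"PayloadContent": [payload], "PayloadType": "Configuration"})
```

Run `audit_mobileconfig(open("profile.mobileconfig", "rb").read())` against an exported profile; a signed .mobileconfig must be unwrapped from its CMS envelope first, which this script does not do.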