Virtual private network (VPN) security
Secure network services like virtual private networking typically require minimal set-up and configuration to work with iOS, iPadOS and macOS devices.
These devices work with VPN servers that support the following protocols and authentication methods:
IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2 or EAP-TLS
SSL-VPN using the appropriate client app from the App Store
L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS and macOS) and RSA SecurID or CRYPTOCard (macOS only)
Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard and machine authentication by shared secret and certificates (macOS only)
VPN deployments supported
iOS, iPadOS and macOS support the following:
VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.
Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network — and that a user’s personal data doesn’t.
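As an added illustration (not Apple's code or a profile from this page) of how an IT policy expresses "which domains require a VPN connection" in a VPN configuration profile: the dictionary below is a constructed com.apple.vpn.managed payload for certificate-authenticated IKEv2 with On Demand rules, and on_demand_decision models how the rules are evaluated (first rule whose match keys all hold wins; within EvaluateConnection, the ActionParameters are checked by domain suffix). Host names, SSIDs, identifiers and UUIDs are placeholders, and suffix matching on label boundaries is a modelling assumption.

```python
# Constructed example payload; host names, UUIDs and identifiers are placeholders.
VPN_PAYLOAD = {
    "PayloadType": "com.apple.vpn.managed",
    "PayloadIdentifier": "com.example.vpn.ondemand",            # placeholder
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",      # placeholder
    "PayloadVersion": 1,
    "UserDefinedName": "Corp IKEv2",
    "VPNType": "IKEv2",
    "IKEv2": {
        "RemoteAddress": "vpn.example.com",                     # placeholder
        "RemoteIdentifier": "vpn.example.com",                  # placeholder
        "LocalIdentifier": "device-client",                     # placeholder
        "AuthenticationMethod": "Certificate",  # certificate-based auth, as On Demand requires
        "PayloadCertificateUUID": "00000000-0000-4000-8000-000000000002",  # placeholder
        "ExtendedAuthEnabled": 0,
    },
    "OnDemandEnabled": 1,
    # Rules are evaluated top to bottom; the first rule whose match keys all hold applies.
    "OnDemandRules": [
        {"InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpWiFi"], "Action": "Disconnect"},
        {"Action": "EvaluateConnection", "ActionParameters": [
            {"Domains": ["example.com", "intranet.example"], "DomainAction": "ConnectIfNeeded"},
            {"Domains": ["public.example.org"], "DomainAction": "NeverConnect"},
        ]},
    ],
}

def _domain_matches(host, domain):
    # Suffix match on label boundaries (modelling assumption for the Domains key).
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def on_demand_decision(rules, host, interface="Cellular", ssid=None):
    # Model of On Demand evaluation; returns 'connect', 'disconnect' or 'ignore'.
    for rule in rules:
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        if rule["Action"] != "EvaluateConnection":
            return rule["Action"].lower()
        for param in rule.get("ActionParameters", []):
            if any(_domain_matches(host, d) for d in param["Domains"]):
                return "connect" if param["DomainAction"] == "ConnectIfNeeded" else "ignore"
        return "ignore"  # no domain rule matched: traffic leaves without the tunnel
    return "ignore"
```

The dictionary can be serialised to the XML profile an MDM delivers with plistlib.dumps, wrapped in a top-level Configuration payload.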
iOS and iPadOS support the following:
Always On VPN: For devices managed through an MDM solution and supervised using Apple Configurator for Mac, Apple School Manager or Apple Business Manager. Always On VPN eliminates the need for users to turn on VPN to enable protection when connecting to mobile and Wi-Fi networks. It also gives an organisation full control over device traffic by tunnelling all IP traffic back to the organisation. IKEv2, the default protocol for exchanging the parameters and keys used for the subsequent encryption, protects the tunnelled traffic with data encryption. The organisation can monitor and filter traffic to and from its devices, secure data within its network and restrict device access to the internet.