Choose IKEv2 and select Always-on VPN (iOS and iPadOS-only) if you want to configure a payload so that devices must have an active VPN connection in order to connect to any network. You can configure Always-on VPN for cellular and Wi-Fi separately, or together. For a more detailed description of these settings, see IKEv2 setup.
The display name of the VPN connection.
The IP address or fully qualified domain name (FQDN) of the VPN server.
This value should usually match the user/device certificate’s identity (Subject Alternative Name or Subject Common Name), since server implementation may require that match to validate the client’s identity.
This value should match the server certificate’s identity (Subject Alternative Name or Subject Common Name).
Note: If this value doesn’t match the server certificate’s identity, ServerCertificateCommonName key can be used to specify the server certificate’s identity.
Enables Always-on VPN, which can tunnel all IP traffic back to your organization. Different configurations can be set up for Cellular and Wi-Fi.
Allow disabling connections
Specifies whether users can disable the Always-on VPN connection.
Use same configuration
Specifies whether to use the same configuration for Wi-Fi and cellular.
The options are:
Enables the Extensible Authentication Protocol (EAP). When enabled, select from the following authentication methods:
Note: Both authentication methods must be used for EAP–PEAP.
Disconnect on idle
The options are:
Offloads sending NAT keepalives to hardware while the device is asleep, which keeps the connection up across device sleep cycles. If NAT keepalive is selected, an interval time value must be set. The minimum is 20 seconds.
Dead peer detection rate
How often to detect unresponsive connections. The options are:
Allows redirection to another VPN server.
Mobility and multihoming
Allows the device to keep the VPN connection active if:
IPv4 and IPv6 internal subnet attributes
Enables both IPv4 and IPv6 tunnels for your VPN connection.
Perfect Forward Secrecy (PFS)
Enables PFS for your VPN connection. Doing so prevents past sessions from being decrypted.
Certificate revocation check
Allows the device to check the certificates it gets from the VPN server against a Certificate Revocation List (CRL).
Dynamic security associations (SA) parameters
Allows for the configuration of both IKE and Child parameters. Both values require the following attributes:
Allows service exceptions for voicemail, AirPrint, MMS messages, and cellular services. Each service can be configured to use one of the following:
Traffic from captive web portals outside the VPN tunnel
Specifies whether traffic is permitted from captive web portals outside of the VPN tunnel.
Traffic from all captive networking apps outside the VPN tunnel
Specifies whether traffic is permitted from apps that connect to remote networks. If enabled, the apps must be listed (below).
Captive network app bundle identifiers
Identifies the networking apps that are permitted outside the VPN tunnel. They are identified by their bundle ID.