Virtual private network (VPN) security
Secure network services like virtual private networking typically require minimal setup and configuration to work with iOS, iPadOS, and macOS devices.
These devices work with VPN servers that support the following protocols and authentication methods:
IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2, or EAP-TLS
SSL-VPN using the appropriate client app from the App Store
L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)
Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)
VPN deployments supported
iOS, iPadOS, and macOS support the following:
VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.
Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network—and that a user’s personal data doesn’t.
iOS and iPadOS support the following:
Always On VPN: For devices managed through an MDM solution and supervised using Apple Configurator for Mac, Apple School Manager, or Apple Business Manager. Always On VPN eliminates the need for users to turn on VPN to enable protection when connecting to cellular and Wi-Fi networks. It also gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default exchange of parameters and keys for the subsequent encryption, IKEv2, secures traffic transmission with data encryption. The organization can monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the internet.