Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Math and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Cellular Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
-
- Glossary
- Document revision history
- Copyright
Use a VPN proxy and certificate configuration in Apple devices
For all configurations, you can specify a VPN proxy by configuring a single proxy for all connections or providing the device with an auto proxy configuration file.
Proxy setup
Configure a single proxy for all connections: Use the manual setting and provide the address, port, and authentication if necessary.
Provide the device with an auto proxy configuration file using either the PAC file format or the Web Proxy Auto-Discovery (WPAD) Protocol method: Use the auto setting. For PAC over HTTPS, specify the URL of the PAC over HTTPS or JavaScript file. For WPAD, iOS, iPadOS, and macOS, ask DHCP and DNS for the appropriate settings.
The VPN proxy configuration is used when the VPN is providing the following:
The default resolver and the default route: The VPN proxy is used for all web requests on the system.
A split tunnel: Only connections to hosts that match the VPN’s DNS search domains use the VPN proxy.
Certificate setup
When you set up and install certificates:
The server identity certificate must contain the server’s DNS name or IP address in the
SubjectAltNamefield. The device uses this information to verify that the certificate belongs to the server. For more flexibility, you can specify theSubjectAltNameusing wildcard characters for per-segment matching, such as vpn.*.mycompany.com. If noSubjectAltNameis specified, you can put the DNS name in theCommonNamefield.The certificate of the certification authority (CA) that signed the server’s certificate needs to be installed on the device. If it isn’t a root certificate, install the rest of the trust chain so that the certificate is trusted. If you use client certificates, make sure the trusted CA certificate that signed the client’s certificate is installed on the VPN server. When using certificate-based authentication, make sure the server is set up to identify the user’s group, based on fields in the client certificate.
Important: The certificates and CAs must be valid (for example, trusted, and not expired). Sending the entire certificate trust chain by the server isn’t supported.