VPN overview for Apple device deployment
Secure access to private corporate networks is available in iOS, iPadOS, and macOS using established industry-standard virtual private network (VPN) protocols.
Supported protocols
The iOS, iPadOS, and macOS operating systems support the following protocols and authentication methods:
IKEv2: Support for both IPv4 and IPv6 and the following:
Authentication methods: Shared secret, certificates, EAP-TLS and EAP-MSCHAPv2
Suite B cryptography: ECDSA certificates, ESP encryption with GCM, and ECP Groups for the Diffie-Hellman Group
Additional features: MOBIKE, IKE fragmentation, server redirect, split tunnel
L2TP over IPsec: User authentication by MS-CHAP v2 password, two-factor token, certificate, machine authentication by shared secret or certificate
macOS can also use Kerberos machine authentication by shared secret or certificate with L2TP over IPsec.
SSL VPN: User authentication by password, two-factor token, and certificates using the provider’s companion app
Cisco IPsec: User authentication by password, two-factor token, and machine authentication by shared secret and certificates
If your organization supports IKEv, L2TP over IPsec, or Cisco IPsec, no additional network configuration or third-party apps are required in order to connect Apple devices to your virtual private network.
iOS, iPadOS, and macOS also support technologies such as IPv6, proxy servers, and split tunneling. Split tunneling provides a flexible VPN experience when connecting to an organization’s networks.
VPN On Demand
In iOS, iPadOS, and macOS, VPN On Demand lets Apple devices automatically establish a connection on an as-needed basis. It requires an authentication method that doesn’t involve user interaction—for example, certificate-based authentication. VPN On Demand is configured using the OnDemandRules key in a VPN payload of a configuration profile. Rules are applied in two stages:
Network detection stage: Defines VPN requirements that are applied when the device’s primary network connection changes.
Connection evaluation stage: Defines VPN requirements for connection requests to domain names on an as-needed basis.
Rules can be used to do things like:
Recognize when an Apple device is connected to an internal network and VPN isn’t necessary
Recognize when an unknown Wi-Fi network is being used and require VPN for all network activity
Require VPN when a DNS request for a specified domain name fails
Per App VPN
In iOS, iPadOS, and macOS, VPN connections can be established on a per-app basis, which provides more granular control over which data goes through VPN. This ability to segregate traffic at the app level allows the separation of personal data from organizational data—resulting in secure networking for internal-use apps, while at the same time preserving the privacy of personal device activity.
Per App VPN lets each app that’s managed by a mobile device management (MDM) solution communicate with the private network using a secure tunnel, while excluding unmanaged apps from using the private network. Managed Apps can be configured with different VPN connections to further safeguard data. For example, a sales quote app might use an entirely different data center than an accounts payable app.
After enabling Per App VPN for any VPN connection, you need to associate that connection with the apps using it to secure the network traffic for those apps. You do this with the Per App VPN mapping payload (macOS) or by specifying the VPN connection within the app installation command (iOS and iPadOS).
Per App VPN can be configured to work with the built-in VPN client in iOS and iPadOS, which support IKEv2 VPN clients.
IKEv2 is supported by the IPsec client. For information about Per App VPN support, contact third-party SSL or VPN vendors.
Note: To use Per App VPN in iOS and iPadOS, an app must be managed by MDM and use standard networking APIs.
Always On VPN
Always On VPN gives your organization full control over iOS and iPadOS traffic by tunneling all IP traffic back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with data encryption. Your organization can now monitor and filter traffic to and from devices, secure data within your network, and restrict device access to the internet.
Always On VPN activation requires device supervision. After the Always On VPN profile is installed on a device, Always On VPN automatically activates with no user interaction, and it stays activated (including across restarts) until the Always On VPN profile is uninstalled.
With Always On VPN activated on the device, the VPN tunnel bring-up and teardown is tied to the interface IP state. When the interface gains IP network reachability, it attempts to establish a tunnel. When the interface IP state goes down, the tunnel is torn down.
Always On VPN also supports per-interface tunnels. For devices with cellular connections, there’s one tunnel for each active IP interface (one tunnel for the cellular interface and one tunnel for the Wi-Fi interface). As long as the VPN tunnels are up, all IP traffic is tunneled. Traffic includes all IP-routed traffic and all IP-scoped traffic (traffic from first-party apps such as FaceTime and Messages). If the tunnels aren’t up, all IP traffic is dropped.
All traffic tunneled from a device reaches a VPN server. You can apply optional filtering and monitoring treatments before forwarding the traffic to its destination within your organization’s network or to the internet. Similarly, traffic to the device is routed to your organization’s VPN server, where filtering and monitoring processes may be applied before being forwarded to the device.