Apple Platform Deployment
- Welcome
- Intro to Apple platform deployment
- What’s new
-
-
- Declarative status reports
- Declarative app configuration
- Authentication credentials and identity asset declaration
- Background task management declarative
- Calendar declarative configuration
- Certificates declarative configuration
- Contacts declarative configuration
- Exchange declarative configuration
- Google Accounts declarative configuration
- LDAP declarative configuration
- Legacy interactive profile declarative configuration
- Legacy profile declarative configuration
- Mail declarative configuration
- Math and Calculator app declarative configuration
- Passcode declarative configuration
- Passkey Attestation declarative configuration
- Safari browsing management declarative configuration
- Safari extensions management declarative configuration
- Screen Sharing declarative configuration
- Service configuration files declarative configuration
- Software Update declarative configuration
- Software Update settings declarative configuration
- Storage management declarative configuration
- Subscribed Calendars declarative configuration
-
-
- Accessibility payload settings
- Active Directory Certificate payload settings
- AirPlay payload settings
- AirPlay Security payload settings
- AirPrint payload settings
- App Lock payload settings
- Associated Domains payload settings
- Automated Certificate Management Environment (ACME) payload settings
- Autonomous Single App Mode payload settings
- Calendar payload settings
- Cellular payload settings
- Cellular Private Network payload settings
- Certificate Preference payload settings
- Certificate Revocation payload settings
- Certificate Transparency payload settings
- Certificates payload settings
- Conference Room Display payload settings
- Contacts payload settings
- Content Caching payload settings
- Directory Service payload settings
- DNS Proxy payload settings
- DNS Settings payload settings
- Dock payload settings
- Domains payload settings
- Energy Saver payload settings
- Exchange ActiveSync (EAS) payload settings
- Exchange Web Services (EWS) payload settings
- Extensible Single Sign-on payload settings
- Extensible Single Sign-on Kerberos payload settings
- Extensions payload settings
- FileVault payload settings
- Finder payload settings
- Firewall payload settings
- Fonts payload settings
- Global HTTP Proxy payload settings
- Google Accounts payload settings
- Home Screen Layout payload settings
- Identification payload settings
- Identity Preference payload settings
- Kernel Extension Policy payload settings
- LDAP payload settings
- Lights Out Management payload settings
- Lock Screen Message payload settings
- Login Window payload settings
- Managed Login Items payload settings
- Mail payload settings
- Network Usage Rules payload settings
- Notifications payload settings
- Parental Controls payload settings
- Passcode payload settings
- Printing payload settings
- Privacy Preferences Policy Control payload settings
- Relay payload settings
- SCEP payload settings
- Security payload settings
- Setup Assistant payload settings
- Single Sign-on payload settings
- Smart Card payload settings
- Subscribed Calendars payload settings
- System Extensions payload settings
- System Migration payload settings
- Time Machine payload settings
- TV Remote payload settings
- Web Clips payload settings
- Web Content Filter payload settings
- Xsan payload settings
-
- Glossary
- Document revision history
- Copyright and trademarks

Cisco IPsec VPN setup for Apple devices
Use this section to configure your Cisco VPN server for use with iOS, iPadOS, and macOS, all of which support the Cisco network firewalls Adaptive Security Appliance 5500 Series and Private Internet Exchange. They also support Cisco IOS VPN routers with IOS version 12.4(15)T or later. VPN 3000 Series Concentrators don’t support VPN capabilities.
Authentication methods
iOS, iPadOS, and macOS support the following authentication methods:
Preshared key IPsec authentication with user authentication using the
xauth
command.Client and server certificates for IPsec authentication, with optional user authentication using
xauth
.Hybrid authentication, where the server provides a certificate and the client provides a preshared key for IPsec authentication. User authentication is required and provided using
xauth
, which includes the authentication method’s user name with password, and RSA SecurID.
Authentication groups
The Cisco Unity protocol uses authentication groups to group users based on a common set of parameters. You should create an authentication group for users. For preshared key and hybrid authentication, the group name needs to be configured on the device with the group’s shared secret (preshared key) as the group password.
When using certificate authentication, there’s no shared secret. A user’s group is determined from fields in the certificate. The Cisco server settings can be used to map fields in a certificate to user groups.
RSA-Sig needs to be the highest priority on the ISAKMP (Internet Security Association and Key Management Protocol) priority list.
IPsec settings and descriptions
You can specify these settings to define how IPsec is implemented:
Mode: Tunnel mode.
IKE exchange modes: Aggressive mode for preshared key and hybrid authentication, or Main mode for certificate authentication.
Encryption algorithms: 3DES, AES-128, or AES256.
Authentication algorithms: HMAC-MD5 or HMAC-SHA1.
Diffie-Hellman Groups: Group 2 is required for preshared key and hybrid authentication, group 2 with 3DES and AES-128 for certificate authentication, and group 2 or 5 with AES-256.
Perfect Forward Secrecy (PFS): For IKE phase 2, if PFS is used, the Diffie-Hellman Group needs to be the same as was used for IKE phase 1.
Mode configuration: Needs to be enabled.
Dead peer detection: Recommended.
Standard NAT traversal: Supported and can be enabled (IPsec over TCP isn’t supported).
Load balancing: Supported and can be enabled.
Rekeying of phase 1: Not currently supported. It’s recommend that rekeying times on the server be set to one hour.
ASA address mask: Make sure all device address pool masks are either not set, or set to 255.255.255.255. For example:
asa(config-webvpn)# ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
.If you use the recommended address mask, some routes assumed by the VPN configuration might be ignored. To avoid this, make sure your routing table contains all necessary routes, and make sure the subnet addresses are accessible before deployment.
Application version: The client software version is sent to the server, letting the server accept or reject connections based on the device’s software version.
Banner: The banner (if configured on the server) is displayed on the device, and the user needs to accept it or disconnect.
Split tunnel: Supported.
Split DNS: Supported.
Default domain: Supported.