112 views October 19, 2018 0

Create VPN profile for iOS

Create a VPN profile to allow users to access the firm’s network, without having to make their own settings.

  • Select VPN as the profile that you want to add. The following dialog will open.
Configure VPN profile

Configure VPN profile

Make the following settings:

  • Profile name: Enter a name for the profile here.
  • Connection name: Enter a name for the connection here.
  • VPN server: Enter the address of a VPN server here.
  • Connection type: You can select the VPN protocol here. Dependant on the VPN protocol, a number of further options are available. If required, consult your VPN server documentation for this.
  • Use as per-app VPN: This checkbox is available on the Apple side, only for some (add-on) VPN protocols (e.g. Cisco or Juniper). Activate Use as per-app VPN, if you want to use this profile later in a Managed App. As soon as the users open the respective app, they will be connected automatically to your VPN. Note that the VPN can only be accessed by the configured app, not by the users themselves.
  • Use for Safari Domains: If you enable this option, the VPN connection is set up automatically when you open a stored web page. This VPN profile can be used for Managed Domains. This option is dependent on the Connection Type.
  • Account: Enter an account here, or enable Autofill to read the data automatically (see section Using variables).
  • Password: You can enter the user’s password here.
  • Shared secret: Enter the connection key of the selected protocol here.
  • Send all traffic: Enable this checkbox, if you want all data traffic to be sent over the VPN.
  • Proxy: You can make settings for a proxy server for iOS devices here. Select None, if you want to do the configuration without a proxy server. Otherwise, select Manual or Automatic.
  • Proxy server URL: If your VPN server can only be reached via a proxy server, enter the URL of your proxy server here.

Note! If you use Open VPN the Connection type Custom SSL must be selec­ted. Futher details about configuration of this profile can be found under https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/ in the section: Can I import an OpenVPN profile via an iOS .mobileconfig file?

You’ll find out here how to distribute the new profile (see section Assigning profiles).

Always-on VPN

With Always-on VPN users’ iOS devices are always securely connected to the cor­porate network. Permanent VPN provides complete control over device data traffic, as all IP traffic is carried to and from the organization via tunnels.

Encryption is carried out using the IKEv2 tunnel protocol standard. This allows you to monitor and filter traffic to and from the devices, protect data within your network and restrict the devices’ access to the Internet.

A prerequisite for the use of Always-on VPN is that iOS devices are used in Supervised Mode. Once the Always-on VPN profile has been distributed to the users’ devices, permanent VPN is activated automatically (with no input from the user).

For iOS devices, a separate tunnel is used for each active IP interface (i.e. one tun­nel for the Cellular interface and one for the Wi-Fi interface). Alternatively, a sin­gle tunnel can be configured for both connections. Further information on implemen­tation scenarios can be found on the Apple website.

Configure the Always-on VPN profile as follows:

VPN profile: configuring Always-on VPN

VPN profile: configuring Always-on VPN

  • Profile name: You can enter any chosen name for the profile here.
  • Connection name: Enter the name of the connection here.
  • Connection type: Enter the name of the connection here (upper arrow in illus.).
  • Always-on (supervised devices only): Enable this checkbox (lower arrow in illus.).
  • Use same configuration for Wi-Fi and Cellular: Only enable this checkbox if you want to use the same configuration for both VPN tunnels (see above). Oth­erwise, configure one tunnel for Wi-Fi and another for Cellular.
VPN profil: configure Always-on VPN

VPN profil: configure Always-on VPN

  • Remote address: Enter the IP address or the hostname of the VPN server (e.g. vpn.example.org).
  • Remote identifier: For the Remote identifier, use the FQDN, the UserFQDN or an IP address (e.g. vpn.example.org).
  • Local identifier: Enter the local identifier for the IKEv2 client here. Again, use the FQDN, the UserFQDN or an IP address.
  • Machine authentication: Select Certificate if you want to use SSL encryption. Select Shared Secret for password entry. In this case you enter the password in the Shared Secret field.
  • Server-certificate issuer Common Name: Enter the common name (CN) of the root certificate (Root CA) here.
  • Server-certificate Common Name: Enter the common name (CN) of the server certificate here. If this field is left empty, the Remote identifier will be used.
  • Identity certificate: Select a SCEP profile or a certificate profile that you have created previously.
  • Enable EAP: Check this box if you want to use the Extended Authentication Pro­tocol.
  • Dead peer detection interval: Here you can set how often to check whether a connection is present.
  • Edit security parameters: If you have defined further security options on your VPN server, select them here.
  • Allow user to disable VPN: Check this box if you want to give the users the ability to shut down the VPN tunnel.
  • Allow traffic from Captive Web Sheet: Set this checkbox, to allow traffic from Captive Web Sheet outside the VPN tunnel.
  • Allow all Captive Networking apps: Set this checkbox, to allow traffic from all Captive Networking apps outside the VPN tunnel to perform Captive network handling.
  • VoiceMail: Select one of the predefined options from the drop-down menu.
  • Bundle Identifier: Enter connections (e.g. apps) here that can be used outside of the VPN tunnel.

You can find further information about permanent VPN on the Apple website.

You’ll find out here how to distribute the new profile (see section Assigning profiles).

VPN on demand

If you have specified a certificate-based authentication (e.g. Cisco AnyConnect or F5 SSL), you can use VPN on demand. You can define a list of URLs which the users select to be immediately connected to the VPN. This option is only available for iOS devices.

  • Create a VPN profile and select the Connection type IPSec (Cisco).
  • Under Machine authentication select the option Certificate.
  • Select the Enable VPN on demand checkbox and enter the appropriate URL.

Was this helpful?