VPN overview for Apple device deployment
Secure access to private corporate networks is available in iOS, iPadOS, macOS, tvOS, watchOS, and visionOS using established industry-standard virtual private network (VPN) protocols.
Supported protocols
iOS, iPadOS, macOS, tvOS, watchOS, and visionOS support the following protocols and authentication methods:
IKEv2: Support for both IPv4 and IPv6 and the following:
Authentication methods: Shared secret, certificates, EAP-TLS and EAP-MSCHAPv2
Suite B cryptography: ECDSA certificates, ESP encryption with GCM, and ECP Groups for the Diffie-Hellman Group
Additional features: MOBIKE, IKE fragmentation, server redirect, split tunnel
iOS, iPadOS, macOS, and visionOS also support the following protocols and authentication methods:
L2TP over IPsec: User authentication by MS-CHAP v2 password, two-factor token, certificate, machine authentication by shared secret or certificate
macOS can also use Kerberos machine authentication by shared secret or certificate with L2TP over IPsec.
IPsec: User authentication by password, two-factor token, and machine authentication by shared secret and certificates
If your organization supports those protocols, no additional network configuration or third-party apps are required in order to connect Apple devices to your virtual private network.
Support includes technologies such as IPv6, proxy servers, and split tunneling. Split tunneling provides a flexible VPN experience when connecting to an organization’s networks.
In addition, the Network Extension framework allows third-party developers to create a custom VPN solution for iOS, iPadOS, macOS, tvOS, and visionOS. Several VPN providers have created apps to help configure Apple devices for use with their solutions. To configure a device for a specific solution, install the provider’s companion app and optionally, provide a configuration profile with the necessary settings.
VPN On Demand
For devices with iOS, iPadOS, macOS, tvOS, and visionOS, VPN On Demand lets Apple devices automatically establish a connection on an as-needed basis. It requires an authentication method that doesn’t involve user interaction—for example, certificate-based authentication. VPN On Demand is configured using the OnDemandRules
key in a VPN payload of a configuration profile. Rules are applied in two stages:
Network detection stage: Defines VPN requirements that are applied when the device’s primary network connection changes.
Connection evaluation stage: Defines VPN requirements for connection requests to domain names on an as-needed basis.
Rules can be used to do things like:
Recognize when an Apple device is connected to an internal network and VPN isn’t necessary
Recognize when an unknown Wi-Fi network is being used and require VPN
Start the VPN when a DNS request for a specified domain name fails
Per-app VPN
For devices with iOS, iPadOS, macOS, watchOS, and visionOS 1.1, VPN connections can be established on a per-app basis, which provides more granular control over which data goes through VPN. This ability to segregate traffic at the app level allows the separation of personal data from organizational data—resulting in secure networking for internal-use apps, while at the same time preserving the privacy of personal device activity.
Per-app VPN lets each app that’s managed by a mobile device management (MDM) solution communicate with the private network using a secure tunnel, while excluding unmanaged apps from using the private network. Managed Apps can be configured with different VPN connections to further safeguard data. For example, a sales quote app might use an entirely different data center than an accounts payable app.
After creating a per-app VPN for any VPN configuration, you need to associate that connection with the apps using it to secure the network traffic for those apps. You do this with the per-app VPN mapping payload (macOS) or by specifying the VPN configuration within the app installation command (iOS, iPadOS, macOS, visionOS 1.1).
Per-app VPN can be configured to work with the built-in IKEv2 VPN client in iOS, iPadOS, watchOS, and visionOS 1.1. For information about per-app VPN support in custom VPN solutions, contact your VPN vendors.
Note: To use per-app VPN in iOS, iPadOS, watchOS 10, and visionOS 1.1, an app must be managed by MDM.
Always On VPN
Always On VPN available for IKEv2 gives your organization full control over iOS and iPadOS traffic by tunneling all IP traffic back to the organization. Your organization can now monitor and filter traffic to and from devices, secure data within your network, and restrict device access to the internet.
Always On VPN activation requires device supervision. After the Always On VPN profile is installed on a device, Always On VPN automatically activates with no user interaction, and it stays activated (including across restarts) until the Always On VPN profile is uninstalled.
With Always On VPN activated on the device, the VPN tunnel bring-up and teardown is tied to the interface IP state. When the interface gains IP network reachability, it attempts to establish a tunnel. When the interface IP state goes down, the tunnel is torn down.
Always On VPN also supports per-interface tunnels. For devices with cellular connections, there’s one tunnel for each active IP interface (one tunnel for the cellular interface and one tunnel for the Wi-Fi interface). As long as the VPN tunnels are up, all IP traffic is tunneled. Traffic includes all IP-routed traffic and all IP-scoped traffic (traffic from first-party apps such as FaceTime and Messages). If the tunnels aren’t up, all IP traffic is dropped.
All traffic tunneled from a device reaches a VPN server. You can apply optional filtering and monitoring treatments before forwarding the traffic to its destination within your organization’s network or to the internet. Similarly, traffic to the device is routed to your organization’s VPN server, where filtering and monitoring processes may be applied before being forwarded to the device.
Note: Apple Watch pairing isn’t supported with Always On VPN.
Transparent proxy
Transparent proxies are a special VPN type on macOS and can be used in different ways to monitor and transform network traffic. Common use cases are content filter solutions and brokers to access cloud services. Due to the variety of uses, it’s a good idea to define the order in which those proxies get to see and handle traffic. For example, you want to invoke proxy filtering network traffic before invoking a proxy that encrypts the traffic. You do this by defining the order in the VPN payload.