Category filter

iOS VPN Settings

A Virtual Private Network (VPN) allows the users to send data through a private network. It creates a safe and encrypted connection to another network over the internet. VPN improves security by redirecting network traffic via a virtual network. It can route traffic only to the corporate-approved apps. Hexnode allows the admin to set up VPN configurations on iOS via the UEM console.

Configure VPN settings via policy

To configure VPN settings via policy,

  1. Login to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Network > VPN, click Configure.

create VPN configuration settings for iOS devices with mdm
VPN Settings Description
Connection Type Select the connection type and the rest of the settings change accordingly. The available connection types are IKEv2, Always-On, L2TP (default), PPTP, IPSec (Cisco), Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Aruba VIA, Check Point Mobile VPN, Open VPN, and iboss Cloud Connector 2020.
Connection Name Name for the VPN connection to be shown in the devices.
Server The IP address or fully qualified domain name (FQDN) of the VPN server to connect with the devices.
Account Provide the username for authenticating to the VPN server. This field supports the use of wildcards. The supported wildcards are
  • %name%
  • %email%
Proxy Set up proxy automatically or manually or select None (default) to skip the process.

Configuring IKEv2 Settings

IKEv2 Connection
IKEv2 Settings Description
Server Address Enter the IP address or hostname of the VPN server.
Remote Identifier Enter the remote identifier to identify the IKEv2 server. The supported formats are:
  • FQDN
  • UserFQDN
  • Address
  • ASN1DN
Local Identifier Enter the local identifier supplied by the VPN client and used by the mobile device. The supported formats are:
  • FQDN
  • UserFQDN
  • Address
  • ASN1DN
Machine Authentication Specify the device credentials to authenticate to the VPN server. The available options are:
  1. Certificate: To authenticate using certificate, select an existing certificate profile.
    • Certificate type: Specify the encryption type used by the certificate. The available encryption types are RSA, ECDSA256, ECDSA384, ECDSA521.
    • Server certificate issuer common name: Provide the Server certificate issuer common name of the VPN server certificate to establish the VPN connection.
    • Server Certificate Common Name: Provide the common name of the certificate itself. If left blank, the remote identifier value is used.
  2. Shared Secret: Provide a shared secret also known as the pre-shared key (PSK) to authenticate the VPN server.
  3. None

Note:
  • When ‘Machine Authentication’ is set to ‘None’ and ‘Enable Extended Authentication’ is disabled, the value of ‘Machine Authentication’ defaults to ‘Shared Secret’.

Enable Extended Authentication To enable EAP-only authentication, ‘Machine Authentication’ should be set to ‘None’ and ‘Enable Extended Authentication’ must be checked. When enabled, enter the Username and Password for the VPN server.
Enable NAT Keepalive To stay connected to the VPN, the device sends network packets called NAT Keepalive to remain active.
When enabled, offloads send NAT keepalives to hardware while the device is asleep, which keeps the connection up across device sleep cycles.
NAT Keepalive Interval (in seconds) If NAT keepalive is enabled, an interval time value must be set. The minimum interval is 20 seconds. By default, this value is set to 3600 seconds.
Dead Peer Detection Rate Select how often to detect unresponsive VPN connections. The available options are:
  • None: Select this option to disable dead peer detection.
  • Low: Select this option to send a keepalive message every 30 minutes.
  • Medium(default): Select this option to send a keepalive message every 10 minutes.
  • High: Select this option to send a keepalive message every 60 seconds.
Enable Perfect Forward Secrecy Enables Perfect Forward Secrecy (PFS) for your VPN connection. Doing so prevents past sessions from being decrypted.
Enable Certificate Revocation Check Allows the device to check the certificates it gets from the VPN server against a Certificate Revocation List (CRL).
Use IPv4 / IPv6 Internal Subnet Attributes Check this option to enable both IPv4 and IPv6 tunnels for your VPN connection.
Disable MOBIKE When unchecked, it allows the device to keep the VPN connection active if:
  • The IP address of the device changes
  • One of the interfaces stops working
Disable Redirect When checked, it disables redirection to another VPN server.
Security parameters Select the configurations required for either IKE or Child parameters.

The list of configurations required for IKE or Child security parameters include:

VPN Settings Description
Encryption Algorithm You can select one of the below algorithms:
  • DES
  • 3DES
  • AES-128
  • AES-256(default)
  • AES-128-GCM
  • AES-256-GCM
Integrity Algorithm You can select one of the below algorithms:
  • SHA1-96
  • SHA1-160
  • SHA2-256(default)
  • SHA2-384
  • SHA2-512
Diffie-Hellman Group Select the required Diffie-Hellman group. The available groups are 1, 2, 5, 14(default), 15, 16, 17, 18, 19, 20, 21.
Lifetime (in minutes) Enter a value (in minutes) between 10 and 1440 to specify the re-key interval.Default value is 1440

Configurations for Always-On (Supervised iOS devices) Connection

Always-On Connection
Always-On Settings Description
Allow users to disable automatic connection When this option is checked, the users can disable the Always-On VPN connection.
Note:
  • Disabling the Connect Automatically option in the VPN settings on your device will lead to the complete loss of network connectivity.

Allow traffic from captive web sheet outside the VPN tunnel Captive Web Sheet is a built-in web browser that handles captive sign on. Check this option to permit traffic from captive web portals outside the VPN tunnel.
Allow traffic from all captive networking apps outside the VPN tunnel

A captive network refers to Wi-Fi hotspots typically found in public venues that offer free Wi-Fi hotspots.

Users are redirected to an authentication portal or captive portal when they try to access the network and are required to log in or authenticate before gaining access to the network. Captive networking apps are designed to facilitate interaction with captive portals.

Check this option to permit traffic from all captive networking apps outside the VPN tunnel. When this option is unchecked, add the required captive networking app(s) or app group(s) to permit traffic from the specific app(s) outside the VPN tunnel.

Service Exceptions: The system services that are exempt from Always-On VPN include Voicemail, AirPrint, and Cellular Services.

Always-On Settings Description
Voicemail Configure Voicemail to use one of the following:
  • Allow traffic via tunnel
  • Allow traffic outside the tunnel
  • Drop traffic
AirPrint Configure AirPrint to use one of the following:
  • Allow traffic via tunnel
  • Allow traffic outside the tunnel
  • Drop traffic
Cellular Services
(iOS 11.3+)
Configure Cellular Services to use one of the following:
  • Allow traffic via tunnel
  • Allow traffic outside the tunnel
  • Drop traffic
Use same tunnel configuration for Cellular and Wi-Fi Check this option to use the same configuration for both Wi-Fi and mobile data.

IKEv2 Settings: Specify the tunnel configurations separately for Wi-Fi and cellular data when Use same tunnel configuration for Cellular and Wi-Fi option is disabled.

Configuring L2TP Settings

L2TP Connection
L2TP Settings Description
User authentication Choose how the device needs to authenticate the VPN server. Two choices are available – Password and RSA SecurID (default).
Password

(If Password is selected for user authentication)

Enter the password which is used to authenticate with the server.
Shared secret A second password required to establish a connection. Also known as pre-shared key, the shared secret is previously known to the device and the VPN server, and no one else. This key is used just to establish a connection and not used for encryption.
Send all traffic Send all network traffic via VPN. Disabled by default.

Configuring PPTP Settings

PPTP Connection
PPTP Settings Description
User authentication The method which is used to authenticate with the VPN server. Available options are Password and RSA SecurID (default).
Password

(If Password is selected for user authentication)

The password which is required to connect to the VPN server.
Encryption level Select how secure your VPN connection should be. You can choose from None (default), Automatic and Maximum (128 bit).
Send all traffic Force all traffic through the VPN. Disabled by default.

Configuring IPSec (Cisco)

IPSEC (Cisco)
IPSec (Cisco) Settings Description
Password Provide the password for server authentication.
Machine authentication Select a machine authentication method – Certificate, Shared secret/Group name (default).
Certificate

(Select certificate machine authentication to modify)

Select a credential certificate for machine authentication. If no certificates are found, probably you haven’t uploaded any. Go to iOSSecurityCertificates to upload a new certificate.
Include user PIN

(Select certificate machine authentication to modify)

The device asks the user to provide PIN while attempting to make a connection. Disabled by default.
Group name

(Select shared secret/group name machineauthentication to modify)

The group name of the connection.
Shared secret

(Select shared secret/group name machineauthentication to modify)

A second password, previously known to the device and the VPN server (and no one else), required to establish a connection. This key is not used for encryption, it is used just to establish a connection.
Use hybrid authentication

(Select shared secret/group name machine authentication to modify)

Enable this option to use hybrid authentication. Hybrid authentication is a more secure way of authentication by using a server-side certificate for the process. Hybrid authentication is disabled by default.
Prompt for password

(Select shared secret/group name machine authentication to modify)

The device prompts the user to provide the password. By default, the device will not prompt for password.

Configuring Cisco AnyConnect

Cisco AnyConnect
AnyConnect Settings Description
Group Enter group name of AnyConnect VPN.
User authentication Select how devices authenticate with the VPN server. Select from Password and Certificate. Password will be selected by default.
Password

(Enter password if password user authentication method is selected)

Provide the password which is required to authenticate with the VPN server.
Certificate

(Select the certificate if certificate user authentication method is selected)

Select the credential certificate from the list. To add a new certificate, go to iOS > Security > Certificates and upload a new one there.

Configuring Juniper SSL

Juniper SSL Connections
Juniper SSL Settings Description
Realm Provide the authentication realm. This is the server to which the device needs to be authenticated to.
Role Assign a role to the user. In short, specify the resources which the users can access.
User authentication Choose a user authentication method, Password (default) or Certificate, to connect to the VPN server.
Password

(If password is selected as the user authentication method)

Enter the password to authenticate to the VPN server.
Certificate

(If certificate is selected as the user authentication method)

Select a credential certificate from the list or add a new one at iOS > Security > Certificates

Configuring F5 SSL

F5 SSL
F5 SSL Settings Description
User authentication Select an authentication method, one which is used to authenticate to the VPN server. The available options are Password (default) and Certificate.
Password

(Can be modified if password is selected as the user authentication method)

Provide the password which is used to authenticate to the VPN server.
Certificate

(Can be modified if certificate is selected as the user authentication method)

To select a certificate, go to iOSSecurityCertificates and upload one there. After adding a certificate, it’ll be available to select from here.

Configuring SonicWALL Mobile Connect

SonicWall Mobile Connect
Mobile Connect Settings Description
Login group or domain The login group name or the domain name.
User authentication Select how to authenticate with the VPN server, using a password (default) or a certificate.
Password

(If selected Password in user authentication field)

Specify a password which can provide you access to the VPN server.
Certificate

(If selected Certificate in user authentication field)

Add a certificate from iOS > Security > Certificates and it’ll be available to select from this field.

Configuring ArubaVIA, Check Point Mobile VPN and Open VPN

ArubaVIA, Check Point Mobile VPN and Open VPN
Settings Description
User authentication Select the method of authentication from two options – Password(default) and Certificate.
Password

(Available if user authentication is set Password)

Provide the password to connect to the VPN server.
Certificate

(Available if user authentication is set Certificate)

Select an existing credential certificate from the list. To add one, proceed to iOS > Security > Certificates.

Configuring iboss Cloud Connector 2020

iboss Cloud Connector 2020
Settings Description
User authentication Select the method of authentication from two options – Password and Certificate (default).
Password 

(Available if Password is selected as the method of user authentication)

Provide the password to connect to the VPN server.
Certificate 

(Available if Certificate is selected as the method of user authentication)

Select an existing credential certificate from the list. To add one, proceed to iOS > Security > Certificates.
Third party VPN Configuration Configure information specific to third party VPN solutions (apps) which the iOS devices do not support directly.

Note:


For third party types of VPN connection, corresponding VPN apps must be installed on the devices. Few third-party VPN apps are available in the App Store.

VPN On Demand

When a VPN profile is configured, natively the user must turn it on manually on the device. Since VPN works over ethernet, Wi-Fi or cellular networks, VPN turns off automatically once the device loses the network connectivity. VPN On Demand allows you to automatically connect to the VPN when on specific networks, thereby eliminating any manual intervention. You can even customize the on-demand VPN connectivity through multiple rules configured via the MDM console.

VPN On Demand can be configured for the following Connection Types:

  • IPSec (Cisco)
  • Cisco AnyConnect
  • Juniper SSL
  • F5 SSL
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Check Point Mobile VPN
  • Open VPN
  • iboss cloud connector 2020

Enable VPN On Demand

To set up VPN On Demand, you have to choose the authentication type as Certificate in Machine Authentication/User Authentication. Then, check the option VPN On Demand and then on + Add VPN On Demand Rule to set up the configurations.

iOS VPN on demand configuration in Hexnode MDM
Settings Description
Action Select the action that defines the VPN connectivity of the device based on the configured on-demand VPN rules. If the configured rules are satisfied, the selected action is carried out on the device. You can choose any one of the following actions:

Connect: Choose this action to unconditionally initiate an on-demand VPN connection whenever the system tries to connect to a network. The network connectivity will be blocked until the VPN connection is established.

Disconnect: Choose this to disable the current VPN connection and to disable future on-demand VPN connections on the device.

Ignore: Choose this to stop making new on demand VPN connections; however, the current VPN status of the device will be left unchanged.

Network type Select the network type to be configured for VPN On Demand. The available options are Ethernet, Wi-Fi (default), Cellular and None.

Select None to apply the on-demand VPN configurations to the device irrespective of the connected network.

SSID Enter the SSID of a Wi-Fi network. The on-demand VPN configurations will take effect only if the device is connected to the specified network.
Note:


Applicable only if the Network Type is Wi-Fi.


You can add multiple SSID’s by clicking on the “+Add” icon.
Domain Provide the domain name. The connection can only be established if the device’s current network search domain is added to this list. You can add multiple domains by clicking on “+Add”.
Server Address Provide the IP Address. The VPN on-demand connection rules are satisfied only if the network’s specified DNS server addresses matches the IP addresses added here. You can add multiple addresses by clicking “+Add”.
Probe URL Enter an HTTP or HTTPS URL to probe. The VPN on-demand rule is fulfilled only if this URL is successfully fetched. If succeeds, the URL will return an HTTP 200 OK response without any redirections.

If this field is left empty, the HTTP request does not factor into the VPN connection rules.

Exception:


If the on-demand VPN policy attached to an iPhone 4S is disassociated, the VPN connection will be cut off. Consequently, the device will behave like one with no network connectivity, even though it remains connected to the network. The users may have to restart the device to regain network connectivity. Note that this is applicable only for iPhone 4S.

Proxy Settings

A proxy server is used to serve as an intermediary between the devices and the internet by hiding the actual IP address of the device thereby reducing the level of risk incurred by the device. You can either skip setting up a proxy server for VPN or you can set it up, manually or automatically.

  1. None – Select this option if you don’t want to set up a proxy server.
  2. Manual – To set up proxy manually, provide
    • Server – The IP address or the domain name of the proxy server.
    • Port – Port number of the proxy server.
    • Authentication – Username required to connect to the proxy server.
    • Password – Password which is required to authenticate to the proxy server.
  3. Automatic – If you’d like to set up proxy automatically, provide the proxy server URL.

How to associate VPN with iOS Devices/Groups?

If the policy has not been saved,

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click OK. Click Save.
  3. You can also associate the policy with device groups, users, user groups or domains from the left pane of the Policy Targets tab.

If you have the policy saved already,

  1. Go to Policies tab and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.

What happens at the device end?

Once the policy is successfully associated, the VPN configuration will be saved under Settings > General > VPN.

your VPN will be saved on the device settings

  • Managing iOS Devices