
iOS and macOS: VPN profile settings

macOS applies profiles to user accounts or devices. You can configure a VPN profile to apply to one or the other.
iOS and macOS: VPN profile setting
Description
Apply profile to
This setting specifies whether the VPN profile is applied to the user account or the device.
Possible values:
  • User
  • Device
This setting is valid only for macOS devices.
Connection type
This setting specifies the connection type that a device uses for a VPN gateway. Some connection types also require users to install the appropriate VPN app on the device.
Possible values:
  • L2TP
  • PPTP
  • IPsec
  • Cisco AnyConnect
  • Juniper
  • Pulse Secure
  • F5
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Check Point Mobile
  • OpenVPN
  • Custom
  • IKEv2
The default value is "L2TP."
Some values are not valid for macOS devices.
VPN bundle ID 
This setting specifies the bundle ID of the VPN app for a custom SSL VPN. The bundle ID is in reverse-DNS format (for example, com.example.VPNapp).
This setting is valid only if the "Connection type" setting is set to "Custom."
Server 
This setting specifies the FQDN or IP address of a VPN server.
Username
This setting specifies the username that a device uses to authenticate with the VPN gateway. If the profile is for multiple users, you can specify the %UserName% variable.
Custom key-value pairs
This setting specifies the keys and associated values for the custom SSL VPN. The configuration information is specific to the vendor's VPN app.
This setting is valid only if the "Connection type" setting is set to "Custom."
Login group or Domain
This setting specifies the login group or domain that the VPN gateway uses to authenticate an iOS device.
This setting is valid only if the "Connection type" setting is set to "SonicWALL Mobile Connect."
Realm
This setting specifies the name of the authentication realm that the VPN gateway uses to authenticate an iOS device.
This setting is valid only if the "Connection type" setting is set to "Juniper" or "Pulse Secure."
Role
This setting specifies the name of the user role that the VPN gateway uses to verify the network resources that an iOS device can access.
This setting is valid only if the "Connection type" setting is set to "Juniper" or "Pulse Secure."
Authentication type 
This setting specifies the authentication type for the VPN gateway.
The "Connection type" setting determines which authentication types are supported and the default value for this setting.
Possible values:
  • Password
  • RSA SecurID
  • Shared secret/Group name
  • Shared certificate
  • SCEP
  • User credential
Password
This setting specifies the password that a device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" setting is set to "Password."
Group name
This setting specifies the group name for the VPN gateway.
This setting is valid only in the following conditions:
  • The "Connection type" setting is set to "Cisco AnyConnect."
  • The "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name."
Shared secret
This setting specifies the shared secret to use for VPN authentication.
This setting is valid only in the following conditions:
  • The "Connection type" setting is set to "L2TP."
  • The "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name."
  • The "Connection type" setting is set to "IKEv2" and the "Authentication method" setting is set to "Shared secret."
Shared certificate profile
This setting specifies the shared certificate profile with the client certificate that a device uses to authenticate with the VPN gateway.
This setting is valid only if the "Authentication type" or the "Authentication method" setting is set to "Shared certificate."
Associated SCEP profile 
This setting specifies the associated SCEP profile that an iOS device uses to obtain a client certificate to authenticate with the VPN.
This setting is valid only if the "Authentication type" or the "Authentication method" setting is set to "SCEP."
Associated user credential profile
This setting specifies the associated user credential profile that a device uses to obtain a client certificate to authenticate with the VPN.
This setting is valid only if the "Authentication type" or the "Authentication method" setting is set to "User credential."
Encryption level
This setting specifies the level of data encryption for the VPN connection. If this setting is set to "Automatic," all available encryption strengths are allowed. If this setting is set to "Maximum," only the maximum encryption strength is allowed.
This setting is valid only if the "Connection type" setting is set to "PPTP."
Possible values:
  • None
  • Automatic
  • Maximum
The default value is "None."
Route network traffic through VPN
This setting specifies whether to send all network traffic through the VPN connection.
This setting is valid only if the "Connection type" setting is set to "L2TP" or "PPTP."
Use hybrid authentication
This setting specifies whether to use a server-side certificate for authentication.
This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name."
Prompt for password
This setting specifies whether a device prompts the user for a password.
This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared secret/Group name."
Prompt for user PIN
This setting specifies whether the device prompts the user for a PIN. 
This setting is valid only if the "Connection type" setting is set to "IPsec" and the "Authentication type" setting is set to "Shared Certificate," "SCEP," or "User credential."
Remote address
This setting specifies the IP address or hostname of the VPN server.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Local ID
This setting specifies the identity of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, or ASN1DN.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Remote ID
This setting specifies the remote identifier of the IKEv2 client in one of the following formats: FQDN, UserFQDN, Address, or ASN1DN.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Authentication method
This setting specifies the authentication method for the VPN.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Possible values:
  • Shared secret
  • Shared certificate
  • SCEP
  • User credential
Enable VPN on demand
This setting specifies whether a device can start a VPN connection automatically when it accesses certain domains.
For iOS devices, this setting applies to work apps.
This setting is valid only in the following conditions:
  • The "Connection type" setting is set to "IPsec," "Cisco AnyConnect," "Juniper," "Pulse Secure," "F5," "SonicWALL Mobile Connect," "Aruba VIA," "Check Point Mobile," "OpenVPN," or "Custom" and the "Authentication type" is set to "Shared certificate," "SCEP," or "User credential."
  • The "Connection type" setting is set to "IKEv2" and the "Authentication method" is set to "Shared certificate."
Domain or host names that can use VPN on demand
This setting specifies the domains and the associated actions for VPN on demand.
This setting is valid only if the "Enable VPN on demand" setting is selected.
Possible values for "On demand action": 
  • Always establish
  • Establish if needed
  • Never establish
VPN on demand rules for iOS 7.0 and later
This setting specifies the connection requirements for VPN on demand. You must use one or more keys from the payload format example. 
This setting overrides the "Domain or host names that can use VPN on demand" setting.
This setting is valid only if the "Enable VPN on demand" setting is selected.
Enable extended authentication
This setting specifies whether the VPN supports xAuth.
This setting is valid only if the "Connection type" setting is set to "IKEv2" or "IKEv2 Always On."
Minimum TLS version
This setting specifies the minimum TLS version that devices running iOS 11 and later use for EAP-TLS authentication.
This setting is valid only if the "Enable xAuth" setting is selected and the "Authentication type" setting is set to "Certificate."
Possible values:
  • 1.0
  • 1.1
  • 1.2
The default setting is "1.0."
Maximum TLS version
This setting specifies the maximum TLS version that devices running iOS 11 and later use for EAP-TLS authentication.
This setting is valid only if the "Enable xAuth" setting is selected and the "Authentication type" setting is set to "Certificate."
Possible values:
  • 1.0
  • 1.1
  • 1.2
The default setting is "1.2."
Keepalive interval
This setting specifies how often a device sends a keepalive packet.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Possible values:
  • Disabled
  • 30 minutes
  • 10 minutes
  • 1 minute
The default setting is "10 minutes."
Disable MOBIKE
This setting specifies whether MOBIKE is disabled.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
The minimum requirement for iOS devices is iOS 9.
Disable IKEv2 redirect
This setting specifies whether IKEv2 redirect is disabled. If this setting is not selected, the IKEv2 connection is redirected if a redirect request is received from the server.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
The minimum requirement for iOS devices is iOS 9.
Enable perfect forward secrecy
This setting specifies whether the VPN supports PFS.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
The minimum requirement for iOS devices is iOS 9.
Enable NAT keepalive
This setting specifies whether the VPN supports NAT keepalive packets. Keepalive packets are used to maintain NAT mappings for IKEv2 connections.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
The minimum requirement for iOS devices is iOS 9.
NAT keepalive interval
This setting specifies how often a device sends a NAT keepalive packet (in seconds).
This setting is valid only if the "Connection type" setting is set to "IKEv2" and the "Enable NAT keepalive" setting is selected.
The minimum value and the default value are both 20.
The minimum requirement for iOS devices is iOS 9.
Use IPv4 and IPv6 IKEv2 internal subnets
This setting specifies whether the VPN can use the IKEv2 configuration attributes INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
The minimum requirement for iOS devices is iOS 9.
Common name of the server certificate
This setting specifies the common name in the certificate that the IKE server sends to the device.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Common name of the server certificate issuer
This setting specifies the common name of the certificate issuer in the certificate that the IKE server sends to the device.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Apply Child Security Association parameters
This setting specifies whether to apply child security association parameters.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
Apply IKE Security Association parameters
This setting specifies whether to apply IKE security association parameters.
This setting is valid only if the "Connection type" setting is set to "IKEv2."
DH group
This setting specifies the DH group that a device uses to generate key material.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
Possible values:
  • 0
  • 1
  • 2
  • 5
  • 14
  • 15
  • 16
  • 17
  • 18
The default setting is "2."
Encryption algorithm
This setting specifies the IKE encryption algorithm.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
Possible values:
  • DES
  • 3DES
  • AES 128
  • AES 256
The default setting is "3DES."
Integrity algorithm
This setting specifies the IKE integrity algorithm.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
Possible values:
  • SHA1 96
  • SHA1 160
  • SHA1 256
  • SHA2 384
  • SHA2 512
The default value is "SHA1 96."
Rekey interval
This setting specifies the lifetime of the IKE connection.
This setting is valid only if the "Apply Child Security Association parameters" or "Apply IKE Security Association parameters" setting is selected.
The possible values are from 10 to 1440 minutes.
The default value is 1440.
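Several defaults documented above (PPTP with "Encryption level" of "None", DH group 2, 3DES, SHA1 96, minimum TLS 1.0) are weak by current standards. The following audit routine is an added example, not code from this reference or its product; it represents a profile as a constructed dict keyed by the setting names on this page (a hypothetical representation) and flags those weak values before the profile is assigned.

```python
# Added audit example (not part of the original settings reference). The profile is a
# constructed dict keyed by the setting names used on this page; missing keys fall back
# to the defaults the page documents.

# Modulus size in bits of each DH group offered by the "DH group" setting
# (group 0 means no Diffie-Hellman exchange at all).
DH_GROUP_BITS = {0: 0, 1: 768, 2: 1024, 5: 1536, 14: 2048,
                 15: 3072, 16: 4096, 17: 6144, 18: 8192}

# Defaults stated on this page, used when the setting is absent from the profile.
DEFAULTS = {"Encryption level": "None", "DH group": 2,
            "Encryption algorithm": "3DES", "Integrity algorithm": "SHA1 96",
            "Minimum TLS version": "1.0"}


def setting(profile, name):
    return profile.get(name, DEFAULTS.get(name))


def audit_vpn_profile(profile):
    """Return a list of findings; an empty list means nothing weak was detected."""
    findings = []
    ctype = profile.get("Connection type", "L2TP")  # page default is L2TP
    if ctype == "PPTP":
        findings.append("PPTP is obsolete; migrate to IKEv2")
        if setting(profile, "Encryption level") == "None":
            findings.append("Encryption level 'None' (the default) sends PPTP traffic unencrypted")
    if ctype == "IKEv2":
        sa_applied = (profile.get("Apply IKE Security Association parameters")
                      or profile.get("Apply Child Security Association parameters"))
        if sa_applied:
            dh = setting(profile, "DH group")
            bits = DH_GROUP_BITS.get(dh, 0)
            if bits < 2048:
                findings.append(f"DH group {dh} ({bits}-bit) is too small; use group 14 or higher")
            if setting(profile, "Encryption algorithm") in ("DES", "3DES"):
                findings.append("64-bit block cipher (DES/3DES); use AES 256")
            if setting(profile, "Integrity algorithm") in ("SHA1 96", "SHA1 160"):
                findings.append("SHA-1 integrity; use SHA2 384 or SHA2 512")
        if not profile.get("Enable perfect forward secrecy", False):
            findings.append("Perfect forward secrecy is not enabled")
        # Minimum TLS version only matters when xAuth (EAP-TLS) is in use.
        if (profile.get("Enable extended authentication")
                and setting(profile, "Minimum TLS version") in ("1.0", "1.1")):
            findings.append("Minimum TLS version for EAP-TLS is below 1.2")
    return findings
```

An IKEv2 profile that relies on the page defaults with SA parameters applied and xAuth enabled produces five findings; raising DH to 14, AES 256, SHA2 384, PFS and TLS 1.2 clears them all.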
Enable per-app VPN
This setting specifies whether the VPN gateway supports per-app VPN. This feature helps decrease the load on an organization’s VPN. For example, you can enable only certain work traffic to use the VPN, such as accessing application servers or webpages behind the firewall.
This setting is valid only if the "Connection type" setting is set to "Cisco AnyConnect," "Juniper," "Pulse Secure," "F5," "SonicWALL Mobile Connect," "Aruba VIA," "Check Point Mobile," "OpenVPN," "Custom," or "IKEv2."
Allow apps to connect automatically
This setting specifies whether apps associated with per-app VPN can start the VPN connection automatically.
This setting is valid only if the "Enable per-app VPN" setting is selected.
Safari domains
This setting specifies the domains that can start the VPN connection in Safari.
This setting is valid only if the "Enable per-app VPN" setting is selected.
Traffic tunneling
This setting specifies whether the VPN tunnels traffic at the application layer or the IP layer.
This setting is valid only if the "Enable per-app VPN" setting is selected.
Possible values:
  • Application layer
  • IP layer
The default setting is "Application layer."
Associated proxy profile 
This setting specifies the associated proxy profile that an iOS device uses to connect to a proxy server when the device is connected to the VPN.