Per app VPN configuration (iOS device profile)

With the Per app VPN configuration you define VPN settings to support the iOS feature Per app VPN.

You can configure apps to automatically connect to VPN when they are started. This lets you ensure, for example, that data transmitted by managed apps travels through VPN.

After you have set up per app VPN configurations, you can select a configuration on the Edit package page of an application. See Configure per app VPN and settings for iOS apps.

Setting/Field Description
Connection name

The name of the connection shown on the device.

Connection type

The type of the VPN connection:
  • Cisco AnyConnect
  • F5
  • Check Point
  • Custom SSL

Different entry fields are shown on the VPN page depending on the connection type you select here.

Identifier (reverse DNS format) (connection type Custom SSL)

The custom identifier in reverse DNS format.

Server (all connection types)

The host name or the IP address of the server.

Account (all connection types)

The user account for the authentication of the connection.

Custom data (connection type Custom SSL)

If your vendor has specified custom connection properties, you can enter them in this field.

To enter a property, click Add and then enter the Key and Value of the property in the dialog box.

Group (connection type Cisco AnyConnect)

In this field, enter the group that may be required for the authentication of the connection.

Send all traffic through VPN

All traffic is sent through VPN.

User authentication (connection type Cisco AnyConnect, F5, Custom SSL)

In this list, select the type of user authentication for the connection:
  • Password

    If you select this option, the Password field is shown below the User authentication field. Enter the password for authentication.

  • Certificate

    If you select this option, the Certificate field is shown below the User authentication field. Select a certificate.

Device authentication (connection type IPSec (Cisco))

In this list, select the type of device authentication:
  • Keys (Shared Secret)/Group name

    If you select this option, the fields Group name, Keys (Shared Secret), Use hybrid authentication and Request password are displayed below the Device authentication field. Enter the required authentication information in the Group name and Keys (Shared Secret) fields. Select Use hybrid authentication and Request password as required.

  • Certificate

    If you select this option, the fields Certificate and Including user PIN are displayed below the Device authentication field. In the Certificate list, select the required certificate. Select Including user PIN to include the user PIN in device authentication.

Proxy (all connection types)

In this list, select the proxy settings for the connection:
  • None
  • Manually

    If you select this option, the fields Server and port, Authentication and Password are displayed. In the Server and port field, enter the valid address and the port of the proxy server. In the Authentication field, enter the user name for the connection to the proxy server. In the Password field, enter the password for the connection to the proxy server.

  • Automatic

    If you select this option, the Proxy server URL field is displayed. Enter the URL of the server with the proxy setting in this field.

Provider type

The VPN connection type.

  • App proxy: Network traffic is sent through a VPN tunnel at the application layer.
  • Packet tunnel: Network traffic is sent through a VPN tunnel at the network layer.

Safari domains

In this field, you can enter a list of domain strings.

When a domain that matches one of the domain strings is opened in Safari or another browser app, the VPN connection is triggered.

Use a new line for each domain string.

The rule matching behavior is as follows:
  • Leading and trailing dots are ignored. For example, the string .example.com matches the same domains as the string example.com.
  • Each string component must match a whole domain component. For example, the string example.com matches the domain www.example.com, but not www.myexample.com.
  • Strings with a single component only match that specific domain. For example, the string example matches the domain example, but not www.example.com.
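The following added example (not part of the product or its documentation) models the three matching rules above so that a list of domain strings can be checked against hosts that must and must not trigger the VPN before the profile is deployed. The function names, the sample field contents and the host names are assumptions made for illustration, as is the case-insensitive comparison.

```python
def labels(name):
    # Rule 1: leading and trailing dots are ignored.
    # Lower-casing is an assumption here (DNS names are case-insensitive).
    stripped = name.strip().strip(".").lower()
    return stripped.split(".") if stripped else []


def rule_matches(rule, host):
    r, h = labels(rule), labels(host)
    if not r or not h:
        return False
    if len(r) == 1:
        # Rule 3: a single-component string matches only that exact domain.
        return h == r
    # Rule 2: every string component must equal a whole domain component,
    # compared from the right, so "example.com" never matches "myexample.com".
    return len(h) >= len(r) and h[-len(r):] == r


def parse_rules(field_text):
    # The field takes one domain string per line; blank lines are skipped.
    return [line.strip() for line in field_text.splitlines() if line.strip()]


def triggering_rule(field_text, host):
    # Return the first domain string that would trigger the VPN, else None.
    for rule in parse_rules(field_text):
        if rule_matches(rule, host):
            return rule
    return None


def audit(field_text, must_trigger, must_not_trigger):
    # Return the hosts whose behaviour differs from what the administrator expects.
    missed = [h for h in must_trigger if triggering_rule(field_text, h) is None]
    unexpected = [h for h in must_not_trigger if triggering_rule(field_text, h)]
    return {"missed": missed, "unexpected": unexpected}


# Constructed sample input: field contents and host names are illustrative only.
SAMPLE_FIELD = ".example.com\nintranet\n"

if __name__ == "__main__":
    report = audit(
        SAMPLE_FIELD,
        must_trigger=["www.example.com", "example.com", "intranet", "wiki.intranet"],
        must_not_trigger=["www.myexample.com", "example.com.other.test"],
    )
    print(report)
```

With the sample field, wiki.intranet is reported as missed because the single-component string intranet matches only the domain intranet itself.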