
Per app VPN configuration (iOS user policy)

The Per app VPN configuration lets you configure VPN settings for individual apps. When you assign the Per app VPN configuration to an app, the app uses the VPN for all its network traffic. See Assign a VPN connection to an iPhone or iPad app.

Settings

Connection name

The name of the connection shown on the device.

Connection type

The type of VPN connection:

  • Cisco AnyConnect
  • Cisco Legacy AnyConnect
  • F5
  • Check Point
  • Custom SSL/TLS

Select Custom SSL/TLS if your VPN vendor has an app in the App Store that provides the VPN connection.

Identifier (reverse DNS format)

The identifier of the VPN app in reverse DNS format.

The app must be installed on the device.

Example: com.example.vpn

Server

The hostname or IP address of the server.

Account

The user account for the authentication of the connection.

Third-party settings

If your vendor has specified custom connection properties, you can enter them in this field.

To enter a property, click Add and then enter the Key and Value of the property in the dialog box.

This setting is available for the Custom SSL/TLS connection type.

Send all traffic through VPN

All traffic is sent through VPN.

Connect automatically on demand

The device turns the VPN on when the app connects to the network.

When you turn this setting off, users must turn the VPN on manually.

Group

The group required for the authentication of the connection.

This setting is available for the Cisco AnyConnect and Cisco Legacy AnyConnect connection types.

User authentication

The type of user authentication for the connection, either Password or Certificate.

Password

The password for VPN authentication.

Certificate

The certificate for VPN authentication.

Proxy

The proxy settings for the connection:

  • No proxy
  • Manually

    If you select this option, the fields Server and port, Authentication and Password are displayed.

    In the Server and port field, enter the valid address and the port of the proxy server.

    In the Authentication field, enter the username for the connection to the proxy server.

    In the Password field, enter the password for the connection to the proxy server.

  • Automatic

    If you select this option, the Proxy server URL field is displayed.

    Enter the URL of the server with the proxy setting in this field.

Provider type

The VPN connection type.

  • App proxy: Network traffic is sent through a VPN tunnel at the application layer.
  • Packet tunnel: Network traffic is sent through a VPN tunnel at the network layer.

This setting isn’t available for the Cisco AnyConnect connection type.

Domains in Safari

Domains for which iOS uses a VPN connection when opened in Safari or other web browsers.

Domains in Calendar

Domains for which iOS uses a VPN connection when opened in Calendar.

Domains in Contacts

Domains for which iOS uses a VPN connection when opened in Contacts.

Domains in Mail

Domains for which iOS uses a VPN connection when opened in Mail.

How to enter domains

The following rules apply to the Domains in Safari, Domains in Calendar, Domains in Contacts, and Domains in Mail fields:

  • Enter one domain, partial domain, or host name per line.
  • A partial domain matches a domain name when all components match, starting at the right.

    For example, example.com matches www.example.com and mail.example.com, but not www.myexample.com or example.com.net.

  • Leading and trailing dots are ignored.

    For example, .example.com and example.com are equivalent.

  • When you enter a string without dots, it matches a host with that name.

    For example, com matches com, but not www.example.com.

For security reasons, an additional rule applies to the Domains in Calendar, Domains in Contacts, and Domains in Mail fields:

  • The second-level domain must match the second-level domain of your VPN server.

    For example, if your VPN server’s address is vpn.example.com, the domain can be mail.example.com but not mail.acme.com.
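
The matching rules above can be checked before a domain list goes into a policy. The following is an added example, not code from the product or from iOS: the function names are hypothetical, and it assumes the VPN server is configured as a hostname under a single-label top-level domain such as .com.

```python
def normalize(name):
    # Leading and trailing dots are ignored; DNS names are case-insensitive.
    return name.strip().strip(".").lower()

def matches(entry, host):
    """True if a domain-list entry matches a host name under the rules above."""
    e, h = normalize(entry), normalize(host)
    if not e or not h:
        return False
    if "." not in e:
        # A string without dots matches only a host with exactly that name.
        return h == e
    e_parts, h_parts = e.split("."), h.split(".")
    # All components of the entry must match, starting at the right.
    return len(h_parts) >= len(e_parts) and h_parts[-len(e_parts):] == e_parts

def second_level_domain(name):
    # Assumption: single-label TLD (.com); names under suffixes such as
    # .co.uk would need a public suffix list instead of "last two labels".
    return ".".join(normalize(name).split(".")[-2:])

def rejected_entries(entries, vpn_server):
    """Entries that break the extra Calendar/Contacts/Mail rule."""
    server_sld = second_level_domain(vpn_server)
    return [e for e in entries if second_level_domain(e) != server_sld]

if __name__ == "__main__":
    # Constructed sample values, taken from the examples in the text.
    for host in ("www.example.com", "www.myexample.com", "example.com.net"):
        print(host, matches("example.com", host))
    print(rejected_entries(["mail.example.com", "mail.acme.com"], "vpn.example.com"))
```

Comparing whole components rather than doing a plain string suffix test is what keeps www.myexample.com from matching example.com.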