IKEv2 MDM settings for Apple devices
You can configure an IKEv2 connection for an iPhone, iPad, or Mac enrolled in a mobile device management (MDM) solution. Choose IKEv2 and select Always On VPN if you want to configure a payload so that iPhone and iPad devices must have an active VPN connection in order to connect to any network. You can configure Always On VPN for cellular and Wi-Fi separately, or together.
You can use the IKEv2 settings in the table below with the VPN payload.
Setting | Description | Required
---|---|---
Connection name | The display name of the VPN connection. | Yes
Hostname | The IP address or fully qualified domain name (FQDN) of the VPN server. | Yes
Local Identifier | This value should usually match the user/device certificate’s identity (Subject Alternative Name or Subject Common Name), since the server implementation may require that match to validate the client’s identity. | Yes
Remote Identifier | This value should match the server certificate’s identity (Subject Alternative Name or Subject Common Name). Note: If this value doesn’t match the server certificate’s identity, | Yes
Always On VPN (Supervised) | Enables Always On VPN, which can tunnel all IP traffic back to your organization. Different configurations can be set up for Cellular and Wi-Fi. | No
Allow disabling connections | Specifies whether users can disable the Always On VPN connection. | No
Use same configuration | Specifies whether to use the same configuration for Wi-Fi and cellular. | No
Machine authentication | The options are: | No
Extended authentication | Enables the Extensible Authentication Protocol (EAP). When enabled, select from the following authentication methods: Note: Both authentication methods must be used for EAP–PEAP. | No
Disconnect on idle | The options are: | No
NAT keepalive | Offloads sending NAT keepalives to hardware while the device is asleep, which keeps the connection up across device sleep cycles. If NAT keepalive is selected, an interval time value must be set. The minimum is 20 seconds. | No
Dead peer detection rate | How often to detect unresponsive connections. The options are: | No
Redirects | Allows redirection to another VPN server. | No
Mobility and multihoming | Allows the device to keep the VPN connection active if: | No
IPv4 and IPv6 internal subnet attributes | Enables both IPv4 and IPv6 tunnels for your VPN connection. | No
Perfect Forward Secrecy (PFS) | Enables PFS for your VPN connection. Doing so prevents past sessions from being decrypted. | No
Certificate revocation check | Allows the device to check the certificates it gets from the VPN server against a Certificate Revocation List (CRL). | No
Dynamic security associations (SA) parameters | Allows for the configuration of both IKE and Child parameters. Both values require the following attributes: | No
Service exceptions | Allows service exceptions for voicemail, AirPrint, MMS messages, and cellular services. Each service can be configured to use one of the following: | No
Traffic from captive web portals outside the VPN tunnel | Specifies whether traffic is permitted from captive web portals outside of the VPN tunnel. | No
Traffic from all captive networking apps outside the VPN tunnel | Specifies whether traffic is permitted from apps that connect to remote networks. If enabled, the apps must be listed (below). | No
Captive network app bundle identifiers | Identifies the networking apps that are permitted outside the VPN tunnel. They’re identified by their bundle ID. | No
DNS server addresses | The array of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses. | No
Primary domain name | The primary domain name of the VPN tunnel. | No
DNS search domains | The list of domain strings used to fully qualify single-label hostnames. | No
DNS supplemental match domains | The list of domain strings used to determine which DNS queries use the DNS resolver settings contained in ServerAddresses. This key is used to create a split DNS configuration where only hosts in certain domains are resolved using the tunnel’s DNS resolver. Hosts not in one of the domains in this list are resolved using the system’s default resolver. | No
Include supplemental domains | If false, appends the domains in the supplemental match domains list to the resolver’s list of search domains. | No
Vary the maximum transmission unit (MTU), in bytes | The default is 1280. | No
Note: Each MDM vendor implements these settings differently. To learn how IKEv2 settings are applied to your devices and users, consult your MDM vendor’s documentation.
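The table lists the IKEv2 settings by the names an MDM console shows. As an added example that is not part of this Apple page, the Python below assembles the corresponding VPN payload dictionary and enforces the constraints the table states (the four required settings, the 20-second NAT keepalive minimum, the 1280-byte MTU default, the dead peer detection rate choices) before serialising the profile with plistlib. The dictionary key names follow Apple's published VPN payload keys (PayloadType com.apple.vpn.managed with IKEv2, DNS and AlwaysOn dictionaries); the helper names, the MTU key, the placeholder identifiers and every sample value are assumptions, and as the note above says, the keys your MDM vendor actually emits may differ.

```python
"""Added example (not Apple's code): build and check an IKEv2 VPN payload for an MDM profile."""
import plistlib
import uuid

# Rules taken from the settings table: required settings, NAT keepalive minimum, MTU default.
REQUIRED = ("UserDefinedName", "RemoteAddress", "LocalIdentifier", "RemoteIdentifier")
MIN_NAT_KEEPALIVE_SECONDS = 20
DEFAULT_MTU = 1280
DPD_RATES = ("None", "Low", "Medium", "High")
SA_PARAMS = {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-384",
             "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 1440}  # same set for IKE and Child SAs

def validate_ikev2_settings(s):
    """Raise ValueError when the settings break a rule stated in the table."""
    missing = [k for k in REQUIRED if not s.get(k)]
    if missing:
        raise ValueError(f"required IKEv2 settings missing: {missing}")
    if s.get("NATKeepAliveOffloadEnable"):
        interval = s.get("NATKeepAliveInterval")
        if interval is None or interval < MIN_NAT_KEEPALIVE_SECONDS:
            raise ValueError("NAT keepalive interval must be at least 20 seconds")
    if s.get("DeadPeerDetectionRate", "Medium") not in DPD_RATES:
        raise ValueError("DeadPeerDetectionRate must be one of " + ", ".join(DPD_RATES))
    return True

def settings_error(s):
    """Return the validation error text, or None when the settings pass."""
    try:
        validate_ikev2_settings(s)
    except ValueError as e:
        return str(e)
    return None

def build_vpn_payload(s):
    """Return one com.apple.vpn.managed payload dictionary built from flat settings."""
    validate_ikev2_settings(s)
    ikev2 = {
        "RemoteAddress": s["RemoteAddress"],        # Hostname
        "LocalIdentifier": s["LocalIdentifier"],    # should match the client certificate identity
        "RemoteIdentifier": s["RemoteIdentifier"],  # should match the server certificate identity
        "AuthenticationMethod": s.get("AuthenticationMethod", "Certificate"),
        "DeadPeerDetectionRate": s.get("DeadPeerDetectionRate", "Medium"),
        "EnablePFS": True,                          # Perfect Forward Secrecy
        "EnableCertificateRevocationCheck": True,   # CRL check of server certificates
        "DisableMOBIKE": False,                     # mobility and multihoming stay enabled
        "DisableRedirect": not s.get("AllowRedirects", False),
        "NATKeepAliveOffloadEnable": bool(s.get("NATKeepAliveOffloadEnable", False)),
        "MTU": s.get("MTU", DEFAULT_MTU),           # assumed key name; 1280 default per the table
        "IKESecurityAssociationParameters": dict(SA_PARAMS),
        "ChildSecurityAssociationParameters": dict(SA_PARAMS),
    }
    if ikev2["NATKeepAliveOffloadEnable"]:
        ikev2["NATKeepAliveInterval"] = s["NATKeepAliveInterval"]
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "com.example.vpn.ikev2",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": s["UserDefinedName"],
        "UserDefinedName": s["UserDefinedName"],       # Connection name
        "VPNType": "IKEv2",
        "IKEv2": ikev2,
    }
    if s.get("DNSServerAddresses"):
        # Split DNS: only hosts under SupplementalMatchDomains use the tunnel's resolver.
        payload["DNS"] = {
            "ServerAddresses": list(s["DNSServerAddresses"]),
            "DomainName": s.get("DNSPrimaryDomain", ""),
            "SupplementalMatchDomains": list(s.get("DNSSupplementalMatchDomains", [])),
        }
    if s.get("AlwaysOn"):
        payload["AlwaysOn"] = {
            "AllowUserDisable": False,        # users cannot disable the connection
            "AllowCaptiveWebSheet": True,     # captive portal traffic may bypass the tunnel
            "AllowedCaptiveNetworkPlugins": [
                {"BundleIdentifier": b} for b in s.get("CaptiveAppBundleIDs", [])],
        }
    return payload

def to_profile_xml(payload):
    """Wrap the payload in a top-level configuration profile and serialise it as an XML plist."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile.vpn",  # placeholder identifier
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadDisplayName": "IKEv2 VPN", "PayloadContent": [payload]}
    return plistlib.dumps(profile)

# Constructed sample settings, not a real deployment.
SAMPLE = {
    "UserDefinedName": "Corp IKEv2", "RemoteAddress": "vpn.example.com",
    "LocalIdentifier": "device01.example.com", "RemoteIdentifier": "vpn.example.com",
    "NATKeepAliveOffloadEnable": True, "NATKeepAliveInterval": 30, "AllowRedirects": True,
    "DNSServerAddresses": ["10.0.0.53", "fd00::53"], "DNSPrimaryDomain": "corp.example.com",
    "DNSSupplementalMatchDomains": ["corp.example.com"],
    "AlwaysOn": True, "CaptiveAppBundleIDs": ["com.example.captiveportal"],
}

if __name__ == "__main__":
    print(to_profile_xml(build_vpn_payload(SAMPLE)).decode())
```

Running the file prints the XML profile for the sample settings; feeding it settings with a NAT keepalive interval below 20 seconds or an empty Remote Identifier stops at validation instead of producing a profile the device would reject or, worse, accept with a server identity check that cannot succeed.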