iOS VPN Settings

A Virtual Private Network (VPN) lets users send data through a private network. It creates a safe, encrypted connection to another network over the internet. A VPN improves security by redirecting network traffic via a virtual network. It can route traffic only to the corporate-approved apps. Hexnode allows the admin to set up VPN configurations on iOS via the MDM console.

Configure VPN settings via policy

To configure VPN settings via policy:

  1. Log in to your Hexnode MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Network > VPN, click Configure.

Hexnode VPN policy for iOS

| VPN Settings | Description |
| --- | --- |
| Connection Type | Select the connection type; the rest of the settings change accordingly. The available connection types are L2TP (default), PPTP, IPSec (Cisco), Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Aruba VIA, Check Point Mobile VPN and Open VPN. |
| Connection Name | A name for the VPN. |
| Server | IP address or domain name of the server. |
| Account | Username for authenticating to the VPN server. %name% and %email% can be used to automatically collect username and email data respectively. |
| Proxy | Set up the proxy automatically or manually, or select None (default) to skip the process. See the Proxy Settings section of this document. |

Configuring L2TP Connection

L2TP Connection

| L2TP Settings | Description |
| --- | --- |
| User authentication | Choose how the device authenticates to the VPN server. Two choices are available: Password and RSA SecurID (default). |
| Password (if Password is selected for user authentication) | Enter the password used to authenticate with the server. |
| Shared secret | A second password required to establish a connection. Also known as a pre-shared key, the shared secret is known in advance to the device and the VPN server, and to no one else. This key is used only to establish a connection, not for encryption. |
| Send all traffic | Send all network traffic via VPN. Disabled by default. |

Configuring PPTP Connection

PPTP Connection

| PPTP Settings | Description |
| --- | --- |
| User authentication | The method used to authenticate with the VPN server. Available options are Password and RSA SecurID (default). |
| Password (if Password is selected for user authentication) | The password required to connect to the VPN server. |
| Encryption level | Select how secure your VPN connection should be. You can choose from None (default), Automatic and Maximum (128 bit). |
| Send all traffic | Force all traffic through the VPN. Disabled by default. |

Configuring IPSec (Cisco)

IPSEC (Cisco)

| IPSec (Cisco) Settings | Description |
| --- | --- |
| Password | Provide the password for server authentication. |
| Machine authentication | Select a machine authentication method: Certificate or Shared secret/Group name (default). |
| Certificate (available when Certificate machine authentication is selected) | Select a credential certificate for machine authentication. If no certificates are found, you probably haven't uploaded any. Go to iOS > Security > Certificates to upload a new certificate. |
| Include user PIN (available when Certificate machine authentication is selected) | The device asks the user to provide a PIN while attempting to make a connection. Disabled by default. |
| Group name (available when Shared secret/Group name machine authentication is selected) | The group name of the connection. |
| Shared secret (available when Shared secret/Group name machine authentication is selected) | A second password, known in advance to the device and the VPN server (and no one else), required to establish a connection. This key is not used for encryption; it is used only to establish a connection. |
| Use hybrid authentication (available when Shared secret/Group name machine authentication is selected) | Enable this option to use hybrid authentication. Hybrid authentication is a more secure way of authenticating that uses a server-side certificate for the process. Hybrid authentication is disabled by default. |
| Prompt for password (available when Shared secret/Group name machine authentication is selected) | The device prompts the user to provide the password. By default, the device will not prompt for the password. |

Configuring Cisco AnyConnect

Cisco AnyConnect

| AnyConnect Settings | Description |
| --- | --- |
| Group | Enter the group name of the AnyConnect VPN. |
| User authentication | Select how devices authenticate with the VPN server. Select from Password and Certificate. Password is selected by default. |
| Password (if Password is selected as the user authentication method) | Provide the password required to authenticate with the VPN server. |
| Certificate (if Certificate is selected as the user authentication method) | Select the credential certificate from the list. To add a new certificate, go to iOS > Security > Certificates and upload a new one there. |

Configuring Juniper SSL Connection

Juniper SSL Connections

| Juniper SSL Settings | Description |
| --- | --- |
| Realm | Provide the authentication realm. This is the server to which the device needs to authenticate. |
| Role | Assign a role to the user. In short, specify the resources that the users can access. |
| User authentication | Choose a user authentication method, Password (default) or Certificate, to connect to the VPN server. |
| Password (if Password is selected as the user authentication method) | Enter the password to authenticate to the VPN server. |
| Certificate (if Certificate is selected as the user authentication method) | Select a credential certificate from the list or add a new one at iOS > Security > Certificates. |

Configuring F5 SSL

F5 SSL

| F5 SSL Settings | Description |
| --- | --- |
| User authentication | Select the authentication method used to authenticate to the VPN server. The available options are Password (default) and Certificate. |
| Password (can be modified if Password is selected as the user authentication method) | Provide the password used to authenticate to the VPN server. |
| Certificate (can be modified if Certificate is selected as the user authentication method) | To select a certificate, go to iOS > Security > Certificates and upload one there. After a certificate is added, it'll be available to select from here. |

Configuring SonicWALL Mobile Connect

SonicWall Mobile Connect

| Mobile Connect Settings | Description |
| --- | --- |
| Login group or domain | The login group name or the domain name. |
| User authentication | Select how to authenticate with the VPN server, using a password (default) or a certificate. |
| Password (if Password is selected in the user authentication field) | Specify a password that gives you access to the VPN server. |
| Certificate (if Certificate is selected in the user authentication field) | Add a certificate from iOS > Security > Certificates and it'll be available to select from this field. |

Configuring Aruba VIA, Check Point Mobile VPN and Open VPN

ArubaVIA, Check Point Mobile VPN and Open VPN

| Settings | Description |
| --- | --- |
| User authentication | Select the method of authentication from two options: Password and Certificate (default). |
| Password (available if user authentication is set to Password) | Provide the password to connect to the VPN server. |
| Certificate (available if user authentication is set to Certificate) | Select an existing credential certificate from the list. To add one, proceed to iOS > Security > Certificates. |

VPN On Demand

When a VPN profile is configured, by default the user must turn it on manually on the device. Because VPN works over a Wi-Fi or cellular network, it turns off automatically once the device loses network connectivity. Enabling VPN On Demand connects the device to the VPN automatically, eliminating the need to toggle it on manually.

VPN On Demand can be configured for specific connection types, such as:

  • IKEv2
  • IPSec (Cisco)
  • Cisco AnyConnect
  • Juniper SSL
  • F5 SSL
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Check Point Mobile VPN
  • Open VPN

To enable VPN On Demand:

Check the option VPN On Demand under Policies > iOS > Network > VPN.

VPN settings for iOS MDM

To configure VPN On Demand settings:

| Settings | Description |
| --- | --- |
| Network type | Select the network type to be configured for VPN On Demand. The available options are Ethernet, Wi-Fi and Cellular. |
| SSID | Provide the name of the network to connect to. |
| Domain | Provide the domain name of the server. |
| Server address | Provide the IP address of the server. |

Note: You can configure VPN On Demand for multiple SSIDs, domains or server addresses by clicking the Add+ button and providing the details.

Proxy Settings

A proxy server acts as an intermediary between the devices and the internet, hiding the actual IP address of the device and thereby reducing the level of risk incurred by the device. You can either skip setting up a proxy server for VPN, or set one up manually or automatically.

  1. None – Select this option if you don’t want to set up a proxy server.
  2. Manual – To set up the proxy manually, provide:
    1. Server – The IP address or the domain name of the proxy server.
    2. Port – Port number of the proxy server.
    3. Authentication – Username required to connect to the proxy server.
    4. Password – Password which is required to authenticate to the proxy server.
  3. Automatic – If you’d like to set up proxy automatically, provide the proxy server URL.
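
An iOS MDM delivers a VPN policy to the device as a configuration profile containing a com.apple.vpn.managed payload. The following added example (not Hexnode's code) reads such a profile with Python's plistlib and lists the settings worth reviewing before deployment, such as the PPTP defaults described above. The key names are Apple's configuration-profile keys; their mapping to the console fields, the sample profile and the wording of the findings are assumptions.

```python
import plistlib

# Constructed sample: a PPTP payload left at the defaults this page lists
# (encryption None, Send all traffic off), with the user password embedded.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
 <key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>UserDefinedName</key><string>Corp VPN (constructed)</string>
  <key>VPNType</key><string>PPTP</string>
  <key>PPP</key><dict>
   <key>CommRemoteAddress</key><string>vpn.example.com</string>
   <key>AuthName</key><string>%email%</string>
   <key>AuthPassword</key><string>placeholder-password</string>
   <key>CCPEnabled</key><false/>
  </dict>
 </dict></array>
</dict></plist>"""


def audit_vpn_payloads(profile_bytes):
    """Return (connection name, finding) pairs for every VPN payload."""
    findings = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed":
            continue  # not a VPN payload (Wi-Fi, certificate, ...)
        name, vpn_type = p.get("UserDefinedName", "?"), p.get("VPNType")
        ppp, ipsec = p.get("PPP", {}), p.get("IPSec", {})
        if vpn_type == "PPTP":
            findings.append((name, "PPTP connection type"))
            # Assumed mapping: "Maximum (128 bit)" sets CCPMPPE128Enabled.
            if not ppp.get("CCPMPPE128Enabled"):
                findings.append((name, "encryption level below Maximum (128 bit)"))
        # Assumed mapping: "Send all traffic" sets IPv4/OverridePrimary.
        if vpn_type in ("L2TP", "PPTP") and not p.get("IPv4", {}).get("OverridePrimary"):
            findings.append((name, "Send all traffic is off"))
        if "AuthPassword" in ppp or "XAuthPassword" in ipsec:
            findings.append((name, "user password stored in the profile"))
        if ipsec.get("AuthenticationMethod") == "SharedSecret":
            findings.append((name, "shared-secret machine authentication"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_vpn_payloads(SAMPLE_PROFILE):
        print(f"{name}: {finding}")
```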

How to associate VPN to iOS Devices/Groups?

If the policy has not been saved,

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click OK. Click Save.
  3. You can also associate the policy to device groups, users, user groups or domains from the left pane of the Policy Targets tab.

If you have the policy saved already,

  1. Go to Policies tab and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.