
iOS VPN Settings

A Virtual Private Network (VPN) lets users send data through a private network: it creates a secure, encrypted connection to another network over the internet. A VPN improves security by routing network traffic through the virtual network, and it can be restricted to carry traffic only from corporate-approved apps. Hexnode lets the admin push VPN configurations to iOS devices from the MDM console.

Configure VPN settings via policy

To configure VPN settings via policy,

  1. Log in to your Hexnode MDM portal.
  2. Navigate to Policies > New Policy. Assign a suitable name and description (optional) for the policy. You can also choose to continue with an existing policy.
  3. Go to iOS > Network > VPN and click Configure.

Hexnode VPN policy for iOS
VPN Settings Description
Connection Type Select the connection type; the remaining settings change accordingly. The available connection types are IKEv2, Always-On, L2TP (default), PPTP, IPSec (Cisco), Cisco AnyConnect, Juniper SSL, F5 SSL, SonicWALL Mobile Connect, Aruba VIA, Check Point Mobile VPN, Open VPN, and iboss Cloud Connector 2020.
Connection Name Name for the VPN connection to be shown in the devices.
Server The IP address or fully qualified domain name (FQDN) of the VPN server to connect with the devices.
Account Provide the username for authenticating to the VPN server. The placeholders %name% and %email% can be used to fill in the enrolled user's name and email address respectively.
Proxy Set up a proxy automatically or manually, or select None (default) to skip the proxy.

Configuring IKEv2 Connection

IKEv2 Connection
IKEv2 Settings Description
Server Address Enter the IP address or hostname of the VPN server.
Remote Identifier Enter the remote identifier to identify the IKEv2 server. The supported formats are:
  • FQDN
  • UserFQDN
  • Address
  • ASN1DN
Local Identifier Enter the local identifier, which the VPN client on the device presents to the server to identify itself. The supported formats are:
  • FQDN
  • UserFQDN
  • Address
  • ASN1DN
Machine Authentication Specify the device credentials to authenticate to the VPN server. The available options are:
  1. Certificate: To authenticate using a certificate, select an existing certificate profile.
    • Certificate type: Specify the key type of the certificate. The available types are RSA, ECDSA256, ECDSA384, ECDSA521.
    • Server certificate issuer common name: Provide the common name of the issuer of the VPN server certificate; the device uses it to validate the certificate the server presents when establishing the connection.
    • Server Certificate Common Name: Provide the common name of the server certificate itself. If left blank, the remote identifier value is used.
  2. Shared Secret: Provide a shared secret, also known as the pre-shared key (PSK), to authenticate to the VPN server.
  3. None

Note:
  • When ‘Machine Authentication’ is set to ‘None’ and ‘Enable Extended Authentication’ is disabled, the value of ‘Machine Authentication’ defaults to ‘Shared Secret’.

Enable Extended Authentication To use EAP-only authentication, set ‘Machine Authentication’ to ‘None’ and check ‘Enable Extended Authentication’. When enabled, enter the Username and Password for the VPN server.
Enable NAT Keepalive NAT keepalive packets are small packets the device sends periodically to keep the NAT mapping for the tunnel open, so the VPN stays connected.
When enabled, sending these keepalives is offloaded to hardware while the device is asleep, which keeps the connection up across device sleep cycles.
NAT Keepalive Interval (in seconds) If NAT keepalive is enabled, an interval must be set. The minimum interval is 20 seconds; the default is 3600 seconds.
Dead Peer Detection Rate Select how often to detect unresponsive VPN connections. The available options are:
  • None: Select this option to disable dead peer detection.
  • Low: Select this option to send a keepalive message every 30 minutes.
  • Medium (default): Select this option to send a keepalive message every 10 minutes.
  • High: Select this option to send a keepalive message every 60 seconds.
Enable Perfect Forward Secrecy Enables Perfect Forward Secrecy (PFS) for the VPN connection, so that previously recorded sessions cannot be decrypted even if a long-term key is compromised later.
Enable Certificate Revocation Check Allows the device to check the certificates it gets from the VPN server against a Certificate Revocation List (CRL).
Safari Domains Add one or more URLs to automatically establish the VPN connection when these sites are accessed through the Safari browser.
Security parameters Select the configurations required for either IKE or Child parameters.

The list of configurations required for IKE or Child security parameters include:

VPN Settings Description
Encryption Algorithm You can select one of the below algorithms:
  • DES
  • 3DES
  • AES-128
  • AES-256 (default)
  • AES-128-GCM
  • AES-256-GCM
Integrity Algorithm You can select one of the below algorithms:
  • SHA1-96
  • SHA1-160
  • SHA2-256 (default)
  • SHA2-384
  • SHA2-512
Diffie-Hellman Group Select the required Diffie-Hellman group. The available groups are 1, 2, 5, 14 (default), 15, 16, 17, 18, 19, 20, 21.
Lifetime (in minutes) Enter a value (in minutes) between 10 and 1440 to specify the re-key interval. The default value is 1440.
Use IPv4 / IPv6 Internal Subnet Attributes Check this option to enable both IPv4 and IPv6 tunnels for your VPN connection.
Disable MOBIKE When unchecked, MOBIKE allows the device to keep the VPN connection active if:
  • The IP address of the device changes
  • One of the interfaces stops working
Disable Redirect When checked, it disables redirection to another VPN server.
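The IKEv2 settings and security parameters above end up as keys in the device's VPN configuration profile. The following is an added example, not Hexnode's code, showing how an admin can lint an exported IKEv2 profile for the weak choices the tables still offer (DES/3DES, SHA1, small Diffie-Hellman groups, PFS or revocation checking turned off, out-of-range lifetimes and keepalive intervals, and the Machine Authentication "None" fallback described in the note). It assumes the key names Apple documents for the com.apple.vpn.managed payload (the IKEv2 dictionary with its IKESecurityAssociationParameters and ChildSecurityAssociationParameters); the two profiles at the bottom are constructed, with placeholder identifiers.

```python
"""Lint an iOS IKEv2 VPN profile (XML plist) for weak security parameters.

Added example, not Hexnode's code. Assumes Apple's documented key names for
the com.apple.vpn.managed payload; sample profiles are constructed.
"""
import plistlib

# Choices from the settings tables above, grouped by whether a reviewer should flag them.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {1, 2, 5}            # 768/1024/1536-bit MODP groups
LIFETIME_RANGE = (10, 1440)           # minutes, as stated in the table
MIN_NAT_KEEPALIVE = 20                # seconds, as stated in the table


def lint_sa_params(name, params):
    """Check one set of IKE or Child SA parameters; defaults match the tables above."""
    findings = []
    enc = params.get("EncryptionAlgorithm", "AES-256")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{name}: weak encryption algorithm {enc}")
    integrity = params.get("IntegrityAlgorithm", "SHA2-256")
    if integrity in WEAK_INTEGRITY:
        findings.append(f"{name}: weak integrity algorithm {integrity}")
    group = params.get("DiffieHellmanGroup", 14)
    if group in WEAK_DH_GROUPS:
        findings.append(f"{name}: weak Diffie-Hellman group {group}")
    lifetime = params.get("LifeTimeInMinutes", 1440)
    low, high = LIFETIME_RANGE
    if not low <= lifetime <= high:
        findings.append(f"{name}: lifetime {lifetime} outside {low}-{high} minutes")
    return findings


def lint_ikev2(ikev2):
    """Check the connection-level IKEv2 settings described above."""
    findings = []
    auth = ikev2.get("AuthenticationMethod", "None")
    eap = ikev2.get("ExtendedAuthEnabled", False)
    if auth == "None" and not eap:
        # The note above: this combination silently falls back to Shared Secret.
        findings.append("machine authentication None without EAP falls back to SharedSecret")
    if auth == "SharedSecret" and not ikev2.get("SharedSecret"):
        findings.append("SharedSecret authentication selected but no secret configured")
    if not ikev2.get("EnablePFS", False):
        findings.append("Perfect Forward Secrecy disabled")
    if not ikev2.get("EnableCertificateRevocationCheck", False):
        findings.append("certificate revocation check disabled")
    if ikev2.get("NATKeepAliveOffloadEnable", False):
        interval = ikev2.get("NATKeepAliveInterval", 3600)
        if interval < MIN_NAT_KEEPALIVE:
            findings.append(f"NAT keepalive interval {interval}s below minimum {MIN_NAT_KEEPALIVE}s")
    for key in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        findings.extend(lint_sa_params(key, ikev2.get(key, {})))
    return findings


def lint_profile(plist_bytes):
    """Parse a .mobileconfig and lint every IKEv2 VPN payload it contains."""
    profile = plistlib.loads(plist_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.vpn.managed" and payload.get("VPNType") == "IKEv2":
            findings.extend(lint_ikev2(payload.get("IKEv2", {})))
    return findings


def make_profile(ikev2):
    """Wrap an IKEv2 dictionary in a minimal profile; identifiers/UUIDs are placeholders."""
    payload = {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
               "PayloadIdentifier": "example.vpn.ikev2",
               "PayloadUUID": "00000000-0000-4000-8000-000000000001",
               "PayloadDisplayName": "Corp VPN", "UserDefinedName": "Corp VPN",
               "VPNType": "IKEv2", "IKEv2": ikev2}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.profile.vpn",
               "PayloadUUID": "00000000-0000-4000-8000-000000000002",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)


COMMON = {"RemoteAddress": "vpn.example.com", "RemoteIdentifier": "vpn.example.com",
          "LocalIdentifier": "device.example.com"}   # constructed names

# Constructed sample: a profile that leaves the weak choices in place.
WEAK_PROFILE = make_profile({**COMMON,
    "AuthenticationMethod": "None", "ExtendedAuthEnabled": False,
    "EnablePFS": False, "EnableCertificateRevocationCheck": False,
    "NATKeepAliveOffloadEnable": True, "NATKeepAliveInterval": 10,
    "IKESecurityAssociationParameters": {"EncryptionAlgorithm": "3DES",
        "IntegrityAlgorithm": "SHA1-96", "DiffieHellmanGroup": 2, "LifeTimeInMinutes": 1440},
    "ChildSecurityAssociationParameters": {"EncryptionAlgorithm": "AES-256",
        "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 14, "LifeTimeInMinutes": 5000}})

# Constructed sample: the same connection with hardened choices.
HARDENED_PROFILE = make_profile({**COMMON,
    "AuthenticationMethod": "Certificate", "ExtendedAuthEnabled": True,
    "EnablePFS": True, "EnableCertificateRevocationCheck": True,
    "NATKeepAliveOffloadEnable": True, "NATKeepAliveInterval": 3600,
    "IKESecurityAssociationParameters": {"EncryptionAlgorithm": "AES-256-GCM",
        "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 1440},
    "ChildSecurityAssociationParameters": {"EncryptionAlgorithm": "AES-256-GCM",
        "IntegrityAlgorithm": "SHA2-256", "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 480}})

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, lint_profile(profile) or ["no findings"])
```

Run it against a profile exported from the console (read the file as bytes and pass it to lint_profile) before assigning the policy; the defaults used when a key is absent mirror the defaults stated in the tables, so an omitted key is judged the way the device would treat it.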

Configuring Always-On (Supervised iOS devices) Connection

Always-On Connection

Warning:
  • An Always-on VPN may sometimes lead to a loss in network connectivity on devices deployed in Hexnode on-premise edition.

Always-On Settings Description
Allow users to disable automatic connection When this option is checked, the users can disable the Always-On VPN connection.
Note:
  • Disabling the Connect Automatically option in the VPN settings on your device will lead to the complete loss of network connectivity.

Allow traffic from captive web sheet outside the VPN tunnel Captive Web Sheet is a built-in web browser that handles captive sign on. Check this option to permit traffic from captive web portals outside the VPN tunnel.
Allow traffic from all captive networking apps outside the VPN tunnel A captive network is a Wi-Fi hotspot, typically found in public venues, that requires sign-in through a captive portal before granting internet access.

Check this option to permit traffic from all captive networking apps outside the VPN tunnel. When this option is unchecked, add the required captive networking app(s) or app group(s) to permit traffic from the specific app(s) outside the VPN tunnel.

Service Exceptions: The system services that are exempt from Always-On VPN include Voicemail, AirPrint, and Cellular Services.

Always-On Settings Description
Voicemail Configure Voicemail to use one of the following:
  • Allow traffic via tunnel
  • Allow traffic outside the tunnel
  • Drop traffic
AirPrint Configure AirPrint to use one of the following:
  • Allow traffic via tunnel
  • Allow traffic outside the tunnel
  • Drop traffic
Cellular Services
(iOS 11.3+)
Configure Cellular Services to use one of the following:
  • Allow traffic via tunnel
  • Allow traffic outside the tunnel
  • Drop traffic
Use same tunnel configuration for Cellular and Wi-Fi Check this option to use the same configuration for both Wi-Fi and mobile data.

IKEv2 Settings: Specify the tunnel configurations separately for Wi-Fi and cellular data when Use same tunnel configuration for Cellular and Wi-Fi option is disabled.

Configuring L2TP Connection

L2TP Connection
L2TP Settings Description
User authentication Choose how the device authenticates to the VPN server. Two choices are available – Password and RSA SecurID (default).
Password
(If Password is selected for user authentication)
Enter the password which is used to authenticate with the server.
Shared secret A second password required to establish a connection. Also known as pre-shared key, the shared secret is previously known to the device and the VPN server, and no one else. This key is used just to establish a connection and not used for encryption.
Send all traffic Send all network traffic via VPN. Disabled by default.

Configuring PPTP Connection

PPTP Connection
PPTP Settings Description
User authentication The method which is used to authenticate with the VPN server. Available options are Password and RSA SecurID (default).
Password
(If Password is selected for user authentication)
The password which is required to connect to the VPN server.
Encryption level Select how secure your VPN connection should be. You can choose from None (default), Automatic and Maximum (128 bit).
Send all traffic Force all traffic through the VPN. Disabled by default.

Configuring IPSec (Cisco)

IPSEC (Cisco)
IPSec (Cisco) Settings Description
Password Provide the password for server authentication.
Machine authentication Select a machine authentication method – Certificate, Shared secret/Group name (default).
Certificate
(Select certificate machine authentication to modify)
Select a credential certificate for machine authentication. If no certificates are listed, none have been uploaded yet; go to iOS > Security > Certificates to upload a new certificate.
Include user PIN
(Select certificate machine authentication to modify)
The device asks the user to provide PIN while attempting to make a connection. Disabled by default.
Group name
(Select shared secret/group name machine authentication to modify)
The group name of the connection.
Shared secret
(Select shared secret/group name machine authentication to modify)
A second password, previously known to the device and the VPN server (and no one else), required to establish a connection. This key is not used for encryption, it is used just to establish a connection.
Use hybrid authentication
(Select shared secret/group name machine authentication to modify)
Enable this option to use hybrid authentication, which strengthens the authentication by also using a server-side certificate in the process. Hybrid authentication is disabled by default.
Prompt for password
(Select shared secret/group name machine authentication to modify)
The device prompts the user to provide the password. By default, the device will not prompt for password.

Configuring Cisco AnyConnect

Cisco AnyConnect
AnyConnect Settings Description
Group Enter group name of AnyConnect VPN.
User authentication Select how devices authenticate with the VPN server. Select from Password and Certificate. Password will be selected by default.
Password
(Enter password if password user authentication method is selected)
Provide the password which is required to authenticate with the VPN server.
Certificate
(Select the certificate if certificate user authentication method is selected)
Select the credential certificate from the list. To add a new certificate, go to iOS > Security > Certificates and upload a new one there.

Configuring Juniper SSL Connection

Juniper SSL Connections
Juniper SSL Settings Description
Realm Provide the authentication realm. This is the server to which the device needs to authenticate.
Role Assign a role to the user; in short, specify the resources the user can access.
User authentication Choose a user authentication method, Password (default) or Certificate, to connect to the VPN server.
Password
(If password is selected as the user authentication method)
Enter the password to authenticate to the VPN server.
Certificate
(If certificate is selected as the user authentication method)
Select a credential certificate from the list, or add a new one at iOS > Security > Certificates.

Configuring F5 SSL

F5 SSL
F5 SSL Settings Description
User authentication Select the method used to authenticate to the VPN server. The available options are Password (default) and Certificate.
Password
(Can be modified if password is selected as the user authentication method)
Provide the password which is used to authenticate to the VPN server.
Certificate
(Can be modified if certificate is selected as the user authentication method)
To select a certificate, go to iOS > Security > Certificates and upload one there. After it is added, the certificate will be available to select from here.

Configuring SonicWALL Mobile Connect

SonicWall Mobile Connect
Mobile Connect Settings Description
Login group or domain The login group name or the domain name.
User authentication Select how to authenticate with the VPN server, using a password (default) or a certificate.
Password
(If Password is selected in the user authentication field)
Specify the password that grants access to the VPN server.
Certificate
(If Certificate is selected in the user authentication field)
Add a certificate from iOS > Security > Certificates and it’ll be available to select from this field.

Configuring ArubaVIA, Check Point Mobile VPN and Open VPN

ArubaVIA, Check Point Mobile VPN and Open VPN
Settings Description
User authentication Select the method of authentication from two options – Password (default) and Certificate.
Password
(Available if user authentication is set to Password)
Provide the password to connect to the VPN server.
Certificate
(Available if user authentication is set to Certificate)
Select an existing credential certificate from the list. To add one, proceed to iOS > Security > Certificates.

Configuring iboss Cloud Connector 2020 Connection

iboss Cloud Connector 2020
Settings Description
User authentication Select the method of authentication from two options – Password and Certificate (default).
Password (Available if Password is selected as the method of user authentication) Provide the password to connect to the VPN server.
Certificate (Available if Certificate is selected as the method of user authentication) Select an existing credential certificate from the list. To add one, proceed to iOS > Security > Certificates.
Third party VPN Configuration Configure information specific to third-party VPN solutions (apps) that iOS does not support natively.

VPN On Demand

When a VPN profile is configured, by default the user must turn the VPN on manually on the device. Because the VPN runs over a Wi-Fi or cellular network, it turns off automatically once the device loses network connectivity. Enabling VPN On Demand connects the VPN automatically, eliminating the need to toggle it on manually.

VPN On Demand can be configured for the following connection types:

  • IKEv2
  • IPSec (Cisco)
  • Cisco AnyConnect
  • Juniper SSL
  • F5 SSL
  • SonicWALL Mobile Connect
  • Aruba VIA
  • Check Point Mobile VPN
  • Open VPN
  • iboss Cloud Connector 2020

To enable VPN On Demand

Check the VPN On Demand option under Policies > iOS > Network > VPN.

VPN settings for iOS MDM
To configure VPN On Demand settings,
Settings Description
Network type Select the network type to be configured for VPN On Demand. The available options are Ethernet, Wi-Fi (default) and Cellular.
SSID Provide the SSID (network name) of the Wi-Fi network on which the VPN On Demand rule should apply.
Domain Provide the domain name of the server.
Server address Provide the IP Address of the server.
Note:
  • You can configure VPN On Demand for multiple SSIDs, domains or server addresses by clicking the Add+ button and providing the details.
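Each network type / SSID / domain / server address entry above becomes an on-demand rule on the device, and the device applies the first rule that matches the network it is on. The following added example, not Hexnode's code, evaluates a constructed rule set the way the device does, so an admin can check what a given network state will do before deploying the policy. It assumes the rule keys Apple documents for the VPN payload's OnDemandRules (Action, InterfaceTypeMatch, SSIDMatch, DNSDomainMatch, DNSServerAddressMatch); the rule set, SSIDs, domains and addresses are constructed, and the wildcard domain matching is an approximation of the device's behaviour.

```python
"""Evaluate VPN On Demand rules: first matching rule wins.

Added example, not Hexnode's code. Assumes Apple's documented OnDemandRules
keys; rules and network states below are constructed for illustration.
"""
from fnmatch import fnmatchcase


def domain_matches(pattern, domain):
    """A rule domain matches a search domain exactly or via a '*.' prefix (approximation)."""
    return fnmatchcase(domain.lower(), pattern.lower())


def rule_matches(rule, state):
    """Every match key present in the rule must hold for the current network state."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != state.get("interface"):
        return False
    if "SSIDMatch" in rule and state.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule:
        domains = state.get("search_domains", [])
        if not any(domain_matches(p, d) for p in rule["DNSDomainMatch"] for d in domains):
            return False
    if "DNSServerAddressMatch" in rule:
        if not set(rule["DNSServerAddressMatch"]) & set(state.get("dns_servers", [])):
            return False
    return True


def on_demand_action(rules, state):
    """Return the Action of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule_matches(rule, state):
            return rule["Action"]
    return None


# Constructed rule set: stay off the VPN on the corporate network (already inside),
# otherwise connect on any Wi-Fi or cellular network. Order matters: the catch-all
# rules must come last, or they shadow the more specific ones above them.
# The corporate rule requires the corporate search domain and DNS server as well as
# the SSID, so an untrusted network that merely broadcasts the same SSID still
# gets the VPN.
RULES = [
    {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpWiFi"],
     "DNSDomainMatch": ["*.corp.example.com"], "DNSServerAddressMatch": ["10.0.0.53"]},
    {"Action": "Disconnect", "InterfaceTypeMatch": "Ethernet"},
    {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
    {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
]

# Constructed network states as the device would observe them.
OFFICE = {"interface": "WiFi", "ssid": "CorpWiFi",
          "search_domains": ["hq.corp.example.com"], "dns_servers": ["10.0.0.53"]}
CAFE = {"interface": "WiFi", "ssid": "CoffeeShop", "search_domains": [], "dns_servers": ["192.0.2.1"]}
SAME_SSID_ELSEWHERE = {"interface": "WiFi", "ssid": "CorpWiFi",
                       "search_domains": [], "dns_servers": ["192.0.2.1"]}
WIRED = {"interface": "Ethernet"}
MOBILE = {"interface": "Cellular"}

if __name__ == "__main__":
    for name, state in (("office", OFFICE), ("cafe", CAFE),
                        ("same SSID elsewhere", SAME_SSID_ELSEWHERE),
                        ("wired", WIRED), ("mobile", MOBILE)):
        print(f"{name}: {on_demand_action(RULES, state)}")
```

Swapping the order of the rules in RULES (putting a catch-all Connect first) makes the office case return Connect as well, which is the kind of ordering mistake this check catches before the policy reaches devices.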

Proxy Settings

A proxy server acts as an intermediary between the devices and the internet; it hides the device's actual IP address from the sites it reaches, which reduces the device's exposure. You can skip setting up a proxy server for the VPN, or set one up manually or automatically.

  1. None – Select this option if you don’t want to set up a proxy server.
  2. Manual – To set up the proxy manually, provide:
    1. Server – The IP address or the domain name of the proxy server.
    2. Port – Port number of the proxy server.
    3. Authentication – Username required to connect to the proxy server.
    4. Password – Password which is required to authenticate to the proxy server.
  3. Automatic – If you’d like to set up proxy automatically, provide the proxy server URL.

How to associate VPN with iOS Devices/Groups?

If the policy has not been saved,

  1. Navigate to Policy Targets > +Add Devices.
  2. Choose the target devices and click OK. Click Save.
  3. You can also associate the policy to device groups, users, user groups or domains from the left pane of the Policy Targets tab.

If you have the policy saved already,

  1. Go to Policies tab and choose the desired policy.
  2. Click on the Manage drop-down and select Associate Targets.
  3. Choose the target entities and click Associate.