com.apple.vpn.managed.yaml

title: VPN
description: Use this section to define settings for VPN access.
payload:
  payloadtype: com.apple.vpn.managed
  supportedOS:
    iOS:
      introduced: '4.0'
      multiple: true
      supervised: false
      allowmanualinstall: true
      sharedipad:
        mode: allowed
        devicechannel: true
        userchannel: false
      userenrollment:
        mode: forbidden
    macOS:
      introduced: '10.7'
      multiple: true
      devicechannel: true
      userchannel: true
      requiresdep: false
      userapprovedmdm: false
      allowmanualinstall: true
      userenrollment:
        mode: forbidden
    tvOS:
      introduced: '17.0'
      multiple: true
      supervised: false
      allowmanualinstall: true
    visionOS:
      introduced: '1.0'
      multiple: true
      supervised: false
      allowmanualinstall: true
      userenrollment:
        mode: forbidden
    watchOS:
      introduced: n/a
payloadkeys:
- key: VPNType
  title: Type
  type: <string>
  presence: required
  rangelist:
  - VPN
  - L2TP
  - IPSec
  - IKEv2
  - AlwaysOn
  - TransparentProxy
  content: |-
    The type of the VPN, which defines which settings are appropriate for this VPN payload.
    If the type is 'VPN' or 'TransparentProxy', then the system requires a value for 'VPNSubType'.
    'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled. Not available in watchOS.
- key: VPNSubType
  title: VPN Subtype
  type: <string>
  presence: optional
  content: |-
    An identifier for a vendor-specified configuration dictionary when the value for 'VPNType' is 'VPN'.
    If 'VPNType' is 'VPN', the system requires this field. If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
    If 'VPNType' is 'IKEv2', then the 'VPNSubType' field is optional and reserved for future use. If it's specified, it needs to contain an empty string.
    Not available in watchOS.
- key: UserDefinedName
  title: User Defined Name
  type: <string>
  presence: required
  content: The description of the VPN connection that the system displays on the device.
    Not available in watchOS.
- key: VendorConfig
  title: Vendor Configuration Dictionary
  type: <dictionary>
  presence: optional
  content: The vendor-specific configuration dictionary, which the system reads only
    when 'VPNSubType' has a value. Not available in watchOS.
  subkeys:
  - key: Realm
    title: Realm
    type: <string>
    presence: optional
    content: The Kerberos realm name, which needs to be properly capitalized. Valid
      only for Juniper SSL and Pulse Secure. Not available in watchOS.
  - key: Role
    title: Role
    type: <string>
    presence: optional
    content: The role to select when connecting to the server. Valid only for Juniper
      SSL and Pulse Secure. Not available in watchOS.
  - key: Group
    title: Group
    type: <string>
    presence: optional
    content: The group to connect to on the head end. Valid for Cisco AnyConnect and
      Cisco Legacy AnyConnect. Not available in watchOS.
  - key: LoginGroupOrDomain
    title: Login Group or Domain
    type: <string>
    presence: optional
    content: The login group or domain. Valid only for SonicWALL Mobile Connect. Not
      available in watchOS.
- key: VPN
  title: VPN
  type: <dictionary>
  presence: optional
  content: The VPN dictionary is used when VPNType is VPN.
  subkeys:
  - key: AuthenticationMethod
    title: Authentication Method
    type: <string>
    presence: optional
    rangelist:
    - Password
    - Certificate
    - Password+Certificate
    default: Password
    content: The authentication method to use.
  - key: PayloadCertificateUUID
    title: Certificate UUID
    type: <string>
    presence: optional
    content: The UUID of the certificate payload within the same profile to use for
      account credentials.
  - key: Password
    title: Account Password
    type: <string>
    presence: optional
    content: The VPN user password.
  - key: ProviderBundleIdentifier
    title: Provider Bundle Identifier
    type: <string>
    presence: optional
    content: The bundle identifier for the VPN provider. Not available in watchOS.
  - key: ProviderDesignatedRequirement
    title: Provider Designated Requirement
    supportedOS:
      iOS:
        introduced: n/a
      macOS:
        introduced: '10.15'
      visionOS:
        introduced: n/a
    type: <string>
    presence: optional
    content: If the VPN provider is implemented as a system extension, this field
      is required. Not available in watchOS.
  - key: DisconnectOnIdle
    title: Enable Disconnect on Idle
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', disconnects after an on-demand connection idles.
  - key: DisconnectOnIdleTimer
    title: Disconnect on Idle time
    type: <integer>
    presence: optional
    content: The length of time to wait, in seconds, before disconnecting an on-demand
      connection. In watchOS, the maximum allowed value is '15'.
  - key: ProviderType
    type: <string>
    presence: optional
    rangelist:
    - packet-tunnel
    - app-proxy
    default: packet-tunnel
    content: The type of VPN service. If the value is 'app-proxy', the service tunnels
      traffic at the app level. If the value is 'packet-tunnel', the service tunnels
      traffic at the IP layer. Not available in watchOS.
  - key: IncludeAllNetworks
    title: Include All Networks
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: '10.15'
      tvOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, ExcludeAPNs and ExcludeDeviceCommunication properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. Not available in watchOS.

      * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
      * Traffic necessary for connecting to captive networks.
      * Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
      * Network communication with a companion device such as a watchOS device.
  - key: EnforceRoutes
    title: Enforce Routes
    supportedOS:
      iOS:
        introduced: '14.2'
      macOS:
        introduced: '11.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', all the VPN's non-default routes take precedence over any locally defined routes.
      If 'IncludeAllNetworks' is '1', the system ignores the value of 'EnforceRoutes'.
      Available in iOS 14.2 and later, and macOS 11 and later. Not available in watchOS.
  - key: ExcludeLocalNetworks
    title: Exclude Local Networks
    supportedOS:
      iOS:
        introduced: '14.2'
      macOS:
        introduced: '10.15'
      tvOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If '1' and 'IncludeAllNetworks' is '1', routes all local network traffic
      outside the VPN. Not available in watchOS.
  - key: ExcludeCellularServices
    title: Exclude Cellular Services
    supportedOS:
      iOS:
        introduced: '16.4'
      macOS:
        introduced: '13.3'
      tvOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes internet-routable
      network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual
      Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular
      services traffic directly to the carrier network, bypassing the internet. Such
      cellular services traffic is always excluded from the tunnel. Not available
      in watchOS.
  - key: ExcludeAPNs
    title: Exclude APNs
    supportedOS:
      iOS:
        introduced: '16.4'
      macOS:
        introduced: '13.3'
      tvOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes the
      network traffic for the Apple Push Notification service (APNs) from the tunnel.
      Not available in watchOS.
  - key: ExcludeDeviceCommunication
    title: Exclude Device Communication
    supportedOS:
      iOS:
        introduced: '17.4'
      macOS:
        introduced: '14.4'
      tvOS:
        introduced: n/a
      visionOS:
        introduced: '1.1'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If 1 and IncludeAllNetworks is 1, then network traffic used for communicating
      with devices connected via USB or Wi-Fi is excluded from the tunnel.
  - key: OnDemandEnabled
    title: Enable VPN On Demand
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', enables VPN On Demand.
  - key: OnDemandUserOverrideDisabled
    title: Prevent users from toggling VPN On Demand
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the Connect On Demand toggle in Settings is disabled for this
      configuration. Available in iOS 14 and later. Not available in watchOS.
  - key: OnDemandMatchDomainsAlways
    title: On Demand Match Domains Always
    supportedOS:
      iOS:
        deprecated: '7.0'
    type: <array>
    presence: optional
    content: |-
      A list of domain names. The system treats associated domain names as though they're associated with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden by 'OnDemandRules'.
      In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries.
      Not available in watchOS.
    subkeytype: MatchDomainAlwaysElement
    subkeys: &id001
    - key: MatchDomainAlwaysElement
      title: Match Domain Always Element
      type: <string>
  - key: OnDemandMatchDomainsNever
    title: On Demand Match Domains Never
    supportedOS:
      iOS:
        deprecated: '7.0'
    type: <array>
    presence: optional
    content: |-
      A list of domain names. If the host name ends with one of these domain names, the system doesn't start the VPN automatically. The system uses this value to exclude a subdomain within an included domain.
      In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries.
      Not available in watchOS.
    subkeytype: MatchDomainNeverElement
    subkeys: &id002
    - key: MatchDomainNeverElement
      title: Match Domain Never Element
      type: <string>
  - key: OnDemandMatchDomainsOnRetry
    title: On Demand Match Domains On Retry
    supportedOS:
      iOS:
        deprecated: '7.0'
    type: <array>
    presence: optional
    content: |-
      A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the system starts the VPN automatically.
      In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries.
      Not available in watchOS.
    subkeytype: MatchDomainOnRetryElement
    subkeys: &id003
    - key: MatchDomainOnRetryElement
      title: Match Domain On Retry Element
      type: <string>
  - key: OnDemandRules
    title: On Demand Rules
    type: <array>
    presence: optional
    content: An array of dictionaries defining On Demand Rules.
    subkeytype: OnDemandRulesElement
    subkeys: &id004
    - key: OnDemandRulesElement
      title: On Demand Rules Element
      type: <dictionary>
      subkeys:
      - key: Action
        title: On Demand Action
        type: <string>
        presence: required
        rangelist:
        - Allow
        - Connect
        - Disconnect
        - EvaluateConnection
        - Ignore
        content: |-
          The action to take if this dictionary matches the current network. Possible values are:
          * 'Allow': Deprecated. Allow VPN On Demand to connect if triggered.
          * 'Connect': Unconditionally initiate a VPN connection on the next network attempt.
          * 'Disconnect': Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
          * 'EvaluateConnection': Evaluate the ActionParameters array for each connection attempt.
          * 'Ignore:' Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
          Only the 'Disconnect' action is available on watchOS 10 and later.
      - key: ActionParameters
        title: Action Parameters
        type: <array>
        presence: optional
        content: An array of dictionaries that provides rules similar to the 'OnDemandRules'
          dictionary, but evaluated on each connection instead of when the network
          changes. This value is only for use with dictionaries in which the 'Action'
          value is 'EvaluateConnection'. The system evaluates these dictionaries in
          order and the first dictionary that matches determines the behavior. Not
          available in watchOS.
        subkeys:
        - key: ActionParameter
          title: Action Parameter
          type: <dictionary>
          presence: optional
          content: |-
            A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
            The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
          subkeys:
          - key: Domains
            title: Domains
            type: <array>
            presence: required
            content: The domains to apply this evaluation.
            subkeys:
            - key: DomainsElement
              title: Domains Element
              type: <string>
          - key: DomainAction
            title: Domain Action
            type: <string>
            presence: required
            rangelist:
            - ConnectIfNeeded
            - NeverConnect
            content: |-
              Defines the VPN behavior for the specified domains. Allowed values are:
              * 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
              * 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
          - key: RequiredDNSServers
            title: Required DNS Servers
            type: <array>
            presence: optional
            content: |-
              An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
              This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
            subkeys:
            - key: RequiredDNSServersElement
              title: Required DNS Servers Element
              type: <string>
          - key: RequiredURLStringProbe
            title: Required URL String Probe
            type: <string>
            presence: optional
            content: |-
              An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
              This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
      - key: DNSDomainMatch
        title: DNS Domain Match
        type: <array>
        presence: optional
        content: |-
          An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
          The system supports a wildcard ('*') prefix. For example, '*.example.com' matches against either 'mydomain.example.com' or 'yourdomain.example.com'.
        subkeys:
        - key: DNSDomainMatchElement
          title: DNS Domain Match Element
          type: <string>
      - key: DNSServerAddressMatch
        title: DNS Server Address Match
        type: <array>
        presence: optional
        content: |-
          An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
          The system supports matching with a single wildcard. For example, '17.*' matches any DNS server in the '17.0.0.0/8' subnet.
        subkeys:
        - key: DNSServerAddressMatchElement
          title: DNS Server Address Match Element
          type: <string>
      - key: InterfaceTypeMatch
        title: Interface Type Match
        type: <string>
        presence: optional
        rangelist:
        - Ethernet
        - WiFi
        - Cellular
        content: An interface type. If specified, this rule matches only if the primary
          network interface hardware matches the specified type.
      - key: SSIDMatch
        title: SSID Match
        type: <array>
        presence: optional
        content: |-
          An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
          Omit this key and the corresponding array to match against any SSID.
        subkeys:
        - key: SSIDMatchElement
          title: SSID Match Element
          type: <string>
      - key: URLStringProbe
        title: URL String Probe
        type: <string>
        presence: optional
        content: A URL to probe. This rule matches when this URL is successfully fetched
          (returns a '200' HTTP status code) without redirection. Not available in
          watchOS.
- key: IPv4
  title: IPv4 Settings
  supportedOS:
    tvOS:
      introduced: n/a
  type: <dictionary>
  presence: optional
  content: The dictionary that contains IPv4 settings. Not available in watchOS.
  subkeys:
  - key: OverridePrimary
    title: Override Primary Connection
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the system sends all network traffic over VPN. Only applies to
      Cisco IPsec and L2TP VPN types.
- key: PPP
  title: PPP
  supportedOS:
    tvOS:
      introduced: n/a
  type: <dictionary>
  presence: optional
  content: The dictionary to use when 'VPNType' is 'L2TP' or 'PTPP'. Not available
    in watchOS.
  subkeys:
  - key: AuthName
    title: Account Username
    type: <string>
    presence: optional
    content: The VPN account user name. This key is for use with L2TP and PPTP networks.
  - key: AuthPassword
    title: Account Password
    type: <string>
    presence: optional
    content: If 'TokenCard' is '1', use this password for authentication. This key
      is for use with L2TP and PPTP networks.
  - key: TokenCard
    title: Use Token Card
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', uses a token card such as an RSA SecurID card for connecting.
      This key is for use with L2TP networks.
  - key: CommRemoteAddress
    title: Remote Address
    type: <string>
    presence: optional
    content: The IP address or host name of VPN server. This key is for use with L2TP
      and PPTP networks.
  - key: AuthEAPPlugins
    title: EAP Plugins
    type: <array>
    presence: optional
    content: 'An array of authentication plugins. For use of RSA SecurID, this array
      should only have one value: ''EAP-RSA''. This key is for use with L2TP and PPTP
      networks.'
    subkeys:
    - key: EAPPluginElement
      title: EAP Plugin
      type: <string>
      rangelist:
      - EAP-RSA
      - EAP-TLS
      - EAP-KRB
      repetition:
        min: 1
        max: 1
  - key: AuthProtocol
    title: Protocol
    type: <array>
    presence: optional
    content: An array of authentication protocols. For use of RSA SecurID, this array
      should have one value, 'EAP'. This key is for use with L2TP and PPTP networks.
    subkeys:
    - key: AuthProtocolElement
      title: Auth Protocol
      type: <string>
      rangelist:
      - EAP
      repetition:
        min: 1
        max: 1
  - key: CCPMPPE40Enabled
    title: Enable CCPMPPE40
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If '1' and 'CCPEnabled' is also '1', enables CCPMPPE128 encryption.
  - key: CCPMPPE128Enabled
    title: Enable CCPMPPE128
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If '1' and 'CCPEnabled' is also '1', enables CCPMPPE40 encryption.
  - key: CCPEnabled
    title: Enable CCP
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If '1', enables encryption on the connection. This key is for use with
      PPTP networks.
  - key: DisconnectOnIdle
    title: Enable Disconnect on Idle
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', disconnects after an on demand connection idles.
  - key: DisconnectOnIdleTimer
    title: Disconnect on Idle time
    type: <integer>
    presence: optional
    content: The length of time to wait before disconnecting an on demand connection
- key: IPSec
  title: IPSec Settings
  supportedOS:
    tvOS:
      introduced: n/a
  type: <dictionary>
  presence: optional
  content: The dictionary that contains IPSec settings. Not available in watchOS.
  subkeys:
  - key: RemoteAddress
    title: Remote Address
    type: <string>
    presence: optional
    content: The IP address or host name of the VPN server.
  - key: AuthenticationMethod
    title: Authentication Method
    type: <string>
    presence: optional
    rangelist:
    - SharedSecret
    - Certificate
    default: SharedSecret
    content: The authentication method for L2TP and Cisco IPSec.
  - key: XAuthName
    title: Username
    type: <string>
    presence: optional
    content: The user name for the VPN account for Cisco IPSec.
  - key: XAuthPassword
    title: Password
    type: <string>
    presence: optional
    content: The VPN account password for Cisco IPSec.
  - key: XAuthEnabled
    title: XAUTH Enabled
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If '1', enables Xauth for Cisco IPSec VPNs.
  - key: XAuthPasswordEncryption
    title: XAUTH Password Encryption
    type: <string>
    presence: optional
    rangelist:
    - Prompt
    content: A string that either has the value “Prompt” or isn't present.
  - key: LocalIdentifier
    title: Local Identifier
    type: <string>
    presence: optional
    content: |-
      The name of the group. For hybrid authentication, the string needs to end with 'hybrid'.
      Present only for Cisco IPSec if 'AuthenticationMethod' is 'SharedSecret'.
  - key: LocalIdentifierType
    title: Local Identifier Type
    type: <string>
    presence: optional
    rangelist:
    - KeyID
    default: KeyID
    content: Present only if 'AuthenticationMethod' is 'SharedSecret'. The value is
      'KeyID'. The system uses this value for L2TP and Cisco IPSec VPNs.
  - key: SharedSecret
    title: Shared Secret
    type: <data>
    presence: optional
    content: |-
      The shared secret for this VPN account.
      Only use this with L2TP and Cisco IPSec VPNs and if the 'AuthenticationMethod' key is to 'SharedSecret'.
  - key: PayloadCertificateUUID
    title: Certificate UUID
    type: <string>
    presence: optional
    content: |-
      The UUID of the certificate payload within the same profile to use for the account credentials.
      Only use this with Cisco IPSec VPNs and if the 'AuthenticationMethod' key is to 'Certificate'.
  - key: PromptForVPNPIN
    title: Prompt for PIN
    type: <boolean>
    presence: optional
    default: false
    content: If 'true', prompts for a PIN when connecting to Cisco IPSec VPNs.
  - key: DisconnectOnIdle
    title: Enable Disconnect on Idle
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', disconnect after an on-demand connection idles.
  - key: DisconnectOnIdleTimer
    title: Disconnect on Idle time
    type: <integer>
    presence: optional
    content: The length of time to wait before disconnecting an on-demand connection.
  - key: OnDemandEnabled
    title: Enable VPN On Demand
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', enables bringing the VPN connection up on demand.
  - key: OnDemandMatchDomainsAlways
    title: On Demand Match Domains Always
    supportedOS:
      iOS:
        deprecated: '7.0'
    type: <array>
    presence: optional
    content: Deprecated. A list of domain names. In iOS 7 and later, if this key is
      present, the system treats associated domain names as though they're associated
      with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden
      by 'OnDemandRules'.
    subkeytype: MatchDomainAlwaysElement
    subkeys: *id001
  - key: OnDemandMatchDomainsNever
    title: On Demand Match Domains Never
    supportedOS:
      iOS:
        deprecated: '7.0'
    type: <array>
    presence: optional
    content: Deprecated. A list of domain names. In iOS 7 and later, this key is deprecated
      (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules'
      dictionaries.
    subkeytype: MatchDomainNeverElement
    subkeys: *id002
  - key: OnDemandMatchDomainsOnRetry
    title: On Demand Match Domains On Retry
    supportedOS:
      iOS:
        deprecated: '7.0'
    type: <array>
    presence: optional
    content: Deprecated. A list of domain names. In iOS 7 and later, this field is
      deprecated (but still supported) in favor of 'EvaluateConnection' actions in
      the 'OnDemandRules' dictionaries.
    subkeytype: MatchDomainOnRetryElement
    subkeys: *id003
  - key: OnDemandRules
    title: On Demand Rules
    type: <array>
    presence: optional
    content: The on-demand rules dictionary.
    subkeytype: OnDemandRulesElement
    subkeys: *id004
- key: IKEv2
  title: IKEv2
  supportedOS:
    watchOS:
      introduced: '10.0'
  type: <dictionary>
  presence: optional
  content: The dictionary to use when 'VPNType' is 'IKEv2'.
  subkeys:
  - key: RemoteAddress
    title: RemoteAddress
    type: <string>
    presence: required
    content: The IP address or host name of the VPN server.
  - key: LocalIdentifier
    title: LocalIdentifier
    type: <string>
    presence: required
    content: Identifier of the IKEv2 client.
  - key: RemoteIdentifier
    title: RemoteIdentifier
    type: <string>
    presence: required
    content: The remote identifier.
  - key: AuthenticationMethod
    title: AuthenticationMethod
    type: <string>
    presence: required
    rangelist:
    - None
    - SharedSecret
    - Certificate
    content: |-
      The type of authentication method for the VPN.
      To enable EAP-only authentication, set this to 'None' and 'ExtendedAuthEnabled' to '1'. If this is 'None' and the 'ExtendedAuthEnabled' key isn't set, the authentication configuration defaults to 'SharedSecret'.
  - key: CertificateType
    title: Certificate Type
    type: <string>
    presence: optional
    rangelist:
    - RSA
    - ECDSA256
    - ECDSA384
    - ECDSA521
    - RSA-PSS
    default: RSA
    content: The type of 'PayloadCertificateUUID' to use for IKEv2 machine authentication.
      If this key is included, the system requires a value for 'ServerCertificateIssuerCommonName'.
  - key: PayloadCertificateUUID
    title: PayloadCertificateUUID
    type: <string>
    presence: optional
    content: The UUID of the certificate payload within the same profile to use as
      the account credential. If the value of 'AuthenticationMethod' is 'Certificate',
      the system sends this certificate out for IKEv2 machine authentication. If extended
      authentication (EAP) is used, the system sends this certificate out for EAP-TLS
      authentication.
  - key: Password
    title: Account Password
    type: <string>
    presence: optional
    content: The password to use for the account credentials. Only used if 'AuthenticationMethod'
      is 'Password'.
  - key: ProviderBundleIdentifier
    title: Provider Bundle Identifier
    type: <string>
    presence: optional
    content: If the VPNSubType field contains the bundle identifier of an app that
      contains multiple VPN providers of the same type (app-proxy or packet-tunnel),
      then the system uses this field to choose which provider to use for this configuration.
      If the VPN provider is implemented as a System Extension, then this field is
      required.
  - key: ProviderDesignatedRequirement
    title: Provider Designated Requirement
    supportedOS:
      iOS:
        introduced: n/a
      macOS:
        introduced: '10.15'
      visionOS:
        introduced: n/a
    type: <string>
    presence: optional
    content: If the VPN provider is implemented as a System Extension, then this field
      is required. Available in macOS 10.15 and later, tvOS 17 and later, and watchOS
      10 and later.
  - key: SharedSecret
    title: SharedSecret
    type: <string>
    presence: optional
    content: If 'AuthenticationMethod' is 'SharedSecret', this value is used for IKE
      authentication.
  - key: ExtendedAuthEnabled
    title: ExtendedAuthEnabled
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', enables EAP-only authentication.
  - key: AuthName
    title: AuthName
    type: <string>
    presence: optional
    content: The user name to use for authentication.
  - key: AuthPassword
    title: AuthPassword
    type: <string>
    presence: optional
    content: The password to use for authentication.
  - key: OnDemandEnabled
    title: Enable VPN On Demand
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', enables VPN up on demand.
  - key: OnDemandUserOverrideDisabled
    title: Prevent users from toggling VPN On Demand
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the system disables the Connect On Demand toggle in Settings
      for this configuration.
  - key: OnDemandRules
    title: On Demand Rules
    type: <array>
    presence: optional
    content: A list of rules that determine when and how to use an OnDemand VPN.
    subkeytype: OnDemandRulesElement
    subkeys: *id004
  - key: DeadPeerDetectionRate
    title: Dead Peer Detection Rate
    supportedOS:
      watchOS:
        introduced: n/a
    type: <string>
    presence: optional
    rangelist:
    - None
    - Low
    - Medium
    - High
    default: Medium
    content: |-
      One of the following:
      * 'None': No keepalive.
      * 'Low': Send keepalive every 30 minutes.
      * 'Medium': Send keepalive every 10 minutes.
      * 'High': Send keepalive every 1 minute.
      Not available in watchOS.
  - key: ServerCertificateIssuerCommonName
    title: ServerCertificateIssuerCommonName
    type: <string>
    presence: optional
    content: Common Name of the server certificate issuer. If set, this field causes
      IKE to send a certificate request based on this certificate issuer to the server.
      This key is required if the 'CertificateType' key is included and the 'ExtendedAuthEnabled'
      key is '1'.
  - key: ServerCertificateCommonName
    title: ServerCertificateCommonName
    type: <string>
    presence: optional
    content: The common name of the server certificate. The system uses this name
      to validate the certificate sent by the IKE server. If not set, the system uses
      the remote identifier to validate the certificate.
  - key: TLSMinimumVersion
    title: TLS Minimum Version
    supportedOS:
      iOS:
        introduced: '11.0'
      macOS:
        introduced: '10.13'
    type: <string>
    presence: optional
    rangelist:
    - '1.0'
    - '1.1'
    - '1.2'
    default: '1.0'
    content: The minimum TLS version to use with EAP-TLS authentication.
  - key: TLSMaximumVersion
    title: TLS Maximum Version
    supportedOS:
      iOS:
        introduced: '11.0'
      macOS:
        introduced: '10.13'
    type: <string>
    presence: optional
    rangelist:
    - '1.0'
    - '1.1'
    - '1.2'
    default: '1.2'
    content: The maximum TLS version to use with EAP-TLS authentication.
  - key: UseConfigurationAttributeInternalIPSubnet
    title: Use IPv4 / IPv6 Internal Subnet Attributes
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', negotiations should use IKEv2 Configuration Attribute 'INTERNAL_IP4_SUBNET'
      and 'INTERNAL_IP6_SUBNET'.
  - key: DisableMOBIKE
    title: Disable Mobility and Multihoming
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the system disables MOBIKE.
  - key: DisableRedirect
    title: Disable Redirect
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the system disables IKEv2 redirect. If not set, the system redirects
      an IKEv2 connection when it receives a redirect request from the server.
  - key: DisconnectOnIdle
    title: Enable Disconnect on Idle
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the VPN disconnects automatically after a period defined by 'DisconnectOnIdleTimer'.
  - key: DisconnectOnIdleTimer
    title: Disconnect on Idle time
    type: <integer>
    presence: optional
    content: Only used if 'DisconnectOnIdle' is '1'. The number of seconds before
      the VPN disconnects. On watchOS, maximum allowed value is 15 seconds
  - key: NATKeepAliveOffloadEnable
    title: NAT Keep Alive Offload Enable
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: |-
      If '1', enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If 'NATKeepAliveOffloadEnable' is '1', the system offloads keepalive packets to hardware while the device is asleep.
      NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over WiFi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the 'NATKeepAliveInterval' key.
  - key: NATKeepAliveInterval
    title: NAT Keepalive Interval
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    default: 20
    content: The NAT Keepalive interval for Always On VPN IKEv2 connections. This
      value controls the interval that the device sends keepalive offload packets.
      The minimum value is 20 seconds. If no key is specified, the default is 20 seconds
      over Wi-Fi and 110 seconds over a cellular interface.
  - key: EnablePFS
    title: Enable perfect forward secrecy
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1',  enables Perfect Forward Secrecy (PFS) for IKEv2 Connections.
  - key: EnableCertificateRevocationCheck
    title: Enable certificate revocation check
    supportedOS:
      iOS:
        introduced: '9.0'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', the system performs a certificate revocation check for IKEv2
      connections. This is a best-effort revocation check and server response timeouts
      won't cause it to fail.
  - key: EnableFallback
    title: Enable fallback
    supportedOS:
      iOS:
        introduced: '13.0'
      macOS:
        introduced: n/a
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', the system enables a tunnel over cellular data to carry traffic that's eligible for WiFi Assist and also requires VPN.
      Enabling fallback requires that the server support multiple tunnels for a single user.
      This field is available in iOS 13 and later, and tvOS 17 and later. Not available in watchOS.
  - key: MTU
    title: Maximum Transmission Unit
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: '11.0'
    type: <integer>
    presence: optional
    range:
      min: 1280
      max: 1400
    default: 1280
    content: The Maximum Transmission Unit (MTU) specifies the maximum size in bytes
      of each packet that the system sends over the IKEv2 VPN interface. Available
      in iOS 14 and later, and macOS 11 and later.
  - key: ProviderType
    type: <string>
    presence: optional
    rangelist:
    - packet-tunnel
    - app-proxy
    default: packet-tunnel
    content: If the value of this key is 'app-proxy', the VPN service tunnels traffic
      at the application layer. If the value of this key is 'packet-tunnel', the VPN
      service tunnels traffic at the IP layer.
  - key: IncludeAllNetworks
    title: Include All Networks
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: '10.15'
      tvOS:
        introduced: n/a
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', then the system routes all network traffic through the VPN, with some controllable exclusions, such as 'ExcludeLocalNetworks', 'ExcludeCellularServices', 'ExcludeAPNs', and 'ExcludeDeviceCommunication' properties. The system always excludes the following traffic from the tunnel:
      * Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
      * Traffic necessary for connecting to captive networks.
      * Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the 'ExcludeCellularServices' field for more information.
      * Network communication with a companion device such as a watchOS device.
  - key: EnforceRoutes
    title: Enforce Routes
    supportedOS:
      iOS:
        introduced: '14.2'
      macOS:
        introduced: '11.0'
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', all the VPN's non-default routes take precedence over any locally-defined
      routes. If 'IncludeAllNetworks' is '1', the system ignores 'EnforceRoutes'.
  - key: ExcludeLocalNetworks
    title: Exclude Local Networks
    supportedOS:
      iOS:
        introduced: '14.2'
      macOS:
        introduced: '10.15'
      tvOS:
        introduced: n/a
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If '1' and either 'IncludeAllNetworks' or 'EnforceRoutes' are '1', then
      the system routes local network traffic outside of the VPN. The default for
      this value is '0' on macOS and '1' on iOS.
  - key: ExcludeCellularServices
    title: Exclude Cellular Services
    supportedOS:
      iOS:
        introduced: '16.4'
      macOS:
        introduced: '13.3'
      tvOS:
        introduced: n/a
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If '1' and 'IncludeAllNetworks' is '1', the system excludes internet-routable
      network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual
      Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular
      services traffic directly to the carrier network, bypassing the internet. Such
      cellular services traffic is always excluded from the tunnel.
  - key: ExcludeAPNs
    title: Exclude APNs
    supportedOS:
      iOS:
        introduced: '16.4'
      macOS:
        introduced: '13.3'
      tvOS:
        introduced: n/a
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If '1' and 'IncludeAllNetworks' is '1', the system excludes network traffic
      for the Apple Push Notification service (APNs) from the tunnel.
  - key: ExcludeDeviceCommunication
    title: Exclude Device Communication
    supportedOS:
      iOS:
        introduced: '17.4'
      macOS:
        introduced: '14.4'
      tvOS:
        introduced: n/a
      visionOS:
        introduced: '1.1'
      watchOS:
        introduced: n/a
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If 1 and IncludeAllNetworks is 1, then network traffic used for communicating
      with devices connected via USB or Wi-Fi is excluded from the tunnel.
  - key: IKESecurityAssociationParameters
    title: IKESecurityAssociationParameters
    type: <dictionary>
    presence: optional
    content: These parameters apply to Child Security Association unless 'ChildSecurityAssociationParameters'
      is specified.
    subkeytype: SecurityAssociationParameters
    subkeys: &id005
    - key: EncryptionAlgorithm
      title: EncryptionAlgorithm
      type: <string>
      presence: optional
      rangelist:
      - DES
      - 3DES
      - AES-128
      - AES-256
      - AES-128-GCM
      - AES-256-GCM
      - ChaCha20Poly1305
      default: AES-256
      content: The encryption algorithm.
    - key: IntegrityAlgorithm
      title: IntegrityAlgorithm
      type: <string>
      presence: optional
      rangelist:
      - SHA1-96
      - SHA1-160
      - SHA2-256
      - SHA2-384
      - SHA2-512
      default: SHA2-256
      content: The integrity algorithm.
    - key: DiffieHellmanGroup
      title: DiffieHellmanGroup
      type: <integer>
      presence: optional
      rangelist:
      - 1
      - 2
      - 5
      - 14
      - 15
      - 16
      - 17
      - 18
      - 19
      - 20
      - 21
      - 31
      - 32
      default: 14
      content: The Diffie-Hellman group. For AlwaysOn VPN, minimum allowed Diffie
        Hellman Group is '14' in iOS 14.2 and later.
    - key: LifeTimeInMinutes
      title: LifeTimeInMinutes
      type: <integer>
      presence: optional
      range:
        min: 10
        max: 1440
      default: 1440
      content: The SA lifetime (rekey interval) in minutes.
  - key: ChildSecurityAssociationParameters
    title: ChildSecurityAssociationParameters
    type: <dictionary>
    presence: optional
    content: The 'ChildSecurityAssociationParameters' dictionaries.
    subkeytype: SecurityAssociationParameters
    subkeys: *id005
- key: DNS
  title: DNS
  supportedOS:
    watchOS:
      introduced: '10.0'
  type: <dictionary>
  presence: optional
  content: A dictionary to use for all VPN types.
  subkeys:
  - key: DNSProtocol
    title: DNS Protocol
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: '11.0'
    type: <string>
    presence: required
    rangelist:
    - Cleartext
    - HTTPS
    - TLS
    content: The transport protocol to communicate with the DNS server.
  - key: ServerURL
    title: Server URL
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: '11.0'
    type: <string>
    presence: optional
    content: The URI template of a DNS-over-HTTPS server, as defined in RFC 8484,
      which needs to use the 'https://' scheme. The system uses the hostname or address
      in the URL to validate the server certificate. If 'ServerAddresses' isn't specified,
      the system uses the hostname or address in the URL to determine the server addresses.
      This key is required if the 'DNSProtocol' is 'HTTPS'.
  - key: ServerName
    title: Server Name
    supportedOS:
      iOS:
        introduced: '14.0'
      macOS:
        introduced: '11.0'
    type: <string>
    presence: optional
    content: The hostname of a DNS-over-TLS server to validate the server certificate,
      as defined in RFC 7858. If 'ServerAddresses' isn't specified, the system uses
      the hostname to determine the server addresses. This key is required if the
      'DNSProtocol' is 'TLS'.
  - key: ServerAddresses
    title: DNS Server Addresses
    supportedOS:
      iOS:
        introduced: '10.0'
      macOS:
        introduced: '10.12'
    type: <array>
    presence: required
    content: The array of DNS server IP address strings. These IP addresses can be
      a mixture of IPv4 and IPv6 addresses.
    subkeys:
    - key: ServerAddressesElement
      title: Server Address Element
      type: <string>
  - key: SearchDomains
    title: DNS Search Domains
    supportedOS:
      iOS:
        introduced: '10.0'
      macOS:
        introduced: '10.12'
    type: <array>
    presence: optional
    content: The list of domain strings used to fully qualify single-label host names.
    subkeys:
    - key: SearchDomainsElement
      title: Search Domains Element
      type: <string>
  - key: DomainName
    title: Domain Name
    supportedOS:
      iOS:
        introduced: '10.0'
      macOS:
        introduced: '10.12'
    type: <string>
    presence: optional
    content: The primary domain of the tunnel.
  - key: SupplementalMatchDomains
    title: Supplemental Match Domains
    supportedOS:
      iOS:
        introduced: '10.0'
      macOS:
        introduced: '10.12'
    type: <array>
    presence: optional
    content: |-
      The list of domain strings used to determine which DNS queries use the DNS resolver settings in 'ServerAddresses'. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
      If 'SupplementalMatchDomains' contains the empty string it becomes the default domain.
      Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in 'ServerAddresses' become the default resolver and the system ignores the 'SupplementalMatchDomains' list.
    subkeys: &id006
    - key: SupplementalMatchDomainsElement
      title: Supplemental Match Domains Element
      type: <string>
  - key: SupplementalMatchDomainsNoSearch
    title: Supplemental Match Domains No Search
    supportedOS:
      iOS:
        introduced: '10.0'
      macOS:
        introduced: '10.12'
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '0', append the domains in the 'SupplementalMatchDomains' list to
      the resolver's list of search domains.
  - key: PayloadCertificateUUID
    title: DNS Certificate UUID
    supportedOS:
      iOS:
        introduced: '16.0'
      macOS:
        introduced: '13.0'
    type: <string>
    presence: optional
    format: ^[0-9A-Za-z]{8}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{4}-[0-9A-Za-z]{12}$
    content: That UUID that points to an identity certificate payload. The system
      uses this identity to authenticate the user to the DNS resolver.
- key: Proxies
  title: Proxies
  supportedOS:
    watchOS:
      introduced: '10.0'
  type: <dictionary>
  presence: optional
  content: The dictionary to use to configure 'Proxies' for use with 'VPN'.
  subkeys:
  - key: ProxyAutoConfigEnable
    title: Proxy AutoConfig Enable
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    content: If 'true', enables automatic proxy configuration.
  - key: ProxyAutoDiscoveryEnable
    title: Proxy Auto Discovery Enable
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 1
    content: If 'true', enables proxy auto discovery.
  - key: ProxyAutoConfigURLString
    title: Proxy Server URL
    type: <string>
    presence: optional
    content: The URL to the location of the proxy auto-configuration file. Used only
      when 'ProxyAutoConfigEnable' is 'true'.
  - key: SupplementalMatchDomains
    title: Supplemental Match Domains
    type: <array>
    presence: optional
    content: An array of domains that defines which hosts use proxy settings for hosts.
    subkeys: *id006
  - key: HTTPEnable
    title: Enable HTTP
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', enables proxy for HTTP traffic.
  - key: HTTPProxy
    title: HTTP Proxy
    type: <string>
    presence: optional
    content: The port number of the HTTP proxy. This field is required if 'HTTPProxy'
      is specified.
  - key: HTTPPort
    title: HTTP Port
    type: <integer>
    presence: optional
    range:
      min: 0
      max: 65535
    content: The host name of the HTTP proxy.
  - key: HTTPProxyUsername
    title: HTTP ProxyUsername
    type: <string>
    presence: optional
    content: The user name used for authentication.
  - key: HTTPProxyPassword
    title: HTTP ProxyPassword
    type: <string>
    presence: optional
    content: The password used for authentication.
  - key: HTTPSEnable
    title: Enable HTTPS
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If 'true', enables proxy for HTTPS traffic.
  - key: HTTPSProxy
    title: HTTPS Proxy
    type: <string>
    presence: optional
    content: The host name of the HTTPS proxy.
  - key: HTTPSPort
    title: HTTPS Port
    type: <integer>
    presence: optional
    range:
      min: 0
      max: 65535
    content: The port number of the HTTPS proxy. This field is required if 'HTTPSProxy'
      is specified.
- key: AlwaysOn
  title: AlwaysOn
  supportedOS:
    iOS:
      introduced: '8.0'
    macOS:
      introduced: n/a
    tvOS:
      introduced: n/a
  type: <dictionary>
  presence: optional
  content: The dictionary to use when 'VPNType' is 'AlwaysOn'. Not available in tvOS
    or watchOS.
  subkeys:
  - key: UIToggleEnabled
    title: UI Toggle Enabled
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', allows the user to disable the VPN configuration.
  - key: TunnelConfigurations
    title: TunnelConfigurations
    type: <array>
    presence: required
    content: An array that contains an arbitrary number of tunnel configurations.
    subkeys:
    - key: TunnelConfigurationElement
      title: A TunnelConfiguration Element
      type: <dictionary>
      subkeys:
      - key: ProtocolType
        title: Protocol Type
        type: <string>
        presence: required
        rangelist:
        - IKEv2
        content: The type of connection, which needs to be 'IKEv2'.
      - key: Interfaces
        title: Interfaces
        type: <array>
        presence: optional
        content: The interfaces to apply this configuration to.
        subkeys:
        - key: InterfacesElement
          title: Interfaces Element
          type: <string>
          rangelist:
          - Cellular
          - WiFi
  - key: ServiceExceptions
    title: ServiceExceptions
    type: <array>
    presence: optional
    content: An array that contains an arbitrary number of service exceptions.
    subkeys:
    - key: ServiceExceptionElement
      title: A ServiceException Element
      type: <dictionary>
      subkeys:
      - key: ServiceName
        title: Service Name
        type: <string>
        presence: required
        rangelist:
        - VoiceMail
        - AirPrint
        - CellularServices
        - DeviceCommunication
        content: The name of a service that's exempt from Always On VPN. 'CellularServices'
          is available in iOS 11.3 and later; it exempts 'VoLTE', 'IMS' and 'MMS'.
          WiFiCalling is exempted in iOS 13.4 and later.  DeviceCommunication is available
          in iOS 17.4 and later; it exempts network traffic used for communicating
          with devices connected via USB or Wi-Fi.
      - key: Action
        title: Action
        type: <string>
        presence: required
        rangelist:
        - Allow
        - Drop
        content: The action to take with network connections from the named service.
  - key: ApplicationExceptions
    title: ApplicationExceptions
    supportedOS:
      iOS:
        introduced: '13.6'
    type: <array>
    presence: optional
    content: An array that contains an arbitrary number of apps whose connections
      occur outside the VPN.
    subkeys:
    - key: ApplicationExceptionElement
      title: A ApplicationException Element
      type: <dictionary>
      subkeys:
      - key: BundleIdentifier
        title: Bundle Identifier
        type: <string>
        presence: required
        content: The app's bundle identifier.
      - key: LimitToProtocols
        title: LimitToProtocols
        type: <array>
        presence: optional
        content: Limit the exception to only the specified list of protocols, with
          support for 'UDP' only.
        subkeys:
        - key: LimitToProtocolElement
          title: LimitToProtocol Element
          type: <string>
          rangelist:
          - UDP
  - key: AllowCaptiveWebSheet
    title: Allow Captive Web Sheet
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', allows traffic from Captive Web Sheet outside the VPN tunnel.
  - key: AllowAllCaptiveNetworkPlugins
    title: Allow All Captive Network Plugins
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: If '1', allows traffic from all captive networking apps outside the VPN
      tunnel to perform captive network handling.
  - key: AllowedCaptiveNetworkPlugins
    title: AllowedCaptiveNetworkPlugins
    type: <array>
    presence: optional
    content: The array of captive networking apps whose traffic is allowed outside
      the VPN tunnel, to perform captive network handling. Used only when 'AllowAllCaptiveNetworkPlugins
      'is 'false'.
    subkeys:
    - key: AllowedCaptiveNetworkPluginElement
      title: An AllowedCaptiveNetworkPlugin Element
      type: <dictionary>
      subkeys:
      - key: BundleIdentifier
        title: Bundle Identifier
        type: <string>
        presence: required
        content: The bundle identifier for the app that's allowed on the captive network.
- key: TransparentProxy
  title: TransparentProxy
  supportedOS:
    iOS:
      introduced: n/a
    macOS:
      introduced: '14.0'
    tvOS:
      introduced: n/a
    visionOS:
      introduced: n/a
  type: <dictionary>
  presence: optional
  content: The dictionary to use when 'VPNType' is 'TransparentProxy'. Available in
    macOS 14 and later.
  subkeys:
  - key: AuthenticationMethod
    title: Authentication Method
    type: <string>
    presence: optional
    rangelist:
    - Password
    - Certificate
    - Password+Certificate
    default: Password
    content: |-
      The type of authentication method to use: 'Password', 'Certificate', or 'Password+Certificate'.
      Available in macOS 14 and later.
  - key: DisconnectOnIdle
    title: Enable Disconnect on Idle
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', the VPN disconnects automatically disconnect after a period defined by 'DisconnectOnIdleTimer'.
      Available in macOS 14 and later.
  - key: DisconnectOnIdleTimer
    title: Disconnect on Idle time
    type: <integer>
    presence: optional
    content: |-
      The number of seconds before the VPN disconnects. This value is only used if 'DisconnectOnIdle' is '1'.
      Available in macOS 14 and later.
  - key: EnforceRoutes
    title: Enforce Routes
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', then all the VPN's non-default routes take precedence over any locally-defined routes. If 'IncludeAllNetworks' is '1', the system ignores the value of 'EnforceRoutes'.
      Available in macOS 14 and later.
  - key: OnDemandEnabled
    title: Enable VPN On Demand
    type: <integer>
    presence: optional
    rangelist:
    - 0
    - 1
    default: 0
    content: |-
      If '1', the system brings up the VPN on demand.
      Available in macOS 14 and later.
  - key: OnDemandRules
    title: On Demand Rules
    type: <array>
    presence: optional
    content: |-
      Determines when and how the system uses an OnDemand VPN.
      Available in macOS 14 and later.
    subkeytype: OnDemandRulesElement
    subkeys: *id004
  - key: PayloadCertificateUUID
    title: PayloadCertificateUUID
    type: <string>
    presence: optional
    content: |-
      The UUID of the identity certificate as the account credential. If 'AuthenticationMethod' is 'Certificate', and extended authentication (EAP) isn't used, this certificate is sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS.
      Available in macOS 14 and later.
  - key: Password
    title: Account Password
    type: <string>
    presence: optional
    content: |-
      The password to use for the account credentials. Only used if 'AuthenticationMethod' is 'Password'.
      Available in macOS 14 and later.
  - key: ProviderBundleIdentifier
    title: Provider Bundle Identifier
    type: <string>
    presence: optional
    content: |-
      If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required.
      Available in macOS 14 and later.
  - key: ProviderDesignatedRequirement
    title: Provider Designated Requirement
    type: <string>
    presence: optional
    content: |-
      If the VPN provider is implemented as a System Extension, then this field is required.
      Available in macOS 14 and later.
  - key: ProviderType
    type: <string>
    presence: optional
    rangelist:
    - packet-tunnel
    - app-proxy
    default: packet-tunnel
    content: |-
      If the value of this key is 'app-proxy', the VPN service tunnels traffic at the application layer. If the value of this key is 'packet-tunnel', the VPN service tunnels traffic at the IP layer.
      Available in macOS 14 and later.
  - key: Order
    title: Order
    type: <integer>
    presence: optional
    content: |-
      A positive integer.
      Available in macOS 14 and later.