com.apple.vpn.managed.yaml
1821 lines (1820 loc) · 59.6 KB
title: VPN
description: Use this section to define settings for VPN access.
payload:
payloadtype: com.apple.vpn.managed
supportedOS:
iOS:
introduced: '4.0'
multiple: true
supervised: false
allowmanualinstall: true
sharedipad:
mode: allowed
devicechannel: true
userchannel: false
userenrollment:
mode: forbidden
macOS:
introduced: '10.7'
multiple: true
devicechannel: true
userchannel: true
requiresdep: false
userapprovedmdm: false
allowmanualinstall: true
userenrollment:
mode: forbidden
tvOS:
introduced: '17.0'
multiple: true
supervised: false
allowmanualinstall: true
visionOS:
introduced: '1.0'
multiple: true
supervised: false
allowmanualinstall: true
userenrollment:
mode: forbidden
watchOS:
introduced: n/a
payloadkeys:
- key: VPNType
title: Type
type: <string>
presence: required
rangelist:
- VPN
- L2TP
- IPSec
- IKEv2
- AlwaysOn
- TransparentProxy
content: |-
The type of the VPN, which defines which settings are appropriate for this VPN payload.
If the type is 'VPN' or 'TransparentProxy', then the system requires a value for 'VPNSubType'.
'TransparentProxy' is only available in macOS. 'L2TP' and 'IPSec' aren't available in tvOS. 'AlwaysOn' is only available on iOS and Apple Watch pairing isn't supported with 'AlwaysOn'. For a previously paired Apple Watch, all phone-watch communications cease when 'AlwaysOn' is enabled. Not available in watchOS.
- key: VPNSubType
title: VPN Subtype
type: <string>
presence: optional
content: |-
An identifier for a vendor-specified configuration dictionary when the value for 'VPNType' is 'VPN'.
If 'VPNType' is 'VPN', the system requires this field. If the configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.
If 'VPNType' is 'IKEv2', then the 'VPNSubType' field is optional and reserved for future use. If it's specified, it needs to contain an empty string.
Not available in watchOS.
- key: UserDefinedName
title: User Defined Name
type: <string>
presence: required
content: |-
The description of the VPN connection that the system displays on the device.
Not available in watchOS.
- key: VendorConfig
title: Vendor Configuration Dictionary
type: <dictionary>
presence: optional
content: The vendor-specific configuration dictionary, which the system reads only
when 'VPNSubType' has a value. Not available in watchOS.
subkeys:
- key: Realm
title: Realm
type: <string>
presence: optional
content: The Kerberos realm name, which needs to be properly capitalized. Valid
only for Juniper SSL and Pulse Secure. Not available in watchOS.
- key: Role
title: Role
type: <string>
presence: optional
content: The role to select when connecting to the server. Valid only for Juniper
SSL and Pulse Secure. Not available in watchOS.
- key: Group
title: Group
type: <string>
presence: optional
content: The group to connect to on the head end. Valid for Cisco AnyConnect and
Cisco Legacy AnyConnect. Not available in watchOS.
- key: LoginGroupOrDomain
title: Login Group or Domain
type: <string>
presence: optional
content: The login group or domain. Valid only for SonicWALL Mobile Connect. Not
available in watchOS.
- key: VPN
title: VPN
type: <dictionary>
presence: optional
content: The VPN dictionary is used when 'VPNType' is 'VPN'.
subkeys:
- key: AuthenticationMethod
title: Authentication Method
type: <string>
presence: optional
rangelist:
- Password
- Certificate
- Password+Certificate
default: Password
content: The authentication method to use.
- key: PayloadCertificateUUID
title: Certificate UUID
type: <string>
presence: optional
content: The UUID of the certificate payload within the same profile to use for
account credentials.
- key: Password
title: Account Password
type: <string>
presence: optional
content: The VPN user password.
- key: ProviderBundleIdentifier
title: Provider Bundle Identifier
type: <string>
presence: optional
content: The bundle identifier for the VPN provider. Not available in watchOS.
- key: ProviderDesignatedRequirement
title: Provider Designated Requirement
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
visionOS:
introduced: n/a
type: <string>
presence: optional
content: If the VPN provider is implemented as a system extension, this field
is required. Not available in watchOS.
- key: DisconnectOnIdle
title: Enable Disconnect on Idle
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', disconnects after an on-demand connection idles.
- key: DisconnectOnIdleTimer
title: Disconnect on Idle time
type: <integer>
presence: optional
content: The length of time to wait, in seconds, before disconnecting an on-demand
connection. In watchOS, the maximum allowed value is '15'.
- key: ProviderType
type: <string>
presence: optional
rangelist:
- packet-tunnel
- app-proxy
default: packet-tunnel
content: The type of VPN service. If the value is 'app-proxy', the service tunnels
traffic at the app level. If the value is 'packet-tunnel', the service tunnels
traffic at the IP layer. Not available in watchOS.
- key: IncludeAllNetworks
title: Include All Networks
supportedOS:
iOS:
introduced: '14.0'
macOS:
introduced: '10.15'
tvOS:
introduced: n/a
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: |-
If '1', routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the ExcludeLocalNetworks, ExcludeCellularServices, ExcludeAPNs and ExcludeDeviceCommunication properties. See the documentation for those properties. The following traffic is always excluded from the tunnel. Not available in watchOS.
* Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
* Traffic necessary for connecting to captive networks.
* Certain cellular services traffic that is not routable over the internet and is instead directly routed to the cellular network. See the ExcludeCellularServices property for more details.
* Network communication with a companion device such as a watchOS device.
- key: EnforceRoutes
title: Enforce Routes
supportedOS:
iOS:
introduced: '14.2'
macOS:
introduced: '11.0'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: |-
If '1', all the VPN's non-default routes take precedence over any locally defined routes.
If 'IncludeAllNetworks' is '1', the system ignores the value of 'EnforceRoutes'.
Available in iOS 14.2 and later, and macOS 11 and later. Not available in watchOS.
- key: ExcludeLocalNetworks
title: Exclude Local Networks
supportedOS:
iOS:
introduced: '14.2'
macOS:
introduced: '10.15'
tvOS:
introduced: n/a
type: <integer>
presence: optional
rangelist:
- 0
- 1
content: If '1' and 'IncludeAllNetworks' is '1', routes all local network traffic
outside the VPN. Not available in watchOS.
- key: ExcludeCellularServices
title: Exclude Cellular Services
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
tvOS:
introduced: n/a
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes internet-routable
network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual
Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular
services traffic directly to the carrier network, bypassing the internet. Such
cellular services traffic is always excluded from the tunnel. Not available
in watchOS.
- key: ExcludeAPNs
title: Exclude APNs
supportedOS:
iOS:
introduced: '16.4'
macOS:
introduced: '13.3'
tvOS:
introduced: n/a
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If '1' and 'IncludeAllNetworks' is '1', then the system excludes the
network traffic for the Apple Push Notification service (APNs) from the tunnel.
Not available in watchOS.
- key: ExcludeDeviceCommunication
title: Exclude Device Communication
supportedOS:
iOS:
introduced: '17.4'
macOS:
introduced: '14.4'
tvOS:
introduced: n/a
visionOS:
introduced: '1.1'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 1
content: If '1' and 'IncludeAllNetworks' is '1', then network traffic used for communicating
with devices connected via USB or Wi-Fi is excluded from the tunnel.
- key: OnDemandEnabled
title: Enable VPN On Demand
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', enables VPN On Demand.
- key: OnDemandUserOverrideDisabled
title: Prevent users from toggling VPN On Demand
supportedOS:
iOS:
introduced: '14.0'
macOS:
introduced: n/a
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', the Connect On Demand toggle in Settings is disabled for this
configuration. Available in iOS 14 and later. Not available in watchOS.
- key: OnDemandMatchDomainsAlways
title: On Demand Match Domains Always
supportedOS:
iOS:
deprecated: '7.0'
type: <array>
presence: optional
content: |-
A list of domain names. The system treats associated domain names as though they're associated with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden by 'OnDemandRules'.
In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries.
Not available in watchOS.
subkeytype: MatchDomainAlwaysElement
subkeys: &id001
- key: MatchDomainAlwaysElement
title: Match Domain Always Element
type: <string>
- key: OnDemandMatchDomainsNever
title: On Demand Match Domains Never
supportedOS:
iOS:
deprecated: '7.0'
type: <array>
presence: optional
content: |-
A list of domain names. If the host name ends with one of these domain names, the system doesn't start the VPN automatically. The system uses this value to exclude a subdomain within an included domain.
In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries.
Not available in watchOS.
subkeytype: MatchDomainNeverElement
subkeys: &id002
- key: MatchDomainNeverElement
title: Match Domain Never Element
type: <string>
- key: OnDemandMatchDomainsOnRetry
title: On Demand Match Domains On Retry
supportedOS:
iOS:
deprecated: '7.0'
type: <array>
presence: optional
content: |-
A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the system starts the VPN automatically.
In iOS 7 and later, this key is deprecated (but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules' dictionaries.
Not available in watchOS.
subkeytype: MatchDomainOnRetryElement
subkeys: &id003
- key: MatchDomainOnRetryElement
title: Match Domain On Retry Element
type: <string>
- key: OnDemandRules
title: On Demand Rules
type: <array>
presence: optional
content: An array of dictionaries defining On Demand Rules.
subkeytype: OnDemandRulesElement
subkeys: &id004
- key: OnDemandRulesElement
title: On Demand Rules Element
type: <dictionary>
subkeys:
- key: Action
title: On Demand Action
type: <string>
presence: required
rangelist:
- Allow
- Connect
- Disconnect
- EvaluateConnection
- Ignore
content: |-
The action to take if this dictionary matches the current network. Possible values are:
* 'Allow': Deprecated. Allow VPN On Demand to connect if triggered.
* 'Connect': Unconditionally initiate a VPN connection on the next network attempt.
* 'Disconnect': Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
* 'EvaluateConnection': Evaluate the ActionParameters array for each connection attempt.
* 'Ignore': Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
Only the 'Disconnect' action is available on watchOS 10 and later.
- key: ActionParameters
title: Action Parameters
type: <array>
presence: optional
content: An array of dictionaries that provides rules similar to the 'OnDemandRules'
dictionary, but evaluated on each connection instead of when the network
changes. This value is only for use with dictionaries in which the 'Action'
value is 'EvaluateConnection'. The system evaluates these dictionaries in
order and the first dictionary that matches determines the behavior. Not
available in watchOS.
subkeys:
- key: ActionParameter
title: Action Parameter
type: <dictionary>
presence: optional
content: |-
A dictionary that provides rules similar to the OnDemandRules dictionary, but evaluated on each connection instead of when the network changes. These dictionaries are evaluated in order, and the behavior is determined by the first dictionary that matches.
The keys allowed in each dictionary are described below. Note: This array is used only for dictionaries in which EvaluateConnection is the Action value.
subkeys:
- key: Domains
title: Domains
type: <array>
presence: required
content: The domains to apply this evaluation.
subkeys:
- key: DomainsElement
title: Domains Element
type: <string>
- key: DomainAction
title: Domain Action
type: <string>
presence: required
rangelist:
- ConnectIfNeeded
- NeverConnect
content: |-
Defines the VPN behavior for the specified domains. Allowed values are:
* 'ConnectIfNeeded': The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it can't resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
* 'NeverConnect': The specified domains should never trigger a VPN connection attempt.
- key: RequiredDNSServers
title: Required DNS Servers
type: <array>
presence: optional
content: |-
An array of IP addresses of DNS servers to use for resolving the specified domains. These servers don't need to be part of the device's current network configuration. If these DNS servers aren't reachable, the system establishes a VPN connection. These DNS servers need to be either internal DNS servers or trusted external DNS servers.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
subkeys:
- key: RequiredDNSServersElement
title: Required DNS Servers Element
type: <string>
- key: RequiredURLStringProbe
title: Required URL String Probe
type: <string>
presence: optional
content: |-
An HTTP or HTTPS (preferred) URL to probe, using a GET request. If the URL's hostname can't be resolved, if the server is unreachable, or if the server doesn't respond with a 200 HTTP status code, a VPN connection is established in response.
This key is valid only if the value of 'DomainAction' is 'ConnectIfNeeded'.
- key: DNSDomainMatch
title: DNS Domain Match
type: <array>
presence: optional
content: |-
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a wildcard ('*') prefix. For example, '*.example.com' matches against either 'mydomain.example.com' or 'yourdomain.example.com'.
subkeys:
- key: DNSDomainMatchElement
title: DNS Domain Match Element
type: <string>
- key: DNSServerAddressMatch
title: DNS Server Address Match
type: <array>
presence: optional
content: |-
An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, '17.*' matches any DNS server in the '17.0.0.0/8' subnet.
subkeys:
- key: DNSServerAddressMatchElement
title: DNS Server Address Match Element
type: <string>
- key: InterfaceTypeMatch
title: Interface Type Match
type: <string>
presence: optional
rangelist:
- Ethernet
- WiFi
- Cellular
content: An interface type. If specified, this rule matches only if the primary
network interface hardware matches the specified type.
- key: SSIDMatch
title: SSID Match
type: <array>
presence: optional
content: |-
An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
Omit this key and the corresponding array to match against any SSID.
subkeys:
- key: SSIDMatchElement
title: SSID Match Element
type: <string>
- key: URLStringProbe
title: URL String Probe
type: <string>
presence: optional
content: A URL to probe. This rule matches when this URL is successfully fetched
(returns a '200' HTTP status code) without redirection. Not available in
watchOS.
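The OnDemandRules and ActionParameters keys above describe an ordered, first-match rule evaluation with wildcard matching on search domains and resolver addresses. The Python model below is an added example for this page, not Apple's implementation: the rule set, the network descriptions and their dictionary layout (interface, ssid, search_domains, dns_servers) are constructed here, suffix matching of the ActionParameters Domains is an assumption, and the URL and DNS probes (URLStringProbe, RequiredURLStringProbe, RequiredDNSServers) are deliberately not modelled so that it runs offline.

```python
"""Model of VPN On Demand rule evaluation as described by the OnDemandRules and
ActionParameters keys of com.apple.vpn.managed.  Added illustration, not Apple's
code: the rule set and the 'network' dictionary layout (interface, ssid,
search_domains, dns_servers) are constructed for this example, and network
probes are not modelled."""
from fnmatch import fnmatchcase
from typing import Optional


def _domain_matches(pattern: str, domain: str) -> bool:
    """DNSDomainMatch: exact match, or a '*.' prefix wildcard so that
    '*.example.com' matches 'mydomain.example.com' (but not 'example.com')."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])  # pattern[1:] is '.example.com'
    return pattern == domain


def _dns_server_matches(pattern: str, address: str) -> bool:
    """DNSServerAddressMatch: a single '*' wildcard, e.g. '17.*' matches any
    resolver in 17.0.0.0/8."""
    return fnmatchcase(address, pattern)


def rule_matches(rule: dict, network: dict) -> bool:
    """Every criterion the rule specifies must match; a rule with no criteria
    matches any network, which is how a trailing catch-all rule is written."""
    interface = network.get("interface")
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != interface:
        return False
    if "SSIDMatch" in rule:
        # The match fails if the network is not Wi-Fi or its SSID is not listed.
        if interface != "WiFi" or network.get("ssid") not in rule["SSIDMatch"]:
            return False
    if "DNSDomainMatch" in rule and not any(
        _domain_matches(p, d)
        for p in rule["DNSDomainMatch"]
        for d in network.get("search_domains", [])
    ):
        return False
    if "DNSServerAddressMatch" in rule and not any(
        _dns_server_matches(p, a)
        for p in rule["DNSServerAddressMatch"]
        for a in network.get("dns_servers", [])
    ):
        return False
    return True


def select_rule(rules: list, network: dict) -> Optional[dict]:
    """Rules are evaluated in order; the first one that matches decides."""
    for rule in rules:
        if rule_matches(rule, network):
            return rule
    return None


def evaluate_connection(rule: dict, hostname: str) -> Optional[str]:
    """For an EvaluateConnection rule, return the DomainAction of the first
    ActionParameters entry whose Domains cover the hostname.  Suffix matching
    of Domains is our assumption; None means no entry applied."""
    hostname = hostname.lower()
    for params in rule.get("ActionParameters", []):
        for domain in params["Domains"]:
            domain = domain.lower()
            if hostname == domain or hostname.endswith("." + domain):
                return params["DomainAction"]
    return None


# Constructed rule set, listed in evaluation order.
SAMPLE_RULES = [
    # On the corporate Wi-Fi the tunnel is not needed: tear it down.
    {"InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpNet"], "Action": "Disconnect"},
    # On cellular, connect only when an internal name is needed.
    {"InterfaceTypeMatch": "Cellular", "Action": "EvaluateConnection",
     "ActionParameters": [
         {"Domains": ["intranet.example.com"], "DomainAction": "ConnectIfNeeded",
          "RequiredDNSServers": ["10.0.0.53"]},
         {"Domains": ["example.com"], "DomainAction": "NeverConnect"},
     ]},
    # A network whose resolvers are in 10/8 AND that advertises an example.com
    # search domain is treated as internal (both criteria must hold).
    {"DNSServerAddressMatch": ["10.*"], "DNSDomainMatch": ["*.example.com"],
     "Action": "Disconnect"},
    # Anything else is untrusted: connect.
    {"Action": "Connect"},
]
```

Because a rule with no criteria matches everything, the ordering of the array is the whole policy: a catch-all placed before the SSID or resolver rules would shadow them, which is worth checking whenever a profile's OnDemandRules are reviewed.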
- key: IPv4
title: IPv4 Settings
supportedOS:
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary that contains IPv4 settings. Not available in watchOS.
subkeys:
- key: OverridePrimary
title: Override Primary Connection
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', the system sends all network traffic over VPN. Only applies to
Cisco IPsec and L2TP VPN types.
- key: PPP
title: PPP
supportedOS:
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary to use when 'VPNType' is 'L2TP' or 'PPTP'. Not available
in watchOS.
subkeys:
- key: AuthName
title: Account Username
type: <string>
presence: optional
content: The VPN account user name. This key is for use with L2TP and PPTP networks.
- key: AuthPassword
title: Account Password
type: <string>
presence: optional
content: If 'TokenCard' is '1', use this password for authentication. This key
is for use with L2TP and PPTP networks.
- key: TokenCard
title: Use Token Card
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', uses a token card such as an RSA SecurID card for connecting.
This key is for use with L2TP networks.
- key: CommRemoteAddress
title: Remote Address
type: <string>
presence: optional
content: The IP address or host name of VPN server. This key is for use with L2TP
and PPTP networks.
- key: AuthEAPPlugins
title: EAP Plugins
type: <array>
presence: optional
content: 'An array of authentication plugins. For use of RSA SecurID, this array
should only have one value: ''EAP-RSA''. This key is for use with L2TP and PPTP
networks.'
subkeys:
- key: EAPPluginElement
title: EAP Plugin
type: <string>
rangelist:
- EAP-RSA
- EAP-TLS
- EAP-KRB
repetition:
min: 1
max: 1
- key: AuthProtocol
title: Protocol
type: <array>
presence: optional
content: An array of authentication protocols. For use of RSA SecurID, this array
should have one value, 'EAP'. This key is for use with L2TP and PPTP networks.
subkeys:
- key: AuthProtocolElement
title: Auth Protocol
type: <string>
rangelist:
- EAP
repetition:
min: 1
max: 1
- key: CCPMPPE40Enabled
title: Enable CCPMPPE40
type: <integer>
presence: optional
rangelist:
- 0
- 1
content: If '1' and 'CCPEnabled' is also '1', enables CCPMPPE128 encryption.
- key: CCPMPPE128Enabled
title: Enable CCPMPPE128
type: <integer>
presence: optional
rangelist:
- 0
- 1
content: If '1' and 'CCPEnabled' is also '1', enables CCPMPPE40 encryption.
- key: CCPEnabled
title: Enable CCP
type: <integer>
presence: optional
rangelist:
- 0
- 1
content: If '1', enables encryption on the connection. This key is for use with
PPTP networks.
- key: DisconnectOnIdle
title: Enable Disconnect on Idle
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', disconnects after an on-demand connection idles.
- key: DisconnectOnIdleTimer
title: Disconnect on Idle time
type: <integer>
presence: optional
content: The length of time to wait before disconnecting an on-demand connection.
- key: IPSec
title: IPSec Settings
supportedOS:
tvOS:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary that contains IPSec settings. Not available in watchOS.
subkeys:
- key: RemoteAddress
title: Remote Address
type: <string>
presence: optional
content: The IP address or host name of the VPN server.
- key: AuthenticationMethod
title: Authentication Method
type: <string>
presence: optional
rangelist:
- SharedSecret
- Certificate
default: SharedSecret
content: The authentication method for L2TP and Cisco IPSec.
- key: XAuthName
title: Username
type: <string>
presence: optional
content: The user name for the VPN account for Cisco IPSec.
- key: XAuthPassword
title: Password
type: <string>
presence: optional
content: The VPN account password for Cisco IPSec.
- key: XAuthEnabled
title: XAUTH Enabled
type: <integer>
presence: optional
rangelist:
- 0
- 1
content: If '1', enables Xauth for Cisco IPSec VPNs.
- key: XAuthPasswordEncryption
title: XAUTH Password Encryption
type: <string>
presence: optional
rangelist:
- Prompt
content: A string that either has the value 'Prompt' or isn't present.
- key: LocalIdentifier
title: Local Identifier
type: <string>
presence: optional
content: |-
The name of the group. For hybrid authentication, the string needs to end with 'hybrid'.
Present only for Cisco IPSec if 'AuthenticationMethod' is 'SharedSecret'.
- key: LocalIdentifierType
title: Local Identifier Type
type: <string>
presence: optional
rangelist:
- KeyID
default: KeyID
content: Present only if 'AuthenticationMethod' is 'SharedSecret'. The value is
'KeyID'. The system uses this value for L2TP and Cisco IPSec VPNs.
- key: SharedSecret
title: Shared Secret
type: <data>
presence: optional
content: |-
The shared secret for this VPN account.
Only use this with L2TP and Cisco IPSec VPNs and if the 'AuthenticationMethod' key is set to 'SharedSecret'.
- key: PayloadCertificateUUID
title: Certificate UUID
type: <string>
presence: optional
content: |-
The UUID of the certificate payload within the same profile to use for the account credentials.
Only use this with Cisco IPSec VPNs and if the 'AuthenticationMethod' key is set to 'Certificate'.
- key: PromptForVPNPIN
title: Prompt for PIN
type: <boolean>
presence: optional
default: false
content: If 'true', prompts for a PIN when connecting to Cisco IPSec VPNs.
- key: DisconnectOnIdle
title: Enable Disconnect on Idle
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', disconnects after an on-demand connection idles.
- key: DisconnectOnIdleTimer
title: Disconnect on Idle time
type: <integer>
presence: optional
content: The length of time to wait before disconnecting an on-demand connection.
- key: OnDemandEnabled
title: Enable VPN On Demand
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', enables bringing the VPN connection up on demand.
- key: OnDemandMatchDomainsAlways
title: On Demand Match Domains Always
supportedOS:
iOS:
deprecated: '7.0'
type: <array>
presence: optional
content: Deprecated. A list of domain names. In iOS 7 and later, if this key is
present, the system treats associated domain names as though they're associated
with the 'OnDemandMatchDomainsOnRetry' key. This behavior can be overridden
by 'OnDemandRules'.
subkeytype: MatchDomainAlwaysElement
subkeys: *id001
- key: OnDemandMatchDomainsNever
title: On Demand Match Domains Never
supportedOS:
iOS:
deprecated: '7.0'
type: <array>
presence: optional
content: Deprecated. A list of domain names. In iOS 7 and later, this key is deprecated
(but still supported) in favor of 'EvaluateConnection' actions in the 'OnDemandRules'
dictionaries.
subkeytype: MatchDomainNeverElement
subkeys: *id002
- key: OnDemandMatchDomainsOnRetry
title: On Demand Match Domains On Retry
supportedOS:
iOS:
deprecated: '7.0'
type: <array>
presence: optional
content: Deprecated. A list of domain names. In iOS 7 and later, this field is
deprecated (but still supported) in favor of 'EvaluateConnection' actions in
the 'OnDemandRules' dictionaries.
subkeytype: MatchDomainOnRetryElement
subkeys: *id003
- key: OnDemandRules
title: On Demand Rules
type: <array>
presence: optional
content: The on-demand rules dictionary.
subkeytype: OnDemandRulesElement
subkeys: *id004
- key: IKEv2
title: IKEv2
supportedOS:
watchOS:
introduced: '10.0'
type: <dictionary>
presence: optional
content: The dictionary to use when 'VPNType' is 'IKEv2'.
subkeys:
- key: RemoteAddress
title: RemoteAddress
type: <string>
presence: required
content: The IP address or host name of the VPN server.
- key: LocalIdentifier
title: LocalIdentifier
type: <string>
presence: required
content: Identifier of the IKEv2 client.
- key: RemoteIdentifier
title: RemoteIdentifier
type: <string>
presence: required
content: The remote identifier.
- key: AuthenticationMethod
title: AuthenticationMethod
type: <string>
presence: required
rangelist:
- None
- SharedSecret
- Certificate
content: |-
The type of authentication method for the VPN.
To enable EAP-only authentication, set this to 'None' and 'ExtendedAuthEnabled' to '1'. If this is 'None' and the 'ExtendedAuthEnabled' key isn't set, the authentication configuration defaults to 'SharedSecret'.
- key: CertificateType
title: Certificate Type
type: <string>
presence: optional
rangelist:
- RSA
- ECDSA256
- ECDSA384
- ECDSA521
- RSA-PSS
default: RSA
content: The type of 'PayloadCertificateUUID' to use for IKEv2 machine authentication.
If this key is included, the system requires a value for 'ServerCertificateIssuerCommonName'.
- key: PayloadCertificateUUID
title: PayloadCertificateUUID
type: <string>
presence: optional
content: The UUID of the certificate payload within the same profile to use as
the account credential. If the value of 'AuthenticationMethod' is 'Certificate',
the system sends this certificate out for IKEv2 machine authentication. If extended
authentication (EAP) is used, the system sends this certificate out for EAP-TLS
authentication.
- key: Password
title: Account Password
type: <string>
presence: optional
content: The password to use for the account credentials. Only used if 'AuthenticationMethod'
is 'Password'.
- key: ProviderBundleIdentifier
title: Provider Bundle Identifier
type: <string>
presence: optional
content: If the VPNSubType field contains the bundle identifier of an app that
contains multiple VPN providers of the same type (app-proxy or packet-tunnel),
then the system uses this field to choose which provider to use for this configuration.
If the VPN provider is implemented as a System Extension, then this field is
required.
- key: ProviderDesignatedRequirement
title: Provider Designated Requirement
supportedOS:
iOS:
introduced: n/a
macOS:
introduced: '10.15'
visionOS:
introduced: n/a
type: <string>
presence: optional
content: If the VPN provider is implemented as a System Extension, then this field
is required. Available in macOS 10.15 and later, tvOS 17 and later, and watchOS
10 and later.
- key: SharedSecret
title: SharedSecret
type: <string>
presence: optional
content: If 'AuthenticationMethod' is 'SharedSecret', this value is used for IKE
authentication.
- key: ExtendedAuthEnabled
title: ExtendedAuthEnabled
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', enables EAP-only authentication.
- key: AuthName
title: AuthName
type: <string>
presence: optional
content: The user name to use for authentication.
- key: AuthPassword
title: AuthPassword
type: <string>
presence: optional
content: The password to use for authentication.
- key: OnDemandEnabled
title: Enable VPN On Demand
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', enables bringing the VPN connection up on demand.
- key: OnDemandUserOverrideDisabled
title: Prevent users from toggling VPN On Demand
supportedOS:
iOS:
introduced: '14.0'
macOS:
introduced: n/a
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', the system disables the Connect On Demand toggle in Settings
for this configuration.
- key: OnDemandRules
title: On Demand Rules
type: <array>
presence: optional
content: A list of rules that determine when and how to use an OnDemand VPN.
subkeytype: OnDemandRulesElement
subkeys: *id004
- key: DeadPeerDetectionRate
title: Dead Peer Detection Rate
supportedOS:
watchOS:
introduced: n/a
type: <string>
presence: optional
rangelist:
- None
- Low
- Medium
- High
default: Medium
content: |-
One of the following:
* 'None': No keepalive.
* 'Low': Send keepalive every 30 minutes.
* 'Medium': Send keepalive every 10 minutes.
* 'High': Send keepalive every 1 minute.
Not available in watchOS.
- key: ServerCertificateIssuerCommonName
title: ServerCertificateIssuerCommonName
type: <string>
presence: optional
content: Common Name of the server certificate issuer. If set, this field causes
IKE to send a certificate request based on this certificate issuer to the server.
This key is required if the 'CertificateType' key is included and the 'ExtendedAuthEnabled'
key is '1'.
- key: ServerCertificateCommonName
title: ServerCertificateCommonName
type: <string>
presence: optional
content: The common name of the server certificate. The system uses this name
to validate the certificate sent by the IKE server. If not set, the system uses
the remote identifier to validate the certificate.
- key: TLSMinimumVersion
title: TLS Minimum Version
supportedOS:
iOS:
introduced: '11.0'
macOS:
introduced: '10.13'
type: <string>
presence: optional
rangelist:
- '1.0'
- '1.1'
- '1.2'
default: '1.0'
content: The minimum TLS version to use with EAP-TLS authentication.
- key: TLSMaximumVersion
title: TLS Maximum Version
supportedOS:
iOS:
introduced: '11.0'
macOS:
introduced: '10.13'
type: <string>
presence: optional
rangelist:
- '1.0'
- '1.1'
- '1.2'
default: '1.2'
content: The maximum TLS version to use with EAP-TLS authentication.
- key: UseConfigurationAttributeInternalIPSubnet
title: Use IPv4 / IPv6 Internal Subnet Attributes
supportedOS:
iOS:
introduced: '9.0'
type: <integer>
presence: optional
rangelist:
- 0
- 1
default: 0
content: If '1', negotiations should use IKEv2 Configuration Attribute 'INTERNAL_IP4_SUBNET'
and 'INTERNAL_IP6_SUBNET'.
- key: DisableMOBIKE
title: Disable Mobility and Multihoming
supportedOS:
iOS:
introduced: '9.0'
type: <integer>
presence: optional
rangelist:
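A reviewer of profiles pushed by an MDM would want to check each VPN payload against the constraints this schema states: VPNSubType is required when VPNType is 'VPN' or 'TransparentProxy', the IKEv2 dictionary has four required keys, CertificateType requires ServerCertificateIssuerCommonName, EnforceRoutes is ignored when IncludeAllNetworks is '1', and TLSMinimumVersion defaults to '1.0'. The Python below is an added example, not Apple's code: it parses a .mobileconfig with plistlib and reports findings per payload. The sample profile, its placeholder UUIDs, the finding wording and the severity labels are constructed for the example.

```python
"""Static audit of com.apple.vpn.managed payloads in a .mobileconfig profile
against constraints stated in the schema, plus a few defender-side warnings.
Added example, not Apple's code; the profile below is constructed for the
example (placeholder UUIDs) and the finding strings are our own."""
import plistlib
from typing import Dict, List

VPN_TYPES = {"VPN", "L2TP", "IPSec", "IKEv2", "AlwaysOn", "TransparentProxy"}
SUBTYPE_REQUIRED_FOR = {"VPN", "TransparentProxy"}
IKEV2_REQUIRED = ("RemoteAddress", "LocalIdentifier", "RemoteIdentifier",
                  "AuthenticationMethod")


def audit_vpn_payload(payload: dict) -> List[str]:
    """Return findings for one VPN payload: 'ERROR:' for a schema violation,
    'WARN:' for a setting a reviewer should look at."""
    findings: List[str] = []
    vpn_type = payload.get("VPNType")
    if vpn_type not in VPN_TYPES:
        findings.append(f"ERROR: VPNType is required and must be one of {sorted(VPN_TYPES)}")
    if vpn_type in SUBTYPE_REQUIRED_FOR and not payload.get("VPNSubType"):
        findings.append("ERROR: VPNSubType is required when VPNType is VPN or TransparentProxy")
    if "UserDefinedName" not in payload:
        findings.append("ERROR: UserDefinedName is required")

    if vpn_type == "IKEv2":
        ike = payload.get("IKEv2", {})
        for key in IKEV2_REQUIRED:
            if key not in ike:
                findings.append(f"ERROR: IKEv2.{key} is required")
        if "CertificateType" in ike and "ServerCertificateIssuerCommonName" not in ike:
            findings.append("ERROR: IKEv2.CertificateType requires ServerCertificateIssuerCommonName")
        if ike.get("AuthenticationMethod") == "None" and ike.get("ExtendedAuthEnabled") != 1:
            findings.append("WARN: AuthenticationMethod 'None' without ExtendedAuthEnabled=1 "
                            "falls back to SharedSecret")
        # TLSMinimumVersion defaults to '1.0' when absent, so EAP-TLS would accept TLS 1.0.
        if ike.get("TLSMinimumVersion", "1.0") in ("1.0", "1.1"):
            findings.append("WARN: IKEv2.TLSMinimumVersion permits TLS 1.0/1.1 for EAP-TLS")
        if "ServerCertificateCommonName" not in ike:
            findings.append("WARN: no ServerCertificateCommonName; server certificate is "
                            "validated against RemoteIdentifier only")
        if "SharedSecret" in ike or "AuthPassword" in ike:
            findings.append("WARN: IKEv2 payload embeds a static credential")

    vpn = payload.get("VPN", {})  # the dictionary used when VPNType is 'VPN'
    if vpn.get("IncludeAllNetworks") == 1 and "EnforceRoutes" in vpn:
        findings.append("WARN: EnforceRoutes is ignored because IncludeAllNetworks is 1")
    if vpn.get("IncludeAllNetworks") == 1 and vpn.get("ExcludeLocalNetworks") == 1:
        findings.append("WARN: local network traffic is routed outside the tunnel")
    if vpn.get("OnDemandEnabled") == 1 and vpn.get("OnDemandUserOverrideDisabled") != 1:
        findings.append("WARN: users can switch Connect On Demand off for this configuration")
    if "Password" in vpn:
        findings.append("WARN: VPN payload embeds a static password")
    return findings


def audit_profile(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Parse a .mobileconfig and audit each VPN payload, keyed by PayloadIdentifier."""
    profile = plistlib.loads(plist_bytes)
    return {
        p.get("PayloadIdentifier", "<no identifier>"): audit_vpn_payload(p)
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.vpn.managed"
    }


# Constructed profile: an IKEv2 payload with one schema gap and a vendor VPN
# payload with several weak choices.  UUIDs are placeholders.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.vpn-profile",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.vpn.ikev2",
         "PayloadUUID": "00000000-0000-0000-0000-000000000002",
         "UserDefinedName": "Corp IKEv2", "VPNType": "IKEv2",
         "IKEv2": {"RemoteAddress": "vpn.example.com",
                   "LocalIdentifier": "device@example.com",
                   "RemoteIdentifier": "vpn.example.com",
                   "AuthenticationMethod": "Certificate",
                   "CertificateType": "ECDSA256",
                   "PayloadCertificateUUID": "00000000-0000-0000-0000-000000000003",
                   "ServerCertificateCommonName": "vpn.example.com",
                   "TLSMinimumVersion": "1.2"}},
        {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example.vpn.vendor",
         "PayloadUUID": "00000000-0000-0000-0000-000000000004",
         "UserDefinedName": "Vendor VPN", "VPNType": "VPN",
         "VPN": {"IncludeAllNetworks": 1, "EnforceRoutes": 1,
                 "OnDemandEnabled": 1, "Password": "placeholder"}},
    ],
})

if __name__ == "__main__":
    for ident, found in audit_profile(SAMPLE_PROFILE).items():
        print(ident, *found, sep="\n  ")
```

Run it against a real profile by replacing SAMPLE_PROFILE with the bytes of the .mobileconfig file; signed profiles are CMS-wrapped and need to be unwrapped before plistlib can read them. The checks only cover keys visible in this schema, so the truncated tail of the IKEv2 dictionary and the AlwaysOn type are not covered.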