VPN settings

Use this payload to enter the VPN settings for connecting to your network. Settings you specify in the configuration profile can’t be modified by the user.

Note: Use the VPN payload for all configuration profiles. For more information, see About profiles and payloads and Payload best practices.

Basic settings

To configure Aruba VIA, Check Point Mobile VPN, Cisco AnyConnect, F5 SSL, Juniper SSL, or SonicWALL Mobile Connect, choose the appropriate item from the Connection Type pop-up menu. Make sure that the Realm and Role (Juniper) or Group (Cisco) values match those specified on the VPN server. Users must install both the configuration profile and the appropriate authentication app. F5 BIG-IP Edge Client, Junos Pulse, Cisco AnyConnect, and Aruba Network VIA apps are available on the App Store.

For other SSL VPN solutions, contact your vendor and ask if they have an app in the App Store. If they do, choose Custom SSL from the Connection Type pop-up menu, then enter the configuration information provided by the vendor. Make sure the Identifier field matches the identifier specified by your vendor’s VPN app and is in reverse DNS format (for example, com.example.myvpn). Your users must install both the vendor’s app and the configuration profile to connect to your network.

Choose IKEv2 (iOS only) and select Always-on VPN if you want to configure a payload so that devices must have an active VPN connection in order to connect to any network. You can configure Always-on VPN for cellular and Wi-Fi separately, or together.

Some VPN and Wi-Fi settings, such as 802.1X parameters, can be set only by a configuration profile.

For information about supported VPN protocols, authentication methods, and IKEv2, see the VPN overview of the iOS Deployment Reference.

The following items are available for configuration regardless of which connection type you choose.

After you choose a connection type, other settings for the connection become available.



Connection Name

The display name of the connection on the device.

Connection Type

The method used to establish a VPN connection. After choosing one of these VPN methods, the options after Server and Account change to match that particular method.


Server

The host name or IP address of the VPN gateway server.


Account

The user account required for authenticating the connection.

User Authentication (all connection types except IPSec Cisco)

The method of user authentication. Available types for L2TP and PPTP are:

  • Password (the password can be entered)

  • RSA SecurID

  • IPSec (Cisco)

  • Certificate (OS X only)

  • Kerberos (OS X only)

  • CryptoCard (OS X only)

Other types of VPN connection methods use a variety of user authentication settings.

Machine Authentication

The type of authentication required. For L2TP, choose Shared Secret or Certificate, and provide the appropriate setting information. Other types of VPN connection methods use a variety of machine authentication settings.

Encryption Level (PPTP only)

The level of encryption used for the connection. It can be set to None, Automatic, or Maximum (128-bit).

Send All Traffic (L2TP and PPTP only)

Forces all network traffic over the VPN connection.

Proxy Setup

iOS and OS X support manual VPN proxy and automatic proxy configuration using PAC or WPAD. To specify a VPN proxy, choose an option from the Proxy Setup pop-up menu.

For PAC-based auto-proxy configurations, choose Automatic from the pop-up menu and enter the URL of a PAC file.

For Web Proxy Autodiscovery (WPAD) configurations, choose Automatic from the pop-up menu. Leave the Proxy Server URL field empty. The device requests the WPAD file using DHCP and DNS.

An identity is required for some VPN configurations. Depending on the VPN configuration, a VPN payload may require that the associated certificate payload contain the certificate associated with the identity.

VPN On Demand

On devices with L2TP certificate-based configurations, you can turn on VPN On Demand so a VPN connection is established when accessing specific domains.

You need to configure a domain or host matching pattern, and determine an action that happens when there’s a match.

The action applies to all matching addresses. Addresses are compared using simple string matching, starting from the end and working backward. The address “.example.com” matches “support.example.com” and “sales.example.com,” but doesn’t match “www.private-example.com.” However, if you specify the match domain as “example.com”—notice there isn’t a period at the beginning—it matches “www.private-example.com” and all the others.
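The matching rule above, worked through as an added example (this is not Apple's code). It models the comparison as a plain end-of-string test, exactly as the paragraph describes, and audits a set of match domains for hosts that match without belonging to the intended zone. The function names, the `HOSTS` list, and the `notexample.com` entry are constructed for illustration.

```python
def on_demand_match(pattern: str, host: str) -> bool:
    """Model of the rule in the text: compare from the end of the address."""
    return host.endswith(pattern)


def in_zone(host: str, zone: str) -> bool:
    """True only if host is the zone itself or a real subdomain of it."""
    return host == zone or host.endswith("." + zone)


def audit_patterns(patterns, intended_zones, hosts):
    """Return (pattern, host) pairs where the pattern matches a host that is
    outside every zone the administrator meant to cover."""
    findings = []
    for pattern in patterns:
        for host in hosts:
            if on_demand_match(pattern, host) and not any(
                in_zone(host, zone) for zone in intended_zones
            ):
                findings.append((pattern, host))
    return findings


# Constructed sample: the three hosts from the text plus one look-alike.
HOSTS = [
    "support.example.com",
    "sales.example.com",
    "www.private-example.com",
    "notexample.com",
]

if __name__ == "__main__":
    for pattern in ("example.com", ".example.com"):
        hits = [h for h in HOSTS if on_demand_match(pattern, h)]
        print(f"{pattern!r} matches {hits}")
        for _, host in audit_patterns([pattern], ["example.com"], HOSTS):
            print(f"  unintended: {host}")
    # Under this model the leading period also excludes the bare apex:
    print(on_demand_match(".example.com", "example.com"))
```

Under this model, a match domain without the leading period applies its action to any registrable domain that merely ends in the same characters, so an audit of deployed profiles should flag entries that don't start with a period.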

On Demand action



Initiates a VPN connection for any address that matches the specified domain.


Doesn’t initiate a VPN connection for addresses that match the specified domain, but if VPN is active, it can be used.

Establish if needed

Initiates a VPN connection for addresses that match the specified domain, after a failed DNS lookup occurs.

LDAP connections don’t initiate a VPN connection; if the VPN hasn’t been established by another app, such as Safari, the LDAP lookup fails.

After two minutes of inactivity, the device closes a VPN session initiated by VPN On Demand. If the connection is initiated manually using Settings, only the VPN server’s timeout applies.

VPN proxy

iOS supports manual VPN proxy and automatic proxy configuration using PAC or WPAD. To specify a VPN proxy, choose an option from the Proxy Setup pop-up menu.



PAC-based auto-proxy configuration

Choose Automatic from the pop-up menu, then enter the URL of a PAC file—for example, http://www.example.com/filename.pac.

Web Proxy Autodiscovery (WPAD) configuration

Choose Automatic from the pop-up menu. If you leave the Proxy Server URL field empty, the device requests the wpad.dat file using DHCP (using a 252 entry) or DNS (using an A Record with the name WPAD).

You can add VPN configurations by clicking the add payload button.


With OS X, you can use the following variables in the Simple Certificate Enrollment Protocol (SCEP) AuthName and XAuthName fields. These variables are resolved on the device during installation. You can combine these variables with static text, such as Mac.%HardwareUUID%, to create a compound name.




Active Directory computer ID


Active Directory domain


Active Directory forest name


Active Directory GUID


Active Directory DNS Name


Active Directory Kerberos ID


The computer’s name, as set in System Preferences > Sharing


The computer’s unique identifier


The computer’s DNS name, such as mac1.example.com


The computer’s local network name, such as Mac1.local


The computer’s Ethernet (en0) MAC address


The computer’s serial number