Configuring VPN on iOS MDM devices

Expand all | Collapse all

These settings apply to supervised devices and devices operating in basic control mode.

To connect an iOS MDM device to a virtual private network (VPN) and protect data while connected to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a Per App VPN connection.

To configure a VPN connection on a user's iOS MDM device:

1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
2. In the policy properties window, select Application settings.
3. Select iOS and go to the Device configuration section.
4. On the VPN card, click Settings.

   The VPN window opens.

5. Enable the settings using the VPN toggle switch.
6. Click Add.

   The Add VPN configuration window opens.

7. On the General settings tab, in the Network section, configure the following settings:
   1. In the Network name field, enter the name of the VPN tunnel.
   2. In the Protocol drop-down list, select the type of the VPN connection.
      • L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of the iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
      • IKEv2 (Internet Key Exchange version 2). The connection establishes the Security Association (SA) attribute between two network entities and supports authentication using EAP (Extensible Authentication Protocols), shared secrets, and certificates.
      • IPSec. The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
      • Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall version 8.0(3).1 or later. To configure a VPN connection, install the Cisco AnyConnect app from the App Store on the iOS MDM device.
      • Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, version 6.4 or later with the Juniper Networks IVE package version 7.0 or later. To configure a VPN connection, install the JUNOS app from the App Store on the iOS MDM device.
      • F5 SSL. The connection supports the F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure a VPN connection, install the F5 BIG-IP Edge Client app from the App Store on the iOS MDM device.
      • SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices version 10.5.4 or later, SonicWALL SRA devices version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, and E-Class NSA with SonicOS version 5.8.1.0 or later. To configure a VPN connection, install the SonicWALL Mobile Connect app from the App Store on the iOS MDM device.
      • Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from the App Store on the iOS MDM device.
      • Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates and two-factor authentication.
   3. In the Server address field, enter the network name or IP address of the VPN server.
8. Configure the settings for the VPN connection according to the selected type of virtual private network.
   • L2TP
     • Settings in the Authentication section:
       • Authentication type

         Two-factor authentication of an iOS MDM device user using an RSA SecurID token or password-based authentication.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Shared secret

         Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Other section:
       • Send all traffic via VPN

         Transmission of all outbound traffic via the VPN connection if a different network service is used (example: AirPort or Ethernet).

         If the check box is selected, all traffic is sent via the VPN connection.

         If the check box is cleared, outbound traffic is transmitted without requiring the use of the VPN connection.

         This check box is cleared by default.

   • IPSec
     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Shared secret

         Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

       • Group name

         Name of the group of iOS MDM devices that connect to the VPN via L2TP and IPSec (Cisco) protocols. If the Use hybrid authentication check box is selected, the group name must end with "[hybrid]" (for example: "mycompany [hybrid]").

       • Use hybrid authentication

         Use of hybrid authentication when the user connects to a VPN. The VPN server uses a certificate for authentication, and the iOS MDM device user enters a public key for authentication via the IPSec (Cisco) protocol.

         If the check box is selected, hybrid authentication is used when the user connects to a VPN.

         If the check box is cleared, the hybrid authentication is not used.

         This check box is cleared by default.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

     • Settings in the Other section:
       • Prompt for PIN

         The application checks whether the system password is set when the mobile device is turned on.

         If the check box is selected, Kaspersky Mobile Devices Protection and Management checks if the system password is set on the device. If no system password is set on the device, the user has to set it. The password should be set in accordance with the settings configured by the administrator.

         If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not require a system password.

         This check box is cleared by default.

   • IKEv2
     • Settings in the Network section:
       • Dead peer detection interval

         The frequency at which the IKEv2 VPN client should run the Dead Peer Detection (DPD) algorithm. The following values are available:

         • Not selected. Do not run DPD.
         • Low. Run DPD every 30 minutes.
         • Medium. Run DPD every 10 minutes.
         • High. Run DPD every 1 minute.

         The default value is set to Medium.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Local identifier

         The identifier of the IKEv2 VPN client (iOS MDM device).

       • Remote identifier

         The identifier of the IKEv2 VPN server.

       • Shared secret

         The shared secret used for IKEv2 VPN authentication.

       • Common Name (CN) of server certificate

         This name is used to validate the certificate sent by the IKEv2 VPN server. If this option is not set, the certificate is validated using the remote identifier.

       • Common Name (CN) of server certificate publisher

         If this option is set, IKEv2 sends a certificate request based on this certificate issuer to the server.

       • Authentication certificate

         The certificate used for user authentication.

       • EAP authentication

         The type of EAP authentication used for the VPN IKEv2 connection. The following values are available:

         • Credentials
         • Certificate

         The default value is Credentials.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Minimum TLS version

         The minimum TLS version used for EAP authentication. The following values are available:

         • TLS 1.0
         • TLS 1.1
         • TLS 1.2

         The default value is TLS 1.0.

       • Maximum TLS version

         The maximum TLS version used for EAP authentication. The following values are available:

         • TLS 1.0
         • TLS 1.1
         • TLS 1.2

         The default value is TLS 1.2.

     • Settings in the Security association section:
       • SA parameters

         Determines the object in which the parameters are sent. Possible values:

         • IKEv2
         • Child

         The default value is IKEv2.

       • Encryption algorithm

         Determines the encryption algorithm used for the connection. Possible values:

         • DES
         • 3DES
         • AES-128
         • AES-256
         • AES-128-GCM
         • AES-256-GCM
         • ChaCha20Poly1305

         The default value is AES-256.

       • Integrity algorithm

         Determines the integrity algorithm used for the connection. Possible values:

         • SHA1-96
         • SHA1-160
         • SHA2-256
         • SHA2-384
         • SHA2-512

         The default value is SHA2-256.

       • Diffie-Hellman group

         Determines the Diffie-Hellman group used when setting up the VPN tunnel.

         The default value is 14.

       • SA Lifetime (min)

         The rekey interval in minutes.

     • Settings in the Other section:
       • Disable redirect

         Specifies whether IKEv2 VPN server redirects are disabled.

         If the check box is selected, the IKEv2 VPN connection is not redirected.

         If the check box is cleared, the IKEv2 VPN connection is redirected if a redirect request is received from the server.

         This check box is cleared by default.

       • Disable Mobility and Multi-homing Protocol

         Specifies whether Mobility and Multi-homing Protocol (MOBIKE) is disabled for the IKEv2 VPN connection.

         If the check box is selected, MOBIKE is disabled

         If the check box is cleared, MOBIKE is enabled.

         This check box is cleared by default.

       • Use internal IPv4 and IPv6 subnet attributes

         Specifies whether the IKEv2 VPN client should use the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET configuration attributes sent by the IKEv2 VPN server.

         If the check box is selected, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are used.

         If the check box is cleared, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are not used.

         This check box is cleared by default.

       • Enable a tunnel over cellular data

         Specifies whether fallback is enabled.

         If the check box is selected, the device enables a tunnel over cellular data to carry traffic that is eligible for Wi-Fi Assist and also requires a VPN.

         If the check box is cleared, fallback is disabled.

         This check box is cleared by default.

       • Enable Perfect Forward Secrecy

         Specifies whether Perfect Forward Secrecy (PFS) is enabled for the IKEv2 VPN connection.

         If the check box is selected, PFS is enabled.

         If the check box is cleared, PFS is disabled.

         This check box is cleared by default.

   • Cisco AnyConnect
     • Settings in the Network section:
       • Idle time before disconnection (min)

         The time to wait before disconnecting an on-demand connection.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Group

         Alias of the tunneling group for Cisco AnyConnect clients connecting to the VPN.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

     • Settings in the Other section:
       • Send all traffic via VPN

         Routes all traffic via the VPN.

       • Exclude local traffic

         Excludes local traffic from traffic routed via the VPN connection.

         This check box is available if the Send all traffic via VPN check box is selected.

   • Juniper SSL
     • Settings in the Network section:
       • Idle time before disconnection (min)

         The time to wait before disconnecting an on-demand connection.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Scope

         Name of the network that includes VPN servers and iOS MDM devices for the VPN connection established using Juniper SSL.

       • Role

         Name of the user role that grants the user access to resources using Juniper SSL. A role can combine several users performing similar functions.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

     • Settings in the Other section:
       • Send all traffic via VPN

         Routes all traffic via the VPN.

       • Exclude local traffic

         Excludes local traffic from traffic routed via the VPN connection.

         This check box is available if the Send all traffic via VPN check box is selected.

   • F5 SSL
     • Settings in the Network section:
       • Idle time before disconnection (min)

         The time to wait before disconnecting an on-demand connection.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

     • Settings in the Other section:
       • Send all traffic via VPN

         Routes all traffic via the VPN.

       • Exclude local traffic

         Excludes local traffic from traffic routed via the VPN connection.

         This check box is available if the Send all traffic via VPN check box is selected.

   • SonicWALL Mobile Connect
     • Settings in the Network section:
       • Idle time before disconnection (min)

         The time to wait before disconnecting an on-demand connection.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Domain or group

         Domain name of the SSL VPN server (example: vpn.company.com) or the name of a group of SonicWALL Mobile Connect users.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

     • Settings in the Other section:
       • Send all traffic via VPN

         Routes all traffic via the VPN.

       • Exclude local traffic

         Excludes local traffic from traffic routed via the VPN connection.

         This check box is available if the Send all traffic via VPN check box is selected.

   • Aruba VIA
     • Settings in the Network section:
       • Idle time before disconnection (min)

         The time to wait before disconnecting an on-demand connection.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Authentication certificate

         The certificate used for user authentication.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

     • Settings in the Other section:
       • Send all traffic via VPN

         Routes all traffic via the VPN.

       • Exclude local traffic

         Excludes local traffic from traffic routed via the VPN connection.

         This check box is available if the Send all traffic via VPN check box is selected.

   • Custom SSL
     • Settings in the Network section:
       • Idle time before disconnection (min)

         The time to wait before disconnecting an on-demand connection.

     • Settings in the Configuration data section:
       • Key

         Contains a key with additional settings for the Custom SSL connection.

       • Value

         Contains a value with additional settings for the Custom SSL connection.

     • Settings in the Authentication section:
       • Authentication method

         The method of authenticating iOS MDM device users on the virtual private network.

       • Account name

         The account name for authorization on the VPN server.

       • Password

         The password of the account for authentication on the virtual private network.

       • Authentication certificate

         The certificate used for user authentication.

       • Bundle ID

         If the custom VPN configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.

     • Settings in the Domains section:
       • Enable VPN when connecting to specified domains

         The domains for which the VPN connection will be enabled.

9. If necessary, on the Advanced settings tab, in the Proxy server section, configure the settings of the VPN connection via a proxy server:
   1. Select the Use a proxy server check box.
   2. Configure a connection to a proxy server:
      1. If you want to configure the connection automatically:
         • Select Automatic.
         • In the PAC file URL field, specify the URL of the proxy PAC file.
         • To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      2. If you want to configure the connection manually:
         • Select Manual.
         • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number.
         • In the User name field, select a macro that will be used as a user name for the connection to the proxy server.
      3. In the Password field, specify the password for the connection to the proxy server.
10. For IKEv2 and IPSec connections, if necessary, set up Per App VPN functionality for supported system apps (Mail, Calendar, Contacts, and Safari).
11. Click Add.

    The new VPN is displayed in the list.

    You can modify or delete VPN in the list using the Edit and Delete buttons at the top of the list.

12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the VPN connection will be configured on the user's iOS MDM device.

Page top