Kaspersky Secure Mobility Management

Configuring a virtual private network (VPN)

This section contains information on configuring virtual private network (VPN) settings for secure connection to Wi-Fi networks.

In this section

Configuring VPN on Android devices (only Samsung)

Configuring VPN on iOS MDM devices

Configuring Per App VPN on iOS MDM devices


Configuring VPN on Android devices (only Samsung)

To securely connect an Android device to the internet and protect data transfer, you can configure VPN (Virtual Private Network) settings.

Configuration of VPN is possible only for Samsung devices running Android 11 or earlier.

The following requirements must be considered when using a virtual private network:

  • The app that uses the VPN connection must be allowed in the Firewall settings.
  • VPN settings configured in the policy cannot be applied to system apps. The VPN connection for system apps has to be configured manually.
  • Some apps that use a VPN connection need to have additional settings configured at first startup. To configure settings, a VPN connection has to be allowed in app settings.

To configure VPN on a user's mobile device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select Android and go to the Samsung Knox settings section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Specify the following VPN settings:
    • Settings in the Network section:
      • In the Network name field, enter the name of the VPN tunnel.
      • In the Protocol drop-down list, select the VPN connection type:
        • IPSec Xauth PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server using the Xauth authentication utility.
        • L2TP IPSec PSK. A tunneling protocol of the "gateway-to-gateway" type that lets the mobile device user establish a secure connection with the VPN server via the IKE protocol using a preset key. This protocol is selected by default.
        • PPTP. A "point-to-point" tunneling protocol that lets the mobile device user establish a secure connection to the VPN server by creating a special tunnel on a standard unsecured network.
      • In the Server address field, enter the network name or IP address of the VPN server.
    • Settings in the Protocol settings section:
      • In the DNS search domain(s) list, enter the DNS search domain to be automatically added to the DNS server name.

        You can specify several DNS search domains, separating them with blank spaces.

      • In the DNS server(s) field, enter the full domain name or IP address of the DNS server.

        You can specify several DNS servers, separating them with blank spaces.

      • In the Routing field, enter the range of network IP addresses with which data is exchanged via the VPN connection.

        If a range of IP addresses is not specified in the Routing field, all internet traffic will pass through the VPN connection.

  7. Additionally, configure the following settings:
    • For the IPSec Xauth PSK and L2TP IPSec PSK protocols:
      • In the IPSec shared key field, enter the password for the preset IPSec security key.
      • In the IPSec ID field, enter the name of the mobile device user.
    • For the L2TP IPSec PSK protocol, specify the password for the L2TP key in the L2TP key field.
    • For the PPTP protocol, select the Use SSL connection check box so that the app uses MPPE (Microsoft Point-to-Point Encryption) to encrypt data transmitted while the mobile device is connected to the VPN server.
  8. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with Kaspersky Security Center.


Configuring VPN on iOS MDM devices


These settings apply to supervised devices and devices operating in basic control mode.

To connect an iOS MDM device to a virtual private network (VPN) and protect data while connected to the VPN, configure the VPN connection settings. The IKEv2 and IPSec VPN protocols also let you set up a Per App VPN connection.

To configure a VPN connection on a user's iOS MDM device:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the VPN card, click Settings.

    The VPN window opens.

  5. Enable the settings using the VPN toggle switch.
  6. Click Add.

    The Add VPN configuration window opens.

  7. On the General tab, in the Network section, configure the following settings:
    1. In the Network name field, enter the name of the VPN tunnel.
    2. In the Protocol drop-down list, select the type of the VPN connection.
      • L2TP (Layer 2 Tunneling Protocol). The connection supports authentication of the iOS MDM device user using MS-CHAP v2 passwords, two-factor authentication, and automatic authentication using a public key.
      • IKEv2 (Internet Key Exchange version 2). The connection establishes a Security Association (SA) between two network entities and supports authentication using EAP (Extensible Authentication Protocol), shared secrets, and certificates.
      • IPSec. The connection supports password-based user authentication, two-factor authentication, and automatic authentication using a public key and certificates.
      • Cisco AnyConnect. The connection supports the Cisco Adaptive Security Appliance (ASA) firewall version 8.0(3).1 or later. To configure a VPN connection, install the Cisco AnyConnect app from the App Store on the iOS MDM device.
      • Juniper SSL. The connection supports the Juniper Networks SSL VPN gateway, Series SA, version 6.4 or later with the Juniper Networks IVE package version 7.0 or later. To configure a VPN connection, install the JUNOS app from the App Store on the iOS MDM device.
      • F5 SSL. The connection supports the F5 BIG-IP Edge Gateway, Access Policy Manager, and Fire SSL VPN solutions. To configure a VPN connection, install the F5 BIG-IP Edge Client app from the App Store on the iOS MDM device.
      • SonicWALL Mobile Connect. The connection supports SonicWALL Aventail E-Class Secure Remote Access devices version 10.5.4 or later, SonicWALL SRA devices version 5.5 or later, as well as SonicWALL Next-Generation Firewall devices, including TZ, NSA, and E-Class NSA with SonicOS version 5.8.1.0 or later. To configure a VPN connection, install the SonicWALL Mobile Connect app from the App Store on the iOS MDM device.
      • Aruba VIA. The connection supports Aruba Networks mobile access controllers. To configure them, install the Aruba Networks VIA app from the App Store on the iOS MDM device.
      • Custom SSL. The connection supports authentication of the iOS MDM device user using passwords and certificates and two-factor authentication.
    3. In the Server address field, enter the network name or IP address of the VPN server.
  8. Configure the settings for the VPN connection according to the selected type of virtual private network.
    • L2TP
      • Settings in the Authentication section:
        • Authentication type

          Two-factor authentication of an iOS MDM device user using an RSA SecurID token or password-based authentication.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Shared secret

          Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Other section:
        • Send all traffic via VPN

          Transmission of all outbound traffic via the VPN connection even when another network service is in use (for example, AirPort or Ethernet).

          If the check box is selected, all traffic is sent via the VPN connection.

          If the check box is cleared, outbound traffic is transmitted without requiring the use of the VPN connection.

          This check box is cleared by default.

    • IPSec
      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Shared secret

          Password for a preset IPSec security key for the L2TP and IPSec (Cisco) protocols.

        • Group name

          Name of the group of iOS MDM devices that connect to the VPN via L2TP and IPSec (Cisco) protocols. If the Use hybrid authentication check box is selected, the group name must end with "[hybrid]" (for example: "mycompany [hybrid]").

        • Use hybrid authentication

          Use of hybrid authentication when the user connects to a VPN. The VPN server uses a certificate for authentication, and the iOS MDM device user enters a public key for authentication via the IPSec (Cisco) protocol.

          If the check box is selected, hybrid authentication is used when the user connects to a VPN.

          If the check box is cleared, the hybrid authentication is not used.

          This check box is cleared by default.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Domains section:
      • Settings in the Other section:
        • Prompt for PIN

          The application checks whether the system password is set when the mobile device is turned on.

          If the check box is selected, Kaspersky Mobile Devices Protection and Management checks if the system password is set on the device. If no system password is set on the device, the user has to set it. The password should be set in accordance with the settings configured by the administrator.

          If the check box is cleared, Kaspersky Mobile Devices Protection and Management does not require a system password.

          This check box is cleared by default.

    • IKEv2
      • Settings in the Network section:
        • Dead peer detection interval

          The frequency at which the IKEv2 VPN client should run the Dead Peer Detection (DPD) algorithm. The following values are available:

          • Not selected. Do not run DPD.
          • Low. Run DPD every 30 minutes.
          • Medium. Run DPD every 10 minutes.
          • High. Run DPD every 1 minute.

          The default value is set to Medium.

      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Local identifier

          The identifier of the IKEv2 VPN client (iOS MDM device).

        • Remote identifier

          The identifier of the IKEv2 VPN server.

        • Shared secret

          The shared secret used for IKEv2 VPN authentication.

        • Common Name (CN) of server certificate

          This name is used to validate the certificate sent by the IKEv2 VPN server. If this option is not set, the certificate is validated using the remote identifier.

        • Common Name (CN) of server certificate publisher

          If this option is set, IKEv2 sends a certificate request based on this certificate issuer to the server.

        • Authentication certificate

          The certificate used for user authentication.

        • EAP authentication

          The type of EAP authentication used for the VPN IKEv2 connection. The following values are available:

          • Credentials
          • Certificate

          The default value is Credentials.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Minimum TLS version

          The minimum TLS version used for EAP authentication. The following values are available:

          • TLS 1.0
          • TLS 1.1
          • TLS 1.2

          The default value is TLS 1.0.

        • Maximum TLS version

          The maximum TLS version used for EAP authentication. The following values are available:

          • TLS 1.0
          • TLS 1.1
          • TLS 1.2

          The default value is TLS 1.2.

      • Settings in the Security association section:
        • SA parameters

          Determines the object in which the parameters are sent. Possible values:

          • IKEv2
          • Child

          The default value is IKEv2.

        • Encryption algorithm

          Determines the encryption algorithm used for the connection. Possible values:

          • DES
          • 3DES
          • AES-128
          • AES-256
          • AES-128-GCM
          • AES-256-GCM
          • ChaCha20Poly1305

          The default value is AES-256.

        • Integrity algorithm

          Determines the integrity algorithm used for the connection. Possible values:

          • SHA1-96
          • SHA1-160
          • SHA2-256
          • SHA2-384
          • SHA2-512

          The default value is SHA2-256.

        • Diffie-Hellman group

          Determines the Diffie-Hellman group used when setting up the VPN tunnel.

          The default value is 14.

        • SA Lifetime (min)

          The rekey interval in minutes.

      • Settings in the Other section:
        • Disable redirect

          Specifies whether IKEv2 VPN server redirects are disabled.

          If the check box is selected, the IKEv2 VPN connection is not redirected.

          If the check box is cleared, the IKEv2 VPN connection is redirected if a redirect request is received from the server.

          This check box is cleared by default.

        • Disable Mobility and Multi-homing Protocol

          Specifies whether Mobility and Multi-homing Protocol (MOBIKE) is disabled for the IKEv2 VPN connection.

          If the check box is selected, MOBIKE is disabled.

          If the check box is cleared, MOBIKE is enabled.

          This check box is cleared by default.

        • Use internal IPv4 and IPv6 subnet attributes

          Specifies whether the IKEv2 VPN client should use the INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET configuration attributes sent by the IKEv2 VPN server.

          If the check box is selected, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are used.

          If the check box is cleared, INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET attributes are not used.

          This check box is cleared by default.

        • Enable a tunnel over cellular data

          Specifies whether fallback is enabled.

          If the check box is selected, the device enables a tunnel over cellular data to carry traffic that is eligible for Wi-Fi Assist and also requires a VPN.

          If the check box is cleared, fallback is disabled.

          This check box is cleared by default.

        • Enable Perfect Forward Secrecy

          Specifies whether Perfect Forward Secrecy (PFS) is enabled for the IKEv2 VPN connection.

          If the check box is selected, PFS is enabled.

          If the check box is cleared, PFS is disabled.

          This check box is cleared by default.

    • Cisco AnyConnect
    • Juniper SSL
      • Settings in the Network section:
      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Scope

          Name of the network that includes VPN servers and iOS MDM devices for the VPN connection established using Juniper SSL.

        • Role

          Name of the user role that grants the user access to resources using Juniper SSL. A role can combine several users performing similar functions.

        • Authentication certificate

          The certificate used for user authentication.

      • Settings in the Domains section:
      • Settings in the Other section:
        • Send all traffic via VPN

          Routes all traffic via the VPN.

        • Exclude local traffic

          Excludes local traffic from traffic routed via the VPN connection.

          This check box is available if the Send all traffic via VPN check box is selected.

    • F5 SSL
    • SonicWALL Mobile Connect
    • Aruba VIA
    • Custom SSL
      • Settings in the Network section:
      • Settings in the Configuration data section:
        • Key

          Contains a key with additional settings for the Custom SSL connection.

        • Value

          Contains a value with additional settings for the Custom SSL connection.

      • Settings in the Authentication section:
        • Authentication method

          The method of authenticating iOS MDM device users on the virtual private network.

        • Account name

          The account name for authorization on the VPN server.

        • Password

          The password of the account for authentication on the virtual private network.

        • Authentication certificate

          The certificate used for user authentication.

        • Bundle ID

          If the custom VPN configuration targets a VPN solution that uses a network extension provider, then this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.

      • Settings in the Domains section:
  9. If necessary, on the Advanced tab, in the Proxy server section, configure the settings of the VPN connection via a proxy server:
    1. Select the Use a proxy server check box.
    2. Configure a connection to a proxy server:
      1. If you want to configure the connection automatically:
        • Select Automatic.
        • In the PAC file URL field, specify the URL of the proxy PAC file.
        • To allow the user to connect the mobile device to a wireless network without using a proxy server when the PAC file cannot be accessed, select the Allow direct connection if PAC file cannot be accessed check box.
      2. If you want to configure the connection manually:
        • Select Manual.
        • In the Proxy server address and Proxy server port fields, enter the IP address or DNS name of the proxy server and port number.
        • In the User name field, select a macro that will be used as a user name for the connection to the proxy server.
      3. In the Password field, specify the password for the connection to the proxy server.
  10. For IKEv2 and IPSec connections, if necessary, set up Per App VPN functionality for supported system apps (Mail, Calendar, Contacts, and Safari).
  11. Click Add.

    The new VPN is displayed in the list.

    You can modify or delete a VPN configuration in the list using the Edit and Delete buttons at the top of the list.

  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, the VPN connection will be configured on the user's iOS MDM device.
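Before an IKEv2 configuration like the one above is pushed by policy, it is worth checking the Security association, Authentication and Other settings against a baseline, because several UI defaults (Minimum TLS version 1.0, Perfect Forward Secrecy cleared) are the weaker choice. The following audit script is an added example, not Kaspersky code: the field names and value lists mirror the IKEv2 settings described in this section, while the thresholds, the `IKEv2Profile` model and the sample profiles are this example's own.

```python
"""Audit the IKEv2 options of a VPN configuration before the policy pushes it.

Added example, not Kaspersky code. Field names and value lists mirror the IKEv2
Authentication, Security association and Other sections described above; the
audit thresholds are this example's own choices.
"""
from dataclasses import dataclass

# Drop-down values exactly as the policy UI lists them.
ENCRYPTION = ("DES", "3DES", "AES-128", "AES-256",
              "AES-128-GCM", "AES-256-GCM", "ChaCha20Poly1305")
INTEGRITY = ("SHA1-96", "SHA1-160", "SHA2-256", "SHA2-384", "SHA2-512")
TLS_VERSIONS = ("TLS 1.0", "TLS 1.1", "TLS 1.2")

# Audit thresholds chosen for this example (not product defaults).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
MIN_DH_GROUP = 14            # 2048-bit MODP or stronger
MAX_SA_LIFETIME_MIN = 1440   # rekey at least once a day


@dataclass
class IKEv2Profile:
    """Defaults are the UI defaults the page states; SA Lifetime has none, so it is required."""
    network_name: str
    server_address: str
    sa_lifetime_min: int
    encryption_algorithm: str = "AES-256"
    integrity_algorithm: str = "SHA2-256"
    dh_group: int = 14
    min_tls: str = "TLS 1.0"
    max_tls: str = "TLS 1.2"
    enable_pfs: bool = False      # "Enable Perfect Forward Secrecy" check box
    remote_identifier: str = ""
    server_cert_cn: str = ""      # "Common Name (CN) of server certificate"


def audit_ikev2(p: IKEv2Profile) -> list[tuple[str, str]]:
    """Return (severity, message) findings; empty means nothing to fix. Values the
    drop-downs cannot express raise ValueError, catching typos before they reach the policy."""
    for value, allowed, label in ((p.encryption_algorithm, ENCRYPTION, "Encryption algorithm"),
                                  (p.integrity_algorithm, INTEGRITY, "Integrity algorithm"),
                                  (p.min_tls, TLS_VERSIONS, "Minimum TLS version"),
                                  (p.max_tls, TLS_VERSIONS, "Maximum TLS version")):
        if value not in allowed:
            raise ValueError(f"{label}: {value!r} is not one of {allowed}")
    findings = []
    if p.encryption_algorithm in WEAK_ENCRYPTION:
        findings.append(("high", f"{p.encryption_algorithm} is a legacy cipher; "
                                 "use AES-256-GCM or ChaCha20Poly1305"))
    if p.integrity_algorithm in WEAK_INTEGRITY:
        findings.append(("medium", f"{p.integrity_algorithm} is SHA-1 based; use SHA2-256 or stronger"))
    if p.dh_group < MIN_DH_GROUP:
        findings.append(("high", f"Diffie-Hellman group {p.dh_group} is below group {MIN_DH_GROUP}"))
    if TLS_VERSIONS.index(p.max_tls) < TLS_VERSIONS.index(p.min_tls):
        findings.append(("high", f"Maximum TLS {p.max_tls} is below minimum {p.min_tls}; EAP cannot negotiate"))
    elif p.min_tls != "TLS 1.2":
        findings.append(("medium", f"Minimum TLS {p.min_tls} lets EAP fall back below TLS 1.2 (UI default is TLS 1.0)"))
    if not p.enable_pfs:
        findings.append(("medium", "Perfect Forward Secrecy is off (the check box is cleared by default)"))
    if p.sa_lifetime_min > MAX_SA_LIFETIME_MIN:
        findings.append(("low", f"SA Lifetime {p.sa_lifetime_min} min exceeds {MAX_SA_LIFETIME_MIN} min"))
    # Per the setting's description, an empty CN means the server certificate is
    # checked against the Remote identifier; with both empty nothing names the server.
    if not p.server_cert_cn and not p.remote_identifier:
        findings.append(("high", "Neither server certificate CN nor Remote identifier is set"))
    elif not p.server_cert_cn:
        findings.append(("low", f"Server certificate is validated only against Remote identifier {p.remote_identifier!r}"))
    return findings


def main() -> None:
    # Constructed sample: one profile left at the page's defaults, one hardened.
    defaults = IKEv2Profile("corp-vpn", "vpn.example.com", sa_lifetime_min=1440,
                            remote_identifier="vpn.example.com")
    hardened = IKEv2Profile("corp-vpn", "vpn.example.com", sa_lifetime_min=480,
                            encryption_algorithm="AES-256-GCM", integrity_algorithm="SHA2-384",
                            min_tls="TLS 1.2", enable_pfs=True,
                            remote_identifier="vpn.example.com", server_cert_cn="vpn.example.com")
    for name, profile in (("defaults", defaults), ("hardened", hardened)):
        print(f"{name}: {[f'[{sev}] {msg}' for sev, msg in audit_ikev2(profile)]}")


if __name__ == "__main__":
    main()
```

Running it shows that a profile left at the UI defaults already carries three findings (TLS 1.0 minimum, PFS off, server certificate matched only against the Remote identifier), while the hardened profile passes clean.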


Configuring Per App VPN on iOS MDM devices

These settings apply to supervised devices and devices operating in basic control mode.

The Per App VPN functionality allows a device to establish a VPN connection when supported system apps are launched. This functionality is available for IKEv2 and IPSec connections.

The following system apps support Per App VPN connections:

  • Mail
  • Calendar
  • Contacts
  • Safari
  • Messages

To enable the Per App VPN functionality:

  1. Perform the initial setup of the VPN connection.
  2. On the Advanced tab, in the Per App VPN section, select the Enable Per App VPN check box.
  3. Set up Per App VPN for supported system apps in the corresponding settings of the policy.

Mail

To specify the Per App VPN configuration for the Mail app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Email card, click Settings.

    The Email window opens.

  5. Enable the settings using the Email toggle switch.
  6. Click Add.

    The Add email account window opens.

  7. Configure a mailbox.
  8. On the Advanced tab, in the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Save.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Mail app.

Calendar

To specify the Per App VPN configuration for the Calendar app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar card, click Settings.

    The Calendar window opens.

  5. Enable the settings using the Calendar toggle switch.
  6. Click Add.

    The Add CalDAV account window opens.

  7. Add a calendar account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Calendar app.

Calendar subscriptions

A list of subscriptions to calendars of other CalDAV users, iCal calendars, and other published calendars.

To specify the Per App VPN configuration for calendar subscriptions:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Calendar subscriptions card, click Settings.

    The Calendar subscriptions window opens.

  5. Enable the settings using the Calendar subscriptions toggle switch.
  6. Click Add.

    The Add calendar subscription window opens.

  7. Add a calendar subscription.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for calendar subscriptions.

Contacts

To specify the Per App VPN configuration for the Contacts app:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Contacts card, click Settings.

    The Contacts window opens.

  5. Enable the settings using the Contacts toggle switch.
  6. Click Add.

    The Add CardDAV account window opens.

  7. Add a contacts account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the Contacts app.

Safari

To specify the Per App VPN configuration for Safari:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the Per App VPN for Safari card, click Settings.

    The Per App VPN for Safari window opens.

  5. Enable the settings using the Per App VPN for Safari toggle switch.
  6. Click Add.

    The Add a website domain window opens.

  7. Select a configuration from the Per App VPN configuration drop-down list.
  8. In the Domain name field, specify the website domain that will trigger the VPN connection in Safari. The domain must be in the www.example.com format.
  9. Click Add.

    The new domain appears in the Safari website domains list.

    You can modify or delete Safari website domains in the list using the Edit and Delete buttons at the top of the list.

  10. Click OK.
  11. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for Safari website domains.

LDAP

An LDAP account provides access to corporate data and contacts in the standard iOS apps: Contacts, Messages, and Mail.

To specify the Per App VPN configuration for an LDAP account:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies & profiles. In the list of group policies that opens, click the name of the policy that you want to configure.
  2. In the policy properties window, select Application settings.
  3. Select iOS and go to the Device configuration section.
  4. On the LDAP card, click Settings.

    The LDAP window opens.

  5. Enable the settings using the LDAP toggle switch.
  6. Click Add.

    The Add LDAP account window opens.

  7. Add an LDAP account.
  8. In the Per App VPN section, select the Enable Per App VPN check box.
  9. Select a configuration from the Per App VPN configuration drop-down list.
  10. Click Add.
  11. Click OK.
  12. Click Save to save the changes you have made.

Mobile device settings are changed after the next device synchronization with the iOS MDM Server.

As a result, once the policy is applied, Per App VPN is configured for the LDAP account.
