iOS Per-app-VPN with built-in client

Hi all!

I've been digging into per-app VPN configurations for a little while now, but I'm still a little confused. Hopefully someone on here can help!

For context, I've got a normal system-client IKEv2 VPN currently, which I set up and installed manually via a .mobileconfig configuration profile (not with MDM, just browsing to the file on the phone). Works great!

I'd now like to turn that into a per-app VPN, specifically one using the SafariDomains key, i.e. I'd like the VPN to tunnel my Safari traffic, but not anything else.

I was hoping this would be a simple matter of adding the per-app VPN rules to the config, setting a com.apple.vpn.managed.applayer PayloadType, and pushing the config over MDM.

Before delving into that, I read a little more, and now, based on what I've seen, I'm starting to think that the per-app configurations are actually only intended for people building their own apps on NEPacketTunnelProvider and the like, and that the configuration profile pushed via MDM must reference a custom app VPN provider rather than using the built-in system VPN client.

Is that correct?

Is anyone doing per-app VPN with just MDM and the built-in IKEv2 VPN client on iOS? Or do I need to build out a custom client side too?

Thanks!

I am not an expert on managed device configurations, but I can weigh in here with the information that I do have.

A VPN configuration profile that is created and installed on a device or pushed down from an MDM server can be used to run a system VPN configuration or a custom VPN created with NEPacketTunnelProvider. See the Connection Type field in Apple Configurator. If you set it to Custom SSL it will then ask you for Provider Bundle Identifier, but then if you leave it set to IKEv2 it will just ask for basic configuration information.

In the case of a Per-App VPN, this profile type is for configuring a system VPN that uses one of the built-in IPSec or IKEv2 transports. It will allow you to configure Per-App VPN without a custom NEPacketTunnelProvider. See the discussion:

This profile defines per-app VPN behavior and only applies to VPN services of type VPN, IPsec, and IKEv2.

Note that based on (r. 31220551) if NETestAppMapping is present in the Info.plist of a custom NEPacketTunnelProvider it will override the SafariDomains in the configuration profile. So you will need to use one or the other if this ends up being the case.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks for the reply Matt -- much appreciated!

OK, so it sounds like MDM + SafariDomains + built-in IKEv2 should work. I'll give it another try tomorrow; quite likely I was just doing something dumb.

I'll follow up with how I get on.
