Per App VPN Configuration

I have developed an iOS app which connects the iOS device to a VPN. I used a Packet Tunnel Provider (OpenVPN) to connect to the VPN.

I have some points of confusion; please help me clear them up:

1. Now I want to achieve Per App VPN using MDM. So I am confused whether I have to make some changes or do some configuration at my iOS app end to support Per App VPN?

2. In some tutorials I saw people saying that MDM does not require a client app because there is a client app in the device OS (iOS) that does all the MDM work. So is it correct that there is no need for my iOS app (the VPN connect app) to start MDM?

3. Third, as MDM sends a push notification to establish a connection between the MDM server and the device, how will we send the push notification? Do we send the push notification to the app developed by me, which then establishes a connection to MDM, or is this work (push notification and establishing a connection) also done by the app installed in the OS (iOS)?

4. Last, if there is any requirement or possibility to use my iOS app (which I am using for connecting the VPN) in achieving Per App VPN using MDM, please suggest what those requirements might be.

Replies

Per-app VPN can only be deployed to a managed environment [1,2]. The basic strategy is:

  • The MDM system pushes a per-app VPN configuration (with a payload of type com.apple.vpn.managed.applayer) to the client. This includes the VPNUUID property, which uniquely identifies that configuration.
  • The MDM system then installs a managed app on to the device and configures that app to use the VPN by setting the VPNUUID attribute on it [3].

So, with that background, let’s look at your specific questions:

1. Now I want to achieve Per App VPN using MDM. So I am confused whether I have to make some changes or do some configuration at my iOS app end to support Per App VPN?

There are two types of per-app VPN:

  • Packet tunnel

  • App proxy

If you have an existing packet tunnel provider, the OS does not require you to make specific changes to support per-app VPN. However, there may be changes required by your VPN server. For example, it may need you to forward packets to it with appropriate metadata so that it can route the packets (and any responses) correctly.

Your packet tunnel provider can tell that it’s in per-app VPN mode by checking the routingMethod property for .sourceApplication.

Your packet tunnel provider can get information about the source application for a specific packet by looking at the metadata property on NEPacket.

2. In some tutorials I saw people saying that MDM does not require a client app because there is a client app in the device OS (iOS) that does all the MDM work.

Correct. Specifically, there is an MDM client built in to all of our OSes (although, technically, it’s not an app).

So is it correct that there is no need for my iOS app (the VPN connect app) to start MDM?

Correct. Your app can present a UI to control your VPN but there’s no requirement to do so. Most managed environments use VPN On Demand to start the VPN. And the user can manually start and stop the tunnel in Settings.

3. Third, as MDM sends a push notification to establish a connection between the MDM server and the device, how will we send the push notification? Do we send the push notification to the app developed by me, which then establishes a connection to MDM, or is this work (push notification and establishing a connection) also done by the app installed in the OS (iOS)?

The latter.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] On iOS. The story on macOS is more nuanced.

[2] There is a way to work with per-app VPN in an unmanaged environment during development, but that only works during development.

[3] I can’t find info about this in the current documentation (r. 58440321) but it is covered in the legacy Mobile Device Management Protocol Reference. Search that doc for VPNUUID.
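An added example (not the original poster's app and not Apple sample code) showing the two checks from the reply above inside a packet tunnel provider: routingMethod == .sourceApplication to detect per-app mode at start-up, and NEPacket.metadata to read each packet's source app. The UDP transport to 203.0.113.1:4500, the tunnel addressing, and the frame layout that prefixes each packet with its source-app signing identifier are hypothetical stand-ins for whatever a real VPN server expects; the point is where the per-app information comes from, not the wire protocol:

```swift
import Foundation
import Network
import NetworkExtension
import os

/// Added example, not the original poster's provider. `routingMethod` is
/// `.sourceApplication` only when the tunnel was started from a
/// com.apple.vpn.managed.applayer configuration pushed by MDM; in that mode
/// the OS attaches `NEFlowMetaData` to each packet read from `packetFlow`.
/// Server endpoint, addresses and the frame format below are hypothetical.
final class PerAppPacketTunnelProvider: NEPacketTunnelProvider {

    private let log = Logger(subsystem: "example.vpn", category: "tunnel")
    private let queue = DispatchQueue(label: "example.vpn.tunnel")
    private var connection: NWConnection?
    private(set) var perAppMode = false

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Per-app mode is decided by the MDM payload, not by the app.
        perAppMode = (routingMethod == .sourceApplication)
        log.info("starting tunnel, perAppMode=\(self.perAppMode)")

        // Hypothetical server endpoint; a real provider would take it from
        // protocolConfiguration.serverAddress or providerConfiguration.
        let conn = NWConnection(host: "203.0.113.1", port: 4500, using: .udp)
        connection = conn
        conn.start(queue: queue)
        receiveFromServer()

        // Illustrative tunnel addressing. In per-app mode the OS, not this
        // route table, decides which apps' flows enter the tunnel.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")
        let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4
        settings.mtu = 1400

        setTunnelNetworkSettings(settings) { error in
            if let error = error { completionHandler(error); return }
            self.readFromDevice()
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        connection?.cancel()
        connection = nil
        completionHandler()
    }

    // Device -> server: tag each packet with its source app and send it.
    private func readFromDevice() {
        packetFlow.readPacketObjects { packets in
            for packet in packets {
                // metadata is populated only under source-application routing;
                // with destination-IP routing it is nil, so the tag is empty.
                let app = packet.metadata?.sourceAppSigningIdentifier ?? ""
                self.log.debug("outbound packet from \(app, privacy: .public)")
                self.connection?.send(content: Self.frame(packet, app: app),
                                      completion: .contentProcessed { _ in })
            }
            self.readFromDevice()
        }
    }

    // Server -> device: strip the frame and hand the IP packet back to the OS.
    private func receiveFromServer() {
        connection?.receiveMessage { data, _, _, error in
            if let data = data, let framed = Self.unframe(data) {
                _ = self.packetFlow.writePacketObjects([framed.packet])
            }
            if error == nil { self.receiveFromServer() }
        }
    }

    /// Hypothetical wire format: [1-byte family][1-byte id length][id UTF-8][IP packet].
    static func frame(_ packet: NEPacket, app: String) -> Data {
        let id = Array(app.utf8.prefix(255))
        var out = Data([UInt8(packet.protocolFamily), UInt8(id.count)])
        out.append(contentsOf: id)
        out.append(packet.data)
        return out
    }

    static func unframe(_ data: Data) -> (packet: NEPacket, app: String)? {
        guard data.count >= 2 else { return nil }
        let start = data.startIndex
        let family = sa_family_t(data[start])
        let idLen = Int(data[start + 1])
        guard data.count >= 2 + idLen else { return nil }
        let app = String(decoding: data[(start + 2)..<(start + 2 + idLen)], as: UTF8.self)
        let payload = Data(data[(start + 2 + idLen)...])
        return (NEPacket(data: payload, protocolFamily: family), app)
    }
}
```

The provider itself never selects per-app mode: it only observes it through routingMethod and per-packet metadata. Whether the server needs the source-app tag at all depends on how it routes replies, which is the server-side change the reply above refers to.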

Hi @eskimo,

Thanks for your support. I have understood the first two points (1 & 2). Can you please clarify the third point as well:

"As MDM sends a push notification to establish a connection between the MDM server and the device, how will we send the push notification? Do we send the push notification to the app developed by me, which then establishes a connection to MDM, or is this work (push notification and establishing a connection) also done by the app installed in the OS (iOS)?"

I’m not sure what aspect of this you need clarifying. yashipallav asked whether apps can send MDM push notifications directly to the device. The answer to that is no. If you wanted to do something like that, your app would talk to the MDM server, which could then issue MDM updates to the device on the app’s behalf.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"