How do we build the .mobileconfig for per-App VPN?

After reviewing the WWDC video (WWDC 2015 - Session 717 - OS X, iOS) and looking at other ways to understand the problem, there is still a lack of guidance and/or a missing tool to create the proper tags for per-App VPN.

Despite it being less than ideal, the VPN server is using PPTP. I will eventually have a suite of custom enterprise apps that will all use the VPN connection.

So... I will need to set up the VPN and the vpn.managed.applayer.

We have an MDM solution to push the config files, and the options in it are more numerous than those in Apple Configurator 2. In fact, there is a section for "App Configuration" and I have tried to add the Per-App Payload, but it is not being recognized by the iOS device(s).

I have also reviewed the configuration file in the video... the schema is different than that of the ones generated by the Apple tools.

Here is my effort; the XML is incorrect. Can anyone provide a sample that works with the tools?

(I hope Eskimo can help here)

============================================================


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadIdentifier</key>
	<string>com.apple.mdm.XXXXXX.XXXX</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadScope</key>
	<string>System</string>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>XXXXXXXXXXXXXXXXX</string>
	<key>PayloadOrganization</key>
	<string>MyCompany</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
	<key>PayloadDisplayName</key>
	<string>Config</string>
	<key>PayloadDescription</key>
	<string>Mobile Configuration</string>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>PayloadIdentifier</key>
			<string>com.apple.mdm.XXXXXX</string>
			<key>PayloadUUID</key>
			<string>XXXXXXXXXXXX</string>
			<key>PayloadEnabled</key>
			<true/>
			<key>PayloadDisplayName</key>
			<string>VPN</string>
			<key>VPNType</key>
			<string>PPTP</string>
			<key>PPP</key>
			<dict>
				<key>OnDemandEnabled</key>
				<integer>1</integer>
				<key>CCPEnabled</key>
				<integer>1</integer>
				<key>CCPMPPE40Enabled</key>
				<integer>1</integer>
				<key>CCPMPPE128Enabled</key>
				<integer>1</integer>
				<key>CommRemoteAddress</key>
				<string>8.8.8.8</string>
				<key>AuthName</key>
				<string>username</string>
				<key>OnDemandMode</key>
				<string>Aggressive</string>
				<key>OnDemandMatchDomainsAlways</key>
				<array/>
				<key>OnDemandMatchDomainsNever</key>
				<array/>
				<key>OnDemandMatchDomainsOnRetry</key>
				<array>
					<string>*curexomed.local</string>
				</array>
				<key>AuthenticationMethod</key>
				<string>Password</string>
				<key>AuthPassword</key>
				<string>password</string>
			</dict>
			<key>IPSec</key>
			<dict>
				<key>OnDemandEnabled</key>
				<integer>0</integer>
			</dict>
			<key>Proxies</key>
			<dict/>
			<key>AlwaysOn</key>
			<dict>
				<key>TunnelConfigurations</key>
				<array>
					<dict>
						<key>ProtocolType</key>
						<string>IKEv2</string>
						<key>Interfaces</key>
						<array>
							<string>Cellular</string>
						</array>
						<key>AuthenticationMethod</key>
						<string>SharedSecret</string>
						<key>DeadPeerDetectionRate</key>
						<string>Medium</string>
						<key>CertificateType</key>
						<string>RSA</string>
					</dict>
					<dict>
						<key>ProtocolType</key>
						<string>IKEv2</string>
						<key>Interfaces</key>
						<array>
							<string>WiFi</string>
						</array>
						<key>AuthenticationMethod</key>
						<string>SharedSecret</string>
						<key>DeadPeerDetectionRate</key>
						<string>Medium</string>
						<key>CertificateType</key>
						<string>RSA</string>
					</dict>
				</array>
			</dict>
			<key>UserDefinedName</key>
			<string>Company VPN</string>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>1</integer>
			</dict>
		</dict>
	</array>
</dict>
</plist>
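As an added example (not from the original post, not Apple's tooling), the script below assembles a Per-App VPN profile with plistlib and lints it for the problems visible in the profile above: placeholder "XXXX" PayloadUUIDs, duplicate UUIDs, and an app mapping whose VPNUUID no applayer payload declares. The IKEv2 tunnel settings (used instead of the question's PPTP tunnel), the example.com names, and the use of the macOS com.apple.vpn.managed.appmapping payload to bind apps to the VPNUUID are assumptions made for the example.

```python
import plistlib
import uuid

PER_APP_TYPE = "com.apple.vpn.managed.applayer"
MAPPING_TYPE = "com.apple.vpn.managed.appmapping"  # app-to-Per-App-VPN mapping payload (macOS)

def base_payload(ptype, ident):
    # Keys every payload carries; PayloadUUID is generated, never left as "XXXX".
    return {"PayloadType": ptype, "PayloadIdentifier": ident, "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()).upper()}

def per_app_vpn_payload(server, vpn_uuid, psk):
    # IKEv2 Per-App VPN payload (tunnel settings are assumed); apps are tied to it through VPNUUID.
    p = base_payload(PER_APP_TYPE, "com.example.vpn.perapp")
    p.update({"UserDefinedName": "Per-App VPN", "VPNType": "IKEv2", "VPNUUID": vpn_uuid, "OnDemandMatchAppEnabled": True,
              "IKEv2": {"RemoteAddress": server, "RemoteIdentifier": server, "LocalIdentifier": "ios-client",
                        "AuthenticationMethod": "SharedSecret", "SharedSecret": psk}})
    return p

def app_mapping_payload(bundle_ids, vpn_uuid):
    # Routes the listed apps through the Per-App VPN whose VPNUUID is given.
    p = base_payload(MAPPING_TYPE, "com.example.vpn.mapping")
    p["AppLayerVPNMapping"] = [{"Identifier": b, "VPNUUID": vpn_uuid} for b in bundle_ids]
    return p

def lint_profile(data):
    # Flags thread-visible mistakes: non-UUID or duplicate PayloadUUIDs, mappings to an undeclared VPNUUID.
    top = plistlib.loads(data)
    payloads = [top] + top.get("PayloadContent", [])
    uuids = [p.get("PayloadUUID", "") for p in payloads]
    problems = [f"duplicate PayloadUUID {u}" for u in sorted({u for u in uuids if uuids.count(u) > 1})]
    declared, referenced = set(), set()
    for p, u in zip(payloads, uuids):
        try:
            uuid.UUID(u)
        except ValueError:
            problems.append(f"{p.get('PayloadIdentifier')}: PayloadUUID {u!r} is not a UUID")
        if p.get("PayloadType") == PER_APP_TYPE:
            declared.add(p["VPNUUID"])
        referenced.update(m["VPNUUID"] for m in p.get("AppLayerVPNMapping", []))
    return problems + [f"app mapping references unknown VPNUUID {v}" for v in sorted(referenced - declared)]

def example_profile(vpn_uuid="3F6C2C4A-3B2E-4B7B-9E8D-5B8C1D2E3F40", mapping_uuid=None, placeholder_uuids=False):
    # Constructed profile; placeholder_uuids=True puts back the "XXXX" PayloadUUIDs seen in the posted one.
    top = base_payload("Configuration", "com.example.vpn.profile")
    top["PayloadContent"] = [per_app_vpn_payload("vpn.example.com", vpn_uuid, "constructed-psk"),
                             app_mapping_payload(["com.example.app1"], mapping_uuid or vpn_uuid)]
    if placeholder_uuids:
        for p in top["PayloadContent"]:
            p["PayloadUUID"] = "XXXX"
    return plistlib.dumps(top)
```

Running lint_profile over a real .mobileconfig exported from the MDM shows the same three classes of problem before the profile is pushed to a device.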

Replies

I'm sure you've figured this out by now, so I'd like to ask if you have any info to share. I am new to trying to get an IKEv2 VPN "Always on" connection up and running. I'd also like a few apps to be able to bypass the tunnel. Any help is greatly appreciated.

  • Post is four years old. But maybe someone can use it. I use this profile on my iPhone.


<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>

		<!-- VPN: Manual -->
		<dict>
			<key>UserDefinedName</key>
			<string>VPN: Manual</string>
			<key>PayloadDisplayName</key>
			<string>VPN: Manual</string>
			<key>PayloadDescription</key>
			<string>Manual VPN connection</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.XXXX</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>XXXX</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>VPNType</key>
			<string>IPSec</string>
			<key>IPSec</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>LocalIdentifierType</key>
				<string>KeyID</string>
				<key>RemoteAddress</key>
				<string>HOSTNAME-OR-IP-ADDRESS</string>
				<key>SharedSecret</key>
				<data>
				YOUR SHARED SECRET
				</data>
				<key>XAuthEnabled</key>
				<integer>1</integer>
				<key>XAuthName</key>
				<string>USERNAME</string>
				<key>XAuthPassword</key>
				<string>PASSWORD</string>
			</dict>
		</dict>

		<!-- VPN: Always except trusted WiFi networks -->
		<dict>
			<key>UserDefinedName</key>
			<string>VPN: Cellular and WiFi</string>
			<key>PayloadDisplayName</key>
			<string>VPN: Cellular and WiFi</string>
			<key>PayloadDescription</key>
			<string>Always VPN connection except @ trusted wifi networks</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.XXXX</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>XXXX</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>VPNType</key>
			<string>IPSec</string>
			<key>IPSec</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>LocalIdentifierType</key>
				<string>KeyID</string>
				<key>RemoteAddress</key>
				<string>HOSTNAME OR IP-ADDRESS</string>
				<key>SharedSecret</key>
				<data>
				YOUR SHARED SECRET
				</data>
				<key>XAuthEnabled</key>
				<integer>1</integer>
				<key>XAuthName</key>
				<string>USERNAME</string>
				<key>XAuthPassword</key>
				<string>PASSWORD</string>
			</dict>
			<key>OnDemandEnabled</key>
			<integer>1</integer>
			<key>OnDemandRules</key>
			<array>
				<dict>
					<key>InterfaceTypeMatch</key>
					<string>WiFi</string>
					<key>SSIDMatch</key>
					<array>
						<string>HOMEWIFI@2.4G</string>
						<string>HOMEWIFI@5G</string>
						<string>WORKWIFI@2.4G</string>
						<string>WORKWIFI@5G</string>
					</array>
					<key>Action</key>
					<string>Disconnect</string>
				</dict>
				<dict>
					<key>InterfaceTypeMatch</key>
					<string>WiFi</string>
					<key>Action</key>
					<string>Connect</string>
				</dict>
				<dict>
					<!-- VPN Default state -->
					<key>Action</key>
					<string>Connect</string>
				</dict>
			</array>
			<key>OverridePrimary</key>
			<true/>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>1</integer>
			</dict>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
		</dict>

		<!-- VPN: Always -->
		<dict>
			<key>UserDefinedName</key>
			<string>VPN: Always</string>
			<key>PayloadDisplayName</key>
			<string>VPN: Always</string>
			<key>PayloadDescription</key>
			<string>Always a VPN connection</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.vpn.managed.XXXX</string>
			<key>PayloadType</key>
			<string>com.apple.vpn.managed</string>
			<key>PayloadUUID</key>
			<string>XXXX</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
			<key>VPNType</key>
			<string>IPSec</string>
			<key>IPSec</key>
			<dict>
				<key>AuthenticationMethod</key>
				<string>SharedSecret</string>
				<key>LocalIdentifierType</key>
				<string>KeyID</string>
				<key>RemoteAddress</key>
				<string>HOSTNAME OR IP-ADDRESS</string>
				<key>SharedSecret</key>
				<data>
				YOUR SHARED SECRET
				</data>
				<key>XAuthEnabled</key>
				<integer>1</integer>
				<key>XAuthName</key>
				<string>USERNAME</string>
				<key>XAuthPassword</key>
				<string>PASSWORD</string>
			</dict>
			<key>OnDemandEnabled</key>
			<integer>1</integer>
			<key>OnDemandRules</key>
			<array>
				<dict>
					<!-- VPN Default state -->
					<key>Action</key>
					<string>Connect</string>
				</dict>
			</array>
			<key>OverridePrimary</key>
			<true/>
			<key>IPv4</key>
			<dict>
				<key>OverridePrimary</key>
				<integer>1</integer>
			</dict>
			<key>Proxies</key>
			<dict>
				<key>HTTPEnable</key>
				<integer>0</integer>
				<key>HTTPSEnable</key>
				<integer>0</integer>
			</dict>
		</dict>

	</array>
	<key>PayloadDisplayName</key>
	<string>VPN Configurations</string>
	<key>PayloadIdentifier</key>
	<string>MacBook16-Pro.XXXX</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>XXXX</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
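As an added example (not the replier's code), this shows how the OnDemandRules in the "VPN: Cellular and WiFi" payload above are evaluated: the device walks the array top to bottom and the first rule whose match keys all hold decides the Action, so the trusted-SSID Disconnect rule has to come before the catch-all WiFi Connect rule. The embedded profile is a constructed cut-down copy of that payload with placeholder SSIDs.

```python
import plistlib

# Constructed cut-down copy of the reply's "VPN: Cellular and WiFi" payload: only the
# OnDemandRules are kept and the SSIDs are placeholders, so the rules can be evaluated offline.
PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>OnDemandEnabled</key><integer>1</integer>
  <key>OnDemandRules</key><array>
    <dict><key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>SSIDMatch</key><array><string>HOMEWIFI@5G</string><string>WORKWIFI@5G</string></array>
          <key>Action</key><string>Disconnect</string></dict>
    <dict><key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>Action</key><string>Connect</string></dict>
    <dict><key>Action</key><string>Connect</string></dict>
  </array>
</dict></array></dict></plist>"""

def load_rules(profile_bytes):
    # OnDemandRules of every VPN payload that has on-demand enabled, in profile order.
    top = plistlib.loads(profile_bytes)
    return [p["OnDemandRules"] for p in top["PayloadContent"]
            if p.get("PayloadType") == "com.apple.vpn.managed" and p.get("OnDemandEnabled") == 1]

def evaluate(rules, interface, ssid=None):
    # Mirrors the device: rules are tried top to bottom and the first rule whose match
    # keys all hold decides the Action; a rule with no match keys is the catch-all.
    for rule in rules:
        if rule.get("InterfaceTypeMatch", interface) != interface:
            continue
        if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
            continue
        return rule["Action"]
    return None  # nothing matched: the profile has no default rule

def decisions(profile_bytes, swap_wifi_rules=False):
    # Tunnel state for a trusted SSID, an unknown SSID and cellular. swap_wifi_rules puts
    # the generic WiFi rule first, which silently stops trusted networks being exempted.
    rules = load_rules(profile_bytes)[0]
    if swap_wifi_rules:
        rules = [rules[1], rules[0]] + rules[2:]
    cases = {"trusted": ("WiFi", "HOMEWIFI@5G"), "cafe": ("WiFi", "CafeGuest"), "cellular": ("Cellular", None)}
    return {name: evaluate(rules, iface, ssid) for name, (iface, ssid) in cases.items()}

if __name__ == "__main__":
    print(decisions(PROFILE_XML))                        # {'trusted': 'Disconnect', 'cafe': 'Connect', 'cellular': 'Connect'}
    print(decisions(PROFILE_XML, swap_wifi_rules=True))  # trusted WiFi now gets 'Connect'
```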