iOS 14 Per-app VPN does not work for MailDomains,CalendarDomains and ContactsDomains.

Hi,

We have a profile to set the VPN configuration of the device. It is a BYOD device with a per-app VPN setting:

https://developer.apple.com/documentation/devicemanagement/applayervpn

We add following keys to our profile: 
"SafariDomains", "CalendarDomains", "ContactsDomains" and "MailDomains".

The "SafariDomains" key works and is shown in the VPN profile settings on the device (in the "Included Apps" section) with the given domains. However, none of the other features (MailDomains and the others that came with iOS 13) work.

The domains we use are internal domains, so the DNS of the system is set within the "VPN" connection. When we access the sites via Safari, the VPN works fine and we can reach them; when we try the Mail app or try adding an account via Settings, it fails.

We tried both "packet-tunnel" and "app-proxy" as the ProviderType in the AppLayerVPN.VPN settings, but it still did not work.

When we set the VPN for the whole device, the Mail app works and accounts can be fetched, so we do not think it is VPN-server related.

What are we missing here?

Any help or advice is appreciated.

Thanks

Our example profile:

<dict>
  <key>IKEv2</key>
  <dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>ChildSecurityAssociationParameters</key>
    <dict>
      <!-- 3DES / SHA1-96 are legacy IKEv2 algorithm choices; the VPN server must offer the same proposal -->
      <key>DiffieHellmanGroup</key>
      <integer>14</integer>
      <key>EncryptionAlgorithm</key>
      <string>3DES</string>
      <key>IntegrityAlgorithm</key>
      <string>SHA1-96</string>
      <key>LifeTimeInMinutes</key>
      <integer>1440</integer>
    </dict>
    <key>DeadPeerDetectionRate</key>
    <string>Medium</string>
    <key>DisableMOBIKE</key>
    <integer>0</integer>
    <key>DisableRedirect</key>
    <integer>0</integer>
    <key>EnableCertificateRevocationCheck</key>
    <integer>0</integer>
    <key>EnablePFS</key>
    <integer>1</integer>
    <key>IKESecurityAssociationParameters</key>
    <dict>
      <key>DiffieHellmanGroup</key>
      <integer>14</integer>
      <key>EncryptionAlgorithm</key>
      <string>3DES</string>
      <key>IntegrityAlgorithm</key>
      <string>SHA1-96</string>
      <key>LifeTimeInMinutes</key>
      <integer>1440</integer>
    </dict>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <key>LocalIdentifier</key>
    <string>user@example.com</string>
    <!-- must reference the PayloadUUID of the certificate payload in the same profile -->
    <key>PayloadCertificateUUID</key>
    <string>5c0c7855-a8d9-4c86-8a21-efec8335105a</string>
    <key>RemoteAddress</key>
    <string>vpn.example.com</string>
    <key>RemoteIdentifier</key>
    <string>vpn.example.com</string>
    <key>UseConfigurationAttributeInternalIPSubnet</key>
    <integer>0</integer>
  </dict>
  <key>IPv4</key>
  <dict>
    <key>OverridePrimary</key>
    <integer>1</integer>
  </dict>
  <!-- VPNUUID is what other payloads (Mail, Exchange, ...) reference to route their traffic through this VPN -->
  <key>VPNUUID</key>
  <string>4dfdca51-aea1-461b-9a76-d24e8a2f9c07</string>
  <key>OnDemandMatchAppEnabled</key>
  <true/>
  <key>SafariDomains</key>
  <array>
    <string>internal.lan</string>
  </array>
  <key>CalendarDomains</key>
  <array>
    <string>internal.lan</string>
    <string>outlook.internal.lan</string>
  </array>
  <key>ContactsDomains</key>
  <array>
    <string>internal.lan</string>
    <string>outlook.internal.lan</string>
  </array>
  <key>MailDomains</key>
  <array>
    <string>internal.lan</string>
    <string>outlook.internal.lan</string>
  </array>
  <key>PayloadDescription</key>
  <string>Configures VPN settings</string>
  <key>PayloadDisplayName</key>
  <string>VPN</string>
  <key>PayloadIdentifier</key>
  <string>com.apple.vpn.managed.applayer.ebec689e-6c37-4344-a590-09fe4a22f436</string>
  <key>PayloadType</key>
  <string>com.apple.vpn.managed.applayer</string>
  <key>PayloadUUID</key>
  <string>ebec689e-6c37-4344-a590-09fe4a22f436</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>Proxies</key>
  <dict>
    <key>HTTPEnable</key>
    <integer>0</integer>
    <key>HTTPSEnable</key>
    <integer>0</integer>
  </dict>
  <key>UserDefinedName</key>
  <string>MDM VPN</string>
  <key>VPNType</key>
  <string>IKEv2</string>
  <key>VPN</key>
  <dict>
    <key>ProviderType</key>
    <string>packet-tunnel</string>
  </dict>
</dict>
If you're installing this profile via a user enrollment, you're running into a limitation on the MailDomains, ContactsDomains and CalendarDomains keys described here. In short, the second-level domain of those keys must match the second-level domain of the VPN server, and that's not true in your example.

If that doesn't apply to your case, there isn't enough information here to diagnose the issue. I suggest filing feedback at https://feedbackassistant.apple.com/. Please install the VPN (Network Extension) and Managed Configuration (MDM) profiles from https://developer.apple.com/bug-reporting/profiles-and-logs/, reproduce the issue, take a sysdiagnose as described on that same page, and attach the sysdiagnose to the feedback.

There's an alternate way to configure VPN for those accounts which may be easier for you to configure and may work around the issue you're encountering. It's called per-account VPN, and it's introduced here.

The domains are changed and the real domains conform to this limitation.

We have created a feedback with a sysdiagnose; however, there has not been any contact regarding the issue. You can see the details below:

Feedback Details:

FB9045082 (iOS VPN profile Mail domains is not working but accessing it via Safari Domains work(The problem diagnosed at 17:36 in sysdiagnose))


More Detailed Feedback:

FB9055378 (iOS 14 Per-app VPN does not work for MailDomains (Sysdiagnose Time range: 13:31-13:33))

Possibly old news, but for the record: according to the AppLayer VPN MDM spec, MailDomains has been deprecated in 13.4.

The suggestion is to "use the VPNUUID property of the Mail or ExchangeActiveSync payload instead."
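The two replies above give a concrete rule (the account-domain keys must share the VPN server's second-level domain under user enrollment) and a concrete replacement (put VPNUUID on the Mail or Exchange payload instead of using MailDomains). The script below is an added example, not Apple's or the poster's code: it parses a cut-down, constructed copy of the profile from the question, reports every domain entry that breaks the second-level-domain rule, flags the deprecated MailDomains key, and builds a per-account Exchange payload wired to the VPN's VPNUUID. The `com.apple.eas.account` keys used are the standard Exchange ActiveSync payload keys; the PayloadUUID and PayloadIdentifier for the new payload are placeholders.

```python
"""Validate the account-domain keys of a per-app VPN payload and build the
per-account (VPNUUID) alternative. Added example; not from the thread."""
import plistlib

# Constructed sample: only the keys of the questioner's profile that matter here.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
  <key>VPNUUID</key><string>4dfdca51-aea1-461b-9a76-d24e8a2f9c07</string>
  <key>IKEv2</key>
  <dict><key>RemoteAddress</key><string>vpn.example.com</string></dict>
  <key>SafariDomains</key>
  <array><string>internal.lan</string></array>
  <key>MailDomains</key>
  <array><string>internal.lan</string><string>outlook.internal.lan</string></array>
  <key>ContactsDomains</key>
  <array><string>internal.lan</string></array>
</dict>
</plist>
"""

# Keys subject to the user-enrollment second-level-domain restriction.
ACCOUNT_DOMAIN_KEYS = ("MailDomains", "CalendarDomains", "ContactsDomains")


def load_payload(data: bytes) -> dict:
    """Parse an XML plist payload dictionary."""
    return plistlib.loads(data)


def second_level_domain(host: str) -> str:
    """Last two DNS labels: 'outlook.internal.lan' -> 'internal.lan'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def vpn_server_host(payload: dict) -> str:
    """RemoteAddress lives under IKEv2, IPSec or VPN depending on VPNType."""
    for section in ("IKEv2", "IPSec", "VPN"):
        host = payload.get(section, {}).get("RemoteAddress")
        if host:
            return host
    return ""


def check_domain_keys(payload: dict) -> list:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    server = vpn_server_host(payload)
    server_sld = second_level_domain(server) if server else ""
    for key in ACCOUNT_DOMAIN_KEYS:
        for domain in payload.get(key, []):
            if server_sld and second_level_domain(domain) != server_sld:
                findings.append(
                    f"{key}: {domain} does not share the second-level domain of "
                    f"VPN server {server} (user-enrollment restriction)"
                )
    if "MailDomains" in payload:
        findings.append(
            "MailDomains is deprecated since iOS 13.4; set VPNUUID on the "
            "Mail or Exchange ActiveSync payload instead"
        )
    return findings


def per_account_exchange_payload(vpn_uuid: str, host: str, email: str,
                                 payload_uuid: str) -> dict:
    """Exchange ActiveSync payload that routes its own traffic through the
    per-app VPN identified by vpn_uuid (the per-account VPN approach)."""
    return {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.eas.{payload_uuid}",  # placeholder
        "PayloadUUID": payload_uuid,  # placeholder; must be unique in the profile
        "PayloadDisplayName": "Exchange (per-account VPN)",
        "Host": host,
        "EmailAddress": email,
        "UserName": email,
        "SSL": True,
        "VPNUUID": vpn_uuid,  # matches VPNUUID of the applayer VPN payload
    }


def analyze_sample() -> list:
    """Run the checks over the constructed sample profile."""
    return check_domain_keys(load_payload(SAMPLE_PROFILE))


if __name__ == "__main__":
    profile = load_payload(SAMPLE_PROFILE)
    for finding in check_domain_keys(profile):
        print("FINDING:", finding)
    eas = per_account_exchange_payload(profile["VPNUUID"], "outlook.internal.lan",
                                       "user@example.com", "PLACEHOLDER-EAS-UUID")
    print(plistlib.dumps(eas).decode())
```

Run it as-is to see the three mismatching domain entries plus the deprecation note for the sample; point `load_payload` at your real exported payload to check it. The generated Exchange payload is meant to sit in the same configuration profile as the applayer VPN payload whose VPNUUID it references.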
