VPN

Use the VPN settings to configure traditional system-wide VPNs based on L2TP, PPTP, and IPsec. These settings do not apply to per-app VPN. Note that PPTP offers no meaningful confidentiality (MS-CHAPv2 and MPPE are broken) and current macOS releases no longer support it; prefer IKEv2 with certificate authentication where the server allows it.

The following table describes the connection parameters that are required to enforce a secure VPN connection on macOS devices:
Policy setting Description
Connection Type The type of VPN connection. MaaS360® supports the following connection types:
  • L2TP
  • PPTP
  • Cisco (IPsec)
  • Cisco AnyConnect
  • Juniper SSL
  • F5 SSL
  • SonicWall Mobile Connect
  • Aruba VIA®
  • Custom SSL
  • IKEv2
VPN Connection Name The unique name of the VPN connection that is displayed on the device.
Host Name of the VPN Server The host name of the VPN server.
Remote Identifier The remote identifier that identifies the IKEv2 server. The supported formats are FQDN, User FQDN, Address, or ASN1DN.
Local Identifier The local identifier that is used by the mobile device. The supported formats are FQDN, User FQDN, Address, or ASN1DN.
VPN User Account The username of the VPN account. You can use substitution variables such as %domain%%username% or %username%, which MaaS360 resolves per user when the policy is applied.
User Authentication Type The type of authentication that is used to connect to the VPN server:
  • Password: You must provide a password if you use L2TP or PPTP.
  • RSA SecurID: For L2TP authentication, users can use an RSA SecurID token card to connect to the network.
  • Certificate
    • Identity Certificate
    • VPN On demand: Always establish for URLs: Enter comma-separated URLs. For example, .com, .example.com. A VPN connection is always initiated for domains or host names that match the URLs.
    • VPN On demand: Never establish for URLs: Enter comma-separated URLs. For example, .com, .example.com. A VPN connection is not initiated for the address that matches these domains or host names. The existing VPN connection continues.
    • VPN On demand: Establish if needed for URLs: Enter comma-separated URLs. For example, .com, .example.com. A VPN connection is initiated for the address that matches these domains or host names only if the DNS lookup fails.
Machine Authentication Type The machine uses a shared secret, CSE authentication, or an identity certificate for authentication.
Enable EAP Enables EAP-only authentication for the connection. This setting applies to IKEv2.
TLS Min. Version The minimum TLS version that EAP-TLS authentication accepts. The supported values are 1.0, 1.1, or 1.2. If no value is specified, the default minimum is 1.0, which permits negotiation of versions with known weaknesses; set 1.2 unless a legacy server requires otherwise.
TLS Max. Version The maximum TLS version that EAP-TLS authentication accepts. The supported values are 1.0, 1.1, or 1.2. If no value is specified, the default maximum is 1.2. The maximum must not be lower than the minimum.
Dead Peer Detection Rate The detection interval for the connection.
Disable redirects The IKEv2 redirection is disabled for the device. Otherwise, the connection is redirected if a redirect request is received from the server. The default value is off.
Disable Mobility and Multihoming IKEv2 Mobility and Multihoming (MOBIKE) is disabled for the device.
Enable certificate revocation check The certificate revocation check is enabled for IKEv2 connections. This is a best-effort revocation check; server response timeouts do not cause the certificate check to fail.
Use IPv4 / IPv6 Internal Subnet Attributes The IKEv2 configuration attributes INTERNAL_IP4_SUBNET and INTERNAL_IP6_SUBNET are used during negotiation.
Enable perfect forward secrecy Perfect Forward Secrecy (PFS) is enabled for IKEv2 connections.
Encryption Algorithm The encryption algorithm that is required for the child Security Association (ESP). Prefer an AES-GCM mode over CBC modes, and do not select DES or 3DES.
Integrity Algorithm The integrity algorithm that is required for the child Security Association. SHA-1 variants should be avoided in favour of SHA-2.
Diffie-Hellman Group The Diffie-Hellman group number. Groups 1, 2, and 5 (MODP of 1536 bits or less) are considered weak.
Lifetime in Minutes The SA lifetime (rekey interval) in minutes. Valid values are 10 through 1440.
Always-on VPN (supervised only)
  • Allow user to disable automatic connection: Users can disable an automatic connection to the VPN.
  • Enable NAT keepalive while the device is asleep: The NAT keepalive offload is enabled for Always-on VPN IKEv2 connections. Keepalive packets are sent by the device to maintain NAT mappings for IKEv2 connections that have a NAT on the path. Keepalive packets are sent at regular intervals when the device is in wake mode. Keepalive packets are offloaded to hardware when a device is in sleep mode. NAT keepalive offloads impact battery life since extra workload is added when a device is in sleep mode.
  • NAT Keepalive interval for Cellular Interfaces (in secs): The NAT keepalive interval for Always-on VPN IKEv2 connections. This value controls the interval for keepalive offload packets that are sent by the device. The minimum value is 20 seconds. If no key is specified, the default is 20 seconds for wifi and 110 seconds for a cellular interface.
  • NAT Keepalive interval for WiFi Interfaces (in secs)
  • Exception for Voice Mail: The voice mail system service is exempt from Always-on VPN.
  • Exception for AirPrint: The AirPrint system service is exempt from Always-on VPN.
  • Allow traffic from captive web sheet outside the VPN tunnel: Network traffic is allowed from the captive web sheet outside the VPN tunnel.
  • Allow traffic from all captive networking apps outside VPN tunnel: Network traffic is allowed from all captive networking apps outside the VPN tunnel.
  • Captive Networking App Bundle Identifiers: Network traffic from these apps is allowed outside the VPN tunnel. Enter comma-separated App Bundle IDs.
Shared Secret The shared secret (password) that is used for authentication. This setting is used for L2TP or Cisco IPsec.
Send All Traffic All network traffic is sent through the VPN.
Proxy Type If you choose the manual proxy type, you must provide the proxy server address including the proxy server port and optionally, a username and password. If you choose the auto proxy type, enter a Proxy (PAC) URL.
Encryption Level The level of MPPE encryption that is enforced on a PPTP connection (none, automatic, or maximum). Even at maximum, PPTP relies on MS-CHAPv2 and RC4, so it should not be used where IKEv2 or IPsec is available.
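As an added example (not MaaS360 or Apple code), the following Python builds the IKEv2 payload that the table's settings map onto in an Apple configuration profile, using the public com.apple.vpn.managed keys, and audits a payload against the constraints given above (TLS versions 1.0 to 1.2, lifetime 10 to 1440 minutes, PFS and revocation checking on) plus a weak-algorithm list. The server name, identifiers, payload identifiers and certificate UUID are placeholders, and the baseline encoded in audit() is this example's own.

```python
"""Build and audit a macOS IKEv2 VPN configuration-profile payload.
Added example, not MaaS360 or Apple code: it uses the public com.apple.vpn.managed
keys, but the helper names, example.com hosts/identities and the cert UUID are assumed."""
import plistlib
import uuid

TLS_VERSIONS = ("1.0", "1.1", "1.2")      # values TLS Min./Max. Version accept
LIFETIME_MIN, LIFETIME_MAX = 10, 1440     # Lifetime in Minutes range
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
WEAK_DH_GROUPS = {0, 1, 2, 5}             # MODP groups of 1536 bits or less
CERT_UUID = "11111111-2222-3333-4444-555555555555"  # placeholder identity payload UUID


def sa_parameters(lifetime):
    """Proposal used for both the IKE SA and the Child (ESP) SA."""
    return {"EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
            "DiffieHellmanGroup": 20, "LifeTimeInMinutes": lifetime}


def ikev2_payload(server, remote_id, local_id, cert_uuid=CERT_UUID,
                  tls_min="1.2", tls_max="1.2", lifetime=480):
    """Certificate-authenticated IKEv2 payload with PFS and revocation checking on.
    The 0/1 integers follow the payload reference for these keys."""
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Corp IKEv2",
        "UserDefinedName": "Corp IKEv2",             # VPN Connection Name
        "VPNType": "IKEv2",                           # Connection Type
        "IKEv2": {
            "RemoteAddress": server,                  # Host Name of the VPN Server
            "RemoteIdentifier": remote_id,            # Remote Identifier (FQDN)
            "LocalIdentifier": local_id,              # Local Identifier (User FQDN)
            "AuthenticationMethod": "Certificate",    # Machine Authentication Type
            "PayloadCertificateUUID": cert_uuid,      # Identity Certificate
            "ExtendedAuthEnabled": 0,                 # Enable EAP: off, certificate only
            "EnablePFS": 1,                           # Enable perfect forward secrecy
            "EnableCertificateRevocationCheck": 1,    # best-effort check, see table
            "DeadPeerDetectionRate": "Medium",
            "TLSMinimumVersion": tls_min,
            "TLSMaximumVersion": tls_max,
            "IKESecurityAssociationParameters": sa_parameters(lifetime),
            "ChildSecurityAssociationParameters": sa_parameters(lifetime),
        },
    }


def audit(payload):
    """Return policy findings for one com.apple.vpn.managed payload (empty = baseline met)."""
    findings = []
    vpn_type = payload.get("VPNType")
    if vpn_type in ("PPTP", "L2TP"):
        findings.append(f"{vpn_type} is a legacy tunnel type; prefer IKEv2")
    ike = payload.get("IKEv2")
    if vpn_type != "IKEv2" or not ike:
        return findings
    tmin = ike.get("TLSMinimumVersion", "1.0")      # defaults from the table
    tmax = ike.get("TLSMaximumVersion", "1.2")
    if tmin not in TLS_VERSIONS or tmax not in TLS_VERSIONS:
        findings.append("TLS version must be 1.0, 1.1 or 1.2")
    else:
        if TLS_VERSIONS.index(tmin) > TLS_VERSIONS.index(tmax):
            findings.append("TLSMinimumVersion exceeds TLSMaximumVersion")
        if tmin != "1.2":
            findings.append("TLSMinimumVersion below 1.2 (default is 1.0)")
    if not ike.get("EnablePFS"):
        findings.append("EnablePFS is off")
    if not ike.get("EnableCertificateRevocationCheck"):
        findings.append("EnableCertificateRevocationCheck is off")
    if ike.get("AuthenticationMethod") == "SharedSecret" and not ike.get("ExtendedAuthEnabled"):
        findings.append("SharedSecret machine authentication without EAP")
    for name in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        sa = ike.get(name, {})
        for key, weak in (("EncryptionAlgorithm", WEAK_ENCRYPTION),
                          ("IntegrityAlgorithm", WEAK_INTEGRITY),
                          ("DiffieHellmanGroup", WEAK_DH_GROUPS)):
            if sa.get(key) in weak:
                findings.append(f"{name}: weak {key} {sa[key]}")
        lifetime = sa.get("LifeTimeInMinutes", LIFETIME_MAX)
        if not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
            findings.append(f"{name}: LifeTimeInMinutes {lifetime} outside {LIFETIME_MIN}-{LIFETIME_MAX}")
    return findings


def to_mobileconfig(payloads, name="Corp VPN"):
    """Wrap payloads in a top-level profile and return the .mobileconfig XML bytes."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "com.example.profile.vpn", "PayloadUUID": str(uuid.uuid4()),
               "PayloadDisplayName": name, "PayloadContent": list(payloads)}
    return plistlib.dumps(profile)


if __name__ == "__main__":
    vpn = ikev2_payload("vpn.example.com", "vpn.example.com", "alice@example.com")
    print("findings:", audit(vpn) or "none")
    print(to_mobileconfig([vpn]).decode())
```

Running the script prints the profile XML that an MDM would deliver. Pointing audit() at the payload dictionaries of an exported profile (plistlib.load on the .mobileconfig, then PayloadContent) flags the defaults the table warns about, in particular the TLS minimum of 1.0, a missing revocation check, and lifetimes outside the 10 to 1440 minute range.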