Operation Manual

ManualsBrandsApple ManualsOtheriOS Implementierung

Chapter 4 Infrastructure and integration 43

Certicate payloads

•

Server CA Certicate: If the IKEv2 tunnel authentication method is to use certicates, the IKEv2

server sends its server certicate to the iOS device, which validates server identity. In order

for the iOS device to validate the server certicate, it needs the server’s Certicate Authority

(the issuer of the server certicate) certicate. The server CA certicate may have already been

installed onto the device previously. Otherwise, your organization can include the server CA

certicate by creating a certicate payload for the server CA certicate.

•

Client CA Certicate(s): If the IKEv2 tunnel authentication method is to use certicates or EAP-

TLS, the iOS device sends its client certicates to the IKEv2 server, which validates the client

identity. The client may have one or two client certicates, depending on the deployment

model selected. Your organization needs to include the client certicate(s) by creating

certicate payload(s) for the client certicate(s). At the same time, for the IKEv2 server to

validate the client identity, the IKEv2 server needs to have the client’s Certicate Authority

(the issuer of the client certicates) certicate installed.

•

Always-on VPN IKEv2 Certicate Support: Currently, Always-on VPN IKEv2 supports only

RSA certicates.

Always-on VPN payload

The following apply to the Always-on VPN payload.

•

The Always-on VPN payload can be installed only on supervised iOS devices

•

A conguration prole can contain only one Always-on VPN payload

•

Only one Always-on VPN conguration prole can be installed on an iOS device at a time

Connect Automatically in iOS

Always-on VPN provides an optional “UIToggleEnabled” key to let your organization enable a

“Connect Automatically” toggle in the VPN Settings. If this key isn’t specied in the prole or is

set to 0, Always-on VPN attempts to bring up one or two VPN tunnels. If this key is set to 1, the

toggle is presented in the VPN Settings pane and the user has the choice to turn on/o VPN

tunneling. If the user chooses to turn o VPN tunneling, no tunnel is established and the device

drops all IP trac. This is useful in the case when there’s no IP reachability and the user still wants

to make phone calls. The user can turn o VPN tunneling to avoid unnecessary attempts to bring

up a VPN tunnel.

Per-interface tunnel conguration array

At least one tunnel conguration is required (that is, applied to the cellular interface for cellular-

only devices, or applied to both cellular and Wi-Fi interfaces) in the TunnelCongurations array.

At most, two tunnel congurations can be included (one for cellular interfaces and one for Wi-Fi

interfaces).

Captive Trac Exceptions

Always-on VPN only supports Captive AutoLogon (automatic logging on to supported Captive

networks with pre-assigned credentials, such as credentials derived from SIM).

Always-on VPN also provides control over Captive handling by supporting the following:

•

AllowCaptiveWebSheet: A key to allow trac from built-in Captive WebSheet App to pass

outside the tunnel. WebSheet App is a browser that handles Captive logon if no third-party

Captive App is present. Your organization should consider the security risk of using this key,

because the WebSheet is a functional browser capable of rendering any content from the

responding Captive server. Allowing trac for WebSheet makes the device vulnerable to

misbehaving or malicious Captive servers.

100% resize factor