Chapter 4 Infrastructure and integration 42
Cellular and Wi-Fi devices
If your organization chooses to deploy Always-on VPN for iOS devices with both cellular and
Wi-Fi interfaces, two simultaneous IKEv2 tunnels will be established from the device. There are
two scenarios for devices with both interfaces:
• Cellular tunnel and Wi-Fi tunnel terminating on separate IKEv2 servers
Always-on VPN per-interface tunnel configuration keys allow your organization to configure
devices to establish the cellular tunnel to one IKEv2 server and the Wi-Fi tunnel to a second IKEv2
server. One benefit of this model is that a device can use the same client identity (that is, client
certificate or user/password) for both tunnels, since the tunnels terminate on different servers.
With different servers, your organization also has greater flexibility in segregating and controlling
traffic per interface type (cellular traffic vs. Wi-Fi traffic). The drawback is that your organization
has to maintain two different IKEv2 servers with identical client authentication policies.
• Cellular tunnel and Wi-Fi tunnel terminating on the same IKEv2 server
Always-on VPN per-interface tunnel configuration also lets your organization configure a
device to establish both the cellular tunnel and the Wi-Fi tunnel to the same IKEv2 server.
Client identity usage:
  • One client identity per device: Your organization can configure the same client identity (that
  is, one client certificate or one user/password pair) for both the cellular tunnel and the Wi-Fi
  tunnel, if the IKEv2 server supports multiple tunnels per client. The benefit is that you can
  avoid the extra client identity per device and the extra configuration/resource burden on
  the server. The drawback is that as a device moves in and out of networks, new tunnels get
  established and old tunnels become stale. Depending on the server implementation, the
  server may not be able to clean up stale tunnels efficiently and accurately. Your organization
  must implement a strategy for stale tunnel cleanup on the server.
  • Two client identities per device: Your organization can configure two client identities (that is,
  two client certificates or two user/password pairs), one for the cellular tunnel and one for the
  Wi-Fi tunnel. The IKEv2 server sees two different clients, each establishing its own tunnel. The
  benefit of this model is that it works with most server implementations, since many servers
  differentiate tunnels by their client identities and allow only one tunnel per client. The
  drawback of this model is doubled client identity management and doubled configuration
  and resource management on the server.
Always-on VPN configuration profile
An Always-on VPN configuration profile can be composed either manually, using one of the
Apple configuration profile editors such as Profile Manager or Apple Configurator, or through a
third-party MDM vendor. For more information, see Profile Manager Help or Apple Configurator Help.
User interaction keys
To keep users from deactivating the Always-on VPN feature, disallow removal of the Always-on
VPN profile by setting the top-level profile key “PayloadRemovalDisallowed” to true.
To keep users from altering Always-on VPN feature behavior by installing other configuration
profiles, disallow UI profile installation by setting the allowUIConfigurationProfileInstallation
key to false under the com.apple.applicationaccess payload. Your organization can implement
additional restrictions using other supported keys under the same payload.
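As an added example (not from the Apple guide), a small Python audit that loads a configuration profile plist and checks the two user-interaction keys above. The profile it builds is constructed here with placeholder identifiers and an elided VPN payload body; only PayloadRemovalDisallowed and the com.apple.applicationaccess restriction are populated.

```python
import plistlib


def sample_profile(removal_disallowed, allow_ui_install, include_restrictions=True):
    """Constructed minimal profile (not an Apple sample); VPN payload body elided."""
    payloads = [{"PayloadType": "com.apple.vpn.managed",
                 "PayloadIdentifier": "com.example.alwayson.vpn"}]  # placeholder id
    if include_restrictions:
        payloads.append({"PayloadType": "com.apple.applicationaccess",
                         "PayloadIdentifier": "com.example.alwayson.restrictions",
                         "allowUIConfigurationProfileInstallation": allow_ui_install})
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.alwayson",  # placeholder id
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": payloads,
    })


def audit_always_on_profile(profile_bytes):
    """Return findings for the user-interaction keys; an empty list means hardened."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    # Top-level key: without it, a user can remove the profile and drop the VPN.
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("PayloadRemovalDisallowed is not true: profile is user-removable")
    # Restrictions payload: the key defaults to true when absent, so require an
    # explicit false in every com.apple.applicationaccess payload present.
    restrictions = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not restrictions:
        findings.append("no com.apple.applicationaccess payload: UI profile installation unrestricted")
    elif any(p.get("allowUIConfigurationProfileInstallation", True) is not False
             for p in restrictions):
        findings.append("allowUIConfigurationProfileInstallation is not false: "
                        "users can install other profiles")
    return findings


if __name__ == "__main__":
    cases = [("hardened", sample_profile(True, False)),
             ("weak", sample_profile(False, True)),
             ("no restrictions", sample_profile(True, False, include_restrictions=False))]
    for label, blob in cases:
        print(label, audit_always_on_profile(blob) or ["ok"])
```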