Chapter 4 Infrastructure and integration 35
iOS and OS X also support industry-standard technologies such as IPv6, proxy servers, and
split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iOS
and OS X work with a variety of authentication methods including password, two-factor token,
digital certificates, and for OS X, Kerberos. To streamline the connection in environments where
certificate-based authentication is used, iOS and OS X feature VPN On Demand, which initiates a
VPN session when it’s needed in order to connect to specified domains.
With iOS 7 or later and OS X Yosemite or later, individual apps can be configured to use a VPN
connection independent from other apps. This ensures that corporate data always flows over a
VPN connection, and other data, such as an employee’s personal apps from the App Store, does
not. For details, see Per App VPN.
iOS also features Always-on VPN, in which an iOS device must connect to a known, approved VPN
before connecting to any other network services. You can configure Always-on VPN for both
cellular and Wi-Fi configurations. For example, using Always-on VPN, an iOS device must connect
to a known and approved VPN before connecting to any other network services such as mail,
web, or messages. This feature depends on your VPN provider supporting this configuration,
and is available only for supervised devices. For information, see the Always-on VPN Overview.
Supported protocols and authentication methods
iOS and OS X support the following protocols and authentication methods:
• L2TP over IPSec: User authentication by MS-CHAP v2 password, two-factor token, certificate,
  machine authentication by shared secret or certificate.
• SSL VPN: User authentication by password, two-factor token, certificates using a third-party
  VPN client.
• Cisco IPSec: User authentication by password, two-factor token, machine authentication by
  shared secret and certificates.
• IKEv2: Certificates (RSA-only), EAP-TLS, EAP-MSCHAPv2. (iOS-only)
• PPTP: User authentication by MS-CHAP v2 password, certificate, and two-factor token.
OS X can also use Kerberos machine authentication by shared secret or certificate with L2TP over
IPSec and with PPTP.
SSL VPN clients
Several SSL VPN providers have created apps to help configure iOS devices for use with their
solutions. To configure a device for a specific solution, install the companion app from the
App Store and, optionally, provide a configuration profile with the necessary settings.
SSL VPN solutions include:
• AirWatch SSL VPN: For information, see the AirWatch website.
• Aruba Networks SSL VPN: iOS supports Aruba Networks Mobility Controller. For configuration,
  install the Aruba Networks VIA app, available on the App Store.
  For contact information, see the Aruba Networks website.
• Check Point Mobile SSL VPN: iOS supports the Check Point Security Gateway with a full Layer-3
  VPN tunnel. Install the Check Point Mobile app, available on the App Store.
• Cisco AnyConnect SSL VPN: iOS supports Cisco Adaptive Security Appliance (ASA) running
  suggested software release 8.2.5 or later. Install the Cisco AnyConnect app, available on the
  App Store.
• F5 SSL VPN: iOS supports F5 BIG-IP Edge Gateway, Access Policy Manager, and FirePass SSL VPN
  solutions. Install the F5 BIG-IP Edge Client app, available on the App Store.