Chapter 4 Infrastructure and integration 43
Certificate payloads
• Server CA Certificate: If the IKEv2 tunnel authentication method is to use certificates, the IKEv2 server sends its server certificate to the iOS device, which validates the server identity. In order for the iOS device to validate the server certificate, it needs the certificate of the server's Certificate Authority (the issuer of the server certificate). The server CA certificate may already have been installed on the device. Otherwise, your organization can include the server CA certificate by creating a certificate payload for it.
• Client CA Certificate(s): If the IKEv2 tunnel authentication method is to use certificates or EAP-TLS, the iOS device sends its client certificates to the IKEv2 server, which validates the client identity. The client may have one or two client certificates, depending on the deployment model selected. Your organization needs to include the client certificate(s) by creating certificate payload(s) for them. At the same time, for the IKEv2 server to validate the client identity, the IKEv2 server needs to have the certificate of the client's Certificate Authority (the issuer of the client certificates) installed.
• Always-on VPN IKEv2 Certificate Support: Currently, Always-on VPN IKEv2 supports only RSA certificates.
Always-on VPN payload
The following apply to the Always-on VPN payload.
• The Always-on VPN payload can be installed only on supervised iOS devices.
• A configuration profile can contain only one Always-on VPN payload.
• Only one Always-on VPN configuration profile can be installed on an iOS device at a time.
Connect Automatically in iOS
Always-on VPN provides an optional "UIToggleEnabled" key to let your organization enable a "Connect Automatically" toggle in the VPN Settings. If this key isn't specified in the profile or is set to 0, Always-on VPN attempts to bring up one or two VPN tunnels. If this key is set to 1, the toggle is presented in the VPN Settings pane and the user has the choice to turn VPN tunneling on or off. If the user chooses to turn off VPN tunneling, no tunnel is established and the device drops all IP traffic. This is useful when there is no IP reachability and the user still wants to make phone calls: the user can turn off VPN tunneling to avoid unnecessary attempts to bring up a VPN tunnel.
Per-interface tunnel configuration array
At least one tunnel configuration is required in the TunnelConfigurations array (that is, one applied to the cellular interface for cellular-only devices, or one applied to both cellular and Wi-Fi interfaces). At most, two tunnel configurations can be included (one for cellular interfaces and one for Wi-Fi interfaces).
Captive Traffic Exceptions
Always-on VPN only supports Captive AutoLogon (automatic logging on to supported Captive networks with pre-assigned credentials, such as credentials derived from the SIM).
Always-on VPN also provides control over Captive handling by supporting the following:
• AllowCaptiveWebSheet: A key to allow traffic from the built-in Captive WebSheet app to pass outside the tunnel. The WebSheet app is a browser that handles Captive logon if no third-party Captive app is present. Your organization should consider the security risk of using this key, because the WebSheet is a functional browser capable of rendering any content from the responding Captive server. Allowing traffic for WebSheet makes the device vulnerable to misbehaving or malicious Captive servers.
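The following is an added example (not code from this reference) that lints a parsed configuration profile against the constraints stated above: exactly one Always-on VPN payload, one or two entries in TunnelConfigurations, UIToggleEnabled limited to 0 or 1, and AllowCaptiveWebSheet flagged as a risk. The key names UIToggleEnabled, TunnelConfigurations and AllowCaptiveWebSheet come from the text; the payload layout (an "AlwaysOn" dictionary inside a VPN payload under PayloadContent) and the PayloadType/ProtocolType values in the constructed sample are assumptions.

```python
import plistlib

MAX_TUNNELS = 2  # one for cellular interfaces, one for Wi-Fi interfaces


def lint_always_on(profile: dict) -> list[str]:
    """Return findings ("error:" or "warn:"); empty means the profile meets
    the constraints described in this section."""
    findings = []
    # Assumption: Always-on settings live in an "AlwaysOn" dictionary of a
    # VPN payload listed in the profile's PayloadContent array.
    payloads = profile.get("PayloadContent", [])
    always_on = [p for p in payloads if isinstance(p.get("AlwaysOn"), dict)]
    if len(always_on) != 1:
        findings.append(f"error: a profile may contain exactly one Always-on VPN payload, found {len(always_on)}")
        return findings
    cfg = always_on[0]["AlwaysOn"]

    tunnels = cfg.get("TunnelConfigurations", [])
    if not 1 <= len(tunnels) <= MAX_TUNNELS:
        findings.append(f"error: TunnelConfigurations needs 1 to {MAX_TUNNELS} entries, found {len(tunnels)}")

    toggle = cfg.get("UIToggleEnabled", 0)  # absent means 0: no user toggle
    if toggle not in (0, 1):
        findings.append(f"error: UIToggleEnabled must be 0 or 1, found {toggle!r}")
    elif toggle == 1:
        findings.append("warn: UIToggleEnabled=1 lets the user turn tunneling off; the device then drops all IP traffic")

    if cfg.get("AllowCaptiveWebSheet", 0) == 1:
        findings.append("warn: AllowCaptiveWebSheet=1 sends WebSheet traffic outside the tunnel and renders untrusted captive content")
    return findings


# Constructed sample profile (not a real deployment): three tunnels, toggle on, WebSheet allowed.
SAMPLE_PROFILE = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>AlwaysOn</key><dict>
    <key>UIToggleEnabled</key><integer>1</integer>
    <key>AllowCaptiveWebSheet</key><integer>1</integer>
    <key>TunnelConfigurations</key><array>
      <dict><key>ProtocolType</key><string>IKEv2</string></dict>
      <dict><key>ProtocolType</key><string>IKEv2</string></dict>
      <dict><key>ProtocolType</key><string>IKEv2</string></dict>
    </array>
  </dict>
</dict></array></dict></plist>""")

if __name__ == "__main__":
    for line in lint_always_on(SAMPLE_PROFILE):
        print(line)
```

Run it against a real profile with `lint_always_on(plistlib.load(open(path, "rb")))` before the profile is pushed to supervised devices.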