IPSec (Cisco)

Enter a short phrase that identifies this VPN setting.

For macOS only. Select one of the following distribution options:

•Device channel - the configuration is effective for all users on a device. This is the typical option.

•User channel - the configuration is effective only for the currently registered user on a device.

Enter the IP address, hostname, or URL for the VPN server.

Specify the user name to use (required.) The default value is $USERID$. Include at least one of the following variables:

$USERID$, $EMAIL$, $SAM_ACCOUNT_NAME$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$

You can use combinations such as the following:

•$USERID$:$EMAIL$

•$USERID$_$EMAIL$

Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username.

Shared Secret / Group Name authentication.

Specify the name of the group to use. If Hybrid Authentication is used, the string must end with “[hybrid]”.

Shared Secret / Group Name authentication.

Re-enter the shared secret to confirm.

Shared Secret / Group Name authentication.

Specify whether the user should be prompted for a password when connecting.

Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.

Include at least one of the following variables:

$USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$

You can use combinations such as $EMAIL$:$PASSWORD$

Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password.

Per-app VPN is supported on iOS devices version 9.0 or supported newer versions.

Select Yes to create a per-app VPN setting. An additional license may be required for this feature.

The Provider Type field displays.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

•add the app in the App Catalog.

•edit an in-house app or an App Store app in the App Catalog.

When multiple labels are assigned to associate the selected VPN configurations in the Per-App VPN section, then VPN prioritization will happen in the order of the selected list.

See the Ivanti EPMM Apps@Work Guide for information about how to add or edit iOS apps.

Select Manual. To configure a or Automatic proxy, go to Proxy - Automatic.

Enter the port number for the proxy server.

Type - Select Static or Variable for the type of authentication to be used for the proxy server.

If the authentication type is Static, enter the password for the proxy server. Confirm the password in the field below.

If the authentication type is Variable, the default variable selected is $PASSWORD$.

Specify the user name to use (required.) The default value is $USERID$. Include at least one of the following variables:

$USERID$, $EMAIL$, $SAM_ACCOUNT_NAME$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$

You can use combinations such as the following:

•$USERID$:$EMAIL$

•$USERID$_$EMAIL$

Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant username.

Shared Secret / Group Name authentication.

Specify the name of the group to use. If Hybrid Authentication is used, the string must end with “[hybrid]”.

Shared Secret / Group Name authentication.

Re-enter the shared secret to confirm.

Shared Secret / Group Name authentication.

Specify whether the user should be prompted for a password when connecting.

Specify the password to use. The default value is $PASSWORD$. Use this field to specify a custom format, such as $PASSWORD$_$USERID$.

Include at least one of the following variables:

$USERID$, $EMAIL$, $PASSWORD$, $USER_CUSTOM1$, $USER_CUSTOM2$, $USER_CUSTOM3$, $USER_CUSTOM4$, $CUSTOM_DEVICE_Attributename$, $CUSTOM_USER_Attributename$, $NULL$

You can use combinations such as $EMAIL$:$PASSWORD$

Enter $NULL$ if you want the field presented to the user to be blank. Users will need to fill in the relevant password.

Per-app VPN is supported on iOS devices version 9.0 or supported newer versions.

Select Yes to create a per-app VPN setting. An additional license may be required for this feature.

The Provider Type field displays.

You cannot delete a per-app VPN setting that is being used by an app. Remove the per-app VPN setting from the app before you delete the setting.

You can enable per-app VPN for an app when you:

•add the app in the App Catalog.

•edit an in-house app or an App Store app in the App Catalog.

When multiple labels are assigned to associate the selected VPN configurations in the Per-App VPN section, then VPN prioritization will happen in the order of the selected list.

See the Ivanti EPMM Apps@Work Guide for information about how to add or edit iOS apps.

Select Automatic. To configure a Manual proxy, go to Proxy - Manual

The VPN will only proxy for the domain and domain suffixes specified here (.com and .org are examples of top-level domain suffixes). Domain suffixes can be used to match multiple domains. For example, .com would include all .com domains, and example.com would include all domains ending in example.com, such as pages.example.com and mysite.example.com. Wildcards are not supported.

Click Add+ to add a domain.

Select the authentication method to use: Shared Secret / Group Name or Certificate.

Shared Secret / Group Name authentication.

The shared secret passcode. This is not the user’s password; the shared secret must be specified to initiate a connection.

Shared Secret / Group Name authentication.

Select to specify hybrid authentication, i.e., server provides a certificate and the client provides a pre-shared key.

Specifies that IPsec XAuth authentication is enabled. Select this option if your VPN requires two-factor authentication, resulting in a prompt for the password. This option is enabled by default.

Select to enable VPN On Demand.

On Demand rules are associated with an array of dictionaries that define the network match criteria identifying a particular network location.

VPN On Demand matches the dictionaries in the On Demand Rules against properties of your current network connection to determine whether domain-based rules should be used in determining whether to connect, then handles the connection as follows:

•If domain-based matching is enabled for a matching On Demand Rule dictionary, then for each dictionary in that dictionary’s connection evaluation array, VPN On Demand compares the requested domain against the domains listed in the Domains array.

•If domain-based matching is not enabled, the specified behavior (Connect, Disconnect, Allow, or Ignore) is used if the dictionary otherwise matches.

VPN On Demand rules are applied when the device's primary network interface changes, for example when the device switches to a different Wi-Fi network.

•A matching rule is not required. The Default Rule is applied if a matching rule is not defined.

•If you select Evaluate Connection, a matching rule is not required.

•You can create up to 10 On Demand matching rules.

•For each matching rule you can create up to 50 Type and Value pairs.