---
title: AppLayerVPN
framework: devicemanagement
role: symbol
role_heading: Device Management Profile
path: devicemanagement/applayervpn
---

# AppLayerVPN

The payload that configures a per-app VPN.

## Declaration

```data
object AppLayerVPN
```

## Properties

AssociatedDomains: An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the apple-app-site-association file, as described in Supporting associated domains. Available: iOS 14+ | iPadOS 14+ | macOS 11+ | visionOS 1.1+ | watchOS 10+ CalendarDomains: An array with entries that must each specify a domain that triggers this VPN connection in Calendar. Each entry is in the format www.apple.com. This property is deprecated in iOS 13.4 and later; use the VPNUUID property of the CalDAV payload instead. Available: iOS 13+ | iPadOS 13+ | macOS 10.15+ Deprecated: iOS 13.4+ | iPadOS 13.4+ CellularSliceUUID: A string representing the data network name (DNN) or app category identifying a Cellular Slice. The device forces the VPN tunnel to use the specified Cellular Slice. Available: iOS 18+ | iPadOS 18+ | watchOS 10+ ContactsDomains: An array with entries that must each specify a domain that triggers this VPN connection in Contacts. Each entry is in the format www.apple.com. This property is deprecated in iOS 13.4 and later; use the VPNUUID property of the CardDAV payload instead. Available: iOS 13+ | iPadOS 13+ | macOS 10.15+ Deprecated: iOS 13.4+ | iPadOS 13.4+ ExcludedDomains: An array with entries that each specify a domain that doesn’t trigger this VPN for connections to the domain. Available: iOS 14+ | iPadOS 14+ | macOS 11+ | visionOS 1.1+ | watchOS 10+ MailDomains: An array with entries that must each specify a domain that triggers this VPN connection in Mail. Each entry is in the format www.apple.com. This property is deprecated in iOS 13.4 and later; use the VPNUUID property of the Mail or ExchangeActiveSync payload instead. Available: iOS 13+ | iPadOS 13+ | macOS 10.15+ Deprecated: iOS 13.4+ | iPadOS 13.4+ OnDemandMatchAppEnabled: If true, automatically connects the VPN when associated apps for this per-app VPN service initiate network communication. Otherwise, the user must initiate the connection manually before those apps can initiate network communication. If this key isn’t present, the value of the OnDemandEnabled key determines the status of per-app VPN On Demand. SafariDomains: An array with entries that must each specify a domain that triggers the VPN connection in Safari. Each entry is in the format www.apple.com. Available: iOS 7+ | iPadOS 7+ | macOS 10.9+ | visionOS 1.1+ SMBDomains: An array of SMB domains that’s accessible through this VPN connection. Available: iOS 13+ | iPadOS 13+ | visionOS 1.1+ VPNUUID: A globally unique identifier for this VPN configuration.

## Discussion

Discussion Specify com.apple.vpn.managed.applayer as the payload type. This profile defines per-app VPN behavior and applies only to VPN services of type VPN, IPsec, and IKEv2. All the properties of VPN apply to the top level of this profile as well. Profile availability  |   |   |   |   |   |   |   |  Profile example <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict>     <key>PayloadContent</key>     <array>         <dict>             <key>IPSec</key>             <dict>                 <key>AuthenticationMethod</key>                 <string>SharedSecret</string>                 <key>OnDemandEnabled</key>                 <integer>0</integer>                 <key>PromptForVPNPIN</key>                 <false/>             </dict>             <key>IPv4</key>             <dict>                 <key>OverridePrimary</key>                 <integer>0</integer>             </dict>             <key>OnDemandMatchAppEnabled</key>             <true/>             <key>Proxies</key>             <dict/>             <key>SafariDomains</key>             <array>                 <string>foo.server.com</string>                 <string>*.server.com</string>             </array>             <key>MailDomains</key>             <array>                 <string>foo.server.com</string>                 <string>*.server.com</string>             </array>             <key>CalendarDomains</key>             <array>                 <string>foo.server.com</string>                 <string>*.server.com</string>             </array>             <key>ContactsDomains</key>             <array>                 <string>foo.server.com</string>                 <string>*.server.com</string>             </array>             <key>UserDefinedName</key>             <string>Per-App VPN</string>             <key>VPN</key>             <dict>                 <key>AuthName</key>                 <string>example</string>                 <key>AuthPassword</key>                 <string>password</string>                 <key>AuthenticationMethod</key>                 <string>Certificate</string>                 <key>DisconnectOnIdle</key>                 <integer>0</integer>                 <key>OnDemandMatchAppEnabled</key>                 <true/>                 <key>PayloadCertificateUUID</key>                 <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>                 <key>RemoteAddress</key>                 <string>example.server.com</string>             </dict>             <key>VPNSubType</key>             <string>com.server.server-example.vpnplugin</string>             <key>VPNType</key>             <string>VPN</string>             <key>VPNUUID</key>             <string>9F658A35-2B0F-4D5E-872D-61A9130FE882</string>             <key>VendorConfig</key>             <dict>                 <key>PerAppVpn</key>                 <string>true</string>             </dict>             <key>PayloadIdentifier</key>             <string>com.example.myapplayervpnpayload</string>             <key>PayloadType</key>             <string>com.apple.vpn.managed.applayer</string>             <key>PayloadUUID</key>             <string>5A015006-D559-4C5C-B197-737CF4DCFA96</string>             <key>PayloadVersion</key>             <integer>1</integer>         </dict>         <dict>             <key>Password</key>             <string>password</string>             <key>PayloadCertificateFileName</key>             <string>identity.p12</string>             <key>PayloadContent</key>             <data>             MIIL2QIBAzCCC58GCSqGSIb3DQEHAaCCC5AEgguMMIILiDCCBj8GC             SqGSIb3DQEHBqCCBjAwggYsAgEAMIIGJQYJKoZIhvcNAQcBMBwGCi             qGSIb3DQEMAQYwDgQIqckvWPHWFRUCAggAgIIF+N4kXpz9g4BBBmU             T/e+KS5OjAlhPyjtLfXvoKVo0G2MOF4cVrMXr3inoOUc+dOTYEN8y             7Rt2ls3XzDZCHXikDYFGg8fz7sDgNMJGwsZFdkCqxo0OJcDdJY0e3             GQZr6MfJlkADFBrJW8rTV2TPiClxUatTjEQBRUlEU0Z6x83f1LzoX             Xkkn5PFsd002Bjg2eVwe4bA9i2EbFbA2XVDXJ0AOnegV0GOXGJRfM             4UWQZdR5mnLICTOzLAFi+k+MfkhBG3tTyiisRcSpDhxCWMIIVCjsR             6TfDFt0PDi4OfmVqPyeRro2Kf8DjE6iZmc2rdin3d3YLOJAkixK/6             gTMeCBXqv1IMDbIlOzOtM4dNopxZttzmuDg+vUWiworJVBnHfYMT0             Vtimxv2ER7CAGNWD4pxhetR1iiBnaLQI1lU4DfcPpPxvL9uUx9PDX             AqAN6uAXoE4Sc0z5Dym73j6T6tb8mNB0Pf2TSxrm2af0bMTTPqEM2             6i0fqCGhLeU5eB2fq9ED5X6+JjB15Kns4bNVvetS+5HOC59UGBFSS             9i3vj4SzLqIJ4zFbjltkTl/uWDr4BA3kydIbkD/RNqKlvGEjV3e59             Y87H4LlN/xwAsM86ht8juR1IhzT6+fj4i2qXdrHRAWTovB6OtPMML             aAgiRgZqwxnx8UXEG3q6RkMqbhph7O4j3HNgKAW+Z72J/b39ZS0Yv             ghIfGFsHsrypD4BNqvHaYxJhT3ORscW+M05oQ0vn+hBMs5mPq3mJu             3Lj2j8xA42Q+XAgZM8w+eCwgYx2AxtOYJuC+mOYTWpb1E7m5Kwx6m             gANXVurmhEL0KbzzgAg/FMW8EkI9+rZNXpo0wjxCsqSA8NFsAuCHl             gwJ+A5ifE19gOQqmZ6c4xtHRtxBQ/MO977UKJ8+gV/o/r+DVi5yQ/             /4CSZkMgdb+kzoWVB/5wzOZrJKqCQJ/+3P0KEk3utamMy8Nq0ubyB             7r5f6pGcIqQ/gyYqLVFszTYKgwqea22jydboJRXW6fiDXFvI42K3f             9lQUw7BfwpKaCWo2/bEzYpAz0/EfVKnpQoyfMnnbE/ev8U2VLuiZ5             1DnLtsK6hS+rxQiH9yx7K+IQgGuj5ARuyQnwWgKrK6rna3b1GP8Fp             pVH/E+XR4k9q7aY8lyyDaz6kZ+78SveVNtbDE8ClhyVmqVWC67B7A             G7jq/61ovb1auN2nuY9QyTUKrEtVPmfoZmdE8rn7qkZUm/sQAQLB8             E4bA1w7dlC6ENFKdHLsXNmow+nUuf+gumiD7T32pDtknVl4guQzbP             BXzTS3J6UyvkSA+TXGpzpbV47BFOeAgQMD1BX06vlIqqLkkaKu5hd             LdajmGKbZaL2RHgMsGIE0eRRN9725GNIH0PtytkqieuOdfft2D8Ug             CFtY/KJM9GystQDV6NggbgcHIFsLct8m+QqJRs3UlBKtqCs1pbySS             8gdHERyFG/zC5T9yft/tLva0b/YDetq/YzwcZqbfcde/LimuQYe9z             RtQqVlYjpZctCJnIleIn1QtLNuf0GVVrFkHGz7zWhxU1VB8C0+jsB             Mz2BP9DZar3Gx4GVyizAf6i9DvyxlY0qjIo2cSAa9XvfVqrtCCPc5             mu8c+oMlurUljmvcVKOsNsAPW6iB5o22mPFjr3quq1oNgBpmZ2Z7d             VmOEQww99Bi7FyHCe2Ti5IDXSzBklfeiYNyCgZnEjLbzEXMPK0sN2             oFHwcdU6OWKfz5MjS4aMm7sUOULUAuP8xy7VArlyb14NVIzhJc5fu             RYc+vH+K+wHtpcQeNqdBftVd5SllVEgJTKqfSxZbPEC6u0skczudD             tCR4zHSvYbR1gvVAcpQ+XGBgNVqUCwwM+ctroWpKmYJ3YrwXtGf+T             KWV99IJLso7MtKBKUFQWXNOQBRgMFQuJ4i3hztaupTEQVuka3qhco             cak3R242G3P1prlvQNmi6HI3t4jFND+z5DzrsgW11fc/pOgEM6UpB             Al6WZrSKN+5rJEmGq8tB+GHQ0cELhaNlDgBtqkvcisdf/49VkU6aH             qJWafQ3HCkwggVBBgkqhkiG9w0BBwGgggUyBIIFLjCCBSowggUmBg             sqhkiG9w0BDAoBAqCCBO4wggTqMBwGCiqGSIb3DQEMAQMwDgQIrOA             9tf9ADYICAggABIIEyBZLrSiXbZV1TOqk+2KsrCLj915uIgLakWDP             YE/f+Puxok/RW/ohdOEV2555WQxR4ip1edvCzKYGYomGLDqimo/c8             /I0WEjlY7aOgxTz1Vd5MtFFYxRMlSpB+v9/hoR63VwH8VD9gHL3Xy             8Dg/L0QsdUZ6UTjKD9Apl6L7FgmTczoalM1NBtuy4mMYtkzznZMmD             mgRsONa/nLB8XcCIoIycHA/qDtDDquNplPsFsoXqvUHsWhidP5jW0             2fg3WdT9TDPWiJ8qRhvii0LlNAGhjreH5/tClKiTj4ez+o8vmEn0O             s37jgtzutJYN2h5w2CnsgxGV6Ks2lxkowFx0WL3PHELIN7yWp9z9U             yY/OItkVLuJNxqk4+LkqIrL8M1aunp+c8CV1oT2sjg7uPQjm6ppoX             UmhpmY9UBBNhXVeN+ww6mAOCnz9XhwBW9vMTMf3vBjCl68ce4vTCX             qX7O8DHcPNQ1qhVl/3OlUnJQkqyuwBmd7PCDJuPcC1uNEnfQ9QvB1             AQFzXeJkW3R0oQDM3uVLKcNN32XID0pD/Dq3DY2hA2XW8nP4Ihf4M             3eirDu/s9CfmEJ0tDSlEBOYmwyFvsQqzFTtQ6I1yF7CzMCxmBHgmM             iq5j5zgwIGylWr2vgLT5zP9QFULxoR/CqiQxjXnOtrEjAR2EH4IpD             bd1nB+WXJdOLBQwWK9eNU1zLAiLP5wAHFVD1wJ4ULxxparWgyzPlM             pIjsVHgsosrOjZKCGHTiza5VE7Ww+0KeWDzoAz1gwsaqAosTy0Joa             PosbVLMPYXAvePR6Tz98vLUkGhIrZAFUxVSfUqKCCD9WhZ5gdAtPL             by88p2iJG/Vzd6Y1JwDbe1l80GuxDf/z0Z+mhErx6Y/teBIcGENsS             ysohOu65/i/3Ezu4CfKBdxKYx61BSBRrDHBqcb3Q3SUjI+Btg3iJ3             ao26ZR+7Pb4qxCkrn5aEf+oHsUqNS2zpxXo4MEy0S0Tnn4KYCvtkW             m6/mHuWgqC/IYnFmDff4T+rngkgRQKqJ9eCbOMjqZCTY+UwvNHGxd             upnmHmiDDChB025QJJjCvSQbGA5p1FeKGUkfFb37VX0KpzoB0D7Us             KMu2lQxhCyS92dHd94ytlBFhMsFmduiz69IU1EosIEHqE2LiRjcAa             ZKPxOurKP7r+MwvUNbxSYfARrib9oWgj2YS+W27mZ5IAiGvPchuIM             5yZ2uWgzOQdKhr5z8WUt2YF7g5hkcOwFY8krrMElqXEudAJv0CdW0             dbQYg3mR4gbcNSgsg7w/iPlkRI/XIoxmlokjkO+wiZ1BJsE9kwSzU             olGKL9c/YPVGmtQjFS47DA/HmaELwZBUZl1ZCZ6EGrIeZQ6Dr/ZkK             XDpS2yOMAn3h3IKHT52dxO+Efb6YdELU7Bm8D3gL5TwvbjBcKDaf4             GiZMTyGdw+ZH795Yuoj/F2HciMwqDTmrt/OFV5APjbZLx6FJrbC0r             AtrgGy54AMVDZMJnzZuc8SGgl8AN1u51zEr3b+KCGDunOYoLQZhs7             0IYDSOZmEBLFVUGNUgeG3p2At1OAnwpblRLg+Xw21JXNlk3KUYicK             uJaNkGRmKGxGhG4lFZhi/JZiwuBvCrPZd3CjUzDJ0JZPZDHgkAf7Y             5XOwdkrTElMCMGCSqGSIb3DQEJFTEWBBQAFBOqYFJlbkBoqPfCMK5             F1BXODDAxMCEwCQYFKw4DAhoFAAQUhxd6YPi7JKB/24dSls9gKO/D             HVoECHap2RUyKvQTAgIIAA==             </data>             <key>PayloadIdentifier</key>             <string>com.example.mypkcs12payload</string>             <key>PayloadType</key>             <string>com.apple.security.pkcs12</string>             <key>PayloadUUID</key>             <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>             <key>PayloadVersion</key>             <integer>1</integer>         </dict>     </array>     <key>PayloadDisplayName</key>     <string>App-Layer VPN</string>     <key>PayloadIdentifier</key>     <string>com.example.myprofile.applayervpn</string>     <key>PayloadType</key>     <string>Configuration</string>     <key>PayloadUUID</key>     <string>D95CCE2A-F0A7-4687-B03E-5784F3F0F575</string>     <key>PayloadVersion</key>     <integer>1</integer> </dict> </plist>

## See Also

### VPN

- [AppToAppLayerVPNMapping](devicemanagement/apptoapplayervpnmapping.md)
- [VPN](devicemanagement/vpn.md)