Contents

AppLayerVPN

The payload that configures a per-app VPN.

Declaration

object AppLayerVPN

Properties

NameTypeDescription
AssociatedDomains[string]

An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the apple-app-site-association file, as described in Supporting associated domains.

Available in iOS 14 and later, and macOS 11 and later.

CalendarDomains[string]

An array with entries that must each specify a domain that triggers this VPN connection in Calendar. Each entry is in the format www.apple.com.

This property is deprecated in iOS 13.4 and later; use the VPNUUID property of the CalDAV payload instead.

CellularSliceUUIDstring

A string representing the data network name (DNN) or app category identifying a Cellular Slice. The device forces the VPN tunnel to use the specified Cellular Slice.

ContactsDomains[string]

An array with entries that must each specify a domain that triggers this VPN connection in Contacts. Each entry is in the format www.apple.com.

This property is deprecated in iOS 13.4 and later; use the VPNUUID property of the CardDAV payload instead.

ExcludedDomains[string]

An array with entries that each specify a domain that doesn’t trigger this VPN for connections to the domain.

Available in iOS 14 and later, and macOS 11 and later.

MailDomains[string]

An array with entries that must each specify a domain that triggers this VPN connection in Mail. Each entry is in the format www.apple.com.

This property is deprecated in iOS 13.4 and later; use the VPNUUID property of the Mail or ExchangeActiveSync payload instead.

OnDemandMatchAppEnabledboolean

If true, automatically connects the VPN when associated apps for this per-app VPN service initiate network communication. Otherwise, the user must initiate the connection manually before those apps can initiate network communication. If this key isn’t present, the value of the OnDemandEnabled key determines the status of per-app VPN On Demand.

SafariDomains[string]

An array with entries that must each specify a domain that triggers the VPN connection in Safari. Each entry is in the format www.apple.com.

SMBDomains[string]

An array of SMB domains that’s accessible through this VPN connection.

Available in iOS 13 and later.

VPNUUID Requiredstring

A globally unique identifier for this VPN configuration.

Discussion

Specify com.apple.vpn.managed.applayer as the payload type.

This profile defines per-app VPN behavior and applies only to VPN services of type VPN, IPsec, and IKEv2. All the properties of VPN apply to the top level of this profile as well.

Profile availability

Device channel

iOS, macOS, Shared iPad, visionOS, watchOS

User channel

macOS

Allow manual install

iOS, macOS, visionOS

Requires supervision

watchOS

Requires user-approved MDM

NA

Allowed in user enrollment

iOS, macOS, visionOS

Allow multiple payloads

iOS, macOS, Shared iPad, visionOS, watchOS

Profile example

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>SharedSecret</string>
                <key>OnDemandEnabled</key>
                <integer>0</integer>
                <key>PromptForVPNPIN</key>
                <false/>
            </dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>OnDemandMatchAppEnabled</key>
            <true/>
            <key>Proxies</key>
            <dict/>
            <key>SafariDomains</key>
            <array>
                <string>foo.server.com</string>
                <string>*.server.com</string>
            </array>
            <key>MailDomains</key>
            <array>
                <string>foo.server.com</string>
                <string>*.server.com</string>
            </array>
            <key>CalendarDomains</key>
            <array>
                <string>foo.server.com</string>
                <string>*.server.com</string>
            </array>
            <key>ContactsDomains</key>
            <array>
                <string>foo.server.com</string>
                <string>*.server.com</string>
            </array>
            <key>UserDefinedName</key>
            <string>Per-App VPN</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>example</string>
                <key>AuthPassword</key>
                <string>password</string>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>DisconnectOnIdle</key>
                <integer>0</integer>
                <key>OnDemandMatchAppEnabled</key>
                <true/>
                <key>PayloadCertificateUUID</key>
                <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>
                <key>RemoteAddress</key>
                <string>example.server.com</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.server.server-example.vpnplugin</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VPNUUID</key>
            <string>9F658A35-2B0F-4D5E-872D-61A9130FE882</string>
            <key>VendorConfig</key>
            <dict>
                <key>PerAppVpn</key>
                <string>true</string>
            </dict>
            <key>PayloadIdentifier</key>
            <string>com.example.myapplayervpnpayload</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.applayer</string>
            <key>PayloadUUID</key>
            <string>5A015006-D559-4C5C-B197-737CF4DCFA96</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <dict>
            <key>Password</key>
            <string>password</string>
            <key>PayloadCertificateFileName</key>
            <string>identity.p12</string>
            <key>PayloadContent</key>
            <data>
            MIIL2QIBAzCCC58GCSqGSIb3DQEHAaCCC5AEgguMMIILiDCCBj8GC
            SqGSIb3DQEHBqCCBjAwggYsAgEAMIIGJQYJKoZIhvcNAQcBMBwGCi
            qGSIb3DQEMAQYwDgQIqckvWPHWFRUCAggAgIIF+N4kXpz9g4BBBmU
            T/e+KS5OjAlhPyjtLfXvoKVo0G2MOF4cVrMXr3inoOUc+dOTYEN8y
            7Rt2ls3XzDZCHXikDYFGg8fz7sDgNMJGwsZFdkCqxo0OJcDdJY0e3
            GQZr6MfJlkADFBrJW8rTV2TPiClxUatTjEQBRUlEU0Z6x83f1LzoX
            Xkkn5PFsd002Bjg2eVwe4bA9i2EbFbA2XVDXJ0AOnegV0GOXGJRfM
            4UWQZdR5mnLICTOzLAFi+k+MfkhBG3tTyiisRcSpDhxCWMIIVCjsR
            6TfDFt0PDi4OfmVqPyeRro2Kf8DjE6iZmc2rdin3d3YLOJAkixK/6
            gTMeCBXqv1IMDbIlOzOtM4dNopxZttzmuDg+vUWiworJVBnHfYMT0
            Vtimxv2ER7CAGNWD4pxhetR1iiBnaLQI1lU4DfcPpPxvL9uUx9PDX
            AqAN6uAXoE4Sc0z5Dym73j6T6tb8mNB0Pf2TSxrm2af0bMTTPqEM2
            6i0fqCGhLeU5eB2fq9ED5X6+JjB15Kns4bNVvetS+5HOC59UGBFSS
            9i3vj4SzLqIJ4zFbjltkTl/uWDr4BA3kydIbkD/RNqKlvGEjV3e59
            Y87H4LlN/xwAsM86ht8juR1IhzT6+fj4i2qXdrHRAWTovB6OtPMML
            aAgiRgZqwxnx8UXEG3q6RkMqbhph7O4j3HNgKAW+Z72J/b39ZS0Yv
            ghIfGFsHsrypD4BNqvHaYxJhT3ORscW+M05oQ0vn+hBMs5mPq3mJu
            3Lj2j8xA42Q+XAgZM8w+eCwgYx2AxtOYJuC+mOYTWpb1E7m5Kwx6m
            gANXVurmhEL0KbzzgAg/FMW8EkI9+rZNXpo0wjxCsqSA8NFsAuCHl
            gwJ+A5ifE19gOQqmZ6c4xtHRtxBQ/MO977UKJ8+gV/o/r+DVi5yQ/
            /4CSZkMgdb+kzoWVB/5wzOZrJKqCQJ/+3P0KEk3utamMy8Nq0ubyB
            7r5f6pGcIqQ/gyYqLVFszTYKgwqea22jydboJRXW6fiDXFvI42K3f
            9lQUw7BfwpKaCWo2/bEzYpAz0/EfVKnpQoyfMnnbE/ev8U2VLuiZ5
            1DnLtsK6hS+rxQiH9yx7K+IQgGuj5ARuyQnwWgKrK6rna3b1GP8Fp
            pVH/E+XR4k9q7aY8lyyDaz6kZ+78SveVNtbDE8ClhyVmqVWC67B7A
            G7jq/61ovb1auN2nuY9QyTUKrEtVPmfoZmdE8rn7qkZUm/sQAQLB8
            E4bA1w7dlC6ENFKdHLsXNmow+nUuf+gumiD7T32pDtknVl4guQzbP
            BXzTS3J6UyvkSA+TXGpzpbV47BFOeAgQMD1BX06vlIqqLkkaKu5hd
            LdajmGKbZaL2RHgMsGIE0eRRN9725GNIH0PtytkqieuOdfft2D8Ug
            CFtY/KJM9GystQDV6NggbgcHIFsLct8m+QqJRs3UlBKtqCs1pbySS
            8gdHERyFG/zC5T9yft/tLva0b/YDetq/YzwcZqbfcde/LimuQYe9z
            RtQqVlYjpZctCJnIleIn1QtLNuf0GVVrFkHGz7zWhxU1VB8C0+jsB
            Mz2BP9DZar3Gx4GVyizAf6i9DvyxlY0qjIo2cSAa9XvfVqrtCCPc5
            mu8c+oMlurUljmvcVKOsNsAPW6iB5o22mPFjr3quq1oNgBpmZ2Z7d
            VmOEQww99Bi7FyHCe2Ti5IDXSzBklfeiYNyCgZnEjLbzEXMPK0sN2
            oFHwcdU6OWKfz5MjS4aMm7sUOULUAuP8xy7VArlyb14NVIzhJc5fu
            RYc+vH+K+wHtpcQeNqdBftVd5SllVEgJTKqfSxZbPEC6u0skczudD
            tCR4zHSvYbR1gvVAcpQ+XGBgNVqUCwwM+ctroWpKmYJ3YrwXtGf+T
            KWV99IJLso7MtKBKUFQWXNOQBRgMFQuJ4i3hztaupTEQVuka3qhco
            cak3R242G3P1prlvQNmi6HI3t4jFND+z5DzrsgW11fc/pOgEM6UpB
            Al6WZrSKN+5rJEmGq8tB+GHQ0cELhaNlDgBtqkvcisdf/49VkU6aH
            qJWafQ3HCkwggVBBgkqhkiG9w0BBwGgggUyBIIFLjCCBSowggUmBg
            sqhkiG9w0BDAoBAqCCBO4wggTqMBwGCiqGSIb3DQEMAQMwDgQIrOA
            9tf9ADYICAggABIIEyBZLrSiXbZV1TOqk+2KsrCLj915uIgLakWDP
            YE/f+Puxok/RW/ohdOEV2555WQxR4ip1edvCzKYGYomGLDqimo/c8
            /I0WEjlY7aOgxTz1Vd5MtFFYxRMlSpB+v9/hoR63VwH8VD9gHL3Xy
            8Dg/L0QsdUZ6UTjKD9Apl6L7FgmTczoalM1NBtuy4mMYtkzznZMmD
            mgRsONa/nLB8XcCIoIycHA/qDtDDquNplPsFsoXqvUHsWhidP5jW0
            2fg3WdT9TDPWiJ8qRhvii0LlNAGhjreH5/tClKiTj4ez+o8vmEn0O
            s37jgtzutJYN2h5w2CnsgxGV6Ks2lxkowFx0WL3PHELIN7yWp9z9U
            yY/OItkVLuJNxqk4+LkqIrL8M1aunp+c8CV1oT2sjg7uPQjm6ppoX
            UmhpmY9UBBNhXVeN+ww6mAOCnz9XhwBW9vMTMf3vBjCl68ce4vTCX
            qX7O8DHcPNQ1qhVl/3OlUnJQkqyuwBmd7PCDJuPcC1uNEnfQ9QvB1
            AQFzXeJkW3R0oQDM3uVLKcNN32XID0pD/Dq3DY2hA2XW8nP4Ihf4M
            3eirDu/s9CfmEJ0tDSlEBOYmwyFvsQqzFTtQ6I1yF7CzMCxmBHgmM
            iq5j5zgwIGylWr2vgLT5zP9QFULxoR/CqiQxjXnOtrEjAR2EH4IpD
            bd1nB+WXJdOLBQwWK9eNU1zLAiLP5wAHFVD1wJ4ULxxparWgyzPlM
            pIjsVHgsosrOjZKCGHTiza5VE7Ww+0KeWDzoAz1gwsaqAosTy0Joa
            PosbVLMPYXAvePR6Tz98vLUkGhIrZAFUxVSfUqKCCD9WhZ5gdAtPL
            by88p2iJG/Vzd6Y1JwDbe1l80GuxDf/z0Z+mhErx6Y/teBIcGENsS
            ysohOu65/i/3Ezu4CfKBdxKYx61BSBRrDHBqcb3Q3SUjI+Btg3iJ3
            ao26ZR+7Pb4qxCkrn5aEf+oHsUqNS2zpxXo4MEy0S0Tnn4KYCvtkW
            m6/mHuWgqC/IYnFmDff4T+rngkgRQKqJ9eCbOMjqZCTY+UwvNHGxd
            upnmHmiDDChB025QJJjCvSQbGA5p1FeKGUkfFb37VX0KpzoB0D7Us
            KMu2lQxhCyS92dHd94ytlBFhMsFmduiz69IU1EosIEHqE2LiRjcAa
            ZKPxOurKP7r+MwvUNbxSYfARrib9oWgj2YS+W27mZ5IAiGvPchuIM
            5yZ2uWgzOQdKhr5z8WUt2YF7g5hkcOwFY8krrMElqXEudAJv0CdW0
            dbQYg3mR4gbcNSgsg7w/iPlkRI/XIoxmlokjkO+wiZ1BJsE9kwSzU
            olGKL9c/YPVGmtQjFS47DA/HmaELwZBUZl1ZCZ6EGrIeZQ6Dr/ZkK
            XDpS2yOMAn3h3IKHT52dxO+Efb6YdELU7Bm8D3gL5TwvbjBcKDaf4
            GiZMTyGdw+ZH795Yuoj/F2HciMwqDTmrt/OFV5APjbZLx6FJrbC0r
            AtrgGy54AMVDZMJnzZuc8SGgl8AN1u51zEr3b+KCGDunOYoLQZhs7
            0IYDSOZmEBLFVUGNUgeG3p2At1OAnwpblRLg+Xw21JXNlk3KUYicK
            uJaNkGRmKGxGhG4lFZhi/JZiwuBvCrPZd3CjUzDJ0JZPZDHgkAf7Y
            5XOwdkrTElMCMGCSqGSIb3DQEJFTEWBBQAFBOqYFJlbkBoqPfCMK5
            F1BXODDAxMCEwCQYFKw4DAhoFAAQUhxd6YPi7JKB/24dSls9gKO/D
            HVoECHap2RUyKvQTAgIIAA==
            </data>
            <key>PayloadIdentifier</key>
            <string>com.example.mypkcs12payload</string>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>App-Layer VPN</string>
    <key>PayloadIdentifier</key>
    <string>com.example.myprofile.applayervpn</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>D95CCE2A-F0A7-4687-B03E-5784F3F0F575</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

See Also

VPN