The payload that configures a VPN.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| **Type** (`VPNType`): The type of the VPN, which defines which settings are appropriate for this VPN payload.<br>If the type is `VPN` or `TransparentProxy`, the system requires a value for `VPNSubType`.<br>`TransparentProxy` is only available in macOS. `L2TP` and `IPSec` aren't available in tvOS. `AlwaysOn` is only available on iOS, and Apple Watch pairing isn't supported with `AlwaysOn`: for a previously paired Apple Watch, all phone-watch communications cease when `AlwaysOn` is enabled. Not available in watchOS. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| **VPN Subtype** (`VPNSubType`): An identifier for a vendor-specified configuration dictionary when the value of `VPNType` is `VPN`.<br>If `VPNType` is `VPN`, the system requires this field. If the configuration targets a VPN solution that uses a VPN plugin, this field contains the bundle identifier of the plugin, for example:<br>• Cisco AnyConnect: `com.cisco.anyconnect.applevpn.plugin`<br>• Juniper SSL: `net.juniper.sslvpn`<br>• F5 SSL: `com.f5.F5-Edge-Client.vpnplugin`<br>• SonicWALL Mobile Connect: `com.sonicwall.SonicWALL-SSLVPN.vpnplugin`<br>• Aruba VIA: `com.arubanetworks.aruba-via.vpnplugin`<br>If the configuration targets a VPN solution that uses a network extension provider, this field contains the bundle identifier of the app that contains the provider. Contact the VPN solution vendor for the value of the identifier.<br>If `VPNType` is `IKEv2`, the `VPNSubType` field is optional and reserved for future use. If it's specified, it needs to contain an empty string.<br>Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| **User Defined Name** (`UserDefinedName`): The description of the VPN connection that the system displays on the device. Not available in watchOS. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| **Vendor Configuration Dictionary** (`VendorConfig`): The vendor-specific configuration dictionary, which the system reads only when `VPNSubType` has a value. Not available in watchOS. (4 subkeys) | dictionary | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Realm** (`Realm`): The Kerberos realm name, which needs to be properly capitalized. Valid only for Juniper SSL and Pulse Secure. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Role** (`Role`): The role to select when connecting to the server. Valid only for Juniper SSL and Pulse Secure. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Group** (`Group`): The group to connect to on the head end. Valid for Cisco AnyConnect and Cisco Legacy AnyConnect. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Login Group or Domain** (`LoginGroupOrDomain`): The login group or domain. Valid only for SonicWALL Mobile Connect. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| **VPN** (`VPN`): The dictionary to use when `VPNType` is `VPN`. (22 subkeys) | dictionary | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Account Username** (`AuthName`): The VPN account username. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Account Password** (`AuthPassword`): The VPN account password. Only use this if `AuthenticationMethod` is set to `Password`. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Remote Address** (`RemoteAddress`): The IP address or hostname of the VPN server. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Authentication Method** (`AuthenticationMethod`): The authentication method to use. | string | optional | Password | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Certificate UUID** (`PayloadCertificateUUID`): The UUID of the certificate payload within the same profile to use for account credentials. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Provider Bundle Identifier** (`ProviderBundleIdentifier`): The bundle identifier for the VPN provider. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Provider Designated Requirement** (`ProviderDesignatedRequirement`): If the VPN provider is implemented as a system extension, this field is required. Not available in watchOS. | string | optional | — | ✓ Yes | macOS (10.15+) |
| └─ **Enable Disconnect on Idle** (`DisconnectOnIdle`): If `1`, disconnects after an on-demand connection idles. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Disconnect on Idle Time** (`DisconnectOnIdleTimer`): The length of time to wait, in seconds, before disconnecting an on-demand connection. In watchOS, the maximum allowed value is `15`. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Provider Type** (`ProviderType`): The type of VPN service. If the value is `app-proxy`, the service tunnels traffic at the app level. If the value is `packet-tunnel`, the service tunnels traffic at the IP layer. Not available in watchOS. | string | optional | packet-tunnel | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Include All Networks** (`IncludeAllNetworks`): If `1`, routes all traffic through the VPN, with some exclusions. Several of the exclusions can be controlled with the `ExcludeLocalNetworks`, `ExcludeCellularServices`, `ExcludeAPNs` and `ExcludeDeviceCommunication` properties. The following traffic is always excluded from the tunnel:<br>• Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.<br>• Traffic necessary for connecting to captive networks.<br>• Certain cellular services traffic that isn't routable over the internet and is instead routed directly to the cellular network. See the `ExcludeCellularServices` property for more details.<br>• Network communication with a companion device such as a watchOS device.<br>Not available in watchOS. | integer | optional | 0 | ✓ Yes | iOS (14.0+), macOS (10.15+) |
| └─ **Enforce Routes** (`EnforceRoutes`): If `1`, all the VPN's non-default routes take precedence over any locally defined routes.<br>If `IncludeAllNetworks` is `1`, the system ignores the value of `EnforceRoutes`.<br>Available in iOS 14.2 and later, and macOS 11 and later. Not available in watchOS. | integer | optional | 0 | ✓ Yes | iOS (14.2+), macOS (11.0+) |
| └─ **Exclude Local Networks** (`ExcludeLocalNetworks`): If `1` and `IncludeAllNetworks` is `1`, routes all local network traffic outside the VPN. Not available in watchOS. | integer | optional | — | ✓ Yes | iOS (14.2+), macOS (10.15+) |
| └─ **Exclude Cellular Services** (`ExcludeCellularServices`): If `1` and `IncludeAllNetworks` is `1`, the system excludes internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular services traffic directly to the carrier network, bypassing the internet. Such cellular services traffic is always excluded from the tunnel. Not available in watchOS. | integer | optional | 1 | ✓ Yes | iOS (16.4+), macOS (13.3+) |
| └─ **Exclude APNs** (`ExcludeAPNs`): If `1` and `IncludeAllNetworks` is `1`, the system excludes the network traffic for the Apple Push Notification service (APNs) from the tunnel. Not available in watchOS. | integer | optional | 1 | ✓ Yes | iOS (16.4+), macOS (13.3+) |
| └─ **Exclude Device Communication** (`ExcludeDeviceCommunication`): If `1` and `IncludeAllNetworks` is `1`, the device excludes network traffic used for communicating with devices connected via USB or Wi-Fi from the tunnel. | integer | optional | 1 | ✓ Yes | iOS (17.4+), macOS (14.4+), visionOS (1.1+) |
| └─ **Enable VPN On Demand** (`OnDemandEnabled`): If `1`, enables VPN On Demand. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Prevent users from toggling VPN On Demand** (`OnDemandUserOverrideDisabled`): If `1`, the Connect On Demand toggle in Settings is disabled for this configuration. Available in iOS 14 and later. Not available in watchOS. | integer | optional | 0 | ✓ Yes | iOS (14.0+) |
| └─ **On Demand Match Domains Always** (`OnDemandMatchDomainsAlways`): Deprecated (iOS 7.0). A list of domain names. The system treats associated domain names as though they're associated with the `OnDemandMatchDomainsOnRetry` key. This behavior can be overridden by `OnDemandRules`.<br>In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries.<br>Not available in watchOS. (1 subkey) | array | optional | — | ✓ Yes | iOS (legacy - 7.0) |
| └─ └─ **Match Domain Always Element** (`MatchDomainAlwaysElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Match Domains Never** (`OnDemandMatchDomainsNever`): Deprecated (iOS 7.0). A list of domain names. If the host name ends with one of these domain names, the system doesn't start the VPN automatically. The system uses this value to exclude a subdomain within an included domain.<br>In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries.<br>Not available in watchOS. (1 subkey) | array | optional | — | ✓ Yes | iOS (legacy - 7.0) |
| └─ └─ **Match Domain Never Element** (`MatchDomainNeverElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Match Domains On Retry** (`OnDemandMatchDomainsOnRetry`): Deprecated (iOS 7.0). A list of domain names. If the host name ends with one of these domain names and a DNS query for that domain name fails, the system starts the VPN automatically.<br>In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries.<br>Not available in watchOS. (1 subkey) | array | optional | — | ✓ Yes | iOS (legacy - 7.0) |
| └─ └─ **Match Domain On Retry Element** (`MatchDomainOnRetryElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Rules** (`OnDemandRules`): An array of dictionaries defining On Demand rules. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ **On Demand Rules Element** (`OnDemandRulesElement`) (7 subkeys) | dictionary | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **On Demand Action** (`Action`): The action to take if this dictionary matches the current network. Possible values are:<br>• `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.<br>• `Connect`: Unconditionally initiate a VPN connection on the next network attempt.<br>• `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.<br>• `EvaluateConnection`: Evaluate the `ActionParameters` array for each connection attempt.<br>• `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.<br>Only the `Disconnect` action is available on watchOS 10 and later. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **Action Parameters** (`ActionParameters`): An array of dictionaries that provides rules similar to the `OnDemandRules` dictionary, but evaluated on each connection instead of when the network changes. This value is only for use with dictionaries in which the `Action` value is `EvaluateConnection`. The system evaluates these dictionaries in order and the first dictionary that matches determines the behavior. Not available in watchOS. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element dictionary, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **DNS Domain Match** (`DNSDomainMatch`): An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.<br>The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **DNS Server Address Match** (`DNSServerAddressMatch`): An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.<br>The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **Interface Type Match** (`InterfaceTypeMatch`): An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **SSID Match** (`SSIDMatch`): An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.<br>Omit this key and the corresponding array to match against any SSID. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **URL String Probe** (`URLStringProbe`): A URL to probe. This rule matches when this URL is successfully fetched (returns a `200` HTTP status code) without redirection. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| **IPv4 Settings** (`IPv4`): The dictionary that contains IPv4 settings. Not available in watchOS. (1 subkey) | dictionary | optional | — | ✗ No | — |
| └─ **Override Primary Connection** (`OverridePrimary`): If `1`, the system sends all network traffic over the VPN. Only applies to the Cisco IPsec and L2TP VPN types. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| **PPP** (`PPP`): The dictionary to use when `VPNType` is `L2TP` or `PPTP`. Not available in watchOS. (11 subkeys) | dictionary | optional | — | ✗ No | — |
| └─ **Account Username** (`AuthName`): The VPN account user name. This key is for use with L2TP and PPTP networks. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Account Password** (`AuthPassword`): If `TokenCard` is `1`, use this password for authentication. This key is for use with L2TP and PPTP networks. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Use Token Card** (`TokenCard`): If `1`, uses a token card such as an RSA SecurID card for connecting. This key is for use with L2TP networks. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Remote Address** (`CommRemoteAddress`): The IP address or host name of the VPN server. This key is for use with L2TP and PPTP networks. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **EAP Plugins** (`AuthEAPPlugins`): An array of authentication plugins. For RSA SecurID, this array should contain only one value: `EAP-RSA`. This key is for use with L2TP and PPTP networks. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ **EAP Plugin** (`EAPPluginElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Protocol** (`AuthProtocol`): An array of authentication protocols. For RSA SecurID, this array should have one value, `EAP`. This key is for use with L2TP and PPTP networks. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ **Auth Protocol** (`AuthProtocolElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable CCPMPPE40** (`CCPMPPE40Enabled`): If `1` and `CCPEnabled` is also `1`, enables CCPMPPE40 encryption. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable CCPMPPE128** (`CCPMPPE128Enabled`): If `1` and `CCPEnabled` is also `1`, enables CCPMPPE128 encryption. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable CCP** (`CCPEnabled`): If `1`, enables encryption on the connection. This key is for use with PPTP networks. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable Disconnect on Idle** (`DisconnectOnIdle`): If `1`, disconnects after an on-demand connection idles. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Disconnect on Idle Time** (`DisconnectOnIdleTimer`): The length of time to wait before disconnecting an on-demand connection. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| **IPSec Settings** (`IPSec`): The dictionary that contains IPSec settings. Not available in watchOS. (18 subkeys) | dictionary | optional | — | ✗ No | — |
| └─ **Remote Address** (`RemoteAddress`): The IP address or host name of the VPN server. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Authentication Method** (`AuthenticationMethod`): The authentication method for L2TP and Cisco IPSec. | string | optional | SharedSecret | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Username** (`XAuthName`): The user name for the VPN account for Cisco IPSec. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Password** (`XAuthPassword`): The VPN account password for Cisco IPSec. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **XAUTH Enabled** (`XAuthEnabled`): If `1`, enables XAuth for Cisco IPSec VPNs. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **XAUTH Password Encryption** (`XAuthPasswordEncryption`): A string that either has the value `Prompt` or isn't present. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Local Identifier** (`LocalIdentifier`): The name of the group. For hybrid authentication, the string needs to end with `hybrid`.<br>Present only for Cisco IPSec if `AuthenticationMethod` is `SharedSecret`. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Local Identifier Type** (`LocalIdentifierType`): Present only if `AuthenticationMethod` is `SharedSecret`. The value is `KeyID`. The system uses this value for L2TP and Cisco IPSec VPNs. | string | optional | KeyID | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Shared Secret** (`SharedSecret`): The shared secret for this VPN account.<br>Only use this with L2TP and Cisco IPSec VPNs and if the `AuthenticationMethod` key is set to `SharedSecret`. | data | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Certificate UUID** (`PayloadCertificateUUID`): The UUID of the certificate payload within the same profile to use for the account credentials.<br>Only use this with Cisco IPSec VPNs and if the `AuthenticationMethod` key is set to `Certificate`. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Prompt for PIN** (`PromptForVPNPIN`): If `true`, prompts for a PIN when connecting to Cisco IPSec VPNs. | boolean | optional | false | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable Disconnect on Idle** (`DisconnectOnIdle`): If `1`, disconnects after an on-demand connection idles. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Disconnect on Idle Time** (`DisconnectOnIdleTimer`): The length of time to wait before disconnecting an on-demand connection. | integer | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable VPN On Demand** (`OnDemandEnabled`): If `1`, enables bringing the VPN connection up on demand. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Match Domains Always** (`OnDemandMatchDomainsAlways`): Deprecated (iOS 7.0). A list of domain names. In iOS 7 and later, if this key is present, the system treats associated domain names as though they're associated with the `OnDemandMatchDomainsOnRetry` key. This behavior can be overridden by `OnDemandRules`. (1 subkey) | array | optional | — | ✓ Yes | iOS (legacy - 7.0) |
| └─ └─ **Match Domain Always Element** (`MatchDomainAlwaysElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Match Domains Never** (`OnDemandMatchDomainsNever`): Deprecated (iOS 7.0). A list of domain names. In iOS 7 and later, this key is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries. (1 subkey) | array | optional | — | ✓ Yes | iOS (legacy - 7.0) |
| └─ └─ **Match Domain Never Element** (`MatchDomainNeverElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Match Domains On Retry** (`OnDemandMatchDomainsOnRetry`): Deprecated (iOS 7.0). A list of domain names. In iOS 7 and later, this field is deprecated (but still supported) in favor of `EvaluateConnection` actions in the `OnDemandRules` dictionaries. (1 subkey) | array | optional | — | ✓ Yes | iOS (legacy - 7.0) |
| └─ └─ **Match Domain On Retry Element** (`MatchDomainOnRetryElement`) | string | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **On Demand Rules** (`OnDemandRules`): The array of on-demand rule dictionaries. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ **On Demand Rules Element** (`OnDemandRulesElement`) (7 subkeys) | dictionary | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **On Demand Action** (`Action`): The action to take if this dictionary matches the current network. Possible values are:<br>• `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.<br>• `Connect`: Unconditionally initiate a VPN connection on the next network attempt.<br>• `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.<br>• `EvaluateConnection`: Evaluate the `ActionParameters` array for each connection attempt.<br>• `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.<br>Only the `Disconnect` action is available on watchOS 10 and later. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **Action Parameters** (`ActionParameters`): An array of dictionaries that provides rules similar to the `OnDemandRules` dictionary, but evaluated on each connection instead of when the network changes. This value is only for use with dictionaries in which the `Action` value is `EvaluateConnection`. The system evaluates these dictionaries in order and the first dictionary that matches determines the behavior. Not available in watchOS. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element dictionary, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **DNS Domain Match** (`DNSDomainMatch`): An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.<br>The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **DNS Server Address Match** (`DNSServerAddressMatch`): An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.<br>The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **Interface Type Match** (`InterfaceTypeMatch`): An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **SSID Match** (`SSIDMatch`): An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.<br>Omit this key and the corresponding array to match against any SSID. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **URL String Probe** (`URLStringProbe`): A URL to probe. This rule matches when this URL is successfully fetched (returns a `200` HTTP status code) without redirection. Not available in watchOS. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| **IKEv2** (`IKEv2`): The dictionary to use when `VPNType` is `IKEv2`. (46 subkeys) | dictionary | optional | — | ✓ Yes | watchOS (10.0+) |
| └─ **RemoteAddress** (`RemoteAddress`): The IP address or host name of the VPN server. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **LocalIdentifier** (`LocalIdentifier`): The identifier of the IKEv2 client. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **RemoteIdentifier** (`RemoteIdentifier`): The remote identifier. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **AuthenticationMethod** (`AuthenticationMethod`): The type of authentication method for the VPN.<br>To enable EAP-only authentication, set this to `None` and `ExtendedAuthEnabled` to `1`. If this is `None` and the `ExtendedAuthEnabled` key isn't set, the authentication configuration defaults to `SharedSecret`. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Certificate Type** (`CertificateType`): The type of `PayloadCertificateUUID` to use for IKEv2 machine authentication. If this key is included, the system requires a value for `ServerCertificateIssuerCommonName`. | string | optional | RSA | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **PayloadCertificateUUID** (`PayloadCertificateUUID`): The UUID of the certificate payload within the same profile to use as the account credential. If the value of `AuthenticationMethod` is `Certificate`, the system sends this certificate out for IKEv2 machine authentication. If extended authentication (EAP) is used, the system sends this certificate out for EAP-TLS authentication. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Account Password** (`Password`): The password to use for the account credentials. Only used if `AuthenticationMethod` is `Password`. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Provider Bundle Identifier** (`ProviderBundleIdentifier`): If the `VPNSubType` field contains the bundle identifier of an app that contains multiple VPN providers of the same type (`app-proxy` or `packet-tunnel`), the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, this field is required. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Provider Designated Requirement** (`ProviderDesignatedRequirement`): If the VPN provider is implemented as a System Extension, this field is required. Available in macOS 10.15 and later, tvOS 17 and later, and watchOS 10 and later. | string | optional | — | ✓ Yes | macOS (10.15+) |
| └─ **SharedSecret** (`SharedSecret`): If `AuthenticationMethod` is `SharedSecret`, the system uses this value for IKE authentication. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **ExtendedAuthEnabled** (`ExtendedAuthEnabled`): If `1`, enables EAP-only authentication. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **AuthName** (`AuthName`): The user name to use for authentication. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **AuthPassword** (`AuthPassword`): The password to use for authentication. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Enable VPN On Demand** (`OnDemandEnabled`): If `1`, enables bringing the VPN up on demand. | integer | optional | 0 | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ **Prevent users from toggling VPN On Demand** (`OnDemandUserOverrideDisabled`): If `1`, the system disables the Connect On Demand toggle in Settings for this configuration. | integer | optional | 0 | ✓ Yes | iOS (14.0+) |
| └─ **On Demand Rules** (`OnDemandRules`): A list of rules that determine when and how to use an On Demand VPN. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ **On Demand Rules Element** (`OnDemandRulesElement`) (7 subkeys) | dictionary | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **On Demand Action** (`Action`): The action to take if this dictionary matches the current network. Possible values are:<br>• `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.<br>• `Connect`: Unconditionally initiate a VPN connection on the next network attempt.<br>• `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.<br>• `EvaluateConnection`: Evaluate the `ActionParameters` array for each connection attempt.<br>• `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.<br>Only the `Disconnect` action is available on watchOS 10 and later. | string | required | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **Action Parameters** (`ActionParameters`): An array of dictionaries that provides rules similar to the `OnDemandRules` dictionary, but evaluated on each connection instead of when the network changes. This value is only for use with dictionaries in which the `Action` value is `EvaluateConnection`. The system evaluates these dictionaries in order and the first dictionary that matches determines the behavior. Not available in watchOS. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element dictionary, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **DNS Domain Match** (`DNSDomainMatch`): An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.<br>The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **DNS Server Address Match** (`DNSServerAddressMatch`): An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.<br>The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **Interface Type Match** (`InterfaceTypeMatch`): An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. | string | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ **SSID Match** (`SSIDMatch`): An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.<br>Omit this key and the corresponding array to match against any SSID. (1 subkey) | array | optional | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
| └─ └─ └─ └─ *(element, 1 subkey; structure continues, see Apple's documentation for the complete structure)* | — | — | — | ✓ Yes | iOS (4.0+), macOS (10.7+), tvOS (17.0+), visionOS (1.0+) |
└─ └─ └─ URL String Probe URLStringProbe A URL to probe. This rule matches when this URL is successfully fetched (returns a `200` HTTP status code) without redirection. Not available in watchOS. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
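A worked example of how the On Demand rules above are evaluated, added here and not part of Apple's documentation or code. It is a small Python model of the matching semantics on this page: the `*.` prefix of `DNSDomainMatch`, the single wildcard of `DNSServerAddressMatch`, `SSIDMatch` failing on non-Wi-Fi interfaces, and `URLStringProbe` treated as a pre-computed probe result. It assumes two things the page doesn't state: rules are tried in array order and the first match supplies the `Action`, and a rule with several match keys matches only when all of them match. The SSID, domains, addresses and probe URL are constructed placeholders. The point it illustrates is that SSIDs and DHCP-supplied DNS parameters are chosen by whichever access point the device joins, so a `Disconnect` rule keyed on `SSIDMatch` alone is satisfied by any network that broadcasts the office SSID; corroborating it with an HTTPS `URLStringProbe` that only answers inside the office makes the rule much harder to trigger from outside.

```python
"""On Demand rule evaluation, modelled on the OnDemandRules matching described above.

Added example, not Apple's code. Two assumptions the page doesn't state: rules are
tried in array order and the first matching rule supplies the Action, and a rule
with several match keys matches only when every key matches.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class NetworkState:
    """What the device currently sees; every field except probe_ok is supplied by the network."""
    interface: str                                  # "WiFi", "Cellular", "Ethernet"
    ssid: str | None = None
    search_domains: list[str] = field(default_factory=list)   # from DHCP
    dns_servers: list[str] = field(default_factory=list)      # from DHCP
    probe_ok: set[str] = field(default_factory=set)           # URLs that returned 200 without redirect


def _domain_matches(pattern: str, domain: str) -> bool:
    """DNSDomainMatch: exact match, or a leading '*.' wildcard matching any subdomain."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*."):
        return domain.endswith(pattern[1:])       # "*.example.com" -> endswith ".example.com"
    return pattern == domain


def _server_matches(pattern: str, address: str) -> bool:
    """DNSServerAddressMatch: a single '*' wildcard, e.g. '17.*' for 17.0.0.0/8."""
    if pattern.count("*") > 1:
        raise ValueError(f"{pattern!r}: DNSServerAddressMatch supports a single wildcard")
    return fnmatchcase(address, pattern)


def rule_matches(rule: dict, net: NetworkState) -> bool:
    """True when every match key present in the rule is satisfied by the network state."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != net.interface:
        return False
    if "SSIDMatch" in rule and (net.interface != "WiFi" or net.ssid not in rule["SSIDMatch"]):
        return False
    if "DNSDomainMatch" in rule and not any(
            _domain_matches(p, d) for p in rule["DNSDomainMatch"] for d in net.search_domains):
        return False
    if "DNSServerAddressMatch" in rule and not any(
            _server_matches(p, a) for p in rule["DNSServerAddressMatch"] for a in net.dns_servers):
        return False
    if "URLStringProbe" in rule and rule["URLStringProbe"] not in net.probe_ok:
        return False
    return True


def on_demand_action(rules: list[dict], net: NetworkState) -> str | None:
    """Action of the first matching rule, or None when no rule matches."""
    for rule in rules:
        if rule_matches(rule, net):
            return rule["Action"]
    return None


def unreachable_rules(rules: list[dict]) -> list[int]:
    """Indices of rules shadowed by an earlier rule that has no match keys (a catch-all)."""
    match_keys = {"InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch",
                  "DNSServerAddressMatch", "URLStringProbe"}
    for i, rule in enumerate(rules):
        if not match_keys.intersection(rule):
            return list(range(i + 1, len(rules)))
    return []


# Constructed rule sets; SSID, domain, address and URL are placeholders.
SSID_ONLY_RULES = [
    {"Action": "Disconnect", "SSIDMatch": ["CorpNet"]},    # trusts a name any access point can broadcast
    {"Action": "Connect"},
]
CORROBORATED_RULES = [
    {"Action": "Disconnect",
     "InterfaceTypeMatch": "WiFi",
     "SSIDMatch": ["CorpNet"],
     "DNSDomainMatch": ["*.corp.example.com"],
     "DNSServerAddressMatch": ["10.0.0.*"],
     "URLStringProbe": "https://probe.corp.example.com/ok"},
    {"Action": "Connect"},
]

OFFICE = NetworkState("WiFi", "CorpNet", ["hq.corp.example.com"], ["10.0.0.53"],
                      {"https://probe.corp.example.com/ok"})
# Same SSID and DHCP options as the office, but the internal probe doesn't answer.
ROGUE_AP = NetworkState("WiFi", "CorpNet", ["hq.corp.example.com"], ["10.0.0.53"], set())
CELLULAR = NetworkState("Cellular")

if __name__ == "__main__":
    for name, net in (("office", OFFICE), ("rogue AP", ROGUE_AP), ("cellular", CELLULAR)):
        print(f"{name:9} ssid-only: {on_demand_action(SSID_ONLY_RULES, net)!s:11}"
              f"corroborated: {on_demand_action(CORROBORATED_RULES, net)}")
```

Run directly, it prints the action each rule set yields for the office, rogue-AP and cellular states: the SSID-only set disconnects the VPN on the rogue AP, the corroborated set keeps it up. `unreachable_rules` flags the common ordering mistake of placing a catch-all `Connect` rule before the more specific `Disconnect` rule, which silently makes the latter dead.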
└─ Dead Peer Detection Rate DeadPeerDetectionRate One of the following:
- `None`: No keepalive.
- `Low`: Send keepalive every 30 minutes.
- `Medium`: Send keepalive every 10 minutes.
- `High`: Send keepalive every 1 minute.
Not available in watchOS. | string | optional | Medium | ✗No | |
└─ ServerCertificateIssuerCommonName ServerCertificateIssuerCommonName Common Name of the server certificate issuer. If set, this field causes IKE to send a certificate request based on this certificate issuer to the server. This key is required if the `CertificateType` key is included and the `ExtendedAuthEnabled` key is `1`. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ ServerCertificateCommonName ServerCertificateCommonName The common name of the server certificate. The system uses this name to validate the certificate sent by the IKE server. If not set, the system uses the remote identifier to validate the certificate. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ TLS Minimum Version TLSMinimumVersion The minimum TLS version to use with EAP-TLS authentication. | string | optional | 1.0 | ✓Yes | iOS (11.0+)macOS (10.13+) |
└─ TLS Maximum Version TLSMaximumVersion The maximum TLS version to use with EAP-TLS authentication. | string | optional | 1.2 | ✓Yes | iOS (11.0+)macOS (10.13+) |
└─ Use IPv4 / IPv6 Internal Subnet Attributes UseConfigurationAttributeInternalIPSubnet If `1`, negotiations should use IKEv2 Configuration Attribute `INTERNAL_IP4_SUBNET` and `INTERNAL_IP6_SUBNET`. | integer | optional | 0 | ✓Yes | iOS (9.0+) |
└─ Disable Mobility and Multihoming DisableMOBIKE If `1`, the system disables MOBIKE. | integer | optional | 0 | ✓Yes | iOS (9.0+) |
└─ Disable Redirect DisableRedirect If `1`, the system disables IKEv2 redirect. If not set, the system redirects an IKEv2 connection when it receives a redirect request from the server. | integer | optional | 0 | ✓Yes | iOS (9.0+) |
└─ Enable Disconnect on Idle DisconnectOnIdle If `1`, the VPN disconnects automatically after a period defined by `DisconnectOnIdleTimer`. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Disconnect on Idle time DisconnectOnIdleTimer Only used if `DisconnectOnIdle` is `1`. The number of seconds before the VPN disconnects. On watchOS, the maximum allowed value is 15 seconds. | integer | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ NAT Keep Alive Offload Enable NATKeepAliveOffloadEnable If `1`, enables NAT keepalive offload for Always On VPN IKEv2 connections. The device sends keepalive packets to maintain NAT mappings for IKEv2 connections that have a NAT on the path. It sends keepalive packets at regular intervals when the device is awake. If `NATKeepAliveOffloadEnable` is `1`, the system offloads keepalive packets to hardware while the device is asleep.
NAT keepalive offload has an impact on the battery life due to the extra workload during sleep. The default interval for the keepalive offload packets is 20 seconds over Wi-Fi and 110 seconds over Cellular interface. The default NAT keepalive works well on networks with small NAT mapping timeouts but imposes a potential battery impact. If a network has larger NAT mapping timeouts, larger keepalive intervals may be safely used to minimize battery impact. Modify the keepalive interval through the `NATKeepAliveInterval` key. | integer | optional | 1 | ✓Yes | iOS (9.0+) |
└─ NAT Keepalive Interval NATKeepAliveInterval The NAT Keepalive interval for Always On VPN IKEv2 connections. This value controls the interval that the device sends keepalive offload packets. The minimum value is 20 seconds. If no key is specified, the default is 20 seconds over Wi-Fi and 110 seconds over a cellular interface. | integer | optional | 20 | ✓Yes | iOS (9.0+) |
└─ Enable perfect forward secrecy EnablePFS If `1`, enables Perfect Forward Secrecy (PFS) for IKEv2 Connections. | integer | optional | 0 | ✓Yes | iOS (9.0+) |
└─ Enable certificate revocation check EnableCertificateRevocationCheck If `1`, the system performs a certificate revocation check for IKEv2 connections. This is a best-effort revocation check and server response timeouts won't cause it to fail. | integer | optional | 0 | ✓Yes | iOS (9.0+) |
└─ Enable fallback EnableFallback If `1`, the system enables a tunnel over cellular data to carry traffic that's eligible for Wi-Fi Assist and also requires VPN.
Enabling fallback requires that the server support multiple tunnels for a single user.
This field is available in iOS 13 and later, and tvOS 17 and later. Not available in watchOS. | integer | optional | 0 | ✓Yes | iOS (13.0+) |
└─ Maximum Transmission Unit MTU The Maximum Transmission Unit (MTU) specifies the maximum size in bytes of each packet that the system sends over the IKEv2 VPN interface. Available in iOS 14 and later, and macOS 11 and later. Range: 1280 - 1400 | integer | optional | 1280 | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ ProviderType ProviderType If the value of this key is `app-proxy`, the VPN service tunnels traffic at the application layer. If the value of this key is `packet-tunnel`, the VPN service tunnels traffic at the IP layer. | string | optional | packet-tunnel | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Include All Networks IncludeAllNetworks If `1`, then the system routes all network traffic through the VPN, apart from the exclusions controlled by the `ExcludeLocalNetworks`, `ExcludeCellularServices`, and `ExcludeAPNs` keys. The system always excludes the following traffic from the tunnel:
- Traffic necessary for connecting and maintaining the device's network connection, such as DHCP.
- Traffic necessary for connecting to captive networks.
- Certain cellular services traffic that's not routable over the internet and is instead directly routed to the cellular network. See the `ExcludeCellularServices` field for more information.
- Network communication with a companion device such as a watchOS device. | integer | optional | 0 | ✓Yes | iOS (14.0+)macOS (10.15+) |
└─ Enforce Routes EnforceRoutes If `1`, all the VPN's non-default routes take precedence over any locally-defined routes. If `IncludeAllNetworks` is `1`, the system ignores `EnforceRoutes`. | integer | optional | 0 | ✓Yes | iOS (14.2+)macOS (11.0+) |
└─ Exclude Local Networks ExcludeLocalNetworks If `1` and either `IncludeAllNetworks` or `EnforceRoutes` are `1`, then the system routes local network traffic outside of the VPN. The default for this value is `0` on macOS and `1` on iOS. | integer | optional | — | ✓Yes | iOS (14.2+)macOS (10.15+) |
└─ Exclude Cellular Services ExcludeCellularServices If `1` and `IncludeAllNetworks` is `1`, the system excludes internet-routable network traffic for cellular services (VoLTE, Wi-Fi Calling, IMS, MMS, Visual Voicemail, etc.) from the tunnel. Note that some cellular carriers route cellular services traffic directly to the carrier network, bypassing the internet. Such cellular services traffic is always excluded from the tunnel. | integer | optional | 1 | ✓Yes | iOS (16.4+)macOS (13.3+) |
└─ Exclude APNs ExcludeAPNs If `1` and `IncludeAllNetworks` is `1`, the system excludes network traffic for the Apple Push Notification service (APNs) from the tunnel. | integer | optional | 1 | ✓Yes | iOS (16.4+)macOS (13.3+) |
└─ Exclude Device Communication ExcludeDeviceCommunication If set to `1` and `IncludeAllNetworks` is set to `1`, the device excludes network traffic used for communicating with devices connected via USB or Wi-Fi from the tunnel. | integer | optional | 1 | ✓Yes | iOS (17.4+)macOS (14.4+)visionOS (1.1+) |
└─ Post-quantum Pre-shared Key PPK The Post-quantum Pre-shared Key (PPK) the device uses for this VPN. This key is used with VPN servers that support RFC 8784. If this key is present, `PPKIdentifier` must also be present. | data | optional | — | ✓Yes | iOS (18.0+)macOS (15.0+)tvOS (18.0+)visionOS (2.0+)watchOS (11.0+) |
└─ Post-quantum Pre-shared Key Identifier PPKIdentifier The identifier for the Post-quantum Pre-shared Key (PPK) the device uses for this VPN. This key is used with VPN servers that support RFC 8784. If this key is present, `PPK` must also be present. | string | optional | — | ✓Yes | iOS (18.0+)macOS (15.0+)tvOS (18.0+)visionOS (2.0+)watchOS (11.0+) |
└─ Post-quantum Pre-shared Key Mandatory PPKMandatory If set to `1`, the VPN doesn't establish a connection if the server doesn't support RFC 8784 or doesn't accept the PPK identifier specified in `PPKIdentifier`. The device ignores this key if `PPK` and `PPKIdentifier` are not present. | integer | optional | 1 | ✓Yes | iOS (18.0+)macOS (15.0+)tvOS (18.0+)visionOS (2.0+)watchOS (11.0+) |
└─ Allow Post-quantum Key Exchange Fallback AllowPostQuantumKeyExchangeFallback If set to `0`, the VPN doesn't establish a connection if the server doesn't support or doesn't allow post-quantum key exchanges. The device ignores this key if `PostQuantumKeyExchangeMethods` is not present in `IKESecurityAssociationParameters` or `ChildSecurityAssociationParameters`. | integer | optional | 0 | ✓Yes | iOS (26.0+)macOS (26.0+)tvOS (26.0+)visionOS (26.0+)watchOS (26.0+) |
└─ Enforce Strict Algorithm Selection EnforceStrictAlgorithmSelection If set to `1`, the device doesn't allow DES, 3DES, or Diffie-Hellman groups lower than 14. The device also requires the encryption algorithm specified for the IKE SA to be at least as cryptographically strong as the algorithm specified for the child SA. The device rejects this profile payload if these requirements aren't met. | integer | optional | 0 | ✓Yes | iOS (18.5+)macOS (15.5+)tvOS (18.5+)visionOS (2.5+)watchOS (11.5+) |
└─ IKESecurityAssociationParameters IKESecurityAssociationParameters Parameters for the IKE Security Association. These parameters also apply to the Child Security Association unless `ChildSecurityAssociationParameters` is specified. 5 subkeys | dictionary | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ EncryptionAlgorithm EncryptionAlgorithm The encryption algorithm.
In watchOS and tvOS, the default value is `AES-256-GCM`.
`DES` and `3DES` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. | string | optional | AES-256 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ IntegrityAlgorithm IntegrityAlgorithm The integrity algorithm.
`SHA1-96` and `SHA1-160` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. | string | optional | SHA2-256 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ DiffieHellmanGroup DiffieHellmanGroup The Diffie-Hellman group.
For `AlwaysOn` VPN in iOS 14.2 and later, the minimum allowed value is `14`.
`1`, `2`, and `5` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. | integer | optional | 14 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ Post-quantum Key Exchange Methods PostQuantumKeyExchangeMethods An array of strings representing post-quantum key exchange methods the device uses during SA establishment and rekey. You can specify up to seven items, which correspond to ADDKE1 - ADDKE7 from RFC 9370. 1 subkey | array | optional | — | ✓Yes | iOS (26.0+)macOS (26.0+)tvOS (26.0+)visionOS (26.0+)watchOS (26.0+) |
└─ └─ └─ Post-quantum Key Exchange Method PostQuantumKeyExchangeMethod | integer | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ LifeTimeInMinutes LifeTimeInMinutes The SA lifetime (rekey interval) in minutes. Range: 10 - 1440 | integer | optional | 1440 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ ChildSecurityAssociationParameters ChildSecurityAssociationParameters Parameters for the Child Security Association. If omitted, the system uses `IKESecurityAssociationParameters` for the Child Security Association as well. 5 subkeys | dictionary | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ EncryptionAlgorithm EncryptionAlgorithm The encryption algorithm.
In watchOS and tvOS, the default value is `AES-256-GCM`.
`DES` and `3DES` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. | string | optional | AES-256 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ IntegrityAlgorithm IntegrityAlgorithm The integrity algorithm.
`SHA1-96` and `SHA1-160` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. | string | optional | SHA2-256 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ DiffieHellmanGroup DiffieHellmanGroup The Diffie-Hellman group.
For `AlwaysOn` VPN in iOS 14.2 and later, the minimum allowed value is `14`.
`1`, `2`, and `5` are available only in iOS, macOS, and visionOS prior to iOS 26, macOS 26, and visionOS 26. | integer | optional | 14 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ Post-quantum Key Exchange Methods PostQuantumKeyExchangeMethods An array of strings representing post-quantum key exchange methods the device uses during SA establishment and rekey. You can specify up to seven items, which correspond to ADDKE1 - ADDKE7 from RFC 9370. 1 subkey | array | optional | — | ✓Yes | iOS (26.0+)macOS (26.0+)tvOS (26.0+)visionOS (26.0+)watchOS (26.0+) |
└─ └─ └─ Post-quantum Key Exchange Method PostQuantumKeyExchangeMethod | integer | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ LifeTimeInMinutes LifeTimeInMinutes The SA lifetime (rekey interval) in minutes. Range: 10 - 1440 | integer | optional | 1440 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
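An added example (not Apple's code) that checks the IKEv2 settings of a payload against the constraints listed above before the profile is pushed: the legacy DES/3DES, SHA1 and Diffie-Hellman 1/2/5 values, `EnforceStrictAlgorithmSelection`, the `AlwaysOn` minimum group of 14, the `LifeTimeInMinutes` and `MTU` ranges, the `PPK`/`PPKIdentifier` pairing, and the `IncludeAllNetworks`/`EnforceRoutes`/`ExcludeLocalNetworks` interplay. It assumes these keys live in the payload's `IKEv2` dictionary (the parent key isn't visible in this section), ranks ciphers by key length because the page doesn't define "at least as cryptographically strong", and uses an assumed cipher value set. A weak and a hardened configuration are constructed inline; the PPK bytes are placeholders, not a real key.

```python
"""Lint the IKEv2 settings of a VPN payload against the constraints documented above.

Added example, not Apple's code. It assumes the settings in this section sit in the
payload's IKEv2 dictionary and, because the page doesn't define "at least as
cryptographically strong", ranks ciphers by key length (GCM and CBC of equal key
size rank equal). The cipher value set below is also an assumption.
"""
from __future__ import annotations

ENC_BITS = {"DES": 56, "3DES": 112, "AES-128": 128, "AES-128-GCM": 128,
            "AES-256": 256, "AES-256-GCM": 256}
LEGACY_ENC = {"DES", "3DES"}
LEGACY_INTEG = {"SHA1-96", "SHA1-160"}
REMOVED = "legacy; unavailable from iOS, macOS and visionOS 26"


def _sa_findings(label: str, sa: dict, strict: bool, always_on: bool) -> list[str]:
    out: list[str] = []
    enc = sa.get("EncryptionAlgorithm", "AES-256")       # documented defaults
    integ = sa.get("IntegrityAlgorithm", "SHA2-256")
    dh = sa.get("DiffieHellmanGroup", 14)
    life = sa.get("LifeTimeInMinutes", 1440)
    if enc in LEGACY_ENC:
        out.append(f"{label}: EncryptionAlgorithm {enc} "
                   + ("is rejected by EnforceStrictAlgorithmSelection" if strict else f"is {REMOVED}"))
    if integ in LEGACY_INTEG:
        out.append(f"{label}: IntegrityAlgorithm {integ} is {REMOVED}")
    if dh < 14:
        if strict:
            why = "is rejected by EnforceStrictAlgorithmSelection"
        elif always_on:
            why = "is below the AlwaysOn minimum of 14 (iOS 14.2+)"
        else:
            why = f"is {REMOVED}"
        out.append(f"{label}: DiffieHellmanGroup {dh} {why}")
    if not 10 <= life <= 1440:
        out.append(f"{label}: LifeTimeInMinutes {life} is outside the allowed range 10-1440")
    return out


def lint_ikev2(payload: dict) -> list[str]:
    """Return human-readable findings; an empty list means every documented constraint holds."""
    ike = payload.get("IKEv2", {})
    strict = ike.get("EnforceStrictAlgorithmSelection", 0) == 1
    always_on = payload.get("VPNType") == "AlwaysOn"
    ike_sa = ike.get("IKESecurityAssociationParameters", {})
    # IKE SA parameters also govern the child SA unless ChildSecurityAssociationParameters is given
    child_sa = ike.get("ChildSecurityAssociationParameters", ike_sa)

    findings = _sa_findings("IKE SA", ike_sa, strict, always_on)
    if child_sa is not ike_sa:
        findings += _sa_findings("Child SA", child_sa, strict, always_on)
    if strict:
        ike_enc = ike_sa.get("EncryptionAlgorithm", "AES-256")
        child_enc = child_sa.get("EncryptionAlgorithm", "AES-256")
        if ENC_BITS.get(ike_enc, 0) < ENC_BITS.get(child_enc, 0):
            findings.append(f"IKE SA cipher {ike_enc} is weaker than child SA cipher {child_enc}; "
                            "EnforceStrictAlgorithmSelection rejects the payload")
    if ("PPK" in ike) != ("PPKIdentifier" in ike):
        findings.append("PPK and PPKIdentifier must be present together")
    if "PPKMandatory" in ike and "PPK" not in ike:
        findings.append("PPKMandatory is ignored without PPK and PPKIdentifier")
    mtu = ike.get("MTU")
    if mtu is not None and not 1280 <= mtu <= 1400:
        findings.append(f"MTU {mtu} is outside the allowed range 1280-1400")
    if ike.get("IncludeAllNetworks") == 1 and ike.get("EnforceRoutes") == 1:
        findings.append("EnforceRoutes is ignored when IncludeAllNetworks is 1")
    if ike.get("ExcludeLocalNetworks") == 1 and 1 not in (ike.get("IncludeAllNetworks"),
                                                          ike.get("EnforceRoutes")):
        findings.append("ExcludeLocalNetworks has no effect unless IncludeAllNetworks or EnforceRoutes is 1")
    return findings


# Constructed payload fragments (only the keys the linter reads). PPK bytes are a placeholder.
WEAK = {
    "VPNType": "IKEv2",
    "IKEv2": {
        "EnforceStrictAlgorithmSelection": 1,
        "IKESecurityAssociationParameters": {
            "EncryptionAlgorithm": "3DES", "IntegrityAlgorithm": "SHA1-96", "DiffieHellmanGroup": 2},
        "ChildSecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-256-GCM", "DiffieHellmanGroup": 14},
        "PPK": bytes(32),                 # PPKIdentifier missing
        "IncludeAllNetworks": 1, "EnforceRoutes": 1,
    },
}
HARDENED = {
    "VPNType": "IKEv2",
    "IKEv2": {
        "EnforceStrictAlgorithmSelection": 1, "EnablePFS": 1, "EnableCertificateRevocationCheck": 1,
        "IKESecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
            "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 480},
        "ChildSecurityAssociationParameters": {
            "EncryptionAlgorithm": "AES-256-GCM", "IntegrityAlgorithm": "SHA2-256",
            "DiffieHellmanGroup": 20, "LifeTimeInMinutes": 60},
        "PPK": bytes(32), "PPKIdentifier": "corp-ppk-2025", "PPKMandatory": 1,
        "IncludeAllNetworks": 1, "ExcludeLocalNetworks": 0, "MTU": 1400,
    },
}

if __name__ == "__main__":
    for name, p in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {len(lint_ikev2(p))} finding(s)")
        for line in lint_ikev2(p):
            print("  -", line)
```

The weak fragment produces six findings, three of which (3DES, group 2, and an IKE SA cipher weaker than the child SA cipher) would make a device with `EnforceStrictAlgorithmSelection` set reject the whole payload rather than degrade silently; the hardened fragment produces none.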
DNS DNS A dictionary to use for all VPN types. 9 subkeys | dictionary | optional | — | ✓Yes | watchOS (10.0+) |
└─ DNS Protocol DNSProtocol The transport protocol to communicate with the DNS server. | string | required | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ Server URL ServerURL The URI template of a DNS-over-HTTPS server, as defined in RFC 8484, which needs to use the `https://` scheme. The system uses the hostname or address in the URL to validate the server certificate. If `ServerAddresses` isn't specified, the system uses the hostname or address in the URL to determine the server addresses. This key is required if the `DNSProtocol` is `HTTPS`. | string | optional | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ Server Name ServerName The hostname of a DNS-over-TLS server to validate the server certificate, as defined in RFC 7858. If `ServerAddresses` isn't specified, the system uses the hostname to determine the server addresses. This key is required if the `DNSProtocol` is `TLS`. | string | optional | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ DNS Server Addresses ServerAddresses The array of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses. 1 subkey | array | required | — | ✓Yes | iOS (10.0+)macOS (10.12+) |
└─ └─ Server Address Element ServerAddressesElement | string | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ DNS Search Domains SearchDomains The list of domain strings used to fully qualify single-label host names. 1 subkey | array | optional | — | ✓Yes | iOS (10.0+)macOS (10.12+) |
└─ └─ Search Domains Element SearchDomainsElement | string | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ Domain Name DomainName The primary domain of the tunnel. | string | optional | — | ✓Yes | iOS (10.0+)macOS (10.12+) |
└─ Supplemental Match Domains SupplementalMatchDomains The list of domain strings used to determine which DNS queries use the DNS resolver settings in `ServerAddresses`. The system uses this key to create a split DNS configuration where it resolves only hosts in certain domains using the tunnel's DNS resolver. The system uses the default resolver for hosts that aren't in one of the domains in this list.
If `SupplementalMatchDomains` contains the empty string it becomes the default domain.
Split-tunnel configurations can direct all DNS queries to the VPN DNS servers before the primary DNS servers. If the VPN tunnel becomes the network's default route, the servers listed in `ServerAddresses` become the default resolver and the system ignores the `SupplementalMatchDomains` list. 1 subkey | array | optional | — | ✓Yes | iOS (10.0+)macOS (10.12+) |
└─ └─ Supplemental Match Domains Element SupplementalMatchDomainsElement | string | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ Supplemental Match Domains No Search SupplementalMatchDomainsNoSearch If `0`, append the domains in the `SupplementalMatchDomains` list to the resolver's list of search domains. | integer | optional | 0 | ✓Yes | iOS (10.0+)macOS (10.12+) |
└─ DNS Certificate UUID PayloadCertificateUUID The UUID of an identity certificate payload. The system uses this identity to authenticate the user to the DNS resolver. | string | optional | — | ✓Yes | iOS (16.0+)macOS (13.0+) |
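An added example (not Apple's code) of the split-DNS behaviour described above: which resolver a name is sent to under `SupplementalMatchDomains`, how single-label names are qualified with `SearchDomains` and `SupplementalMatchDomainsNoSearch`, and the keys each `DNSProtocol` requires. Hostnames and addresses are constructed placeholders. It assumes that a DNS dictionary without `SupplementalMatchDomains` acts as the default resolver. The practical caveat it makes visible: on a split tunnel, any name outside the listed domains is resolved by whatever resolver the local network hands out, so the list decides which queries stay inside the tunnel, and once the tunnel becomes the default route the list stops mattering altogether.

```python
"""Split-DNS behaviour of the DNS dictionary described above: which resolver a name goes to,
how single-label names are qualified, and the keys each DNSProtocol requires.

Added example, not Apple's code. Hostnames and addresses are placeholders. One assumption:
when SupplementalMatchDomains is absent the tunnel resolver is treated as the default resolver.
"""
from __future__ import annotations


def check_dns_dict(dns: dict) -> list[str]:
    """Findings for the required-key rules stated on the page."""
    out: list[str] = []
    proto = dns.get("DNSProtocol")
    if proto is None:
        out.append("DNSProtocol is required")
    if proto == "HTTPS":
        url = dns.get("ServerURL", "")
        if not url:
            out.append("ServerURL is required when DNSProtocol is HTTPS")
        elif not url.startswith("https://"):
            out.append("ServerURL must use the https:// scheme")
    if proto == "TLS" and not dns.get("ServerName"):
        out.append("ServerName is required when DNSProtocol is TLS")
    if not dns.get("ServerAddresses") and not (dns.get("ServerURL") or dns.get("ServerName")):
        out.append("ServerAddresses is required when no ServerURL or ServerName can supply the server address")
    return out


def _in_domain(name: str, domain: str) -> bool:
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    if domain == "":
        return True                         # empty string makes the tunnel resolver the default
    return name == domain or name.endswith("." + domain)


def resolver_for(name: str, dns: dict, tunnel_is_default_route: bool) -> str:
    """'tunnel' if the query goes to ServerAddresses, 'system' if it goes to the network's resolver."""
    domains = dns.get("SupplementalMatchDomains")
    if tunnel_is_default_route or domains is None:
        return "tunnel"                     # SupplementalMatchDomains is ignored; tunnel DNS resolves everything
    return "tunnel" if any(_in_domain(name, d) for d in domains) else "system"


def search_candidates(host: str, dns: dict) -> list[str]:
    """Fully qualified names tried for a single-label host name."""
    if "." in host:
        return [host]
    domains = list(dns.get("SearchDomains", []))
    if dns.get("SupplementalMatchDomainsNoSearch", 0) == 0:
        # the empty string is a match-all marker, not a search domain
        domains += [d for d in dns.get("SupplementalMatchDomains", []) if d and d not in domains]
    return [f"{host}.{d}" for d in domains]


# Constructed split-DNS configuration for a split-tunnel VPN (DNS-over-TLS to the tunnel resolver).
SPLIT_DNS = {
    "DNSProtocol": "TLS",
    "ServerName": "dns.corp.example.com",
    "ServerAddresses": ["10.0.0.53", "fd00::53"],
    "SearchDomains": ["corp.example.com"],
    "SupplementalMatchDomains": ["corp.example.com", "internal.example.net"],
    "SupplementalMatchDomainsNoSearch": 1,
}
# A DoH dictionary with a plain-http URL, which the page says isn't allowed.
BAD_DOH = {"DNSProtocol": "HTTPS", "ServerURL": "http://doh.example.net/dns-query",
           "ServerAddresses": ["192.0.2.53"]}

if __name__ == "__main__":
    for n in ("wiki.corp.example.com", "git.internal.example.net", "www.example.org"):
        print(f"{n:26} split-tunnel -> {resolver_for(n, SPLIT_DNS, False):7}"
              f"full-tunnel -> {resolver_for(n, SPLIT_DNS, True)}")
    print(search_candidates("wiki", SPLIT_DNS))
    print(check_dns_dict(BAD_DOH))
```

Setting `SupplementalMatchDomainsNoSearch` to `0` in `SPLIT_DNS` adds `internal.example.net` to the names tried for `wiki`, which is convenient for users but also means a single-label typo is looked up in every internal domain before it fails.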
Proxies Proxies The dictionary to use to configure `Proxies` for use with `VPN`. 12 subkeys | dictionary | optional | — | ✓Yes | watchOS (10.0+) |
└─ Proxy AutoConfig Enable ProxyAutoConfigEnable If `1`, enables automatic proxy configuration. | integer | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Proxy Auto Discovery Enable ProxyAutoDiscoveryEnable If `1`, enables proxy auto discovery. | integer | optional | 1 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Proxy Server URL ProxyAutoConfigURLString The URL of the proxy auto-configuration (PAC) file. Used only when `ProxyAutoConfigEnable` is `1`. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Supplemental Match Domains SupplementalMatchDomains An array of domains. Hosts in these domains use the proxy settings in this dictionary. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ Supplemental Match Domains Element SupplementalMatchDomainsElement | string | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ Enable HTTP HTTPEnable If `1`, enables proxy for HTTP traffic. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ HTTP Proxy HTTPProxy The host name of the HTTP proxy. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ HTTP Port HTTPPort The port number of the HTTP proxy. This field is required if `HTTPProxy` is specified. Range: 0 - 65535 | integer | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ HTTP ProxyUsername HTTPProxyUsername The user name used for authentication. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ HTTP ProxyPassword HTTPProxyPassword The password used for authentication. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Enable HTTPS HTTPSEnable If `1`, enables proxy for HTTPS traffic. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ HTTPS Proxy HTTPSProxy The host name of the HTTPS proxy. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ HTTPS Port HTTPSPort The port number of the HTTPS proxy. This field is required if `HTTPSProxy` is specified. Range: 0 - 65535 | integer | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
AlwaysOn AlwaysOn The dictionary to use when `VPNType` is `AlwaysOn`. Not available in tvOS or watchOS. 7 subkeys | dictionary | optional | — | ✓Yes | iOS (8.0+) |
└─ UI Toggle Enabled UIToggleEnabled If `1`, allows the user to disable the VPN configuration. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ TunnelConfigurations TunnelConfigurations An array that contains an arbitrary number of tunnel configurations. 1 subkey | array | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ A TunnelConfiguration Element TunnelConfigurationElement 2 subkeys | dictionary | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ └─ Protocol Type ProtocolType The type of connection, which needs to be `IKEv2`. | string | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ Interfaces Interfaces The interfaces to apply this configuration to. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | ||
└─ ServiceExceptions ServiceExceptions An array that contains an arbitrary number of service exceptions. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ A ServiceException Element ServiceExceptionElement 2 subkeys | dictionary | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ └─ Service Name ServiceName The name of a service that's exempt from Always On VPN.
`CellularServices` is available in iOS 11.3 and later; it exempts `VoLTE`, `IMS` and `MMS`. WiFiCalling is exempted in iOS 13.4 and later.
`DeviceCommunication` is available in iOS 17.4 and later; it exempts network traffic used for communicating with devices connected via USB or Wi-Fi. | string | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ Action Action The action to take with network connections from the named service. | string | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ ApplicationExceptions ApplicationExceptions An array that contains an arbitrary number of apps whose connections occur outside the VPN. 1 subkey | array | optional | — | ✓Yes | iOS (13.6+) |
└─ └─ An ApplicationException Element ApplicationExceptionElement 2 subkeys | dictionary | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ └─ Bundle Identifier BundleIdentifier The app's bundle identifier. | string | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ LimitToProtocols LimitToProtocols Limit the exception to only the specified list of protocols, with support for `UDP` only. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | ||
└─ Allow Captive Web Sheet AllowCaptiveWebSheet If `1`, allows traffic from Captive Web Sheet outside the VPN tunnel. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Allow All Captive Network Plugins AllowAllCaptiveNetworkPlugins If `1`, allows traffic from all captive networking apps outside the VPN tunnel to perform captive network handling. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ AllowedCaptiveNetworkPlugins AllowedCaptiveNetworkPlugins The array of captive networking apps whose traffic is allowed outside the VPN tunnel to perform captive network handling. Used only when `AllowAllCaptiveNetworkPlugins` is `0`. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ An AllowedCaptiveNetworkPlugin Element AllowedCaptiveNetworkPluginElement 1 subkey | dictionary | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ └─ Bundle Identifier BundleIdentifier The bundle identifier for the app that's allowed on the captive network. | string | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
TransparentProxy TransparentProxy The dictionary to use when `VPNType` is `TransparentProxy`. Available in macOS 14 and later. 12 subkeys | dictionary | optional | — | ✓Yes | macOS (14.0+) |
└─ Authentication Method AuthenticationMethod The type of authentication method to use: `Password`, `Certificate`, or `Password+Certificate`.
Available in macOS 14 and later. | string | optional | Password | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Enable Disconnect on Idle DisconnectOnIdle If `1`, the VPN disconnects automatically after a period defined by `DisconnectOnIdleTimer`.
Available in macOS 14 and later. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Disconnect on Idle time DisconnectOnIdleTimer The number of seconds before the VPN disconnects. This value is only used if `DisconnectOnIdle` is `1`.
Available in macOS 14 and later. | integer | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Enforce Routes EnforceRoutes If `1`, then all the VPN's non-default routes take precedence over any locally-defined routes. If `IncludeAllNetworks` is `1`, the system ignores the value of `EnforceRoutes`.
Available in macOS 14 and later. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Enable VPN On Demand OnDemandEnabled If `1`, the system brings up the VPN on demand.
Available in macOS 14 and later. | integer | optional | 0 | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ On Demand Rules OnDemandRules Determines when and how the system uses an OnDemand VPN.
Available in macOS 14 and later. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ On Demand Rules Element OnDemandRulesElement 7 subkeys | dictionary | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | |
└─ └─ └─ On Demand Action Action The action to take if this dictionary matches the current network. Possible values are:
- `Allow`: Deprecated. Allow VPN On Demand to connect if triggered.
- `Connect`: Unconditionally initiate a VPN connection on the next network attempt.
- `Disconnect`: Tear down the VPN connection and don't reconnect on demand as long as this dictionary matches.
- `EvaluateConnection`: Evaluate the ActionParameters array for each connection attempt.
- `Ignore`: Leave any existing VPN connection up, but don't reconnect on demand as long as this dictionary matches.
Only the `Disconnect` action is available on watchOS 10 and later. | string | required | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ Action Parameters ActionParameters An array of dictionaries that provides rules similar to the `OnDemandRules` dictionary, but evaluated on each connection instead of when the network changes. This value is only for use with dictionaries in which the `Action` value is `EvaluateConnection`. The system evaluates these dictionaries in order and the first dictionary that matches determines the behavior. Not available in watchOS. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | ||
└─ └─ └─ DNS Domain Match DNSDomainMatch An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list.
The system supports a wildcard (`*`) prefix. For example, `*.example.com` matches against either `mydomain.example.com` or `yourdomain.example.com`. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | ||
└─ └─ └─ DNS Server Address Match DNSServerAddressMatch An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array.
The system supports matching with a single wildcard. For example, `17.*` matches any DNS server in the `17.0.0.0/8` subnet. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | ||
└─ └─ └─ Interface Type Match InterfaceTypeMatch An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ SSID Match SSIDMatch An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails.
Omit this key and the corresponding array to match against any SSID. 1 subkey | array | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 1 subkey (deeply nested - 1 subkey). See Apple's documentation for the complete structure. | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) | ||
└─ └─ └─ URL String Probe URLStringProbe A URL to probe. This rule matches when this URL is successfully fetched (returns a `200` HTTP status code) without redirection. Not available in watchOS. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ PayloadCertificateUUID PayloadCertificateUUID The UUID of the identity certificate as the account credential. If `AuthenticationMethod` is `Certificate`, and extended authentication (EAP) isn't used, this certificate is sent out for IKE client authentication. If extended authentication is used, this certificate can be used for EAP-TLS.
Available in macOS 14 and later. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Account Password Password The password to use for the account credentials. Only used if `AuthenticationMethod` is `Password`.
Available in macOS 14 and later. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Provider Bundle Identifier ProviderBundleIdentifier If the VPNSubType field contains the bundle identifier of an app that contains multiple VPN providers of the same type (app-proxy or packet-tunnel), then the system uses this field to choose which provider to use for this configuration. If the VPN provider is implemented as a System Extension, then this field is required.
Available in macOS 14 and later. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Provider Designated Requirement ProviderDesignatedRequirement If the VPN provider is implemented as a System Extension, then this field is required.
Available in macOS 14 and later. | string | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ ProviderType ProviderType If the value of this key is `app-proxy`, the VPN service tunnels traffic at the application layer. If the value of this key is `packet-tunnel`, the VPN service tunnels traffic at the IP layer.
Available in macOS 14 and later. | string | optional | packet-tunnel | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |
└─ Order Order A positive integer.
Available in macOS 14 and later. | integer | optional | — | ✓Yes | iOS (4.0+)macOS (10.7+)tvOS (17.0+)visionOS (1.0+) |