The payload that configures a per-app VPN.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
VPNUUID VPNUUID A globally unique identifier for this VPN configuration. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
Cellular Slice UUID CellularSliceUUID A string representing the data network name (DNN) or app category identifying a Cellular Slice. The device forces the VPN tunnel to use the specified Cellular Slice. | string | optional | — | ✓Yes | iOS (18.0+) |
SafariDomains SafariDomains An array with entries that must each specify a domain that triggers the VPN connection in Safari. Each entry is in the format `www.apple.com`. 1 subkey | array | optional | — | ✗No | |
└─ SafariDomainsItem SafariDomainsItem A domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
MailDomains MailDomains Deprecated (iOS 13.4) An array with entries that must each specify a domain that triggers this VPN connection in Mail. Each entry is in the format `www.apple.com`.
This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `Mail` or `ExchangeActiveSync` payload instead. 1 subkey | array | optional | — | ✓Yes | iOS (13.0 - 13.4)macOS (10.15+) |
└─ MailDomainsItem MailDomainsItem A domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
CalendarDomains CalendarDomains Deprecated (iOS 13.4) An array with entries that must each specify a domain that triggers this VPN connection in Calendar. Each entry is in the format `www.apple.com`.
This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `CalDAV` payload instead. 1 subkey | array | optional | — | ✓Yes | iOS (13.0 - 13.4)macOS (10.15+) |
└─ CalendarDomainsItem CalendarDomainsItem A domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
ContactsDomains ContactsDomains Deprecated (iOS 13.4) An array with entries that must each specify a domain that triggers this VPN connection in Contacts. Each entry is in the format `www.apple.com`.
This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `CardDAV` payload instead. 1 subkey | array | optional | — | ✓Yes | iOS (13.0 - 13.4)macOS (10.15+) |
└─ ContactsDomainsItem ContactsDomainsItem A domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
AssociatedDomains AssociatedDomains An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the `apple-app-site-association` file, as described in `Supporting associated domains`.
Available in iOS 14 and later, and macOS 11 and later. 1 subkey | array | optional | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ AssociatedDomainsItem AssociatedDomainsItem A domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
ExcludedDomains ExcludedDomains An array with entries that each specify a domain that doesn't trigger this VPN for connections to the domain.
Available in iOS 14 and later, and macOS 11 and later. 1 subkey | array | optional | — | ✓Yes | iOS (14.0+)macOS (11.0+) |
└─ ExcludedDomainsItem ExcludedDomainsItem A domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
OnDemandMatchAppEnabled OnDemandMatchAppEnabled If `true`, automatically connects the VPN when associated apps for this per-app VPN service initiate network communication. Otherwise, the user must initiate the connection manually before those apps can initiate network communication. If this key isn't present, the value of the `OnDemandEnabled` key determines the status of per-app VPN On Demand. | boolean | optional | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
SMBDomains SMBDomains An array of SMB domains that's accessible through this VPN connection.
Available in iOS 13 and later. 1 subkey | array | optional | — | ✓Yes | iOS (13.0+) |
└─ SMBDomainsItem SMBDomainsItem An SMB domain. | string | required | — | ✓Yes | iOS (7.0+)macOS (10.9+)visionOS (1.1+)watchOS (10.0+) |
