Explore the full catalogue of Apple Mobile Device Management (MDM) and Declarative Device Management (DDM) policies for macOS and iOS. Use the interactive explorer to search, filter, and reference policy keys for use with Microsoft Intune, Jamf, or any standards-compliant MDM solution.
The payload that configures a per-app VPN.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
| `VPNUUID`: A globally unique identifier for this VPN configuration. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `CellularSliceUUID` (Cellular Slice UUID): A string representing the data network name (DNN) or app category identifying a Cellular Slice. The device forces the VPN tunnel to use the specified Cellular Slice. | string | optional | — | Yes | iOS (18.0+) |
| `SafariDomains`: An array with entries that must each specify a domain that triggers the VPN connection in Safari. Each entry is in the format `www.apple.com`. 1 subkey. | array | optional | — | No | |
| └─ `SafariDomainsItem`: A domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `MailDomains`: Deprecated (iOS 13.4). An array with entries that must each specify a domain that triggers this VPN connection in Mail. Each entry is in the format `www.apple.com`. This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `Mail` or `ExchangeActiveSync` payload instead. 1 subkey. | array | optional | — | Yes | iOS (13.0 - 13.4), macOS (10.15+) |
| └─ `MailDomainsItem`: A domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `CalendarDomains`: Deprecated (iOS 13.4). An array with entries that must each specify a domain that triggers this VPN connection in Calendar. Each entry is in the format `www.apple.com`. This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `CalDAV` payload instead. 1 subkey. | array | optional | — | Yes | iOS (13.0 - 13.4), macOS (10.15+) |
| └─ `CalendarDomainsItem`: A domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `ContactsDomains`: Deprecated (iOS 13.4). An array with entries that must each specify a domain that triggers this VPN connection in Contacts. Each entry is in the format `www.apple.com`. This property is deprecated in iOS 13.4 and later; use the `VPNUUID` property of the `CardDAV` payload instead. 1 subkey. | array | optional | — | Yes | iOS (13.0 - 13.4), macOS (10.15+) |
| └─ `ContactsDomainsItem`: A domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `AssociatedDomains`: An array with entries that must each specify a domain that triggers this VPN. The domains must also be part of the `apple-app-site-association` file, as described in `Supporting associated domains`. Available in iOS 14 and later, and macOS 11 and later. 1 subkey. | array | optional | — | Yes | iOS (14.0+), macOS (11.0+) |
| └─ `AssociatedDomainsItem`: A domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `ExcludedDomains`: An array with entries that each specify a domain that doesn't trigger this VPN for connections to the domain. Available in iOS 14 and later, and macOS 11 and later. 1 subkey. | array | optional | — | Yes | iOS (14.0+), macOS (11.0+) |
| └─ `ExcludedDomainsItem`: A domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `OnDemandMatchAppEnabled`: If `true`, automatically connects the VPN when associated apps for this per-app VPN service initiate network communication. Otherwise, the user must initiate the connection manually before those apps can initiate network communication. If this key isn't present, the value of the `OnDemandEnabled` key determines the status of per-app VPN On Demand. | boolean | optional | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |
| `SMBDomains`: An array of SMB domains that are accessible through this VPN connection. Available in iOS 13 and later. 1 subkey. | array | optional | — | Yes | iOS (13.0+) |
| └─ `SMBDomainsItem`: An SMB domain. | string | required | — | Yes | iOS (7.0+), macOS (10.9+), visionOS (1.1+), watchOS (10.0+) |