Explore the full catalogue of Apple Mobile Device Management (MDM) and Declarative Device Management (DDM) policies for macOS and iOS. Use the interactive explorer to search, filter, and reference policy keys for use with Microsoft Intune, Jamf, or any standards-compliant MDM solution.
The payload that configures per-app VPN settings.
| Setting | Type | Required | Default | Manual Install | Supported OS |
|---|---|---|---|---|---|
AppLayerVPNMapping AppLayerVPNMapping The array of VPN mapping dictionaries. 1 subkey | array | required | — | ✓Yes | macOS (10.9+) |
└─ AppLayerVPNMappingItem AppLayerVPNMappingItem A dictionary defining a per-app VPN relationship. 6 subkeys | dictionary | — | ✓Yes | macOS (10.9+) | |
└─ └─ Identifier Identifier The bundle identifier of the app using the per-app VPN. | string | required | — | ✓Yes | macOS (10.9+) |
└─ └─ VPNUUID VPNUUID The identifier of the per-app VPN payload, which defines the per-app VPN that the app uses. See the `VPNUUID` key of the `AppLayerVPN` payload. | string | required | — | ✓Yes | macOS (10.9+) |
└─ └─ DesignatedRequirement DesignatedRequirement The code signature designated requirement of the app using the per-app VPN. | string | required | — | ✓Yes | macOS (10.10+) |
└─ └─ SigningIdentifier SigningIdentifier The code signature signing identifier of the app using the per-app VPN. | string | required | — | ✓Yes | macOS (10.10+) |
└─ └─ Path Path The file-system path of the executable using the per-app VPN. | string | optional | — | ✓Yes | macOS (10.15+) |
└─ └─ MatchTools MatchTools An array of dictionaries. Each dictionary specifies a per-app VPN rule. Use this property to restrict this per-app VPN rule to only match the app's spawned _helper tool_ network traffic.
For example, to match network traffic that the `curl` command generates when run from the Terminal.app, create an app mapping payload for Terminal.app and set the payload's `MatchTools` key to an array that contains a dictionary that matches the `curl` command-line tool.
If you don't specify the `MatchTools` key, this per-app VPN rule matches all network traffic that the matching app and its spawned helper tools generate. 1 subkey | array | optional | — | ✓Yes | macOS (10.15.4+) |
└─ └─ └─ MatchToolsItem MatchToolsItem Specifies a per-app VPN rule to match network traffic that the app's spawned command-line tool generates. 3 subkeys | dictionary | — | ✓Yes | macOS (10.9+) | |
└─ └─ └─ └─ [Structure continues recursively] ↻ This structure continues with 3 subkeys (deeply nested - 3 subkeys). See Apple's documentation for the complete structure. | — | ✓Yes | macOS (10.9+) |
