Chapter 4 Infrastructure and integration 38
• ASA Address Mask: Make sure all device address pool masks are either not set, or set to 255.255.255.255. For example:
asa(config-webvpn)# ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
If you use the recommended address mask, some routes assumed by the VPN configuration might be ignored. To avoid this, make sure your routing table contains all necessary routes and make sure the subnet addresses are accessible before deployment.
• Application Version: The client software version is sent to the server, letting the server accept or reject connections based on the device’s software version.
• Banner: The banner (if configured on the server) is displayed on the device and the user must accept it or disconnect.
• Split Tunnel: Supported.
• Split DNS: Supported.
• Default Domain: Supported.
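The ASA Address Mask item above describes a configuration rule that is easy to check mechanically before deployment. The following Python script is an added example, not code from the page or from Apple or Cisco: it parses `ip local pool` lines from an ASA running configuration and flags pools whose mask is set to anything other than 255.255.255.255. The configuration text and pool names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ASA configuration lines (not from the page). The first
# pool follows the recommendation, the second sets no mask (also acceptable),
# the third carries a subnet mask that the guidance says to avoid.
SAMPLE_CONFIG = """\
ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
ip local pool contractors 10.0.1.1-10.0.1.50
ip local pool legacy_pool 10.0.2.1-10.0.2.254 mask 255.255.255.0
"""

RECOMMENDED_MASK = "255.255.255.255"

# Matches "ip local pool <name> <start>-<end> [mask <mask>]"
POOL_RE = re.compile(
    r"^\s*ip local pool\s+(?P<name>\S+)\s+(?P<start>[\d.]+)-(?P<end>[\d.]+)"
    r"(?:\s+mask\s+(?P<mask>[\d.]+))?\s*$"
)


@dataclass
class PoolFinding:
    name: str
    mask: Optional[str]  # None when the pool line sets no mask at all
    compliant: bool


def audit_pools(config_text: str) -> List[PoolFinding]:
    """Return one finding per 'ip local pool' line; non-pool lines are skipped."""
    findings = []
    for line in config_text.splitlines():
        m = POOL_RE.match(line)
        if not m:
            continue
        mask = m.group("mask")
        # Either no mask or a /32 host mask satisfies the recommendation.
        compliant = mask is None or mask == RECOMMENDED_MASK
        findings.append(PoolFinding(m.group("name"), mask, compliant))
    return findings


def noncompliant_pools(config_text: str) -> List[str]:
    """Names of pools that need their mask removed or set to 255.255.255.255."""
    return [f.name for f in audit_pools(config_text) if not f.compliant]


if __name__ == "__main__":
    for f in audit_pools(SAMPLE_CONFIG):
        status = "ok" if f.compliant else "FIX: set mask 255.255.255.255 or remove it"
        print(f"{f.name:15} mask={(f.mask or '(not set)'):17} {status}")
```

Run it against `show running-config` output saved to a file; a pool reported as non-compliant is one where the device-side subnet mask may cause the routing side effect the page describes.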
Per App VPN
With iOS and OS X, VPN connections can be established on a per-app basis. This provides more granular control over what data goes through VPN. With device-wide VPN, all data travels through the private network regardless of its origin. This ability to segregate traffic at the app level allows the separation of personal data and organizational data. As more and more personally owned devices are being used within organizations, Per App VPN provides secure networking for internal-use apps, while preserving the privacy of personal device activity.
Per App VPN lets each app that’s managed by MDM communicate with the private network using a secure tunnel, while excluding other non-managed apps on the Apple devices from using the private network. Managed apps can be configured with different VPN connections to further safeguard data. For example, a sales quote app could use an entirely different data center than an accounts payable app, while the user’s personal web browsing traffic uses the public Internet. This ability to segregate traffic at the app layer provides separation of personal data and data belonging to the organization.
In order to use Per App VPN, an app must be managed by MDM and use standard networking APIs. After enabling Per App VPN for any VPN connection, you need to associate that connection with the apps that will use it to secure the network traffic for those apps. This is done with the App-to-Per App VPN mapping payload in a configuration profile. Per App VPN is configured with an MDM configuration that specifies which apps and Safari domains are allowed to use the settings.
For information about Per App VPN support, contact third-party SSL or VPN vendors.
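The two paragraphs above describe the profile structure: a Per App VPN payload per tunnel, and a separate App-to-Per App VPN mapping payload that ties managed apps to a tunnel by VPN UUID. The Python below is an added example, not Apple's code or a profile from the page: it builds that structure with plistlib for the sales-quote and accounts-payable scenario from the text, and then checks for mappings that reference a VPN UUID no payload in the profile defines (such an app would be mapped to nothing). Payload types `com.apple.vpn.managed.applayer` and `com.apple.vpn.managed.appmapping` and the keys `VPNUUID`, `SafariDomains` and `AppLayerVPNMapping` are taken from Apple's Configuration Profile Reference as I recall it and should be verified against the current documentation; the UUIDs, bundle identifiers, hostnames and the `VPNSubType` vendor string are constructed for the example.

```python
import plistlib
import uuid
from typing import Dict, List

# Constructed, fixed UUIDs so the example is reproducible (not from the page).
SALES_VPN_UUID = "11111111-2222-4333-8444-555555555555"
AP_VPN_UUID = "66666666-7777-4888-9999-000000000000"


def per_app_vpn_payload(vpn_uuid: str, name: str, remote: str,
                        safari_domains: List[str]) -> Dict:
    """Per App VPN payload for one tunnel (PayloadType assumed from Apple's
    Configuration Profile Reference). VPNUUID is what the mapping payload
    refers to; SafariDomains lists the domains Safari may route through it."""
    return {
        "PayloadType": "com.apple.vpn.managed.applayer",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.perappvpn.{vpn_uuid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNUUID": vpn_uuid,
        "SafariDomains": safari_domains,
        "VPNType": "VPN",                       # third-party SSL VPN client
        "VPNSubType": "com.example.vpnclient",  # constructed vendor client id
        "VPN": {"RemoteAddress": remote,
                "AuthenticationMethod": "Certificate"},
    }


def app_mapping_payload(mappings: Dict[str, str]) -> Dict:
    """App-to-Per App VPN mapping payload.
    mappings: managed app bundle identifier -> VPNUUID of its tunnel."""
    return {
        "PayloadType": "com.apple.vpn.managed.appmapping",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.perappvpn.mapping",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "AppLayerVPNMapping": [
            {"Identifier": bundle_id, "VPNUUID": vpn_uuid}
            for bundle_id, vpn_uuid in mappings.items()
        ],
    }


def build_profile(payloads: List[Dict]) -> bytes:
    """Wrap the payloads in a top-level configuration profile and serialize it."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.perappvpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Per App VPN (example)",
        "PayloadContent": payloads,
    })


def dangling_mappings(profile_bytes: bytes) -> List[str]:
    """Bundle IDs mapped to a VPNUUID that no Per App VPN payload in the
    profile defines. Those apps would not get the tunnel the admin intended."""
    profile = plistlib.loads(profile_bytes)
    content = profile["PayloadContent"]
    defined = {p["VPNUUID"] for p in content
               if p["PayloadType"] == "com.apple.vpn.managed.applayer"}
    missing = []
    for p in content:
        if p["PayloadType"] != "com.apple.vpn.managed.appmapping":
            continue
        for entry in p["AppLayerVPNMapping"]:
            if entry["VPNUUID"] not in defined:
                missing.append(entry["Identifier"])
    return missing


# Two tunnels to two data centers, as in the page's sales quote / accounts
# payable scenario, plus one deliberately broken mapping to show the check.
EXAMPLE_PROFILE = build_profile([
    per_app_vpn_payload(SALES_VPN_UUID, "Sales DC tunnel",
                        "vpn-sales.example.com", ["quotes.example.com"]),
    per_app_vpn_payload(AP_VPN_UUID, "Finance DC tunnel",
                        "vpn-finance.example.com", ["ap.example.com"]),
    app_mapping_payload({
        "com.example.salesquote": SALES_VPN_UUID,
        "com.example.accountspayable": AP_VPN_UUID,
        "com.example.orphanapp": "DEADBEEF-0000-4000-8000-000000000000",
    }),
])

if __name__ == "__main__":
    print(EXAMPLE_PROFILE.decode())
    print("dangling:", dangling_mappings(EXAMPLE_PROFILE))
```

The check is worth running on any profile an MDM exports, because a mapping to an unknown VPN UUID fails silently on the device side: the app is still managed and still uses standard networking APIs, but its traffic takes the default route rather than the tunnel.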
VPN On Demand
Overview
VPN On Demand lets Apple devices automatically establish a connection without user action. The VPN connection is started on an as-needed basis, based on rules defined in a configuration profile. VPN On Demand requires certificate-based authentication.