Chapter 4 Infrastructure and integration 41
To create a profile that works on both iOS 7 and earlier releases, use the new EvaluateConnection
keys in addition to the OnDemandMatchDomain arrays. Earlier versions of iOS that don’t
recognize EvaluateConnection use the old arrays; iOS 7 or later uses EvaluateConnection.
Old configuration profiles that specify the Allow action should work on iOS 7 or later, with the
exception of OnDemandMatchDomainsAlways domains.
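The VPN payload fragment below is an added example written for this page, not a profile taken from the reference or from Apple. It shows the dual-version layout described above: an OnDemandRules entry whose Action is EvaluateConnection, which iOS 7 or later acts on, followed by an Allow rule and the OnDemandMatchDomainsOnRetry and OnDemandMatchDomainsNever arrays that earlier releases fall back to. The server name, domains, DNS server address and UUIDs are placeholders; the placement of the keys inside the IPSec dictionary, and the choice of OnRetry as the old-style counterpart of ConnectIfNeeded, are the editor's reading of the VPN payload format and should be checked against the target iOS releases.

```xml
<!-- Added example (not from the original document): one VPN payload dictionary
     from the PayloadContent array of a configuration profile. Host names,
     addresses and UUIDs are placeholders. -->
<dict>
  <key>PayloadType</key>
  <string>com.apple.vpn.managed</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.vpn.ondemand</string>
  <key>PayloadUUID</key>
  <string>3B1C0F0E-0000-4000-8000-000000000001</string>
  <key>PayloadDisplayName</key>
  <string>Example VPN On Demand</string>
  <key>UserDefinedName</key>
  <string>Example VPN</string>
  <!-- IPSec (not IKEv2) so that releases before iOS 7 can also use the payload. -->
  <key>VPNType</key>
  <string>IPSec</string>
  <key>IPSec</key>
  <dict>
    <key>RemoteAddress</key>
    <string>vpn.example.com</string>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>PayloadCertificateUUID</key>
    <string>3B1C0F0E-0000-4000-8000-000000000002</string>
    <key>OnDemandEnabled</key>
    <integer>1</integer>
    <key>OnDemandRules</key>
    <array>
      <!-- iOS 7 or later: decide per DNS query. -->
      <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
          <dict>
            <key>Domains</key>
            <array>
              <string>intranet.example.com</string>
            </array>
            <key>DomainAction</key>
            <string>ConnectIfNeeded</string>
            <!-- Bring the tunnel up only when the internal resolver is not
                 reachable, i.e. the device is off the corporate network. -->
            <key>RequiredDNSServers</key>
            <array>
              <string>10.0.0.53</string>
            </array>
          </dict>
          <dict>
            <key>Domains</key>
            <array>
              <string>example.com</string>
            </array>
            <key>DomainAction</key>
            <string>NeverConnect</string>
          </dict>
        </array>
      </dict>
      <!-- Earlier releases do not recognize EvaluateConnection; with this Allow
           rule they use the OnDemandMatchDomains arrays below (editor's reading
           of the compatibility note above). -->
      <dict>
        <key>Action</key>
        <string>Allow</string>
      </dict>
    </array>
    <!-- Old-style arrays, kept consistent with the EvaluateConnection rule.
         OnDemandMatchDomainsAlways is deliberately not used: iOS 7 or later
         does not honor it. -->
    <key>OnDemandMatchDomainsOnRetry</key>
    <array>
      <string>intranet.example.com</string>
    </array>
    <key>OnDemandMatchDomainsNever</key>
    <array>
      <string>example.com</string>
    </array>
  </dict>
</dict>
```

Keep the two halves of the payload in step: every domain listed under ConnectIfNeeded should appear in an old-style array and every NeverConnect domain in OnDemandMatchDomainsNever, otherwise devices on different releases will tunnel different traffic for the same profile.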
Always-on VPN
Overview
Always-on VPN gives your organization full control over device traffic by tunneling all IP traffic
back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with
data encryption. Your organization can then monitor and filter traffic to and from its devices,
secure data within its network, and restrict device access to the Internet.
Always-on VPN activation requires device supervision. Once the Always-on VPN profile is installed
on a device, Always-on VPN automatically activates with no user interaction. Always-on VPN stays
activated (including across reboots) until the Always-on VPN profile is uninstalled.
With Always-on VPN activated on the device, VPN tunnel bring-up and teardown is tied to
the interface IP state. When the interface gains IP network reachability, tunnel establishment is
attempted. When the interface IP state goes down, the tunnel is torn down. Always-on VPN also
supports per-interface tunnels. For iOS devices, there is one tunnel for each active IP interface
(that is, one tunnel for the cellular interface and one tunnel for the Wi-Fi interface). As long as
the VPN tunnel or tunnels are up, all IP traffic is tunneled. All traffic includes all IP-routed traffic
and all IP-scoped traffic (that is, traffic from first-party apps such as FaceTime and Messages).
If the tunnel or tunnels aren’t up, all IP traffic is dropped.
All traffic tunneled from a device will reach a VPN server. You can apply optional filtering and/or
monitoring treatments before forwarding the traffic to its destination within your organization’s
network or the Internet. Similarly, traffic to the device will be routed to your organization’s VPN
server, where filtering and/or monitoring treatments may be applied before being forwarded to
the device.
Deployment scenarios
iOS devices run in single-user mode. There’s no distinction between device identity and user
identity. When an iOS device establishes an IKEv2 tunnel to the IKEv2 server, the server perceives
the iOS device as a single peer entity. Traditionally, there is one tunnel between an iOS
device and a VPN server. Since Always-on VPN introduces per-interface tunnels, there may be
multiple simultaneous tunnels established between a single iOS device and the IKEv2 server,
depending on the deployment model.
Always-on VPN configuration supports the following deployment models, fulfilling different
solution requirements.
Cellular-only devices
If your organization chooses to deploy Always-on VPN on cellular-only iOS devices (Wi-Fi interface
permanently taken out or deactivated), one IKEv2 tunnel is established over the cellular IP
interface between each device and the IKEv2 server. This is the same as the traditional VPN
model. The iOS device acts as one IKEv2 client, with one identity (that is, one client certificate or one
username and password) establishing one IKEv2 tunnel with the IKEv2 server.
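The VPN payload fragment below is an added example written for this page, not a profile from the reference or from Apple. It configures Always-on VPN with a single IKEv2 tunnel configuration bound to both the cellular and the Wi-Fi interface, which is the per-interface model described under Overview (one tunnel per active interface, sharing one identity); the cellular-only model above is the same payload with only Cellular in the Interfaces array. The server name, identifiers, UUIDs, algorithm choices and service exceptions are placeholders chosen by the editor, and the AlwaysOn, TunnelConfigurations, Interfaces, ServiceExceptions and AllowCaptiveWebSheet key names are given from the VPN payload format as the editor understands it; check them against the current configuration profile reference before deployment. The profile must be delivered to a supervised device.

```xml
<!-- Added example (not from the original document): one VPN payload dictionary
     with VPNType AlwaysOn. Host names, identifiers and UUIDs are placeholders. -->
<dict>
  <key>PayloadType</key>
  <string>com.apple.vpn.managed</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.vpn.alwayson</string>
  <key>PayloadUUID</key>
  <string>3B1C0F0E-0000-4000-8000-000000000011</string>
  <key>PayloadDisplayName</key>
  <string>Example Always-on VPN</string>
  <key>UserDefinedName</key>
  <string>Example Always-on VPN</string>
  <key>VPNType</key>
  <string>AlwaysOn</string>
  <key>AlwaysOn</key>
  <dict>
    <!-- The user cannot switch the tunnel off in Settings. -->
    <key>UIToggleEnabled</key>
    <integer>0</integer>
    <!-- One configuration, two interfaces: the device builds one IKEv2 tunnel
         per active interface with the same client certificate. For a
         cellular-only fleet leave only Cellular in the Interfaces array. -->
    <key>TunnelConfigurations</key>
    <array>
      <dict>
        <key>ProtocolType</key>
        <string>IKEv2</string>
        <key>Interfaces</key>
        <array>
          <string>Cellular</string>
          <string>WiFi</string>
        </array>
        <key>RemoteAddress</key>
        <string>vpn.example.com</string>
        <key>RemoteIdentifier</key>
        <string>vpn.example.com</string>
        <key>LocalIdentifier</key>
        <string>device-0001@example.com</string>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <!-- UUID of the PKCS#12 payload carrying the device certificate. -->
        <key>PayloadCertificateUUID</key>
        <string>3B1C0F0E-0000-4000-8000-000000000012</string>
        <!-- Pin the server certificate to the organization's VPN CA. -->
        <key>ServerCertificateIssuerCommonName</key>
        <string>Example Corp VPN CA</string>
        <key>IKESecurityAssociationParameters</key>
        <dict>
          <key>EncryptionAlgorithm</key>
          <string>AES-256</string>
          <key>IntegrityAlgorithm</key>
          <string>SHA2-256</string>
          <key>DiffieHellmanGroup</key>
          <integer>14</integer>
          <key>LifeTimeInMinutes</key>
          <integer>1440</integer>
        </dict>
        <key>DeadPeerDetectionRate</key>
        <string>Medium</string>
      </dict>
    </array>
    <!-- Traffic for listed services bypasses the tunnel (Allow) or is
         dropped (Drop). Voicemail must reach the carrier directly. -->
    <key>ServiceExceptions</key>
    <array>
      <dict>
        <key>ServiceName</key>
        <string>VoiceMail</string>
        <key>Action</key>
        <string>Allow</string>
      </dict>
      <dict>
        <key>ServiceName</key>
        <string>AirPrint</string>
        <key>Action</key>
        <string>Drop</string>
      </dict>
    </array>
    <!-- Because all IP traffic is dropped while the tunnels are down, a
         captive-portal network could never be joined; this lets the sign-in
         sheet through. -->
    <key>AllowCaptiveWebSheet</key>
    <true/>
  </dict>
</dict>
```

On the server side, expect two IKEv2 security associations from the same client identity whenever both interfaces have IP reachability, and make sure the authentication backend does not treat the second SA as a duplicate login and tear the first one down.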