Page tree
Skip to end of metadata
Go to start of metadata

This page describes the Apple On-Demand VPN policy.

Policy Description

  • This policy is not available by default. If you are interested in applying it to any of your iOS applications, contact Customer Support.
  • This policy only works on devices running iOS 8 or higher.
  • Apps using this policy need to have the Personal VPN entitlement enabled.

The Apple On-Demand VPN policy ensures that an app is used on a secure network by adding a VPN configuration on the device that only that app will use, and then requiring the user to log in to that VPN in order to use the app. When the user closes the app or sends it to the background, the VPN disconnects and the user is not prompted to reconnect until the app is opened again or brought to the foreground.

When you apply this policy to an app, you define the VPN configuration profile for that specific app, and can therefore use different VPN profiles depending on the app. For convenience, you can set up a default VPN configuration on the Policies page so that if you want to use the same VPN configuration profile with multiple apps, you will not need to enter the profile information when you apply this policy to each of those apps.

The first time a user opens an app with this policy applied, the app uses Apple's Personal VPN technology to add a VPN configuration to the device. The user is prompted for permission to add the VPN configuration, as shown in The User Experience below. Once added, the VPN configuration is listed on the Settings->General->VPN page of the device. In the following example, the user has installed two apps with the Apple On-Demand VPN policy (Actions and Directory); each app has a separate Personal VPN configuration listed on the VPN page. When either the Actions or Directory app is in use, the status of that app's Personal VPN changes to Connected. 

Personal VPN Entitlement

There is a way to use this policy even if your app was not not built with the Personal VPN enabled. When you sign the app with Apperian it automatically enables the Personal VPN entitlement in the app as long as you sign it with a distribution provisioning profile that has the Personal VPN entitlement enabled.

Even if an app was built with the Personal VPN entitlement enabled, you must still sign it with a provisioning profile that has the Personal VPN entitlement enabled. This is a standard iOS requirement: apps must be signed with provisioning profiles that have entitlements that match the app, otherwise users will not be able to install the app onto their devices.


 Click here here for more information on enabling the Personal VPN entitlement for a provisioning profile...

An entitlement is a single right granted to an app that gives it additional permissions beyond what it would ordinarily have. There are different terms used to enable entitlements depending on where you are working. When creating an App ID in the Apple Developer Portal, you enable app services to identify the entitlements for the app or apps associated with that App ID. Some app services are enabled by default for an explicit App ID that exactly matches the bundle ID. When you create a distribution provisioning profile, you associate it with an App ID; this is what determines which entitlements (or app services) are enabled for the provisioning profile. For more information on enabling app services when creating an App ID, see Manage App Identifiers.

When the Apple On-Demand VPN policy is applied to an app, it is important that it is signed with a provisioning profile associated with an App ID that has the Personal VPN service enabled. Note that it must be an explicit App ID; Apple does not allow you to enable the Personal VPN service for a wildcard App ID.

For more information on entitlements, see App Extensions and Entitlements.

Back to Top

Policy Options

Modify the default profile or enter a new profile to define the VPN configuration that will be added to the device when a user launches an app with this policy applied. These options can be configured as a preset on the Policies page, or per app on the app's Policies tab.


Profile Name

Enter a name for the VPN configuration profile. This name will display on the Settings->General->VPN page of the device when the VPN configuration is added.

Profile DescriptionEnter a brief description of the VPN profile.
VPN ServerEnter the address of the VPN server. The address can be a numeric IP address or a fully-qualified host name.
Pre-shared KeyEnter the IPsec PSK (shared secret) to be used by IKE during the authentication phase.
Key Id/VPN Group

Enter the IPsec identifier or VPN group name.

IKE VersionSelect the IKE (Internet Key Exchange) version: 1 or 2. IKE version 1 or 2 is the protocol used to set up a security association in the IPsec protocol suite.

Back to Top

The User Experience

If a user attempts to open an app with the Apple On-Demand VPN policy applied on a device running iOS 7, Apperian displays the following message and the app closes:

The first time a user attempts to open an app with the Apple On-Demand VPN policy applied on a device running iOS 8 or higher, the user is prompted to allow the app to add a VPN configuration. If the user taps Don't Allow, the app closes. If the user taps Allow, the user is then prompted to:

  1. (If a passcode is enabled on the device) Enter the device passcode or Touch ID.
  2. Enter valid VPN credentials to authenticate the user. 

Once the user has entered valid VPN credentials and connected to the VPN, the app opens. Adding the VPN configuration occurs the first time the app is opened only. After that, the user is immediately prompted to enter VPN credentials whenever he/she launches the app or brings it to the foreground. 

Back to Top