
iOS Configuration Profile VPN on demand working on iOS8 but not on iOS9 dev beta

I have an iOS Configuration Profile with IPSec VPN configured on it. The OnDemand option works great on iOS8.

When testing the profile on iOS9 (getting it ready for the upcoming release) I have encountered an issue with the OnDemand configuration. It simply does not connect when I try to get to some of the domains in Safari. Connecting to the VPN manually DOES work.

This is the OnDemand part of my mobileconfig:

<key>IPSec</key>
<dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>

    <key>OnDemandEnabled</key>
    <integer>1</integer>

    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>EvaluateConnection</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>duckduckgo.com</string>
                    </array>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                    <key>RequiredURLStringProbe</key>
                    <string>https://vpn.test.mydomain.com</string>
                </dict>
            </array>
        </dict>
    </array>
    ....
    ....

After trying out a lot of configurations for iOS9, I also managed to make the VPN connect OnDemand always, without any action except the profile installation, but that is not the behaviour I was looking for.

This is the configuration for allowing on demand always:

<key>IPSec</key>
<dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>

    <key>OnDemandEnabled</key>
    <integer>1</integer>

    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>duckduckgo.com</string>
                    </array>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                    <key>RequiredURLStringProbe</key>
                    <string>https://vpn.test.mydomain.com</string>
                </dict>
            </array>
        </dict>
    </array>

I think it's because the "connect" value for the "action" key does not check for ActionParameters and just connects to the VPN server automatically.

My hope is that I am missing some small new feature that Apple didn't yet update in their official docs for the configurations.

Any suggestions to fix the profile for iOS9 would be appreciated. Thanks.

iOS 9 and onDemand is broken. What used to work for iOS 8 does NOT work for iOS 9, despite there being no mention of it in the release notes.

I would suggest that you sign up as a developer to get access to 9.1.

After a lot of research I have found a configuration that makes the OnDemand feature work on iOS9. This is the one that works for me:

Pay attention to the RequiredURLStringProbe key. It should be a URL that is inaccessible outside of the VPN network.

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPSec</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>

                <key>OnDemandEnabled</key>
                <integer>1</integer>

                <key>OnDemandRules</key>
                <array>
                    <dict>
                        <key>Action</key>
                        <string>EvaluateConnection</string>
                        <key>ActionParameters</key>
                        <array>
                            <dict>
                                <key>Domains</key>
                                <array>
                                    <string>anyDomainForOnDemand.com</string>
                                </array>
                                <key>DomainAction</key>
                                <string>ConnectIfNeeded</string>
                                <key>RequiredURLStringProbe</key>
                                <string>https://a.url.accecable.only.from.vpn</string>
                            </dict>
                        </array>
                    </dict>
                </array>

....
....
....
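A way to catch the rule mistakes discussed in this thread before a profile is deployed, as an added example that is not part of the original posts: a small Python linter for the `OnDemandRules` of an IPSec payload. The sample profile, the `.example` hostnames and the function name `lint_on_demand` are constructed for illustration, and the findings are warnings based on the thread and on Apple's documented meaning of these keys.

```python
import plistlib

# Constructed sample profile (not from the page): rule 0 repeats the question's
# always-connect pattern, rule 1 is an EvaluateConnection rule with two mistakes.
SAMPLE = b"""<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>IPSec</key><dict>
<key>OnDemandEnabled</key><integer>1</integer>
<key>OnDemandRules</key><array>
 <dict><key>Action</key><string>Connect</string>
  <key>ActionParameters</key><array><dict>
   <key>Domains</key><array><string>duckduckgo.com</string></array>
   <key>DomainAction</key><string>ConnectIfNeeded</string></dict></array></dict>
 <dict><key>Action</key><string>EvaluateConnection</string>
  <key>ActionParameters</key><array><dict>
   <key>Domains</key><array>intranet.example</array>
   <key>DomainAction</key><string>ConnectIfNeeded</string>
   <key>RequiredURLStringProbe</key><string>http://probe.example/</string>
  </dict></array></dict>
</array></dict></dict></array></dict></plist>"""


def lint_on_demand(profile_bytes):
    """Return (rule_index, message) findings for each IPSec payload's OnDemandRules."""
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        vpn = payload.get("IPSec", {})
        if not vpn.get("OnDemandEnabled"):
            continue
        for i, rule in enumerate(vpn.get("OnDemandRules", [])):
            action, params = rule.get("Action"), rule.get("ActionParameters", [])
            if action != "EvaluateConnection":
                if params:  # per-connection parameters are only read by EvaluateConnection
                    findings.append((i, f"ActionParameters ignored by Action={action}"))
                continue
            for p in params:
                probe = p.get("RequiredURLStringProbe")
                if not p.get("Domains"):  # bare text without <string> parses as empty
                    findings.append((i, "Domains is empty"))
                if p.get("DomainAction") != "ConnectIfNeeded":
                    if probe:  # the probe key is only valid with ConnectIfNeeded
                        findings.append((i, "probe set without ConnectIfNeeded"))
                elif not probe:  # the working profile in the answer relies on a probe
                    findings.append((i, "ConnectIfNeeded has no RequiredURLStringProbe"))
                elif not probe.startswith("https://"):  # HTTPS is the preferred scheme
                    findings.append((i, "probe URL is not HTTPS"))
    return findings


if __name__ == "__main__":
    print(*(f"rule {i}: {m}" for i, m in lint_on_demand(SAMPLE)), sep="\n")
```

The linter cannot tell whether the probe URL is really unreachable outside the VPN; that has to be confirmed from a network that is not on the VPN.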
