
Apple VPN Policy

Updated yesterday

The Apple VPN Policy allows administrators to configure and deploy VPN settings to managed macOS, iOS, and iPadOS devices.
A VPN (Virtual Private Network) gives managed endpoints an encrypted tunnel to internal corporate resources and lets the organization control how those endpoints reach the network, including which traffic and which DNS queries go through the tunnel.

This policy is ideal for organizations that require remote access security, Zero Trust enforcement, traffic routing control, or device-based network compliance.


Requirements

  • macOS 10.7+

  • iOS 4.0+

  • iPadOS 13.0+ (iPadOS exists only from version 13; earlier iPads run iOS)


Overview

With the Apple VPN Policy, administrators can preconfigure VPN profiles so users do not need to manually set up VPN settings on their devices.
The policy supports key VPN parameters such as:

  • VPN type

  • DNS settings

  • Proxy configuration

  • Tunnel behavior (e.g., send all traffic over VPN)

Once deployed, the VPN configuration is installed on the device and used whenever the connection is brought up (by the user or by the VPN app), so every managed device connects with the same, centrally defined settings; the policy itself does not keep the tunnel connected.


Configurable Settings

User Defined Name

A custom name for the VPN connection as it appears on the user’s device.

  • Required

  • Example: Company VPN, HQ Gateway


VPN Type

Specifies the type of VPN being configured.

  • Required

  • The selected VPN type determines the required additional fields.

  • If VPN (a custom or third-party VPN app) is selected, VPNSubType must also be provided: the bundle identifier of the VPN app that handles the connection.

Common VPN types include:

  • IKEv2

  • L2TP over IPSec

  • Cisco AnyConnect (via subtype)

  • Custom/third-party VPN apps


DNS Settings

DNS settings control name resolution while the tunnel is up: which resolvers are used, which internal hostnames become reachable by name, and which queries are sent to the VPN's resolvers rather than the device's default resolver (split DNS).

Domain Name

Primary domain name for the VPN tunnel.
Example: corp.company.com


Search Domains

A list of domains the system appends when resolving short hostnames.
Example entries:

  • internal.company.com

  • lab.local

Press Enter to add multiple values.


Server Addresses

The DNS servers used while connected to VPN.

  • Required

  • Accepts IPv4 or IPv6 addresses
    Example: 10.0.0.53, fd00:abcd::1


Supplemental Match Domains

Used to determine which DNS queries are sent to the VPN's DNS servers (ServerAddresses) rather than to the device's default resolver. A query matches when the hostname is in one of these domains, including subdomains, so an entry of dev.company.com also covers a host such as build.dev.company.com.

  • Supports split DNS behavior

  • Allows granular routing of specific internal domains

Example:

  • dev.company.com

  • services.company.com


Append Supplemental Match Domains to Search Domains

If True, domains in SupplementalMatchDomains are added to the search domain list.

  • Default: False


VPN Routing Options

Sending All Traffic Over VPN

Controls whether all IP traffic must pass through the VPN tunnel.

  • True → Full-tunnel VPN: every connection and every DNS query goes through the gateway, so traffic can be inspected and filtered centrally, and the gateway becomes the device's path to the internet.

  • False → Split-tunnel VPN: only traffic destined for internal networks (and, with Supplemental Match Domains, only internal DNS queries) uses the VPN; everything else leaves the device directly.

Full tunnel gives the most visibility and control but adds latency and load on the VPN gateway; split tunnel performs better but leaves non-VPN traffic outside the organization's inspection path. This setting directly shapes both performance and security posture, so choose it deliberately.
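
To make the split-DNS behaviour concrete, here is an added Python model (it is not part of this page, of Swif, or of Apple's software) of how the DNS and routing fields above decide which resolver answers a query. It follows the behaviour described on this page: full tunnel sends every query to ServerAddresses, split tunnel sends only queries for hosts in SupplementalMatchDomains there, and the append switch adds those domains to the search list used for short hostnames. The domain names and resolver addresses are constructed; Apple's exact precedence when SupplementalMatchDomains is empty under split tunnel is not modelled and is treated here, as an assumption, as "system resolver".

```python
from dataclasses import dataclass, field

SYSTEM_RESOLVER = "system-default"   # stands in for the device's normal resolver


@dataclass
class VpnDns:
    """The DNS and routing fields described above (constructed names/addresses)."""
    server_addresses: list[str]                       # ServerAddresses (required)
    search_domains: list[str] = field(default_factory=list)
    supplemental_match_domains: list[str] = field(default_factory=list)
    append_supplemental_to_search: bool = False       # page default
    send_all_traffic: bool = False                    # Send All Traffic Over VPN


def _in_domain(host: str, domain: str) -> bool:
    """Suffix match on label boundaries: 'a.dev.company.com' matches 'dev.company.com',
    but 'dev.company.com.evil.example' and 'xdev.company.com' do not."""
    h, d = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return h == d or h.endswith("." + d)


def effective_search_domains(cfg: VpnDns) -> list[str]:
    """Search list the stub resolver uses; supplemental domains are appended only
    when 'Append Supplemental Match Domains to Search Domains' is True."""
    domains = list(cfg.search_domains)
    if cfg.append_supplemental_to_search:
        domains += [d for d in cfg.supplemental_match_domains if d not in domains]
    return domains


def expand(name: str, cfg: VpnDns) -> list[str]:
    """Candidate FQDNs for a lookup: a single-label name gets each search domain appended."""
    if "." in name.rstrip("."):
        return [name]
    return [f"{name}.{d}" for d in effective_search_domains(cfg)] or [name]


def resolver_for(fqdn: str, cfg: VpnDns):
    """Return the VPN resolvers, or SYSTEM_RESOLVER, for one fully qualified name."""
    if not cfg.server_addresses:
        raise ValueError("ServerAddresses is required")
    if cfg.send_all_traffic:
        # Full tunnel: the tunnel's resolver is primary, so split-DNS rules do not apply.
        return list(cfg.server_addresses)
    if any(_in_domain(fqdn, d) for d in cfg.supplemental_match_domains):
        return list(cfg.server_addresses)
    # Split tunnel and no match: the query never reaches the VPN resolver. Assumption:
    # this is the 'DNS is not routing through VPN' situation in the troubleshooting section.
    return SYSTEM_RESOLVER


def plan_lookup(name: str, cfg: VpnDns) -> list[tuple[str, object]]:
    """(candidate FQDN, resolver) pairs in the order the stub resolver would try them."""
    return [(fqdn, resolver_for(fqdn, cfg)) for fqdn in expand(name, cfg)]


if __name__ == "__main__":
    # Constructed sample configuration mirroring the examples on this page.
    split = VpnDns(
        server_addresses=["10.0.0.53", "fd00:abcd::1"],
        search_domains=["internal.company.com"],
        supplemental_match_domains=["dev.company.com", "services.company.com"],
        append_supplemental_to_search=True,
    )
    for q in ("build.dev.company.com", "www.example.com", "wiki"):
        print(q, "->", plan_lookup(q, split))
```

The label-boundary check in _in_domain is the part worth copying: a plain substring or endswith test on "dev.company.com" would also send queries for dev.company.com.evil.example to the internal resolver, which is exactly the kind of leak a split-DNS configuration is meant to prevent.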


Proxy Settings

These settings define proxy behavior for devices when connected to the VPN tunnel.

HTTP Proxy

If True, HTTP connections made while the tunnel is up are sent to the configured proxy host and port instead of directly to their destination.

Supported proxy configurations typically include:

  • Proxy host

  • Proxy port

  • Authentication options (varies by VPN type)


HTTPS Proxy

If True, HTTPS connections made while the tunnel is up are sent through the configured proxy. The proxy sees the destination host and port but not the encrypted contents of the session; decrypting that traffic additionally requires an inspection CA that the devices trust.

This setting is used by organizations that enforce:

  • TLS (SSL) inspection

  • Zero-Trust access brokers

  • Secure web gateways


Best Practices

  • Set Send All Traffic Over VPN = True for high-security environments requiring full traffic inspection.

  • Use Supplemental Match Domains for hybrid cloud or split-DNS networks.

  • Combine VPN policies with:

    • Apple Wi-Fi Policy

    • Apple Firewall Policy

    • Apple Security Policy

  • Use descriptive names for easier troubleshooting.

  • Test VPN profiles with a pilot group before broad deployment.


How to Configure

  1. Open the Swif Admin Console

  2. Go to Policies → Create New Policy

  3. Select Apple VPN Policy

  4. Fill in:

    • User Defined Name

    • VPN Type

    • DNS settings

    • Proxy settings (optional)

    • Tunnel configuration

  5. Assign the policy to devices or device groups

  6. Save and apply

Devices will load the VPN configuration during their next MDM sync.
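
The steps above produce, on the device, a configuration profile whose VPN payload uses Apple's documented com.apple.vpn.managed keys. The following Python script is an added example (it is not Swif's code and not Apple's) that builds such a payload from the fields listed on this page, enforces the required-field rules (User Defined Name and VPN Type always; VPNSubType when VPN Type is VPN; DNS ServerAddresses), and serializes the whole profile with plistlib. Hostnames, identifiers, the proxy host and port, and the choice of certificate authentication are constructed placeholders; the identity (certificate) payload a deployable profile would also carry is omitted.

```python
import plistlib
import uuid


def _check_required(name, vpn_type, vpn_subtype, dns):
    """The page's required-field rules, enforced before anything is serialized."""
    if not name or not vpn_type:
        raise ValueError("UserDefinedName and VPNType are required")
    if vpn_type == "VPN" and not vpn_subtype:
        raise ValueError("VPNType 'VPN' requires VPNSubType (the VPN app's bundle identifier)")
    if not dns.get("ServerAddresses"):
        raise ValueError("DNS.ServerAddresses is required")


def proxy_settings(host, port, *, http=True, https=True):
    """Proxies dictionary; the http/https flags correspond to the HTTP Proxy and
    HTTPS Proxy switches. Using one host and port for both is a constructed choice."""
    p = {}
    if http:
        p.update({"HTTPEnable": 1, "HTTPProxy": host, "HTTPPort": port})
    if https:
        p.update({"HTTPSEnable": 1, "HTTPSProxy": host, "HTTPSPort": port})
    return p


def vpn_payload(name, vpn_type, remote_address, dns, *, vpn_subtype=None,
                local_identifier=None, send_all_traffic=False, proxies=None):
    """One com.apple.vpn.managed payload. Only IKEv2 and app-based 'VPN' are covered."""
    _check_required(name, vpn_type, vpn_subtype, dns)
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn." + name.lower().replace(" ", "-"),  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": vpn_type,
        "DNS": dns,
        # IPv4.OverridePrimary is the profile key behind 'Send All Traffic Over VPN'.
        "IPv4": {"OverridePrimary": 1 if send_all_traffic else 0},
    }
    if vpn_type == "IKEv2":
        payload["IKEv2"] = {
            "RemoteAddress": remote_address,
            "RemoteIdentifier": remote_address,
            "LocalIdentifier": local_identifier or "",
            "AuthenticationMethod": "Certificate",
            # A deployable profile also needs PayloadCertificateUUID pointing at an
            # identity payload in the same profile; that payload is out of scope here.
        }
    elif vpn_type == "VPN":
        payload["VPNSubType"] = vpn_subtype
        payload["VPN"] = {"RemoteAddress": remote_address, "AuthenticationMethod": "Certificate"}
    else:
        raise ValueError(f"VPNType {vpn_type!r} is not handled by this example")
    if proxies:
        payload["Proxies"] = proxies
    return payload


def mobileconfig(display_name, *payloads):
    """Wrap payloads in a top-level configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.vpn",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Constructed sample mirroring the DNS examples on this page.
    dns = {
        "ServerAddresses": ["10.0.0.53", "fd00:abcd::1"],
        "SearchDomains": ["internal.company.com"],
        "SupplementalMatchDomains": ["dev.company.com", "services.company.com"],
    }
    payload = vpn_payload("Company VPN", "IKEv2", "vpn.company.com", dns,
                          local_identifier="client.company.com", send_all_traffic=True,
                          proxies=proxy_settings("proxy.company.com", 8080))
    print(mobileconfig("Company VPN", payload).decode())
```

Running the script prints the .mobileconfig XML; comparing it with what the device actually received (for example after an MDM sync) is a quick way to confirm that the console pushed the fields you expect, in particular OverridePrimary and SupplementalMatchDomains.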


Troubleshooting

VPN is not appearing on the device

  • Ensure all required fields are filled

  • Confirm the device meets OS version requirements

  • Trigger an MDM sync (or reboot the device) to force the profile to be reinstalled; on macOS, scutil --nc list shows the VPN configurations the system currently knows about

DNS is not routing through VPN

  • Verify ServerAddresses is populated

  • Confirm SupplementalMatchDomains is configured correctly

  • Remember that split DNS only applies in split-tunnel mode: with Send All Traffic Over VPN = False, only queries for hosts in SupplementalMatchDomains go to the VPN resolvers and all other queries use the device's default resolver by design. With Send All Traffic Over VPN = True, the VPN resolvers become the primary resolver and every query goes through the tunnel.

Proxy is not taking effect

  • Ensure proxy settings are supported by the selected VPN type

  • Confirm that VPN client apps (if third-party) support MDM-configured proxy values
