Tags: ios, vpn, ios9, ondemand, configuration-profile

iOS Configuration Profile VPN on demand working on iOS8 but not on iOS9 dev beta


I have an iOS Configuration Profile with IPSec VPN configured on it. The OnDemand option works great on iOS8.

When testing the profile on iOS9 (getting it ready for the upcoming release) I have encountered an issue with the OnDemand configuration. It simply does not connect when I try to reach some of the domains in Safari. Connecting to the VPN manually DOES work.

This is the OnDemand part of my mobileconfig:

    <key>IPSec</key>
    <dict>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <!-- other IPSec keys elided -->
    </dict>

    <!-- the On Demand keys sit at the VPN payload level, next to the IPSec dict -->
    <key>OnDemandEnabled</key>
    <integer>1</integer>

    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>EvaluateConnection</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>duckduckgo.com</string>
                    </array>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                    <key>RequiredURLStringProbe</key>
                    <string>https://vpn.test.mydomain.com</string>
                </dict>
            </array>
        </dict>
    </array>
    ....
    ....

After trying out a lot of configurations for iOS9, I also managed to make the VPN connect on demand always, without any action other than installing the profile, but that is not the behaviour I was looking for.

This is the configuration that connects on demand always:

    <key>IPSec</key>
    <dict>
        <key>AuthenticationMethod</key>
        <string>Certificate</string>
        <!-- other IPSec keys elided -->
    </dict>

    <key>OnDemandEnabled</key>
    <integer>1</integer>

    <key>OnDemandRules</key>
    <array>
        <dict>
            <key>Action</key>
            <string>Connect</string>
            <key>ActionParameters</key>
            <array>
                <dict>
                    <key>Domains</key>
                    <array>
                        <string>duckduckgo.com</string>
                    </array>
                    <key>DomainAction</key>
                    <string>ConnectIfNeeded</string>
                    <key>RequiredURLStringProbe</key>
                    <string>https://vpn.test.mydomain.com</string>
                </dict>
            </array>
        </dict>
    </array>

I think it's because the "Connect" value for the "Action" key does not check ActionParameters and just connects to the VPN server automatically.

My hope is that I am missing some small new feature that Apple hasn't yet added to the official configuration profile docs.

Any suggestions to fix the profile for iOS9 would be appreciated. Thanks.


Solution

  • After a lot of research I have found a configuration that makes the on demand feature work on iOS9. This is the one that works for me:

    Pay attention to the RequiredURLStringProbe key. It should be a URL that is inaccessible outside of the VPN network.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>IPSec</key>
                <dict>
                    <key>AuthenticationMethod</key>
                    <string>Certificate</string>
                    <!-- other IPSec keys elided -->
                </dict>

                <!-- On Demand keys at the VPN payload level, beside the IPSec dict -->
                <key>OnDemandEnabled</key>
                <integer>1</integer>

                <key>OnDemandRules</key>
                <array>
                    <dict>
                        <key>Action</key>
                        <string>EvaluateConnection</string>
                        <key>ActionParameters</key>
                        <array>
                            <dict>
                                <key>Domains</key>
                                <array>
                                    <string>anyDomainForOnDemand.com</string>
                                </array>
                                <key>DomainAction</key>
                                <string>ConnectIfNeeded</string>
                                <key>RequiredURLStringProbe</key>
                                <string>https://a.url.accessible.only.from.vpn</string>
                            </dict>
                        </array>
                    </dict>
                </array>

    ....
    ....
    ....
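The two points the thread turns on, that a Connect action ignores ActionParameters (so per-domain behaviour needs EvaluateConnection) and that RequiredURLStringProbe must point at something reachable only through the tunnel, are easy to get wrong by hand in a plist. The following linter is an added example, not code from the question, the answer or Apple; it builds a minimal certificate-based IPSec VPN payload with plistlib, then checks the On Demand section for those mistakes and for a malformed file (for instance a stray `<` inside a `<string>`). The hostnames `vpn.example.com` and `probe.intranet.example.com` are placeholders, and the rule that a probe over plain http is weak is the editor's reasoning: anything on the local network can answer an http probe and thereby keep the VPN down.

```python
"""Lint the On Demand section of an iOS VPN .mobileconfig (added example)."""
import plistlib
from urllib.parse import urlparse

VALID_ACTIONS = {"Connect", "Disconnect", "Ignore", "EvaluateConnection"}
VALID_DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}

# Placeholder hosts (assumed), not the asker's infrastructure.
VPN_SERVER = "vpn.example.com"
INTERNAL_PROBE = "https://probe.intranet.example.com/alive"  # resolvable only over the tunnel


def build_profile(rules: list) -> bytes:
    """Serialise a minimal com.apple.vpn.managed profile carrying the given OnDemandRules."""
    vpn_payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ondemand",
        "PayloadUUID": "6F8B3C2A-0000-4000-8000-000000000001",  # placeholder
        "PayloadDisplayName": "Example VPN",
        "UserDefinedName": "Example VPN",
        "VPNType": "IPSec",
        "IPSec": {"RemoteAddress": VPN_SERVER, "AuthenticationMethod": "Certificate"},
        # On Demand keys belong here, beside IPSec, not inside it.
        "OnDemandEnabled": 1,
        "OnDemandRules": rules,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.vpn",
        "PayloadUUID": "6F8B3C2A-0000-4000-8000-000000000002",  # placeholder
        "PayloadDisplayName": "Example VPN profile",
        "PayloadContent": [vpn_payload],
    }
    return plistlib.dumps(profile)


def _lint_action_parameters(tag: str, p: dict, remote: str) -> list:
    out = []
    domains = p.get("Domains")
    if not (isinstance(domains, list) and domains and all(isinstance(d, str) for d in domains)):
        out.append(f"{tag}: Domains must be a non-empty array of strings")
    if p.get("DomainAction") not in VALID_DOMAIN_ACTIONS:
        out.append(f"{tag}: DomainAction must be ConnectIfNeeded or NeverConnect")
    probe = p.get("RequiredURLStringProbe")
    if probe is not None:
        u = urlparse(probe)
        if u.scheme != "https" or not u.hostname:
            # A plaintext probe can be answered by anyone on the local network, which
            # makes the probe succeed and suppresses the VPN.
            out.append(f"{tag}: RequiredURLStringProbe should be an https URL, got {probe!r}")
        elif u.hostname == remote:
            out.append(f"{tag}: probe targets the VPN gateway itself, which is reachable without the tunnel")
    return out


def lint_vpn_payload(payload: dict) -> list:
    findings = []
    ipsec = payload.get("IPSec", {})
    remote = ipsec.get("RemoteAddress", "")
    for key in ("OnDemandEnabled", "OnDemandRules"):
        if key in ipsec:
            findings.append(f"{key} is nested inside IPSec; it belongs at the payload level")
    if payload.get("OnDemandEnabled") != 1:
        findings.append("OnDemandEnabled is not 1; the rules are never evaluated")
    rules = payload.get("OnDemandRules") or []
    if not rules:
        findings.append("OnDemandRules is missing or empty")
    for i, rule in enumerate(rules):
        action = rule.get("Action")
        params = rule.get("ActionParameters")
        if action not in VALID_ACTIONS:
            findings.append(f"rule {i}: unknown Action {action!r}")
        elif action == "Connect" and params:
            findings.append(f"rule {i}: Connect ignores ActionParameters and dials whenever the rule "
                            "matches; use EvaluateConnection for per-domain behaviour")
        elif action == "EvaluateConnection":
            if not params:
                findings.append(f"rule {i}: EvaluateConnection needs ActionParameters")
            for j, p in enumerate(params or []):
                findings += _lint_action_parameters(f"rule {i} parameters {j}", p, remote)
    return findings


def lint_mobileconfig(data: bytes) -> list:
    """Parse a .mobileconfig and lint every VPN payload in it."""
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML, e.g. '<</string>', ends up here
        return [f"profile does not parse: {exc}"]
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.vpn.managed"]
    findings = [] if payloads else ["no com.apple.vpn.managed payload found"]
    for p in payloads:
        findings += lint_vpn_payload(p)
    return findings


# Constructed samples: the shape of the question's second attempt, and the answer's shape.
BROKEN_RULES = [
    {"Action": "Connect",
     "ActionParameters": [{"Domains": ["duckduckgo.com"], "DomainAction": "ConnectIfNeeded",
                           "RequiredURLStringProbe": INTERNAL_PROBE}]},
    {"Action": "EvaluateConnection",
     "ActionParameters": [{"Domains": ["duckduckgo.com"], "DomainAction": "ConnectIfNeeded",
                           "RequiredURLStringProbe": "http://" + VPN_SERVER + "/"}]},
]
WORKING_RULES = [
    {"Action": "EvaluateConnection",
     "ActionParameters": [{"Domains": ["duckduckgo.com"], "DomainAction": "ConnectIfNeeded",
                           "RequiredURLStringProbe": INTERNAL_PROBE}]},
]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("working", WORKING_RULES)):
        print(name, lint_mobileconfig(build_profile(rules)) or "OK")
```

Run it against a real profile with `lint_mobileconfig(open("vpn.mobileconfig", "rb").read())`; an empty list means the On Demand section has the shape the answer describes.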