Reply To: Locking down iOS to prevent DNS changes
@hamoars
You should be able to see a way to add a VPN configuration within Apple Configurator 2. The trick is creating the VPN in Digital Ocean or something like that and then figuring out what the correct values are that you need to enter into the .mobileconfig file. I had to create the file within Apple Configurator 2 and then edit the file manually within a text editor if I am not mistaken. You can see a sample of my code below. I tried to remove any passwords or unique identifiers within it. This VPN is no longer active however, so there is nothing to connect to. Note that you will need to add the configuration for both the cellular and WiFi connections. You will also need to make sure you have added your certificates to the profile. This might have been the manual copy and paste step that I had to do. Even having the right encryption methods selected is important. This is super finicky, and even once I had it connected right, I would have intermittent connection issues and problems with the Apple Watch. I hope this helps!
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ConsentText</key>
  <dict>
    <key>default</key>
    <string>Lock and load!</string>
  </dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AlwaysOn</key>
      <dict>
        <key>AllowAllCaptiveNetworkPlugins</key>
        <true/>
        <key>AllowCaptiveWebSheet</key>
        <true/>
        <key>AllowedCaptiveNetworkPlugins</key>
        <array/>
        <key>ServiceExceptions</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Allow</string>
            <key>ServiceName</key>
            <string>CellularServices</string>
          </dict>
          <dict>
            <key>Action</key>
            <string>Allow</string>
            <key>ServiceName</key>
            <string>VoiceMail</string>
          </dict>
          <dict>
            <key>Action</key>
            <string>Allow</string>
            <key>ServiceName</key>
            <string>AirPrint</string>
          </dict>
        </array>
        <key>TunnelConfigurations</key>
        <array>
          <dict>
            <key>AuthenticationMethod</key>
            <string>Certificate</string>
            <key>CertificateType</key>
            <string>ECDSA384</string>
            <key>ChildSecurityAssociationParameters</key>
            <dict>
              <key>DiffieHellmanGroup</key>
              <integer>20</integer>
              <key>EncryptionAlgorithm</key>
              <string>AES-256-GCM</string>
              <key>IntegrityAlgorithm</key>
              <string>SHA2-512</string>
              <key>LifeTimeInMinutes</key>
              <integer>1440</integer>
            </dict>
            <key>DeadPeerDetectionRate</key>
            <string>Medium</string>
            <key>DisableMOBIKE</key>
            <integer>0</integer>
            <key>DisableRedirect</key>
            <false/>
            <key>EnableCertificateRevocationCheck</key>
            <integer>0</integer>
            <key>EnableFallback</key>
            <integer>0</integer>
            <key>EnablePFS</key>
            <false/>
            <key>IKESecurityAssociationParameters</key>
            <dict>
              <key>DiffieHellmanGroup</key>
              <integer>20</integer>
              <key>EncryptionAlgorithm</key>
              <string>AES-256-GCM</string>
              <key>IntegrityAlgorithm</key>
              <string>SHA2-512</string>
              <key>LifeTimeInMinutes</key>
              <integer>1440</integer>
            </dict>
            <key>Interfaces</key>
            <array>
              <string>Cellular</string>
              <string>WiFi</string>
            </array>
            <key>LocalIdentifier</key>
            <string>phone@067be78f-ec27-5a65-bc67-7656c33762b7.algo</string>
            <key>NATKeepAliveInterval</key>
            <integer>110</integer>
            <key>NATKeepAliveOffloadEnable</key>
            <false/>
            <key>PayloadCertificateUUID</key>
            <string>934D5FC7-517C-502B-A34F-F6A54C14903E</string>
            <key>ProtocolType</key>
            <string>IKEv2</string>
            <key>RemoteAddress</key>
            <string>123.125.15.56</string>
            <key>RemoteIdentifier</key>
            <string>123.125.15.56</string>
            <key>ServerCertificateIssuerCommonName</key>
            <string>123.125.15.56</string>
            <key>UseConfigurationAttributeInternalIPSubnet</key>
            <integer>0</integer>
          </dict>
        </array>
      </dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.B4147587-50D8-46CE-B105-36EAB71460AC</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>B4147953-50D8-46CE-B890-36EAB71432AC</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>AlgoVPN algo IKEv2</string>
      <key>VPNType</key>
      <string>AlwaysOn</string>
      <key>VendorConfig</key>
      <dict/>
    </dict>
    <dict>
      <key>Password</key>
      <string>123Password</string>
      <key>PayloadCertificateFileName</key>
      <string>phone.p12</string>
      <key>PayloadContent</key>
      <data>
      mF6GxlzFctf537
      ZdkQz06OWwIwBp0rP3Mp0LbiXfpThGqWFl+/l8l7LfKk7t2cgBb
      d5C98kxHt4iI8n/23487502394780394875034298S2rO/XHtHC
      eU9oIrIBjLKNFj2h6O/SN10mxP0rhbylFAz0uAcicu+GgfQtSLhH
      NXx1gTA8F2j0eV4566754674567645745674565vunb5hci5j1SB
      iXeovfLzk0k0pw7TDI5WAS6DrwZuxNXrSQj6NKIcpAe5x/3+BLNL
      eU7ql7IK+xwT6N
      </data>
      <key>PayloadDescription</key>
      <string>Adds a PKCS#12-formatted certificate</string>
      <key>PayloadDisplayName</key>
      <string>algo</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.pkcs12.434D5FA7-516C-672B-A74F-F6A32C14903E</string>
      <key>PayloadType</key>
      <string>com.apple.security.pkcs12</string>
      <key>PayloadUUID</key>
      <string>934D5FA7-516C-592B-A74F-F6A34C14678E</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
    <dict>
      <key>PayloadCertificateFileName</key>
      <string>ca.crt</string>
      <key>PayloadContent</key>
      <data>
      MkpsTWpKbUxXVmpNamN0TldFNE9DMWlZelkzCkxUYzJORFJqTXpN
      M05qSmlOeTVoYkdkdk1DdUJLVEEyTjJKbE1qSm1MV1ZqTWpjdE5X
      RTRPQzFpWXpZM0xUYzIKTkRS234324234234234234JHZHZNQ0tI
      SUNZRXFJUUFBZ0RRQUFBQUFDRzZJQUgvLy8vLy8vLy8vLy8vLy8v
      LwovLy8vTUFzR0Ex12341234123412343434CZ2dxaGtqT1BRUURB
      Z05vQURCbEFqQW56UXk0Z0xlQ2xqOUF0cUo4CmYwV29xUjFubnFR
      VmxHZTF6dUhEUXNFSWc2S2lCRjhkRTBsMHdZSTdWeVAyQ1RzQ01R
      Q0hNQmRTS02342342341gvdldBSXFLRXFpbzR3
      OEh6a3Y2eW9PUUZVSnhBc2grNXRSQUp4V0N3PQotLS0tLUVORCBD
      RVJUSUZJQ234234234234
      </data>
      <key>PayloadDescription</key>
      <string>Adds a CA root certificate</string>
      <key>PayloadDisplayName</key>
      <string>algo</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.security.root.E82D1123-2334-5FA1-BD5D-123750EC575A</string>
      <key>PayloadType</key>
      <string>com.apple.security.root</string>
      <key>PayloadUUID</key>
      <string>E82D1BE4-1234-5FA1-BD5D-123750EC575A</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>iPhone 6s Profile</string>
  <key>PayloadIdentifier</key>
  <string>mac15917.123B8D1B-A29C-48F6-AFA8-123F56AB9250</string>
  <key>PayloadOrganization</key>
  <string>Family Organization</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>1234973F-0BF2-49EE-9F75-1239C70FB1DF</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
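The reply above lists the things that silently break an Always-On profile: the tunnel has to cover both Cellular and WiFi, the PKCS#12 client certificate has to actually be in the profile (and the VPN payload has to reference it by the right UUID), and the IKE/ESP algorithm choices matter. The script below is an added example, not the poster's code or anything from Apple Configurator; it loads a .mobileconfig with Python's standard plistlib and reports those mistakes before the profile is pushed to a device. The two inline profiles are constructed for the demonstration, the UUIDs are sample values, and the "strong algorithm" sets and minimum Diffie-Hellman group are this checker's own policy assumptions rather than values from the post.

```python
"""Pre-deployment sanity check for an Always-On IKEv2 .mobileconfig (added example)."""
import plistlib
import sys

# Constructed minimal profile: one Always-On IKEv2 tunnel that references a
# PKCS#12 payload by UUID. UUIDs and algorithm values are sample data.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadRemovalDisallowed</key><true/>
<key>PayloadContent</key><array>
<dict>
<key>PayloadType</key><string>com.apple.vpn.managed</string>
<key>VPNType</key><string>AlwaysOn</string>
<key>AlwaysOn</key><dict><key>TunnelConfigurations</key><array><dict>
<key>ProtocolType</key><string>IKEv2</string>
<key>AuthenticationMethod</key><string>Certificate</string>
<key>Interfaces</key><array><string>Cellular</string><string>WiFi</string></array>
<key>PayloadCertificateUUID</key><string>00000000-0000-0000-0000-0000000000AA</string>
<key>IKESecurityAssociationParameters</key><dict>
<key>EncryptionAlgorithm</key><string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key><string>SHA2-512</string>
<key>DiffieHellmanGroup</key><integer>20</integer></dict>
<key>ChildSecurityAssociationParameters</key><dict>
<key>EncryptionAlgorithm</key><string>AES-256-GCM</string>
<key>IntegrityAlgorithm</key><string>SHA2-512</string>
<key>DiffieHellmanGroup</key><integer>20</integer></dict>
</dict></array></dict>
</dict>
<dict>
<key>PayloadType</key><string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key><string>00000000-0000-0000-0000-0000000000AA</string>
</dict>
</array></dict></plist>
"""

# Same profile with WiFi dropped from Interfaces and the PKCS#12 UUID changed,
# so the VPN payload references a certificate that is not in the profile.
BROKEN_PROFILE = SAMPLE_PROFILE.replace(b"<string>WiFi</string>", b"").replace(
    b"<key>PayloadUUID</key><string>00000000-0000-0000-0000-0000000000AA",
    b"<key>PayloadUUID</key><string>00000000-0000-0000-0000-0000000000BB")

# Checker policy (assumption): AEAD ciphers, SHA-2 integrity, DH group >= 14.
STRONG_ENCRYPTION = {"AES-128-GCM", "AES-256-GCM", "ChaCha20Poly1305"}
STRONG_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}
MIN_DH_GROUP = 14
REQUIRED_INTERFACES = {"Cellular", "WiFi"}


def check_profile(raw: bytes) -> list:
    """Return a list of findings; an empty list means the profile passed."""
    findings = []
    profile = plistlib.loads(raw)
    if profile.get("PayloadType") != "Configuration":
        findings.append("top level: PayloadType is not Configuration")
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("top level: PayloadRemovalDisallowed is not true")
    payloads = profile.get("PayloadContent", [])
    # Every PayloadCertificateUUID must point at a PKCS#12 payload shipped in
    # the same profile, otherwise the tunnel has no client identity to present.
    cert_uuids = {p.get("PayloadUUID") for p in payloads
                  if p.get("PayloadType") == "com.apple.security.pkcs12"}
    vpns = [p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpns:
        findings.append("no com.apple.vpn.managed payload")
    for vpn in vpns:
        if vpn.get("VPNType") != "AlwaysOn":
            findings.append("VPN payload: VPNType is not AlwaysOn")
        tunnels = vpn.get("AlwaysOn", {}).get("TunnelConfigurations", [])
        if not tunnels:
            findings.append("VPN payload: no TunnelConfigurations")
        for i, tun in enumerate(tunnels):
            where = f"tunnel {i}"
            if tun.get("ProtocolType") != "IKEv2":
                findings.append(f"{where}: ProtocolType is not IKEv2")
            if tun.get("AuthenticationMethod") != "Certificate":
                findings.append(f"{where}: AuthenticationMethod is not Certificate")
            for iface in sorted(REQUIRED_INTERFACES - set(tun.get("Interfaces", []))):
                findings.append(f"{where}: Interfaces missing {iface}")
            cert = tun.get("PayloadCertificateUUID")
            if cert not in cert_uuids:
                findings.append(f"{where}: PayloadCertificateUUID {cert} has no matching pkcs12 payload")
            for sa in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
                params = tun.get(sa, {})
                if params.get("EncryptionAlgorithm") not in STRONG_ENCRYPTION:
                    findings.append(f"{where}: {sa} EncryptionAlgorithm is weak or missing")
                if params.get("IntegrityAlgorithm") not in STRONG_INTEGRITY:
                    findings.append(f"{where}: {sa} IntegrityAlgorithm is weak or missing")
                if params.get("DiffieHellmanGroup", 0) < MIN_DH_GROUP:
                    findings.append(f"{where}: {sa} DiffieHellmanGroup below {MIN_DH_GROUP}")
    return findings


if __name__ == "__main__":
    # Usage: python check_profile.py my.mobileconfig (defaults to the sample above)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    for line in check_profile(data) or ["OK: no findings"]:
        print(line)
```

Run it against the exported .mobileconfig before installing it: the sample profile produces no findings, while the broken variant reports the missing WiFi interface and the dangling certificate reference, which are exactly the kind of copy-and-paste mistakes the reply describes. The UUID cross-check is the one worth keeping even if you drop the algorithm policy, because a tunnel that cannot find its client certificate fails at the first IKE_AUTH exchange with no useful error on the device.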