Virtual private network (VPN) security (2024)

Table of Contents

Apple Platform Security

Welcome
Intro to Apple platform security
- Hardware security overview
- Apple SoC security
- Secure Enclave
- - Face ID and Touch ID security
  - Magic Keyboard with Touch ID
  - Face ID, Touch ID, passcodes, and passwords
  - Facial matching security
  - Uses for Face ID and Touch ID
  - Secure intent and connections to the Secure Enclave
- Hardware microphone disconnect
- Express Cards with power reserve
- System security overview
- - Boot process for iOS and iPadOS devices
  - Memory safe iBoot implementation
  - - Boot process
    - Boot modes
    - Paired recoveryOS restrictions
    - Startup Disk security policy control
    - LocalPolicy signing-key creation and management
    - Contents of a LocalPolicy file for a Mac with Apple silicon
  - - Boot process
    - Boot modes
    - Startup Security Utility
    - Firmware password protection
    - recoveryOS and diagnostics environments
- Signed system volume security
- Secure software updates
- Operating system integrity
- - Additional macOS system security capabilities
  - System Integrity Protection
  - Trust caches
  - Peripheral processor security
  - Rosetta 2 on a Mac with Apple silicon
  - Direct memory access protections
  - Kernel extensions
  - Option ROM security
  - UEFI firmware security in an Intel-based Mac
- System security for watchOS
- Random number generation
- Apple Security Research Device
- Encryption and Data Protection overview
- Passcodes and passwords
- - Data Protection overview
  - Data Protection
  - Data Protection classes
  - Keybags for Data Protection
  - Protecting keys in alternate boot modes
  - Protecting user data in the face of attack
  - Sealed Key Protection (SKP)
  - Activating data connections securely in iOS and iPadOS
  - Role of Apple File System
  - Keychain data protection
- - Volume encryption with FileVault
  - Managing FileVault
- - Protecting app access to user data
  - Protecting access to user’s health data
- Digital signing and encryption
- App security overview
- - Intro to app security for iOS and iPadOS
  - App code signing process
  - Security of runtime process
  - Supporting extensions
  - App protection and app groups
  - Verifying accessories
- - Intro to app security for macOS
  - App code signing process
  - Gatekeeper and runtime protection
  - Protecting against malware
  - Controlling app access to files
- Secure features in the Notes app
- Secure features in the Shortcuts app
- Services security overview
- - Apple ID security
  - Managed Apple ID security
- - iCloud security overview
  - iCloud encryption
  - Advanced Data Protection for iCloud
  - Security of iCloud Backup
  - Account recovery contact security
  - Legacy Contact security
  - iCloud Private Relay security
- - Passcode security overview
  - Sign in with Apple security
  - Automatic strong passwords
  - Password AutoFill security
  - App access to saved passwords
  - Password security recommendations
  - Password Monitoring
  - Sending passwords
  - Credential provider extensions
  - - iCloud Keychain security overview
    - Secure keychain syncing
    - Secure iCloud Keychain recovery
    - Escrow security for iCloud Keychain
- - Apple Pay security overview
  - Apple Pay component security
  - How Apple Pay keeps users’ purchases protected
  - - Card provisioning security overview
    - Adding credit or debit cards to Apple Pay
  - Payment authorization with Apple Pay
  - Paying with cards using Apple Pay
  - Contactless passes in Apple Pay
  - Rendering cards unusable with Apple Pay
  - Apple Card security
  - Apple Cash security
  - Tap to Pay on iPhone
- - Access using Apple Wallet
  - Access credential types
  - Car key security
  - Adding transit and eMoney cards to Apple Wallet
  - IDs in Apple Wallet
- - iMessage security overview
  - How iMessage sends and receives messages
  - Secure iMessage name and photo sharing
- Secure Apple Messages for Business
- FaceTime security
- - Find My security
  - Locating missing devices
- - Continuity security overview
  - Handoff security
  - iPhone cellular call relay security
  - iPhone Text Message Forwarding security
  - Instant Hotspot security
- Network security overview
- TLS security
- IPv6 security
- VPN security
- - Secure access to wireless networks
  - Wi-Fi privacy
- Bluetooth security
- Ultra Wideband security
- Single sign-on security
- AirDrop security
- Wi-Fi password sharing security
- Firewall security
- Developer kit security overview
- - Communication security
  - Data security
  - Securing routers with HomeKit
  - Camera security
  - Security with Apple TV
- SiriKit security
- DriverKit security
- ReplayKit security
- ARKit security
- Secure device management overview
- Pairing model security
- - MDM security overview
  - Configuration profile enforcement
  - Automated Device Enrollment
  - Activation Lock security
  - Managed Lost Mode and remote wipe
  - Shared iPad security
- Apple Configurator security
- Screen Time security
Glossary
Document revision history
Copyright

Protocols supported

These devices work with VPN servers that support the following protocols and authentication methods:

IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2, or EAP-TLS
SSL-VPN using the appropriate client app from the App Store
See Also
How to Configure a VPN on iPhone or iPad in 2024
L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)
Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)

VPN deployments supported

iOS, iPadOS, and macOS support the following:

VPN On Demand: For networks that use certificate-based authentication. IT policies specify which domains require a VPN connection by using a VPN configuration profile.
Per App VPN: For facilitating VPN connections on a much more granular basis. Mobile device management (MDM) solutions can specify a connection for each managed app and specific domains in Safari. This helps ensure that secure data always goes to and from the corporate network—and that a user’s personal data doesn’t.

iOS and iPadOS support the following:

Always On VPN: For devices managed through an MDM solution and supervised using Apple Configurator for Mac, Apple School Manager, or Apple Business Manager. Always On VPN eliminates the need for users to turn on VPN to enable protection when connecting to cellular and Wi-Fi networks. It also gives an organization full control over device traffic by tunneling all IP traffic back to the organization. The default exchange of parameters and keys for the subsequent encryption, IKEv2, secures traffic transmission with data encryption. The organization can monitor and filter traffic to and from its devices, secure data within its network, and restrict device access to the internet.

See alsoWi-Fi privacyBluetooth securityFirewall security in macOS

Download this guide as a PDF

Helpful?

Thanks for your feedback.