Specify which apps use Gateway on iOS devices

For iOS devices, if your organization manages devices using an EMM solution that supports configuring per-app VPN, you can configure devices to recognize Gateway as a VPN provider and configure per-app VPN to specify which apps send data through the Gateway tunnel.

To set up per-app tunnel options, you must have permissions for VPN management and app management on iOS devices activated using your EMM solution. To specify which apps use the Gateway tunnel in BlackBerry UEM do these actions:

  1. In the UEM management console, add the apps that you want to send data through Gateway to UEM and assign them to users.

    Only apps that are assigned to users use the Gateway tunnel. Do not assign the default browser or the Aurora Protect Mobile app to users or the device will be unable to establish a tunnel with Gateway.

    For devices with the "User privacy" and "User privacy - User enrollment" activation types, only assigned internal apps and apps licensed through the Apple Volume Purchase Program use the tunnel.

  2. Create an activation profile that assigns one of these activation types:
    • MDM controls
    • User privacy - User enrollment
    • User privacy with VPN management and app management enabled
  3. Create a VPN profile and include these settings:

    Connection type
      Custom

    VPN bundle ID
      com.blackberry.protect

    Server
      The FQDN or IP address of a VPN server. For the Gateway tunnel, the value must be the loopback address 127.0.0.1.

    Authentication type
      Password

    Password
      Leave this field blank.

    Enable per-app VPN
      Selected

    Domain settings
      Specify the domains that can establish a connection through the Gateway tunnel. If you specify a domain, assigned apps use the tunnel only for connections to the specified domain. You can specify domains for Safari, Calendar, Contacts, Mail, and domains listed in the apple-app-site-association file. You can also specify domains that never use the tunnel.

      For devices with the "User privacy" and "User privacy - User enrollment" activation types, if you specify a domain that is not a child of the root domain specified in the Server field, the device ignores the entire VPN profile, not just the invalid domain.

    Allow apps to connect automatically
      Select this option to allow the app to start the connection automatically.
      Note: Connections through the Gateway tunnel can start only if Gateway is enabled in the Aurora Protect Mobile app on the device.

    Traffic tunneling
      IP layer

  4. Assign profiles to users and instruct them to activate devices.
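The steps above leave two places where a misconfiguration fails silently on the device: assigning an app that blocks the tunnel (step 1), or, on the "User privacy" activation types, listing a domain outside the root domain so that the whole VPN profile is ignored (step 3). The following pre-flight check, added here as an example and not code from BlackBerry or the UEM product, encodes the constraints from the table and the app-assignment notes so a profile can be checked before it is assigned. The root domain passed to the check, the app source labels ("internal", "vpp", "app store"), and all app and domain names in the sample data are assumptions for illustration.

```python
"""Pre-flight check for a Gateway per-app VPN profile on iOS (added example).

Mirrors the rules stated in the procedure above. The root domain, the app
source labels and the sample apps/domains are assumptions, not UEM data.
"""
from __future__ import annotations

from dataclasses import dataclass, field

USER_PRIVACY_TYPES = {"User privacy", "User privacy - User enrollment"}
ALLOWED_ACTIVATION_TYPES = {"MDM controls"} | USER_PRIVACY_TYPES
# Assigning either of these prevents the device from establishing the tunnel.
BLOCKING_APPS = {"default browser", "Aurora Protect Mobile"}

# Fixed values the VPN profile must carry to point at Gateway.
REQUIRED_VALUES = {
    "connection_type": "Custom",
    "vpn_bundle_id": "com.blackberry.protect",
    "server": "127.0.0.1",  # loopback: the tunnel is local to the device
    "authentication_type": "Password",
    "traffic_tunneling": "IP layer",
}


@dataclass
class VpnProfile:
    connection_type: str = "Custom"
    vpn_bundle_id: str = "com.blackberry.protect"
    server: str = "127.0.0.1"
    authentication_type: str = "Password"
    password: str = ""          # must stay blank
    per_app_vpn: bool = True
    traffic_tunneling: str = "IP layer"
    domains: list[str] = field(default_factory=list)


@dataclass
class App:
    name: str
    source: str        # assumed labels: "internal", "vpp", or "app store"
    assigned: bool = True


def is_child_domain(candidate: str, root: str) -> bool:
    """True if candidate is root or a subdomain of root.

    Matches on a label boundary, so "evilexample.com" is NOT a child of
    "example.com" even though it ends with the same characters.
    """
    c, r = candidate.lower().rstrip("."), root.lower().rstrip(".")
    return c == r or c.endswith("." + r)


def validate_profile(profile: VpnProfile, activation_type: str,
                     root_domain: str) -> list[str]:
    """Return a list of problems; an empty list means the profile is usable."""
    errors: list[str] = []
    if activation_type not in ALLOWED_ACTIVATION_TYPES:
        errors.append(f"unsupported activation type: {activation_type!r}")
    for name, want in REQUIRED_VALUES.items():
        got = getattr(profile, name)
        if got != want:
            errors.append(f"{name} must be {want!r}, got {got!r}")
    if profile.password:
        errors.append("password must be left blank")
    if not profile.per_app_vpn:
        errors.append("Enable per-app VPN must be selected")
    if activation_type in USER_PRIVACY_TYPES:
        # One bad domain makes the device drop the whole profile, so report
        # it as a profile-level failure rather than a per-domain warning.
        bad = [d for d in profile.domains if not is_child_domain(d, root_domain)]
        if bad:
            errors.append(f"domains {bad} are outside {root_domain!r}; "
                          "the device will ignore the entire VPN profile")
    return errors


def apps_using_tunnel(apps: list[App], activation_type: str) -> list[str]:
    """Names of apps whose traffic will use the tunnel.

    Raises ValueError if a blocking app is assigned, because no app would
    get a tunnel in that case.
    """
    blocking = [a.name for a in apps if a.assigned and a.name in BLOCKING_APPS]
    if blocking:
        raise ValueError(f"assigning {blocking} prevents the device from "
                         "establishing the Gateway tunnel")
    using = []
    for a in apps:
        if not a.assigned:
            continue  # unassigned apps never use the tunnel
        if activation_type in USER_PRIVACY_TYPES and a.source not in ("internal", "vpp"):
            continue  # user-privacy types: only internal and VPP apps tunnel
        using.append(a.name)
    return using


# Constructed sample data for a dry run.
SAMPLE_APPS = [
    App("Corp Expenses", "internal"),
    App("Corp CRM", "vpp"),
    App("Public Notes", "app store"),
    App("Archived Tool", "internal", assigned=False),
]

if __name__ == "__main__":
    profile = VpnProfile(domains=["intranet.example.com", "evilexample.com"])
    for problem in validate_profile(profile, "User privacy", "example.com"):
        print("profile:", problem)
    print("tunnelled apps:", apps_using_tunnel(SAMPLE_APPS, "User privacy"))
```

Run the script once against the constructed sample and the second domain is reported as a profile-level failure, which is the behaviour to expect on the device; fix the domain list before assigning the profile. The dot-boundary check in `is_child_domain` is the part worth keeping: a plain `endswith` would accept a look-alike domain as a child of your root.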