Overview
This guide covers VPN configuration on macOS for both individual users and enterprise environments — including built-in IKEv2, Cisco AnyConnect, and MDM-deployed VPN profiles.
Built-in IKEv2 VPN (System Settings)
macOS natively supports IKEv2 and L2TP over IPSec via System Settings. Navigate to System Settings → VPN → Add VPN Configuration. Enter the server address, remote ID, and authentication credentials provided by your IT team.
Cisco AnyConnect / Secure Client
Most enterprise environments use Cisco Secure Client (formerly AnyConnect). Install the agency-approved package, then connect using your corporate credentials with MFA approval via Duo or similar. See the AnyConnect article for detailed setup.
Deploy VPN via MDM Profile
For managed Macs, push a VPN payload via a configuration profile. This eliminates the need for end users to manually configure the VPN.
Profile Key Settings
VPNType: IKEv2 (recommended for modern deployments)
AuthenticationMethod: Certificate or SharedSecret
PayloadType: com.apple.vpn.managed
OnDemandEnabled: true — auto-connects when on untrusted networks
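As an added example (not part of the original guide or of any vendor tooling), the Python below builds an unsigned profile with the keys listed above and audits it for two common mistakes. The identifiers, display names, function names, and the audit's policy of flagging SharedSecret are assumptions; PayloadCertificateUUID must reference an identity payload that this sketch does not build.

```python
import plistlib
import uuid

def build_profile(server, local_id, cert_uuid, trusted_ssids):
    """Unsigned profile with one certificate-auth IKEv2 payload (constructed values)."""
    vpn = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "com.example.vpn.ikev2",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "UserDefinedName": "Corporate VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,
            "LocalIdentifier": local_id,
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,  # identity payload, not built here
            "OnDemandEnabled": 1,  # stored as an integer in the plist
            # Rules run in order: stay off the tunnel on trusted Wi-Fi, else connect.
            "OnDemandRules": [{"Action": "Disconnect", "SSIDMatch": trusted_ssids},
                              {"Action": "Connect"}],
        },
    }
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate VPN",
        "PayloadContent": [vpn],
    })

def audit_profile(data):
    """Findings for each managed IKEv2 payload in an unsigned .mobileconfig."""
    findings = []
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.vpn.managed" or p.get("VPNType") != "IKEv2":
            continue
        ike = p.get("IKEv2", {})
        method = ike.get("AuthenticationMethod")
        if method == "SharedSecret":
            findings.append("SharedSecret: pre-shared key is embedded in the profile")
        elif method == "Certificate" and not ike.get("PayloadCertificateUUID"):
            findings.append("Certificate auth without PayloadCertificateUUID")
        if not ike.get("OnDemandEnabled"):
            findings.append("OnDemandEnabled is off: the tunnel is manual")
        elif not ike.get("OnDemandRules"):
            findings.append("OnDemandEnabled set but OnDemandRules is empty")
    return findings
```

A signed profile is CMS-wrapped and has to be unwrapped before plistlib can parse it.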
VPN Troubleshooting
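# Show active network connections
netstat -an | grep ESTABLISHED
# Check the VPN tunnel interface (the utun index varies; list interfaces with: ifconfig -l)
ifconfig utun0
# View VPN logs (racoon serves L2TP over IPSec; IKEv2 logs under NEIKEv2Provider and nesessionmanager)
log show --predicate 'process == "racoon" OR process == "NEIKEv2Provider" OR process == "nesessionmanager"' --last 30m
# Show the public egress IP to test connectivity through the VPN
curl -s https://ifconfig.me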
Per-App VPN
macOS supports Per-App VPN, where only specific apps route traffic through the tunnel. It is configured via the PerAppVPN key in a managed VPN profile, which is useful for routing corporate apps through the tunnel while keeping personal traffic off it.