© 2013 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. Images are shown for illustrative purposes only; individual experience may vary. This document is not an offer, commitment, representation or warranty by AT&T and is subject to change.
Apple, the Apple logo, iPhone, iPod touch, and iTunes are trademarks of Apple Inc., registered in the U.S. and other countries. iPad is a trademark of Apple Inc.
ANIRA/AVTS Managed VPN
Capability for iOS® Devices (iPad™,
iPhone®, iPod touch®)
Table of Contents
Introduction ... 3
Benefits, Billing, Limitations and Requirements ... 4
CPOC Steps to Request New Userids for Remote Access Use ... 5
CPOC Steps to Request iOS VPN Access for Existing Userids ... 5
CPOC Communication to End Users... 9
End User VPN Configuration Process Screenshots ... 10
Connecting and Disconnecting from VPN ... 13
Support and Troubleshooting ... 15
Appendix A - Document Version ... 16
The purpose of this document is to provide the customer administrator responsible for ANIRA and AVTS remote access (also known as the CPOC: Customer Point of Contact) with instructions for enabling VPN access for iOS devices such as iPad, iPhone, and iPod touch. The steps involved in providing such access include ordering VPN access and configuring the device. There is no application required from iTunes to configure your iOS device for the ANIRA or AVTS remote access service.
Internet connectivity must be available on the device using cellular 3G/4G/4G LTE or Wi-Fi for the VPN to function. No additional software is required on the iOS device since the VPN software is already present. ANIRA is supported as well as AVTS with the AT&T SIG and Cisco ASA as tunnel servers. Other legacy AVTS tunnel servers are not supported.
The AT&T helpdesk will work with the CPOC as necessary to resolve any issues related to iOS device VPN connection.
Split Tunneling/Dual Access is based on domain names instead of IP network access control lists to control the routing of traffic.
Benefits, Billing, Limitations and Requirements
• Fully Managed VPN Service for iOS devices (iPad/iPhone/iPod) for ANIRA and AVTS customers.
• 24 x 7 helpdesk support available to CPOC
• Simple end user configuration experience as compared to the former non-managed iOS VPN Capability.
• Uses the native iOS IPSec VPN so no extra VPN software install is necessary.
• All authentication methods commonly used with the AGN Client for Windows are supported, except for certificate based authentication.
• Standard ANIRA or AVTS user charges (VPN Management Fee) for accessing VPN over existing Internet access apply. All monthly flat rate plans, including the Unlimited Plans, waive the VPN Management Fee.
• The VPN Management Fee or monthly flat rate plan will be billed no more than once per userid in a given billing period. For example, an existing Windows AGN Client user that has connected already in a given billing period will not incur any additional billing for an iOS VPN connection.
• Standard wireless usage charges will apply per the wireless rate plan.
• VPN will disconnect when device is locked, either via auto-lock or manually pressing lock button.
IT organizations may consider this a security feature.
• Supported VPN gateways are ANIRA VIG, AVTS SIG, and Cisco ASA.
• No more than two VPN profiles (tunnel endpoints) will be configured on the iOS device VPN Settings page regardless of how many tunnel endpoints are available to a user.
• There is no password change capability native in iOS for VPN. Password changes may be handled via the AGN Wi-Fi Client for iOS or customer administrators can use password management tools available in BusinessDirect.
• iPad, iPhone, or iPod touch running iOS 4.0 and higher.
• Safari browser on the device: Accept Cookies must be set to “Always” or “From visited”. This can be set in Settings->Safari.
CPOC Steps to Request New Userids for Remote Access Use
The VPN capability from iOS devices is controlled using remote access userids in the same manner as Windows based AGN Client users. If new userids are needed for remote access they can be ordered business as usual via Direct Registration Facility (DRF) or existing customer processes (for unregistered userids).
CPOC Steps to Request iOS VPN Access for Existing Userids
The VPN capability from iOS devices can be enabled for individual users, groups of users, or for all users of an account.
You will need access to the following applications on Business Direct.
• CPOC Provisioning Request Tool
• Administration Tools for SM Go to https://www.businessdirect.att.com
If either of these applications is not available please contact your account representative to have them added.
Alternatively, the applications to manage the ANIRA and AVTS services can be accessed using your CPOC account credentials at https://globalnetwork.support.att.com/att/att_tools_welogon.html
Select the “CPOC Provisioning Request Tool” from the Inside Tools box.
Click on Remote Acess and select ANIRA or AVTS as appropriate.
To the right of the screen select “All Other Requests” in the Order Forms box.
Fill in the required fields.
In the text box enter “Please enable managed VPN access for iOS devices on the following userids (include account id for clarity as well).”
Submit the request and wait until you receive confirmation the request is complete before proceeding with the next step. Normal turnaround time is a few business days.
CPOC Communication to End Users
After receiving email confirmation that the request described above is complete, the CPOC will
communicate via email or txt message to the end users to begin the VPN setup process on their devices.
Here is suggested wording:
iOS device user,
Click on the following link below to start configuration of the VPN client on your iPad, iPhone, or iPod touch.
After clicking on the link above, you will be prompted to provide your AVTS or ANIRA credentials to start the configuration process. Follow the steps on your device to complete the VPN setup.
If you have any questions or do not know your AVTS or ANIRA credentials, please contact [add appropriate contact information].
End User VPN Configuration Process Screenshots
NOTE: Prior to starting the End User VPN Configuration Process, access Settings>Safari and verify that Accept Cookies is set to "Always" or "From Visited." The configuration download will fail if Accept Cookies is set to “Never.”
Step 1: Go to VPN enrollment page http://mobile.mdm.att.net from the iOS device. Enter your account, userid, and password.
Step2: Select “Install Now” to proceed with the configuration.
NOTE: Step 3 is only necessary if you have a screen lock configured on the iOS device. You may be prompted for your passcode to install a new profile. This would be the device Passcode, not the VPN password noted above. If your device does not have a passcode, move to step 4.
Step 3: Enter your device passcode.
Step 4: This page will appear when the configuration process begins.
Step 5: Press next, no password is needed. This field is not used.
Step 5: Complete
Connecting and Disconnecting from VPN
Follow these steps to connect and disconnect the VPN connection on your iOS device.
Settings VPN Switch button ON to connect or OFF to disconnect.
When the VPN connection is established the VPN icon will appear in the status bar.
If you have multiple VPN configurations, you can switch between them by following these steps.
Settings General Network VPN
Support and Troubleshooting
• Support for the Managed VPN capability is in the English language only. When calling the international helpdesks select the English language as the option to have your call routed appropriately.
• If the VPN connection fails please reach out to your CPOC or IT helpdesk to be sure the password is not expired.
• Passwords that are configured for “force password change at next logon” will not work until the password has been set prior to use with the iOS device. Be sure that any userids created for iOS device VPN users are not configured with “force password change at next logon”.
• If requested by support to take a screen shot of your device, please follow these steps.
o Press and hold the menu button (the main button below the screen).
o While the menu button is held down, press the power/lock button (the switch on the top edge of the device).
NOTE: You have approximately 3 seconds press the power/lock button or your voice control option on your device will appear and you will need to start the process over.
o Your screen will flash white for a second and make a camera shutter noise (if you have the volume turned up) to indicate that the screen shot has been taken.
o Open your photos on you device and select the screen shot from the camera roll.
o E-mail your screen shot to address request by support.
Appendix A - Document Version
• Last updated October 22, 2013