iOS17 Private Cellular Improvements

When iOS17 was announced at WWDC ’23 back in June, Apple included some footnotes about Private Cellular Networks features they were adding to iOS17 and had already added to iPadOS17. In one of their Developer sessions, they talked specifically about how iOS17 will finally have official support for Private Cellular Networks.

Let’s dig into how iOS 17 provides greater flexibility for a Private Cellular Network.

Private Cellular and iOS17

In that Developer session, Apple talked about how previous versions of iPadOS had support for LTE and 5G NSA. Apple brought support for 5G SA to both iPhones and iPads with iOS17 and iPadOS17, and LTE and 5G NSA to iPhones running iOS17. Apple further explains what is new with iOS17 in this Support Document.

One thing you notice in that document is that Private Cellular PLMN 5G SA is only available on iOS17 on the iPhone 13 or newer. I have an iPhone 12 and apparently it doesn’t support 5G SA, although it does support 5G NSA. I don’t have a Private 5G SA Core to test this yet.

Settings and Field Test Mode

Next, looking at the Settings App and the Field Test Mode App in iOS17, there are some new features. Let’s dig into the changes in Settings first.

The first thing I noticed was the change to the SIM Card name under Cellular Plans. On iOS16, the Private Cellular SIM showed as the generic “SIM Card”, as you can see below for my enterprise private network.

Upgrading to iOS17, that name changes to “Non-Public Network” as I talked about in my previous post about the Field Test Mode unless a different name is configured like “Celona” or “GXC Onyx”.

Field Test Mode, as I discussed in my previous post about iOS17 Shortcuts, can now be activated with a Shortcut without having to dial a code in the Phone app. When I was preparing for that blog post, I quickly noticed the change in the title at the top of the main Field Test Mode screen. In previous versions of iOS, the title would be “Carrier” although the network was a Private Cellular Network, like this.

With iOS17, Field Test Mode now shows the same “Non-Public Network” identifier as it does in the settings app.

I discovered one more little easter egg. When running a speedtest with the Ookla SpeedTest.net App, the app uses the same Non-Public Network identifier as above which was a cool thing to find.

The “Carrier” or “Non-Public Network” identifier changes accordingly if the SIM is configured with a Service Provider Name like “Celona” or “GXC Onyx”. In GXC Onyx, you can change this in the “Long Network Name” field under Network->Pencil. This brings some changes that Apple has introduced that I’ll discuss next.

Private PLMN Cell Identifiers

The PLMN identifier on iOS17, in the screenshot below “315 010”, hasn’t changed from previous versions of iOS. You can configure the Service Provider Name to display something different. Apple does call out different options specifically in that Support Document though. 315010 is specific to CBRS but there are others in other countries as mentioned before.

Multiple methods are supported for displaying the network name on an iPhone and iPad. These include:

  • Network Identity and Time Zone (NITZ)
  • Operator PLMN List (OPL)
  • PLMN Network Name (PNN)
  • Service Provider Name (SPN)

The “Network Selection” menu under Cellular Data shows the following if you disable Automatic. Notice how the CBRS PLMN 315 010 is now an available option. The 313 100 is FirstNet’s PLMN.

LTE and 5G NSA Attach-Accept

Another section talks about the Attach-Accept for 5G NSA and LTE or the Registration Accept attachment methods.

Data-only network

iOS 17 and iPadOS 17 support data-only private cellular networks. The following data-only attach methods are recommended:

  • 5G SA: Registration Accept (REG-Accept) for Data (without voice activation)
  • 5G NSA and LTE: Attach-Accept (EPS-only)

With Dual SIM on iPhone, users can make and receive calls and text messages using a public carrier’s network, while remaining connected to your organization’s private, data-only cellular network.

I don’t have a PCAP of the 5G version, but the LTE version will look like the screenshot below. This is the whole attach method for a device, although it isn’t an Apple device. I captured this using SCAT.

5G Network Slicing

The Developer Session includes this slide and the Document says the following about 5G SA Network Slicing.

iOS 17 and iPadOS 17 offer organizations the ability to assign specific network slices to managed apps on their carrier’s 5G Standalone (SA) network. This causes all traffic for a designated managed app to be routed to the slice identified by a specified Data Network Name (DNN). 

If you are building a 5G SA network, with iOS17 you can now configure 5G Slicing using an MDM or directly in the specific App. 5G Slicing configuration will be available in a future release of iOS17. I have yet to find the settings in JAMF or Mosyle MDMs, as I will discuss later. If you have a VPN Configured for a Device, you cannot use 5G Slicing.

5G SUCI and SUPI

When configuring a 5G network, the document says the following about enabling the SUCI to protect the SUPI.

To help ensure compatibility of iPhone and cellular iPad devices on private 5G SA networks, infrastructure vendors must adhere to the following security and privacy requirements:

  • Privacy concealment: Subscription Concealed Identifier (SUCI) must use a Non-Null Protection Scheme. This can be achieved through either on-SIM SUCI calculation or ME SUCI calculation. For detailed information, refer to the 3GPP TS 33.501 documentation.
  • User data confidentiality: To safeguard user data from unauthorized access, the use of Null-Ciphering isn’t supported.
  • NAS/RRC signaling confidentiality and integrity: Ensure the confidentiality and integrity of NAS/RRC signaling information using encryption to prevent unauthorized access and interception, and prevent unauthorized tampering or modifications during transmission.
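
A way to check the SUCI requirement above from the core side, as an added example that is not from Apple's document or this post: it scans log lines for SUCIs and flags any that use the null scheme, where the scheme output is the cleartext MSIN. The dash-delimited SUCI rendering and the log lines are assumptions (constructed samples); the scheme identifiers are those of 3GPP TS 33.501.

```python
import re

# Protection scheme identifiers defined in 3GPP TS 33.501 (Annex C).
SCHEMES = {0: "null-scheme", 1: "ECIES Profile A", 2: "ECIES Profile B"}

# Assumed rendering: suci-<supi type>-<mcc>-<mnc>-<routing ind>-<scheme>-<hn key id>-<output>
SUCI_RE = re.compile(
    r"suci-(?P<type>\d)-(?P<mcc>\d{3})-(?P<mnc>\d{2,3})-(?P<rid>\d{1,4})"
    r"-(?P<scheme>\d{1,2})-(?P<key>\d{1,3})-(?P<out>[0-9a-fA-F]+)")

def audit_suci(line):
    """Return a finding dict for the first SUCI in `line`, or None if there is none."""
    m = SUCI_RE.search(line)
    if m is None:
        return None
    scheme = int(m["scheme"])
    finding = {
        "plmn": m["mcc"] + m["mnc"],
        "scheme": SCHEMES.get(scheme, "reserved/operator-specific"),
        "concealed": scheme != 0,
    }
    if scheme == 0:
        # Null scheme: the output field is the MSIN itself, so the SUPI
        # can be read directly off the air interface or out of the log.
        finding["exposed_supi"] = "imsi-" + m["mcc"] + m["mnc"] + m["out"]
    return finding

def null_scheme_findings(log_text):
    """All SUCIs in the log that fail the non-null protection requirement."""
    findings = (audit_suci(line) for line in log_text.splitlines())
    return [f for f in findings if f and not f["concealed"]]

# Constructed log lines using the CBRS PLMN 315 010 mentioned on this page.
LOG = """\
amf: registration request [suci-0-315-010-0000-0-0-000000001]
amf: registration request [suci-0-315-010-0000-1-1-a1b2c3d4e5f60718]
amf: heartbeat
"""

if __name__ == "__main__":
    for f in null_scheme_findings(LOG):
        print("non-compliant SUCI:", f)
```
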

SIB24

Finally, if running a 5G SA network in conjunction with an LTE network, be sure to enable SIB24 on the LTE network to help devices connected with LTE to find the appropriate 5G network settings. I talked a lot about SIB24 in my 5G NSA Discovery with LTE PCAPs post. I discovered a 5G SA network with my War Driving capturing LTE Frames because of the broadcast SIB24. SIBs are broadcast by the eNodeB or gNodeB to help a device attach the first time or to reselect a different cellular tower. The document says the following about SIB24, and I captured the PCAP below using SCAT that shows a SIB24 message.

Wireshark LTE DL_SCH Capture

On a mixed network with both 5G SA and LTE, System Information Block 24 (SIB24) should be broadcast by the LTE network. This broadcast message helps ensure that the iPhone or iPad receive the necessary network information to scan for the 5G SA network.

Private Cellular and MDM Options

Apple allows MDMs to configure certain settings on Private Cellular networks. You’ve been able to configure the APN settings in previous versions of iOS, as these screenshots from JAMF and Mosyle show below.

Some device settings for an organization’s private 5G and LTE network can be configured using an MDM solution or a configuration profile containing a Private Cellular Network payload. Only one Private Cellular Network payload is supported at a time.

  • 5G Standalone: 5G SA is turned off by default, and users can manually turn it on in Settings > Cellular. Additionally, organizations can use the new EnableNRStandalone key in their Private Cellular Network payload.
  • Prioritizing Cellular over Wi-Fi: With the CellularDataPreferred key, organizations with private 5G and LTE networks have the option to prefer using cellular over Wi-Fi when both are available. With this setting, supported devices can be set to prefer the private cellular network, while still allowing Wi-Fi for services such as AirDrop and AirPlay.
  • Geofence activation: A private network eSIM or physical SIM can automatically be turned on when entering cellular network coverage defined by a geofence, using the new Geofences dictionary with the GeofenceId, Latitude, Longitude, and Radius keys. By creating a geofence, the iPhone can seamlessly switch between a private network SIM and a carrier SIM as the user moves in and out of private network coverage. When they enter the geofence, the private network SIM is enabled, and automatically disabled when they exit the geofence and leave private network coverage. This feature is only available when using a single private network eSIM or physical SIM on their iPhone. The Private Cellular Network payload allows defining up to 1000 geofences, each with a radius ranging from 100 meters to 6.5 kilometers. Radii should be set slightly greater than the private cellular network coverage area.
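
To make the geofence limits above concrete, here is an added example (not Apple's or any MDM vendor's code) that derives a geofence from radio positions, pads it slightly beyond coverage, and checks the result against the 1000-geofence and 100 m to 6.5 km limits. The key names are the ones listed above; the value types, the radius unit (metres), the 10% margin, the coordinates and the `warehouse-1` identifier are assumptions, and the output is only a key fragment, not a complete installable profile.

```python
import math
import plistlib

# Limits quoted above from Apple's support document.
MAX_GEOFENCES = 1000
MIN_RADIUS_M, MAX_RADIUS_M = 100.0, 6500.0

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))

def geofence_for_site(fence_id, radios, margin=1.1):
    """One geofence enclosing every radio's cell, padded by `margin`.

    radios: (lat, lon, coverage_radius_m) tuples from a site survey (assumed input).
    """
    lat = sum(r[0] for r in radios) / len(radios)
    lon = sum(r[1] for r in radios) / len(radios)
    reach = max(haversine_m(lat, lon, r[0], r[1]) + r[2] for r in radios)
    return {"GeofenceId": fence_id, "Latitude": lat, "Longitude": lon,
            "Radius": round(reach * margin, 1)}

def validate_payload(payload):
    """Return a list of problems; an empty list means the stated limits are met."""
    problems = []
    fences = payload.get("Geofences", [])
    if len(fences) > MAX_GEOFENCES:
        problems.append(f"{len(fences)} geofences, limit is {MAX_GEOFENCES}")
    for f in fences:
        fid, radius = f.get("GeofenceId"), f.get("Radius", 0.0)
        if not MIN_RADIUS_M <= radius <= MAX_RADIUS_M:
            problems.append(f"{fid}: radius {radius} m outside 100-6500 m")
        if abs(f.get("Latitude", 999)) > 90 or abs(f.get("Longitude", 999)) > 180:
            problems.append(f"{fid}: coordinates out of range")
    return problems

# Constructed sample: two radios in one building, placeholder coordinates.
RADIOS = [(37.0000, -122.0000, 150.0), (37.0010, -122.0000, 150.0)]
PAYLOAD = {"EnableNRStandalone": True, "CellularDataPreferred": True,
           "Geofences": [geofence_for_site("warehouse-1", RADIOS)]}
PLIST_XML = plistlib.dumps(PAYLOAD).decode()  # keys only, not a full profile
```

A fence that comes out under 100 m or over 6.5 km is reported by `validate_payload` rather than silently clamped, since a clamped radius would no longer match the surveyed coverage.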

Most Private Cellular Networks are Data Only and below is the configuration for the Data APN. You can also push an eSIM using an MDM as you are able to do with Carrier eSIMs. JAMF has a document explaining how to configure eSIM, the APN, and other settings in JAMF Pro.

In JAMF and Mosyle, I’m still unable to configure the settings involving 5G Slicing, Prioritizing Cellular over Wi-Fi, and Geofencing in the JAMF Pro and Mosyle Business installations that I have access to. Hopefully, these settings are enabled soon.

Big Improvements for Private Cellular

These changes with iOS17 and iPadOS17 will help push the Private Cellular market along. Celona has begun to integrate their products with the MDM vendors JAMF and AirWatch, as they announced recently.

I’m excited to see these settings become available for our Private Cellular networks. The tools to improve Private Cellular Networks are finally coming together. I can’t wait to see these settings enabled in MDMs. The market is maturing!
