Understanding VPNs for Apple Devices

Standard VPN, third-party clients or Per-App VPN? Get the lowdown on Apple’s many VPN possibilities here.

Successful Apple VPN Strategist

A virtual private network (VPN) serves to connect branch offices and external employees. VPNs also play an essential role in the integration of smartphones and tablets by ensuring that all network regulations in the company are also applied to the mobile devices.

And it is precisely here that the problems arise because, depending on whether the smartphone or tablet is provided by the company or is the personal property of an employee, the requirements of how to use such a VPN can vary widely.

Common VPNs include:

  • Standard VPN
  • Third-Party VPN clients
  • On Demand VPN
  • Always On VPN
  • Per-App VPN

What’s the difference between these VPN configurations?

The Standard VPN is the manual VPN based on the built-in VPN client. With Apple’s On Demand VPN, domains can be managed so that a VPN connection is established whenever the Safari browser or an app wants to access them.

Apple’s Always On VPN, which was added in iOS 8 and makes the iPhone operate almost like a BlackBerry, establishes a VPN as soon as the device is turned on, and the user cannot disable it. This form, certainly only used on company-owned devices, ensures that all communication is routed through the corporate network and can be appropriately monitored and controlled there.

It goes without saying that this is unacceptable in a BYOD context. So Apple introduced the so-called Per-App VPN in version 8. This VPN is used only by managed apps and rolled out directly via a mobile device management solution. Typical consumer apps like YouTube and WhatsApp are ignored.

As a result, users do not feel monitored when using such apps, and the corporate network is spared from personal traffic.

Disable access to Dropbox & Co. with Per-App VPN

One quick example of the utility of Per-App VPN is that it disables Microsoft Office’s Dropbox access, which cannot be disabled with any other setting.

If you use the Per-App VPN for Microsoft Office, then the IT administrator can disable the access to Dropbox on the network simply through corresponding DNS entries.

Since the Per-App VPN only affects Microsoft Office, it is still possible to use your personal Dropbox on the iPhone. It is solely the corporate data that has no access to it.

Per-App VPN after iOS 9: An important milestone

Before iOS 9, Per-App VPN still required a specific VPN that was supported by only a few conventional VPN providers. This requirement and the somewhat complex implementation prevented the breakthrough of this concept.

Since iOS 9, it has been possible to create a Per-App VPN with every VPN that is supported by the built-in VPN client. Now, Per-App VPN can be used in virtually every corporate network.

Per-App VPN is the central component of a business container

The Per-App VPN is also a central component of the native business container, which has already been described in this previous article. The interesting thing is that Apple not only connects applications to the Per-App VPN through native support but, with the concept of the managed domain, also ensures that email traffic and access to certain websites, mostly intranet sites, occur only through this Per-App VPN.

Thus this technology creates a completely closed container, including mail app and secure browser, which is connected to the company via a secured VPN without limiting the user’s personal apps.
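The VPN types and managed domains described above can be checked in a configuration profile before an MDM rolls it out. The following is an added example, not part of the original article: it assumes Apple's configuration profile key names (com.apple.vpn.managed.applayer, VPNUUID, SafariDomains, MailDomains, OnDemandEnabled, VPNType AlwaysOn), and the sample profile, host names and UUIDs are constructed.

```python
import plistlib

PER_APP = "com.apple.vpn.managed.applayer"   # Per-App VPN payload type
DEVICE_WIDE = "com.apple.vpn.managed"        # device-wide VPN payload type

def classify(p):
    """Map one VPN payload to the VPN categories listed in the article."""
    if p.get("PayloadType") == PER_APP:
        return "Per-App VPN"
    if p.get("VPNType") == "AlwaysOn":
        return "Always On VPN"
    # Assumption: the On Demand flag sits in the protocol-specific dictionary.
    for proto in ("IKEv2", "IPSec"):
        if p.get(proto, {}).get("OnDemandEnabled") == 1:
            return "On Demand VPN"
    return "Standard VPN"

def audit(profile_bytes):
    """Return one row per VPN payload, with managed domains and warnings."""
    report = []
    for p in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if p.get("PayloadType") not in (PER_APP, DEVICE_WIDE):
            continue  # not a VPN payload
        kind = classify(p)
        domains = sorted(set(p.get("SafariDomains", []) + p.get("MailDomains", [])))
        warnings = []
        if kind == "Per-App VPN":
            if not p.get("VPNUUID"):
                warnings.append("missing VPNUUID: no managed app can be mapped to it")
            if not domains:
                warnings.append("no managed domains: Safari and Mail are not tied to it")
        report.append({"name": p.get("UserDefinedName"), "kind": kind,
                       "domains": domains, "warnings": warnings})
    return report

# Constructed sample profile (all names and values are made up for the example).
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": PER_APP, "UserDefinedName": "Office tunnel", "VPNType": "IKEv2",
     "VPNUUID": "00000000-0000-0000-0000-000000000001",
     "SafariDomains": ["intranet.example.com"], "MailDomains": ["mail.example.com"]},
    {"PayloadType": PER_APP, "UserDefinedName": "Legacy tunnel", "VPNType": "IKEv2",
     "VPNUUID": "00000000-0000-0000-0000-000000000002"},
    {"PayloadType": DEVICE_WIDE, "UserDefinedName": "Branch", "VPNType": "IKEv2",
     "IKEv2": {"RemoteAddress": "vpn.example.com", "OnDemandEnabled": 1}},
    {"PayloadType": DEVICE_WIDE, "UserDefinedName": "Corp devices", "VPNType": "AlwaysOn"},
    {"PayloadType": "com.apple.wifi.managed"},
]})

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```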


In short, Per-App VPN is the premium option among Apple’s VPN alternatives and easily implemented with a mobile device management solution for iOS.
