On-Demand VPN on iOS: Understanding App Compatibility Challenges and Workarounds

VPN On Demand lets the system automatically start or stop a VPN connection based on various criteria. For instance, you can configure an iPhone to start a VPN connection on Wi-Fi and stop it on cellular, or to start the VPN when a specific app tries to connect to a service that is accessible only via VPN, such as a domain name that is not exposed to the internet.
You can dive deeper into this feature here and here.

Now, here’s a twist: while we might assume this is a device-wide setting, allowing any app to utilize VPN capabilities, that’s not entirely accurate. Let me illustrate this with an example:
Imagine an organization deploying on-demand VPN profiles for iOS devices via Microsoft Intune. They set a rule to connect the VPN when the user attempts to access a particular domain name. While it smoothly operates for apps like Microsoft Edge, Google Chrome, or iOS’s built-in Files app, it falls short for other FTP clients or RDC Manager apps, to name a few.

This issue arises when the affected applications use certain APIs that do not activate VPN On Demand. For instance, if an application uses CFHostStartInfoResolution, the VPN won’t kick in.
🌐 Apple’s preferred networking APIs, which support connect-by-name semantics, can handle on-demand VPN. Check out their insights here.

Are you facing a similar scenario? Consider these options—none perfect, but better than nothing:
🛠️ Configure Always-On VPN Profile: From your MDM solution, set up the on-demand VPN profile to function as an always-on VPN. For example, using Intune, create a VPN profile to connect and restrict the setting to all domains. Learn more here
🚀 Use Another App to Trigger VPN: Employ a different app to call the action that triggers the VPN. Once connected, other apps gain access to internal resources.
🔄 Use per-app VPN: If there is a strong need to have a specific app trigger the VPN, you may want to switch to this mode. However, keep in mind that all traffic generated by that application will be sent via the VPN tunnel.
🤝 Engage App Developers: Reach out to app developers. Encourage them to upgrade their apps to support an API compatible with the on-demand VPN scenario.
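
For the conversation with app developers, here is the difference between the two API styles described above, as an added example that is not code from Apple or from any of the apps mentioned. The host name and port are hypothetical placeholders, and NWConnection from Apple's Network framework is used here as one connect-by-name API.

```swift
import Foundation
import Network

// Hypothetical internal host that is reachable only through the VPN.
let internalHost = "files.corp.example"
let internalPort: UInt16 = 443

// Before: resolve-then-connect. The article names CFHostStartInfoResolution as
// an API that does not bring up VPN On Demand, so with the tunnel down the
// lookup of an internal-only name fails and the app never gets to connect.
func resolveWithCFHost(_ name: String) -> [Data] {
    let host = CFHostCreateWithName(kCFAllocatorDefault, name as CFString).takeRetainedValue()
    var error = CFStreamError()
    guard CFHostStartInfoResolution(host, .addresses, &error) else {
        print("CFHost resolution failed: domain \(error.domain), code \(error.error)")
        return []
    }
    var resolved: DarwinBoolean = false
    let addresses = CFHostGetAddressing(host, &resolved)?.takeUnretainedValue() as NSArray?
    return resolved.boolValue ? (addresses as? [Data] ?? []) : []
}

// After: connect-by-name. The host name itself is handed to the system, which
// performs resolution and connection setup, so an on-demand rule that matches
// the domain can bring the tunnel up first.
func connectByName(_ name: String, port: UInt16,
                   completion: @escaping (Result<NWConnection, NWError>) -> Void) {
    let connection = NWConnection(host: NWEndpoint.Host(name),
                                  port: NWEndpoint.Port(rawValue: port)!,
                                  using: .tcp)
    connection.stateUpdateHandler = { state in
        switch state {
        case .ready:
            completion(.success(connection))
        case .failed(let error):
            connection.cancel()
            completion(.failure(error))
        case .waiting(let error):
            // No usable path yet (for example, the tunnel is still coming up);
            // NWConnection retries on its own when the network path changes.
            print("Waiting for a usable path: \(error)")
        default:
            break
        }
    }
    connection.start(queue: .global())
}
```

Calling connectByName(internalHost, port: internalPort) on a managed device with the on-demand profile installed is a quick way to confirm that the rule fires for the domain.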

Feel free to share your thoughts or experiences with on-demand VPN! ✨ #TechTalk #iOSVPN #MicrosoftIntune
