
VPN On Demand
VPN On Demand lets Apple devices automatically establish a connection on an as-needed basis. It requires an authentication method that doesn’t involve user interaction—for example, certificate-based authentication. VPN On Demand is configured using the OnDemandRules key in a VPN payload of a configuration profile. Rules are applied in two stages:
Network detection stage: Defines VPN requirements that are applied when the device’s primary network connection changes.
Connection evaluation stage: Defines VPN requirements for connection requests to domain names on an as-needed basis.
Rules can be used to do things like:
Recognize when an Apple device is connected to an internal network and VPN isn’t necessary
Recognize when an unknown Wi-Fi network is being used and require VPN for all network activity
Require VPN when a DNS request for a specified domain name fails
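The three cases above, written as an OnDemandRules array and run through a simplified first-match model of the network detection stage. This is an added example, not part of Apple's documentation. The rule keys (Action, DNSDomainMatch, InterfaceTypeMatch, ActionParameters, Domains, DomainAction) are assumed from the configuration profile format rather than taken from this page, corp.example.com and the sample network states are constructed placeholders, and the matcher is an approximation of device behavior.

```python
import plistlib

# Constructed placeholder values: corp.example.com is not from the page.
ON_DEMAND_RULES = [
    # Internal network, recognized by its DNS search domain: VPN isn't necessary.
    {"Action": "Disconnect", "DNSDomainMatch": ["corp.example.com"]},
    # Any Wi-Fi network that did not match above is unknown: require VPN.
    {"Action": "Connect", "InterfaceTypeMatch": "WiFi"},
    # Everything else: connect only when DNS for a listed domain fails.
    {"Action": "EvaluateConnection",
     "ActionParameters": [{"Domains": ["*.corp.example.com"],
                           "DomainAction": "ConnectIfNeeded"}]},
]

def rules_plist(rules=ON_DEMAND_RULES):
    """Serialize the rules as the OnDemandRules key of a VPN payload (XML plist)."""
    return plistlib.dumps({"OnDemandRules": rules})

def rule_matches(rule, net):
    """Simplified model: every match criterion present in the rule must hold."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != net["interface"]:
        return False
    if "SSIDMatch" in rule and net.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule:
        if not set(rule["DNSDomainMatch"]) & set(net.get("search_domains", [])):
            return False
    return True

def network_detection_action(rules, net):
    """Return the Action of the first rule that matches the network state."""
    for rule in rules:
        if rule_matches(rule, net):
            return rule["Action"]
    return None  # not reached here: the last rule has no criteria and matches anything

if __name__ == "__main__":
    print(rules_plist().decode())
    for net in (
        {"interface": "WiFi", "ssid": "Corp", "search_domains": ["corp.example.com"]},
        {"interface": "WiFi", "ssid": "CoffeeShop", "search_domains": []},
        {"interface": "Cellular"},
    ):
        print(net, "->", network_detection_action(ON_DEMAND_RULES, net))
```

Rule order matters in this model: placing the Wi-Fi Connect rule before the internal-network Disconnect rule would force VPN on the internal network as well.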