Per App VPN and app-to-VPN mappings
In iOS, iPadOS, and macOS, VPN connections can be established on a per-app basis, which provides more granular control over which data goes through VPN. With device-wide VPN, any client process can potentially pass traffic across the routes the tunnel provides. This ability to segregate traffic at the app level allows the separation of personal data from organizational data. As a result, Per App VPN provides secure networking for internal-use apps, while preserving the privacy of personal device activity.
Using Per App VPN for internal-use apps
Per App VPN lets each app that’s managed by a mobile device management (MDM) solution communicate with the private network using a secure tunnel, while excluding nonmanaged apps from using the private network. Managed apps can be configured with different VPN connections to further safeguard data. For example, a sales quote app could use an entirely different data center than an accounts payable app.
To use Per App VPN, an app must be managed by MDM and use standard networking APIs. After enabling Per App VPN for any VPN connection, you need to associate that connection with the apps using it to secure the network traffic for those apps. You do this with the Per App VPN mapping payload in a configuration profile.
IKEv2 is supported by the IPSec client. For information about Per App VPN support, contact third-party SSL or VPN vendors. For more information about IKEv2, see:
Using app-to-VPN mappings in macOS
AppLayerVPNMapping is an array of dictionaries that determines the app-to-VPN mappings in macOS. The keys are:
Identifier: The app’s bundle ID
VPNUUID: The VPNUUID of the Per App VPN
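A worked example of the two keys above, added here and not part of Apple's documentation or tooling: a small Python script that builds a constructed configuration profile with two VPN payloads (one tunnel for a sales-quote app, a different one for an accounts-payable app, as in the scenario described earlier) and an AppLayerVPNMapping array, then checks the mappings for the mistakes an administrator most often makes: a VPNUUID that matches no VPN payload in the profile, a malformed UUID, an Identifier that is not a bundle ID, and the same app mapped to two different tunnels. The payload type string com.apple.vpn.managed, the placement of AppLayerVPNMapping inside the first VPN payload, the bundle IDs and the UUID values are assumptions for the example, not taken from the page.

```python
"""Sanity-check AppLayerVPNMapping entries in a macOS configuration profile.

Added example, not Apple's code. Assumptions: the VPN payload type is
"com.apple.vpn.managed" and AppLayerVPNMapping sits inside a VPN payload
next to that payload's VPNUUID. Profile layout, bundle IDs and UUIDs below
are constructed for the demonstration.
"""
import plistlib
import re
import uuid

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"  # assumed payload type string
BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Constructed VPNUUIDs for two separate tunnels (sales quotes vs. accounts payable).
SALES_VPN = "2F9B0B6C-1B6E-4E2A-9C6A-6F1E2D3C4B5A"
AP_VPN = "7A1C4D2E-8F3B-4A5C-B6D7-E8F9A0B1C2D3"


def build_profile(vpn_uuids, mappings):
    """Return a plist-encoded profile with one VPN payload per VPNUUID.

    The first VPN payload also carries the AppLayerVPNMapping array, each
    entry being a dict with the two keys the page lists: Identifier (the
    app's bundle ID) and VPNUUID (the tunnel that app must use).
    """
    payloads = []
    for i, vpn_uuid in enumerate(vpn_uuids):
        payload = {
            "PayloadType": VPN_PAYLOAD_TYPE,
            "PayloadIdentifier": f"com.example.vpn.{i}",  # constructed
            "PayloadUUID": str(uuid.uuid4()),
            "VPNUUID": vpn_uuid,
        }
        if i == 0:
            payload["AppLayerVPNMapping"] = [
                {"Identifier": app, "VPNUUID": target} for app, target in mappings
            ]
        payloads.append(payload)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})


def check_mappings(profile_bytes):
    """Return a list of human-readable problems; an empty list means every
    app-to-VPN mapping points at a tunnel that actually exists in the profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    # Every VPNUUID declared by a VPN payload is a legitimate mapping target.
    known_vpns = {
        p["VPNUUID"].upper()
        for p in payloads
        if p.get("PayloadType") == VPN_PAYLOAD_TYPE and "VPNUUID" in p
    }
    problems = []
    seen_apps = {}  # bundle ID -> VPNUUID already mapped
    for p in payloads:
        for entry in p.get("AppLayerVPNMapping", []):
            app = entry.get("Identifier")
            target = entry.get("VPNUUID")
            if not app or not target:
                problems.append(f"mapping missing Identifier or VPNUUID: {entry}")
                continue
            if not BUNDLE_ID_RE.match(app):
                problems.append(f"{app!r} is not a bundle ID")
            try:
                uuid.UUID(target)
            except ValueError:
                problems.append(f"{app}: VPNUUID {target!r} is not a UUID")
                continue
            if target.upper() not in known_vpns:
                problems.append(f"{app}: VPNUUID {target} matches no VPN payload")
            if app in seen_apps and seen_apps[app] != target.upper():
                problems.append(f"{app}: mapped to both {seen_apps[app]} and {target}")
            seen_apps.setdefault(app, target.upper())
    return problems


if __name__ == "__main__":
    good = build_profile(
        [SALES_VPN, AP_VPN],
        [("com.example.salesquote", SALES_VPN),
         ("com.example.accountspayable", AP_VPN)],
    )
    print("consistent profile:", check_mappings(good))
    dangling = build_profile([SALES_VPN], [("com.example.accountspayable", AP_VPN)])
    print("dangling mapping:", check_mappings(dangling))
```

Run the script as-is to see a clean profile pass and a profile whose mapping references a tunnel that was never defined fail. In practice an app whose mapping points at a missing VPNUUID simply does not get the tunnel, and its traffic leaves over the ordinary network, so this is the check worth running before the profile is pushed by MDM.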