
Always On VPN overview
Always On VPN gives your organization full control over device traffic by tunneling all IP traffic back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with data encryption. Your organization can now monitor and filter traffic to and from devices, secure data within your network, and restrict device access to the internet.
Always On VPN activation requires device supervision. After the Always On VPN profile is installed on a device, Always On VPN automatically activates with no user interaction, and it stays activated (including across reboots) until the Always On VPN profile is uninstalled.
With Always On VPN activated on the device, the VPN tunnel bring-up and teardown is tied to the interface IP state. When the interface gains IP network reachability, it attempts to establish a tunnel. When the interface IP state goes down, the tunnel is torn down.
Always On VPN also supports per-interface tunnels. For devices with cellular connections, there’s one tunnel for each active IP interface (one tunnel for the cellular interface and one tunnel for the Wi-Fi interface). As long as the VPN tunnels are up, all IP traffic is tunneled. Traffic includes all IP-routed traffic and all IP-scoped traffic (traffic from first-party apps such as FaceTime and Messages). If the tunnels aren’t up, all IP traffic is dropped.
All traffic tunneled from a device reaches a VPN server. You can apply optional filtering and monitoring treatments before forwarding the traffic to its destination within your organization’s network or to the internet. Similarly, traffic to the device is routed to your organization’s VPN server, where filtering and monitoring processes may be applied before being forwarded to the device.