Always-on VPN overview
Always-on VPN gives your organization full control over device traffic by tunneling all IP traffic back to the organization. The default tunneling protocol, IKEv2, secures traffic transmission with data encryption. Your organization can now monitor and filter traffic to and from devices, secure data within your network, and restrict device access to the Internet.
Always-on VPN activation requires device supervision. After the always-on VPN profile is installed on a device, always-on VPN automatically activates with no user interaction, and it stays activated (including across reboots) until the always-on VPN profile is uninstalled.
With always-on VPN activated on the device, VPN tunnel bring-up and teardown are tied to the interface IP state. When an interface gains IP network reachability, the device attempts to establish a tunnel on it. When the interface IP state goes down, the tunnel is torn down.
Always-on VPN also supports per-interface tunnels. For devices with cellular connections, there’s one tunnel for each active IP interface (one tunnel for the cellular interface and one tunnel for the Wi-Fi interface). As long as the VPN tunnels are up, all IP traffic is tunneled. Traffic includes all IP-routed traffic and all IP-scoped traffic (traffic from first-party apps such as FaceTime and Messages). If the tunnels aren’t up, all IP traffic is dropped.
All traffic tunneled from a device reaches a VPN server. You can apply optional filtering and monitoring treatments before forwarding the traffic to its destination within your organization’s network or to the Internet. Similarly, traffic to the device is routed to your organization’s VPN server, where filtering and monitoring processes may be applied before being forwarded to the device.