On-Demand, Per App or Always On? Choosing the right VPN for Apple devices

Andrei Geralt

Jun 7, 2021

7 min read

If you had asked anyone about remote work a couple of years ago, many would have considered it an alien concept. Now, 74% of professionals globally expect working from home to be the new norm. While setting up a remote workplace at home seems simple, it is not. Remote work poses challenges to the company that the workers may be oblivious to. Securing the connection between the employee device and the enterprise network is a priority, and a VPN is the answer to that problem.

Issuing corporate devices to employees is common practice. Apple devices are a popular choice both as corporate and as personal devices, and they find their way into most enterprises since they are well suited to professional use. A suitable VPN must be configured on these Apple devices to establish a secure connection to the enterprise network.

VPN protocols supported by Apple devices

VPN protocols determine how data is routed between the device and the VPN server, and Apple supports some of the commonly used ones. Apple used to support PPTP (Point-to-Point Tunneling Protocol), but it was discontinued in 2016. While PPTP boasts greater speed than other protocols, it does so by sacrificing security. PPTP can still be used through third-party VPN providers, but Apple encourages its users to rely on the other, more secure, supported protocols.

IPSec (Cisco) is also supported on Apple devices. IPSec is a suite of cryptographic protocols used to secure a connection, and most of the other supported protocols also rely on IPSec for encryption. Cisco IPSec supports various authentication methods such as certificates, shared secret, two-factor token and machine authentication.

IKEv2 – The popular speedster

Internet Key Exchange version 2 was developed by Microsoft and Cisco and is built on top of IPSec. IKEv2 works by negotiating a symmetric key between the client and the VPN server; the data that moves between these two entities is encrypted and decrypted using this key.

IPv6 is slowly replacing IPv4, and the transition is expected to take a while. Some countries have adopted IPv6 faster than others, but fret not! IKEv2 supports both IPv4 and IPv6. Shared secret, certificates, MSCHAPv2, machine authentication, MOBIKE and EAP-TLS are also supported by IKEv2.

L2TP over IPSec – Child of the old

Layer 2 Tunneling Protocol was born of combining two older tunneling protocols, Microsoft’s PPTP and Cisco’s Layer 2 Forwarding Protocol (L2F). L2TP exhibits all of PPTP’s features while covering its security vulnerabilities by utilizing IPSec for encryption. L2TP also supports both IPv4 and IPv6, and authenticates with certificates, shared secret, two-factor token, MSCHAPv2 and machine authentication.

SSL VPN – The odd one

While most of the other protocols rely on IPSec for encryption, SSL VPNs do not. The main drawback of relying on IPSec is the additional software and hardware required to implement it, which is a hassle. Who wants to set up hardware and software to get a little privacy? This is where SSL VPN comes in. Its software? We all have browsers installed on our devices, and that’s all it needs.

The SSL and TLS protocols are used to encrypt the data routed between the browser and the SSL VPN device. The VPN automatically chooses the latest cryptographic protocol available to the browser, so it’s pretty easy to set up. SSL VPN can use certificates and two-factor tokens for authentication.

[Image: person working on their Apple device. Caption: VPN is essential when working from public networks]

Third-Party VPN for Apple devices – The middle man

Why do people use third-party VPNs? For starters, their simple interface and the ease of setting up the connection make them an attractive choice. Using a third-party VPN also gives access to different features depending on the vendor, and you can get them from the App Store. These VPN connections require a plugin to be installed on the browser prior to use. Here are a few examples:

Cisco AnyConnect
Juniper SSL
Aruba VIA

The main drawback of using a third-party VPN is, well, the involvement of said third party. When using a VPN, all your data moves through the VPN server. Almost every VPN vendor claims to be trustworthy, but it’s pretty hard to convince yourself to expose your data entirely just like that. Even if they are tight-lipped, their respective governments could use laws and policies to crack open the data on their servers. So, it would be best to do some research before choosing a vendor, and there are tons of vendors to choose from.

VPN Support

Protocols and authentication are essential, but they are only the base of a VPN. Many technologies have come up to support it and streamline the user experience. Here are some of the important features supported by Apple devices.

On-Demand VPN

Say you require your VPN only on an as-needed basis: for example, needing a VPN when you connect to an unknown Wi-Fi network, or deeming the VPN unnecessary when connecting to an internal network. This is possible by configuring VPN On Demand. This feature automates the establishment of a VPN connection based on the OnDemandRules key in the configuration profile.

Since enabling the VPN is an automated process, it would be annoying to enter user credentials every time the switch gets flipped. Certificates are usually used to create a better and more seamless user experience.
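The following configuration profile is an added example, not part of the original post or any Hexnode product: an IKEv2 VPN payload with certificate authentication (so On Demand never prompts for credentials) and an OnDemandRules array that disconnects on the internal office Wi-Fi and connects on every other Wi-Fi network and on cellular. The server name vpn.example.com, the SSID CorpNet, and all UUIDs are assumed placeholders; the client certificate is assumed to be delivered by a separate certificate payload with the referenced UUID.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>com.example.vpn.ondemand</string>
  <key>PayloadUUID</key><string>11111111-1111-4111-8111-111111111111</string>
  <key>PayloadDisplayName</key><string>Corporate VPN (On Demand)</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>com.example.vpn.ondemand.ikev2</string>
      <key>PayloadUUID</key><string>22222222-2222-4222-8222-222222222222</string>
      <key>UserDefinedName</key><string>Corporate VPN</string>
      <key>VPNType</key><string>IKEv2</string>
      <key>IKEv2</key>
      <dict>
        <key>RemoteAddress</key><string>vpn.example.com</string>
        <key>RemoteIdentifier</key><string>vpn.example.com</string>
        <key>LocalIdentifier</key><string>device.example.com</string>
        <!-- Certificate auth: no credential prompt each time On Demand connects (placeholder UUID) -->
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>PayloadCertificateUUID</key><string>33333333-3333-4333-8333-333333333333</string>
      </dict>
      <key>OnDemandEnabled</key><integer>1</integer>
      <!-- Rules are evaluated top to bottom; the first matching rule decides the action -->
      <key>OnDemandRules</key>
      <array>
        <dict>
          <!-- Internal office Wi-Fi (assumed SSID): the tunnel is not needed here -->
          <key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>SSIDMatch</key><array><string>CorpNet</string></array>
          <key>Action</key><string>Disconnect</string>
        </dict>
        <dict>
          <!-- Any other Wi-Fi (hotel, café, home) is treated as untrusted -->
          <key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>Action</key><string>Connect</string>
        </dict>
        <dict>
          <key>InterfaceTypeMatch</key><string>Cellular</string>
          <key>Action</key><string>Connect</string>
        </dict>
      </array>
    </dict>
  </array>
</dict>
</plist>
```

Before pushing the profile through the UEM, `plutil -lint` on a Mac catches plist syntax errors; the rule order matters because the Disconnect rule must precede the catch-all Wi-Fi Connect rule.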

Always On VPN

Security is a must for any enterprise, and to keep the network secure, some organizations may require a VPN to be enabled all the time. This is where Always On VPN comes in. Once the profile for this feature is installed on the device, the VPN will stay enabled even across multiple reboots. Device supervision is required to activate Always On VPN.

This ensures that all the traffic passes through the organization’s VPN server. The data from the device can be optionally filtered and monitored before reaching its destination. Similar processes can be done to the data sent to the device. To disable Always On VPN, the profile installed on the device has to be removed. This makes it an ideal VPN to be set up on a corporate device.

Per-App VPN

So, imagine you use a couple of enterprise apps on your personal device. Using an Always On VPN isn’t really an option since it’s your device; a Per-App VPN fits your use case perfectly. Once upon a time, Per-App VPN was only supported by certain VPN providers; it was only with a later iOS release that Per-App VPN was supported by every built-in VPN client. By configuring which apps require a secure connection, you can automate the activation of the VPN whenever a particular application is in use.

Some apps might need a more secure connection than others, and it is possible to assign different connections to different managed apps in order to safeguard data further. There are two requirements to use Per-App VPN on iOS devices: the app must use the standard networking APIs, and the device must be managed by an MDM (Mobile Device Management) solution. Per-App VPN is enabled by configuring it on the built-in VPN client of iOS devices.

A Final Note

Setting up a VPN for Apple devices may sound very complex, but it’s a breeze for a device managed by a modern UEM solution like Hexnode. With a UEM solution, it’s possible to configure the entire VPN setup and push it onto the managed devices in your enterprise. This eliminates any need for the employee to spend additional time and effort. It is also an excellent way to prevent the employee from removing the configurations set up on the device. With Apple devices already natively supporting a good number of VPN appliances, relying on a third-party VPN isn’t exactly necessary.

When it comes to tools for securing your connection, a VPN is definitely the first option that comes to mind. A consumer or an enterprise can employ one to protect privacy or to secure data. Each VPN protocol has its own pros and cons, but IKEv2 seems to be the popular choice. Statistics show that more than 26% of internet users employ a VPN solution. While alternatives to VPN are available in the market, it’ll take a very long time for VPN to go entirely out of the picture. But right now, if you want a secure connection, VPN is the way to go.

Andrei Geralt

Frolicking on the keys while appreciating the serenity behind the screen.
