Per-App VPN Architecture: Routing managed app traffic through secure tunnels
Traditional perimeter-based security relies on device-wide Virtual Private Networks (VPNs). In this legacy “All-or-Nothing” model, once a user authenticates, their entire device—including personal applications, social media, and background OS traffic—is routed through the corporate gateway. This approach not only consumes massive amounts of internal bandwidth but also severely violates the principle of Least Privilege and introduces significant user privacy risks.
This playbook serves as the architectural source of truth for configuring, managing, and troubleshooting Per-App VPN routing logic within a Hexnode UEM environment. It defines the application state logic, proxy routing behaviors, OS-level enforcement mechanisms, and the privacy governance required to maintain a strict Zero-Trust posture.
1. The Architectural Concept
In a Zero-Trust Network Access (ZTNA) model, granting device-wide VPN access violates the principle of least privilege. Hexnode UEM implements a Per-App VPN (Zero-Trust App Proxy) to create ephemeral, app-specific micro-tunnels.
Crucially, Hexnode acts as the Orchestrator. It deploys cryptographic payloads and routing rules to the endpoint OS, which then delegates network interception to a verified VPN client (e.g., Cisco AnyConnect, Palo Alto GlobalProtect, OpenVPN).
Traditional VPNs tunnel the whole device’s web traffic through a single network. Hexnode’s Per-App VPN policy associates specific Managed Apps with a designated VPN profile.
- Managed Apps: Applications distributed and installed via the Hexnode UEM Portal (e.g., VPP apps on iOS/iPadOS, or Enterprise Apps). On Android Enterprise deployments, this specifically targets apps deployed to the Work Profile. Traffic from these explicitly targeted apps is intercepted and tunneled securely.
- Unmanaged Apps: Apps downloaded manually by the user from public stores. Unmanaged apps cannot access the Per-App VPN profile deployed via the MDM payload, isolating personal data from the corporate network.
2. Policy Configuration Matrix
The routing types and supported protocols below are configured under Policies > VPN in the Hexnode portal.
| App Source | Provider Type (Routing) | Supported VPN Protocol | Logic Trigger |
| --- | --- | --- | --- |
| Enterprise App | App-proxy (Layer 7) | Cisco AnyConnect | On-Demand: Domain Match |
| VPP Store App | Packet-tunnel (IP Layer) | IPSec (Cisco) / IKEv2 | On-Demand: Network Connect |
| Web App (Kiosk) | App-proxy (Layer 7) | F5 SSL / Juniper SSL | Manual / Continuous |
| User Installed | Direct | N/A | Bypass (Unmanaged) |
3. Advanced Logic: VPN On-Demand Rules
On Apple platforms (iOS, iPadOS, macOS), On-Demand rules allow conditional VPN activation. The OS evaluates the rules sequentially when a managed app initiates network traffic.
- EvaluateConnection: The OS evaluates connection parameters (e.g., DNS resolution) before deciding whether to initiate the VPN.
- ConnectIfNeeded: The VPN activates only if specified conditions (e.g., domain match or external network) are met.
- Disconnect: The traffic is forced to bypass the VPN entirely, even if the app is managed.
- Ignore: The OS drops/blocks the network request entirely.
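The routing decision described in sections 1 and 3, as an added example that is not Hexnode's or Apple's code: a constructed Apple VPN payload fragment is parsed with `plistlib`, the launching app is first checked against a constructed managed-app inventory (an unmanaged app never sees the payload, so it goes direct), and only then are the payload's `OnDemandRules` walked in order, first match wins. The key names (`VPNUUID`, `OnDemandRules`, `Action`, `InterfaceTypeMatch`, `SSIDMatch`, `DNSDomainMatch`, `ActionParameters`, `Domains`, `DomainAction`) are Apple's documented profile keys; the bundle ids, UUID, SSIDs and domains are made-up sample values, and the simulator returns the matched rule's action string, leaving its interpretation to the definitions above.

```python
"""Added example (not Hexnode's or Apple's code): simulator of the per-app
routing decision.  Sample bundle ids, UUID, SSIDs and domains are constructed."""
import plistlib
from dataclasses import dataclass
from typing import Optional

# Constructed VPN payload fragment with ordered On-Demand rules (Apple key names).
PROFILE_FRAGMENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>VPNUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>OnDemandRules</key><array>
    <dict><key>SSIDMatch</key><array><string>Corp-HQ</string></array>
          <key>Action</key><string>Disconnect</string></dict>
    <dict><key>InterfaceTypeMatch</key><string>Cellular</string>
          <key>Action</key><string>Connect</string></dict>
    <dict><key>InterfaceTypeMatch</key><string>WiFi</string>
          <key>Action</key><string>EvaluateConnection</string>
          <key>ActionParameters</key><array><dict>
            <key>Domains</key><array><string>*.corp.example.internal</string></array>
            <key>DomainAction</key><string>ConnectIfNeeded</string>
          </dict></array></dict>
    <dict><key>Action</key><string>Ignore</string></dict>
  </array>
</dict></plist>"""

# Constructed UEM app inventory: bundle id -> VPNUUID bound to the managed app.
# Anything not listed here is treated as a user-installed (unmanaged) app.
MANAGED_APPS = {
    "com.example.crm": "11111111-2222-3333-4444-555555555555",
    "com.example.wiki": "11111111-2222-3333-4444-555555555555",
}


@dataclass(frozen=True)
class Decision:
    action: str                # On-Demand Action / DomainAction, or "Direct" for unmanaged apps
    rule_index: Optional[int]  # index of the rule that fired, None if none applied
    reason: str


def load_profile(raw: bytes) -> dict:
    return plistlib.loads(raw)


def domain_matches(host: str, pattern: str) -> bool:
    """Simplified suffix match: 'corp.example' matches itself and its
    subdomains, '*.corp.example' matches subdomains only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern or host.endswith("." + pattern)


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Every criterion present in the rule must hold; no criteria = catch-all."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != ctx["interface"]:
        return False
    if "SSIDMatch" in rule and ctx.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule and not any(
            domain_matches(ctx["host"], p) for p in rule["DNSDomainMatch"]):
        return False
    return True


def evaluate_on_demand(rules: list, ctx: dict) -> Decision:
    """Walk the rules in order; the first matching rule decides."""
    for i, rule in enumerate(rules):
        if not rule_matches(rule, ctx):
            continue
        action = rule["Action"]
        if action != "EvaluateConnection":
            return Decision(action, i, f"rule {i} matched")
        # EvaluateConnection defers to per-domain parameters; a destination
        # listed in no Domains array does not start the tunnel.
        for params in rule.get("ActionParameters", []):
            if any(domain_matches(ctx["host"], d) for d in params.get("Domains", [])):
                return Decision(params["DomainAction"], i, f"rule {i}: domain listed")
        return Decision("NeverConnect", i, f"rule {i}: domain not listed")
    return Decision("NoMatch", None, "no rule matched (profiles normally end with a catch-all)")


def route_for(bundle_id: str, profile: dict, ctx: dict) -> Decision:
    """Per-app gate first (managed and bound to this VPNUUID), On-Demand rules second."""
    vpn_uuid = MANAGED_APPS.get(bundle_id)
    if vpn_uuid is None:
        return Decision("Direct", None, "unmanaged app: no VPNUUID, payload not visible to it")
    if vpn_uuid != profile["VPNUUID"]:
        return Decision("Direct", None, "managed app is bound to a different VPN payload")
    return evaluate_on_demand(profile.get("OnDemandRules", []), ctx)


if __name__ == "__main__":
    profile = load_profile(PROFILE_FRAGMENT)
    for app, ctx in [
        ("com.example.crm", {"interface": "Cellular", "host": "crm.corp.example.internal"}),
        ("com.example.wiki", {"interface": "WiFi", "ssid": "Cafe", "host": "www.example.com"}),
        ("com.social.chat", {"interface": "Cellular", "host": "crm.corp.example.internal"}),
    ]:
        print(app, route_for(app, profile, ctx))
```

The ordering of the rules is the point to take from the simulator: a `Disconnect` rule for the corporate SSID placed first keeps on-site traffic off the tunnel, and the final criterion-free `Ignore` rule guarantees that every connection attempt resolves to some action, which is exactly what the ON_DEMAND_FAIL check in section 5 should confirm when a tunnel does not start.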
4. Architectural Definitions
Standardized definitions aligning with the Hexnode UEM interface.
- Policy.Per_App_VPN: The specific configuration profile created in the Hexnode portal used to associate a VPN connection with specific App Groups or individual apps.
- Target.Device_Group: The grouping mechanism within Hexnode used to deploy the Per-App VPN policy to a specific set of enrolled devices.
- Trigger.VPN_On_Demand: An automated rule set configured in the MDM payload (e.g., Connect, Disconnect, EvaluateConnection) that triggers the VPN connection when an app attempts to reach a specific internal domain.
5. Failure Modes & Remediation
Troubleshooting steps using Hexnode administrative actions.
| Error Code / Logic Failure | Cause | Remediation Action |
| --- | --- | --- |
| APP_NOT_MANAGED | The app is installed but the VPN is not triggering. | Ensure the app is deployed via the Hexnode App Inventory. If it was user-installed, deploy a command to convert it to a Managed App. |
| SYNC_FAIL | The device has not received the latest VPN routing rules. | Initiate a Scan Device or Sync Policy command from the Manage > Devices tab in the Hexnode UEM Portal to force APNs/FCM communication. |
| ON_DEMAND_FAIL | The tunnel does not initiate automatically upon app launch. | Verify the On-Demand rules within the active Hexnode policy. |
6. Governance: The Privacy Handshake
To maintain privacy in BYOD enrollments (such as Apple User Enrollment), Hexnode’s architecture operates on strict cryptographic separation. The Per-App VPN framework inherently limits VPN access to the Managed App List. The Hexnode administrator cannot route, intercept, or monitor traffic from apps existing outside the managed workspace, ensuring total separation of personal web traffic and corporate data transmission.