iOS VPNs: Which option is best for your enterprise?

Although vendor-written, this contributed piece does not advocate a position that is particular to the author’s employer and has been edited and approved by Network World editors.

Virtual private networks (VPNs) play an essential role in enabling staff to use mobile devices to securely access corporate resources, and when it comes to Apple devices, the VPN options have evolved with time.

Starting with iOS 3, when essential enterprise standards were still lacking, Apple developed various forms of VPNs to make iOS suitable for the workplace. As iOS evolved to encourage enterprise use, VPN configurations naturally followed suit. Key developments occurred with the advent of iOS 9, leaving us with the configurations we have today: Standard VPN (manually launched from the built-in VPN client), On demand VPN, Per app VPN, and Always on VPN.

Here is an overview of each VPN configuration for iOS and the considerations to determine which is best for your enterprise.

* Standard VPN.  Two options for standard VPN exist. With the first, VPN settings must be switched on and off manually by the user on the device. With the second option, companies require the use of VPN clients on the device to heighten security. These clients are rolled out using mobile device management (MDM) tools. In both cases, when the VPN is activated, communications for all apps on the device is routed through a secure channel.

A potentially overlooked consequence of the standard VPN is that all data, including data from unsecure or personal apps, is transmitted to the company gateway, host, or server.  Furthermore, this approach commonly causes reduced connection speeds. Instead of a direct Web server connection, all data is sent from the device to the corporate VPN and then back to the Web server, bogging down the link.

* On demand VPN. Under this configuration, the employee isn’t required to turn the VPN on and off. The connection is automatically made as soon as apps or Web sites designated in advance by IT administration are accessed. This is more convenient for the end user, and provides a better separation of work and personal data.

Unlike a standard VPN, not all the mobile device’s data travels through the VPN connection. The company benefits from routing less potentially harmful data through the network. Furthermore, this improves connection speed and, at times, even reduces costs as there is no need to invest in a more powerful Internet connection. This configuration requires a more sophisticated and expensive backend, making it more appealing for enterprises as opposed to small businesses.

* Per app VPN.  This configuration works well in a Bring Your Own Device (BYOD) context. With per app VPN, IT administration can assign specific VPN connections to individual apps that are already being managed with MAM through an EMM system. The VPN is started automatically when the app connects to the Internet. Typical consumer apps, such as YouTube and WhatsApp, are ignored, separating personal and corporate traffic. 

A per app VPN can be convenient for both IT administrators and employees. For administrators, any other important security settings needed can be configured centrally with MDM through an EMM system. The loss of data can also be limited on a per app basis.  Different apps can connect via different VPN configurations and servers, depending on the security level designated. This keeps traffic from different applications separate, and keeps the applications from being able to exchange data. In terms of employees, there is no need to remember to turn the VPN on and off, and the use of their personal apps is not affected.

* Always on VPN. Always on VPN is used only for company-owned devices. This is best in scenarios where security is the most important factor, such as healthcare, finance or government. The VPN is connected the moment the device is turned on and cannot be disabled by the user. No data is transmitted when the VPN is not active. This ensures all communication is encrypted and routed through the corporate network and can be appropriately monitored and controlled. The router can filter out domains barred from the VPN. There are even options to exclude AirPrint or items such as Voicemail as corporate security departments see fit. Always on VPN is set up via the MDM features of an EMM system.

As IT has complete control, the potential dangers that typically come from end users are eliminated. IT does not have to invest resources into setting up, maintaining and supervising a secure container on each smartphone or tablet. Instead, the device can only be used for professional purposes and cannot be compromised by unsecure personal apps.

The VPN is one of the most secure and practical data communications solutions for both companies and end users. As outlined above, much must be taken into consideration to determine the best configuration for your business. This includes user behavior and business requirements in relation to security and compliance.

VPNs have evolved rapidly with the launch of new mobile devices and operating systems, and are bound to keep changing. What can we expect for the near future? That will depend on enterprise demands. Don’t be surprised if history repeats itself, with additional features and management solutions in the upcoming versions of iOS enabling even more granular and flexible control of the VPN.

Cortado Mobile Solutions is a wholly owned subsidiary of Cortado Holding AG, and is responsible for all operations relating to the enterprise mobility solution Cortado Corporate Server. The unique enterprise mobility solution offers the perfect balance between security for the organization, easy manageability for the IT department and maximum flexibility for users.

 

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.