Intune per app vpn ios setup guide: configure per-app VPN on iOS with Intune, best practices, troubleshooting, and real-world tips
Introduction
Yes, Intune per app VPN on iOS is supported. If you’re aiming to route only specific apps through a VPN tunnel rather than all device traffic, per‑app VPN is the feature you want. This guide walks you through what per‑app VPN is, how it works on iOS, and how to configure it in Intune, plus practical tips, common issues, and real‑world use cases.
What you’ll get in this guide:
– A clear explanation of per‑app VPN on iOS and why it matters for security
– A step‑by‑step setup for Intune on iOS, including prerequisites and caveats
– How to map apps to a VPN tunnel and test the configuration
– Best practices for certificates, authentication, and app coverage
– Troubleshooting tips and common pitfalls to avoid
– Real‑world scenarios showing when to use per‑app VPN vs full device VPN
– A quick FAQ to answer the most common questions
Affiliate note: If you’re evaluating a VPN to pair with per‑app VPN on iOS, consider NordVPN. For the current deal, check this offer: 
Useful resources
– Apple Developer: App VPN and Network Extension – https://developer.apple.com
– Microsoft Intune documentation – https://learn.microsoft.com/en-us/mem/intune/
– Apple Support: iOS VPN and Network Extension basics – https://support.apple.com
– Azure Active Directory & Intune integration – https://learn.microsoft.com/en-us/azure/active-directory/
– VPN best practices for mobile devices – https://www.cisecurity.org
What is Intune per app VPN on iOS?
Per‑app VPN is a feature that lets you route traffic from selected apps through a VPN tunnel, while other apps can bypass the VPN. In Intune, you configure an App VPN iOS profile and then associate specific apps by their bundle identifiers. When a user launches an app that’s mapped to the VPN, the app’s network traffic is sent through the VPN extension, often providing an extra layer of security for sensitive data in transit. This is especially useful for BYOD environments or organizations with split‑tunnel or data‑sensitive workloads where you don’t want every app’s traffic forced through your corporate VPN.
Key concepts you’ll encounter:
– App VPN extension: the iOS Network Extension that handles the VPN tunnel for the designated apps
– VPN policy: settings that define the connection, server, and authentication method
– App mapping: linking an app’s bundle ID to the App VPN so only that app uses the VPN
– Always On vs On Demand: how aggressively the VPN connects and stays active
How per‑app VPN works on iOS with Intune
– The device gets enrolled in Intune and a VPN profile of type App VPN iOS is deployed
– You define the VPN connection (server, remote ID, local ID, authentication)
– You map one or more apps by their bundle ID to the VPN
– When the user launches a mapped app, iOS triggers the Network Extension to establish the VPN, and traffic from that app is routed through the VPN until the app is closed or the VPN disconnects
– Unmapped apps continue normal network access with no VPN involvement
Benefits:
– Enhanced data protection for flagship apps and sensitive corporate data
– Flexible policy: secure critical apps without forcing all device traffic through VPN
– Better user experience for BYOD programs where some apps don’t need VPN
Prerequisites
Before you start, make sure you have:
– An active Microsoft Intune subscription with access to the Endpoint Manager admin center
– An iOS device (iPhone/iPad) enrolled and managed by Intune
– An active VPN server or service that supports App VPN on iOS (IKEv2/IPsec is common; some vendors offer their own App VPN extensions)
– A certificate strategy (certificate‑based authentication is common for stronger security, though some setups may use username/password with a trusted server)
– Administrative permissions to create VPN profiles in Intune and to publish app assignments
– Knowledge of the app bundle IDs you want to map to the VPN
– An understanding of your network topology: whether you want traffic to flow through a corporate VPN gateway or a cloud VPN endpoint
Optional but recommended:
– A test device group to pilot the setup before wide rollout
– A security baseline to ensure encryption, certificate trust, and device posture checks align with your policy
Step‑by‑step setup in Intune iOS App VPN
Note: The exact UI wording can change as Microsoft updates the portal, but the flow remains consistent.
1. Prepare your VPN server and certificate
– Ensure your VPN server is reachable from iOS devices and supports the expected authentication method
– If you’re using certificate‑based authentication, issue and install a client certificate for the device/user
– Obtain any necessary CA certificates that iOS devices must trust for the VPN connection
2. Create the App VPN (iOS) profile in Intune
– Sign in to the Microsoft Endpoint Manager admin center
– Navigate to Devices > Configuration profiles > Create profile
– Platform: iOS/iPadOS
– Profile type: VPN
– Connection type: App VPN (iOS)
– Give the profile a descriptive name, e.g., “App VPN for Finance App”
– VPN settings:
– Server address or FQDN
– Remote ID (the server identity)
– Local ID (if required by your server)
– Authentication method (certificate, password, or certificate plus password)
– Any necessary certificate profiles or trusted root certificates
– Save the VPN profile
3. Create the app mapping
– Still in the Endpoint Manager, add a new App:
– App package: use the app’s iOS bundle ID (format is com.company.app)
– Associate the app with the VPN profile you created
– Define whether the app uses “Always On” or On Demand behavior; Always On means the VPN starts as soon as the app launches and stays connected while the app is in use
4. Assign the configuration to user groups
– Choose the user/group memberships that should receive the App VPN profile and the app mapping
– Consider a pilot group first, then roll out to broader audiences
5. Deploy and monitor
– After assignment, devices will receive the policy during the next check‑in
– On the user’s device, open the app mapped to the VPN and verify connectivity
– In Intune, monitor deployment status to confirm devices have received the VPN profile and app mapping
6. Testing and validation
– Launch the mapped app and confirm that traffic is routed through the VPN by checking the app’s behavior or using network monitoring tools
– Validate that non‑mapped apps don’t route through the VPN
– If using certificate authentication, ensure the client certificate is properly installed on the device
7. Optional advanced settings
– Configure “Always On” for a seamless user experience, if policy requires continuous protection
– Configure On Demand rules to auto‑connect when certain apps are opened
– Use split tunneling if you want only specific destinations to go through the VPN
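To keep the bundle‑ID inventory and VPN references from step 3 consistent (and to catch the mismatched‑bundle‑ID case listed under troubleshooting), here is an added Python check that is not part of this guide or of Intune: it parses a per‑app VPN configuration profile (Apple’s com.apple.vpn.managed.applayer payload type, which is how iOS expresses a per‑app VPN) and cross‑checks an app‑mapping list against it. The profile, VPNUUID, server name and bundle IDs are constructed placeholders.

```python
import plistlib
import re

# Payload type iOS uses for a per-app (app-layer) VPN; VPNUUID is how an
# app mapping refers back to this payload. Values below are constructed.
APP_LAYER_VPN_TYPE = "com.apple.vpn.managed.applayer"
VPN_UUID = "11111111-2222-4333-8444-555555555555"   # placeholder UUID

SAMPLE_PROFILE_XML = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": APP_LAYER_VPN_TYPE,
        "PayloadIdentifier": "example.vpn.finance",   # placeholder
        "VPNUUID": VPN_UUID,
        "VPNType": "IKEv2",
        "ProviderType": "packet-tunnel",
        "OnDemandMatchAppEnabled": True,
        "IKEv2": {"RemoteAddress": "vpn.example.invalid",      # placeholder
                  "RemoteIdentifier": "vpn.example.invalid",
                  "AuthenticationMethod": "Certificate"},
    }],
})

# Constructed app-mapping inventory (bundle ID -> VPNUUID) with three defects.
SAMPLE_MAPPINGS = [
    {"bundle_id": "com.example.finance", "vpn_uuid": VPN_UUID},
    {"bundle_id": "com.example.crm", "vpn_uuid": VPN_UUID},
    {"bundle_id": "Com.Example.Finance ", "vpn_uuid": VPN_UUID},     # stray whitespace
    {"bundle_id": "com.example.hr", "vpn_uuid": "00000000-0000-4000-8000-000000000000"},  # unknown VPN
    {"bundle_id": "com.example.crm", "vpn_uuid": VPN_UUID},          # duplicate entry
]

BUNDLE_ID_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")  # reverse-DNS form

def app_layer_vpn_uuids(profile_bytes):
    """Return the VPNUUIDs declared by per-app VPN payloads in a profile."""
    profile = plistlib.loads(profile_bytes)
    return {p["VPNUUID"] for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == APP_LAYER_VPN_TYPE and "VPNUUID" in p}

def validate_mappings(profile_bytes, mappings):
    """Return (bundle_id, problem) tuples; an empty list means the mapping is consistent."""
    known, seen, problems = app_layer_vpn_uuids(profile_bytes), set(), []
    for m in mappings:
        bid = m["bundle_id"]
        if bid != bid.strip():
            problems.append((bid, "bundle ID has leading/trailing whitespace"))
        elif not BUNDLE_ID_RE.match(bid):
            problems.append((bid, "bundle ID is not of the form com.company.app"))
        if bid in seen:
            problems.append((bid, "duplicate mapping"))
        seen.add(bid)
        if m["vpn_uuid"] not in known:
            problems.append((bid, "VPNUUID not declared by any per-app VPN payload"))
    return problems
```

Run it against the real exported profile and your inventory before assigning the mapping; each reported tuple is one of the “mismatched bundle ID” or missing‑profile causes from the troubleshooting list.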
Best practices and security considerations
– Prefer certificate‑based authentication when possible for stronger security
– Use a dedicated VPN subnet and appropriate firewall rules for traffic coming through App VPN
– Keep the VPN server and client configurations updated to avoid protocol vulnerabilities
– Document bundle IDs for all mapped apps and maintain an up‑to‑date inventory
– Test with a representative mix of apps (internal, partner apps, and public apps) to verify mapping accuracy
– Consider a tiered approach: start with a few high‑risk apps and gradually expand
– Use device compliance policies to ensure devices are enrolled, managed, and in a healthy state before provisioning App VPN
– Monitor VPN usage and performance to identify bottlenecks or misconfigurations
– Plan for user education: explain why certain apps require VPN and how it affects their workflow
Troubleshooting and common issues
– Issue: VPN fails to connect for a mapped app
– Check that the app bundle ID is correct and matches the app launched by the user
– Verify the VPN server address, remote ID, and local ID in the Intune profile
– Confirm the appropriate client certificate is installed and trusted on the device
– Review Intune deployment status for the profile and mapping
– Issue: VPN connects but traffic isn’t routing
– Ensure the VPN profile uses the correct tunnel type (IKEv2/IPsec or compatible) and that the server allows the expected traffic
– Check firewall rules on the VPN gateway to permit app‑specific destinations
– If using split tunneling, confirm the destination networks are included in the allow list
– Issue: App launches but VPN is not established automatically
– Verify Always On vs On Demand settings and test with both
– Confirm Network Extension entitlement is enabled for the VPN extension and that the app supports per‑app VPN
– Issue: Certificate errors during authentication
– Confirm the device trusts the issuing CA and that the certificate chain is complete
– Check certificate validity period and revocation status
– Issue: iOS policy conflicts
– Look for conflicts with other VPN or network configurations
– Ensure there isn’t a conflicting app policy that overrides or disables Network Extensions
– Issue: Devices not receiving the policy
– Check device check‑in frequency and policy scope
– Verify user/group membership and license entitlements
– Issue: Performance impact
– Review VPN server capacity and bandwidth
– Optimize tunnel routing and consider upgrading hardware or changing the VPN topology if needed
– Issue: Unsupported apps
– Some apps don’t permit traffic routing through per‑app VPN; ensure the apps you map can tolerate App VPN traffic
– Issue: BYOD privacy considerations
– Be transparent about which apps are VPN‑protected and how data is handled
– Ensure policies align with privacy and data governance requirements
Real‑world use cases and scenarios
– BYOD security for field staff: Map critical line‑of‑business apps to App VPN, leaving internal tools accessible without VPN to reduce overhead
– Data protection for contractors: Restrict sensitive data paths to corporate VPN channels, while other apps stay direct
– Regional access control: Route only apps that access geofenced resources through VPN, while general browsing remains local
– Compliance auditing: Use per‑app VPN logs to demonstrate controlled data egress for specific apps
Per‑app VPN vs full device VPN: when to choose which
– Per‑app VPN is ideal when you want to secure only selected apps and minimize battery/network overhead
– Full device VPN is simpler to manage in some scenarios and guarantees all traffic is tunneled, which can be important for certain compliance requirements
– In mixed environments (BYOD + corporate‑owned devices), starting with per‑app VPN often provides the most flexible balance between security and user experience
Licensing, costs, and maintenance
– Per‑app VPN configuration in Intune is part of the standard Intune feature set, but you’ll incur typical licensing costs for Intune and your VPN service
– Regularly review certificate lifecycles, VPN server capacity, and app inventory to keep policies effective and secure
– Plan for ongoing maintenance: updated VPN profiles, refreshed certs, and periodic validation of app mappings
Alternatives and complements
– Always‑on VPN for all traffic if your organization requires pervasive protection
– App proxy or gateway solutions for mobile apps that don’t support native VPN extensions
– Cloud‑based secure access services that offer integrated per‑app routing and conditional access
Best practices checklist
– Define a small pilot group and test end‑to‑end flow
– Map only the most sensitive apps initially
– Use certificate‑based authentication where possible
– Maintain an up‑to‑date app bundle ID inventory
– Regularly audit VPN gateway capacity and performance
– Document all configurations and update runbooks
– Train IT staff and provide user guidance for troubleshooting
– Monitor compliance and ensure device posture aligns with policy
– Plan for decommissioning apps from App VPN when no longer needed
– Review privacy implications for BYOD users and communicate clearly
Frequently Asked Questions
# How does Intune per app VPN on iOS differ from a standard device VPN?
Per‑app VPN targets specific apps to run through the VPN, leaving non‑mapped apps and general web traffic outside the tunnel. This provides granular control over data traffic and can improve performance for users who only need protection for certain apps.
# Which iOS versions support App VPN in Intune?
App VPN on iOS is supported on modern iOS devices that can run the Intune App VPN extension. Ensure devices are updated to supported iOS versions and enrolled in Intune with the necessary Network Extension capabilities.
# Can I map multiple apps to the same VPN profile?
Yes. You can map several apps by bundle ID to the same App VPN profile so their traffic goes through the same VPN tunnel.
# Do I need a VPN app installed on the device for per‑app VPN?
In many cases, you’ll use a VPN server configuration that works with iOS’ built‑in VPN capabilities (IKEv2/IPsec), or you’ll rely on a VPN app that provides an App VPN extension. If you’re using a third‑party VPN app, ensure it supports iOS App VPN extensions and works with Intune per‑app VPN.
# How do I test per‑app VPN after deployment?
Open a mapped app and perform a network action (e.g., fetch data, load content). Verify that traffic routes through the VPN by checking the app’s behavior, connecting to corporate resources, or using network monitoring tools. Ensure non‑mapped apps connect directly to the internet.
# What are the common reasons per‑app VPN doesn’t connect?
Mismatched bundle IDs, incorrect server details, certificate issues, or permissions problems with the VPN extension. Verify the configuration, app mapping, and certificate trust chain. Check Intune deployment status and device check‑in logs.
# Can per‑app VPN help with BYOD policies?
Absolutely. It allows you to protect data in transit for specific corporate apps while maintaining user privacy for personal apps and general traffic.
# How do I handle certificate renewal for App VPN?
Coordinate certificate lifecycles with your PKI, deploy updated certificates to devices, and refresh the VPN profile as needed. Automated certificate management helps minimize downtime.
# Is it possible to have Always On for some apps and On Demand for others?
Yes. In the Intune App VPN configuration, you can set Always On for designated apps or use On Demand rules to connect when those apps run.
# How do I monitor App VPN usage and health in Intune?
Use the Intune admin center’s reporting and device status to watch deployment success, app mappings, and VPN health. Some VPN vendors also offer telemetry that can be integrated into your monitoring stack.
# What if my VPN server doesn’t support IKEv2/IPsec?
You’ll need to choose a VPN solution that supports App VPN extensions in iOS or adapt your setup to work with the available protocol that iOS supports for App VPN, ensuring your server and client configurations are compatible.
# Can per‑app VPN be used with AI or analytics apps that require continuous data flow?
It depends on the app and its network requirements. Some apps may function with intermittently routed VPN traffic, while others expect steady, Always On VPN. Test with your target apps to confirm behavior.
# What’s the recommended rollout plan for per‑app VPN?
Start with a pilot group, map a couple of high‑risk apps, verify connectivity and performance, and then gradually expand to more apps and user groups. Use feedback to refine app mappings and VPN settings.
# Are there privacy concerns with per‑app VPN in mobile environments?
Per‑app VPN protects data in transit for corporate apps, but you should still be transparent about data collection, monitoring, and access controls. Align policies with your organization’s privacy guidelines and compliance requirements.
If you’re implementing Intune per app VPN on iOS for the first time, take it slow, validate each step, and keep your stakeholders in the loop. With careful planning, per‑app VPN can dramatically improve data protection for critical apps without forcing every piece of traffic through a corporate tunnel. If you want to explore a VPN option while you set this up, the NordVPN deal shown earlier is a solid starting point to pair with your secure app traffic strategy.