VPN Protocols (IPsec, IKEv2, L2TP, SSL VPN)
VPN protocols establish secure, encrypted connections over public networks. IKEv2/IPsec is Apple’s recommended VPN protocol for iOS and macOS due to its security and mobility support. MDM admins can deploy VPN profiles to configure these connections automatically.
What to Know
VPNs enable secure remote access to corporate networks, encrypting traffic to protect data when devices connect from untrusted networks (home internet, coffee shop Wi-Fi, cellular). For organizations with on-premises resources (file servers, internal applications, databases), VPNs provide the secure connectivity layer enabling remote work. IKEv2 specifically handles network transitions gracefully — when devices switch between Wi-Fi and cellular, IKEv2 automatically re-establishes the VPN connection without user intervention, maintaining seamless access to corporate resources. Modern Always-On VPN configurations ensure devices maintain VPN connectivity whenever outside trusted networks, enforcing security policies before allowing network access.
MDM deployment of VPN profiles eliminates manual configuration, reduces support burden, and enables centralized VPN policy management. IT can configure split-tunnel routing (only corporate traffic through VPN) or full-tunnel (all traffic through VPN), certificate-based authentication (eliminating passwords), and per-app VPN rules (only specific apps use VPN). VPN authentication can integrate with corporate identity systems (Active Directory, Azure AD) for centralized credential management and access control.
Common Scenarios
Enterprise IT: Corporate remote access policies typically require VPN for accessing internal resources from external networks. IT deploys VPN profiles via MDM that configure IKEv2 connections with certificate-based authentication, eliminating password management. Always-On VPN configurations force devices to connect to VPN before allowing network access, ensuring security policies apply before users access any resources. Split-tunnel configurations route only corporate traffic through VPN, improving performance for internet-bound traffic while protecting corporate data. Per-app VPN rules enable specific applications (internal web apps, file sharing) to automatically trigger VPN connections.
MSP: MSPs configure client-specific VPN profiles for remote access to client networks, often using certificate-based authentication for improved security and reduced password management overhead. Multi-client MSP deployments require managing different VPN endpoints, authentication credentials, and routing configurations per client. MSPs should implement VPN connection monitoring to detect authentication failures, certificate expiration, or connectivity issues affecting remote workers. VPN troubleshooting often involves verifying firewall rules, certificate validity, and authentication server accessibility.
Education: School districts deploy VPN profiles to teacher and IT staff devices for secure remote access to student information systems, file servers, and administrative applications. Student devices typically don’t require VPN access, though distance learning scenarios may require VPN for accessing on-premises learning management systems. Education VPN deployments must balance security (protecting student data) with usability (minimizing complexity for teachers). Certificate-based authentication simplifies VPN access while maintaining security, avoiding password-related support calls.
In Addigy
Addigy enables admins to deploy VPN configuration profiles that configure IKEv2, IPsec, L2TP, and SSL VPN connections on managed devices. Administrators configure VPN settings including server addresses, authentication methods, and routing rules through the Addigy console, then deploy profiles to devices or device groups. Addigy supports certificate-based VPN authentication by deploying identity certificates alongside VPN profiles, enabling password-less VPN access.
Addigy’s VPN profile configuration includes options for Always-On VPN, per-app VPN rules, split-tunnel vs. full-tunnel routing, and on-demand connection rules that automatically establish VPN when accessing specific domains or networks. Administrators can deploy multiple VPN profiles to support different use cases (corporate network access, remote desktop, specific application access). Addigy’s deployment controls enable staged rollouts and easy profile updates when VPN infrastructure changes require configuration adjustments.
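The certificate-based IKEv2 settings described under What to Know and the on-demand and split- vs. full-tunnel options described above, as an added example that is not Addigy's code or part of the original page: a Python script that builds the com.apple.vpn.managed payload Apple's Configuration Profile Reference defines for IKEv2, lints it for the settings a reviewer would reject before an MDM rollout (shared-secret authentication, DES/3DES or SHA-1, Diffie-Hellman groups below 14, a catch-all on-demand rule that shadows the rules after it), and wraps it in the .mobileconfig structure an MDM pushes. The server name, SSID, domains, identifiers and certificate UUID are constructed placeholders; the Always-On and per-app VPN keys are not shown.

```python
"""Build and lint an IKEv2 VPN payload for an Apple .mobileconfig profile.
Added example, not Addigy's code. Key names follow Apple's com.apple.vpn.managed
payload; host name, SSID, domains and certificate UUID are constructed placeholders."""
import plistlib
import uuid

# Constructed placeholders: replace at deployment time.
VPN_SERVER = "vpn.example.com"
CORP_SSID = "CorpWiFi-Example"
CORP_DOMAINS = ["intranet.example.com", "files.example.com"]
CLIENT_CERT_UUID = "11111111-2222-3333-4444-555555555555"  # UUID of the identity payload

WEAK_ENCRYPTION = {"DES", "3DES"}
AEAD_ENCRYPTION = {"AES-128-GCM", "AES-256-GCM", "ChaCha20Poly1305"}
WEAK_INTEGRITY = {"SHA1-96", "SHA1-160"}
MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are deprecated
MATCH_KEYS = ("InterfaceTypeMatch", "SSIDMatch", "DNSDomainMatch", "DNSServerAddressMatch", "URLStringProbe")


def on_demand_rules(corp_ssid, domains, full_tunnel):
    """First-match rules: stay disconnected on the corporate SSID; elsewhere connect
    for all traffic (full tunnel) or only when a corporate domain is accessed (split).
    Which traffic is routed through the tunnel is set by the routes the server pushes."""
    rules = [{"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": [corp_ssid]}]
    if full_tunnel:
        rules.append({"Action": "Connect"})  # no match keys: catch-all
    else:
        rules.append({"Action": "EvaluateConnection", "ActionParameters": [
            {"Domains": domains, "DomainAction": "ConnectIfNeeded"}]})
    return rules


def ikev2_vpn_payload(server=VPN_SERVER, cert_uuid=CLIENT_CERT_UUID,
                      corp_ssid=CORP_SSID, domains=CORP_DOMAINS, full_tunnel=False):
    """Return a com.apple.vpn.managed payload for certificate-based IKEv2."""
    sa_params = {
        "EncryptionAlgorithm": "AES-256-GCM",  # AEAD, so IntegrityAlgorithm is ignored
        "IntegrityAlgorithm": "SHA2-256",
        "DiffieHellmanGroup": MIN_DH_GROUP,
    }
    return {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.ikev2",
        "PayloadUUID": str(uuid.uuid4()),
        "UserDefinedName": "Corporate VPN",
        "VPNType": "IKEv2",
        "IKEv2": {
            "RemoteAddress": server,
            "RemoteIdentifier": server,           # must match the server certificate's SAN
            "LocalIdentifier": "device@example.com",
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": cert_uuid,  # identity deployed alongside the VPN payload
            "ExtendedAuthEnabled": False,         # no EAP password prompt on top of the cert
            "EnablePFS": True,
            "DisableMOBIKE": False,               # MOBIKE keeps the SA across Wi-Fi/cellular moves
            "IKESecurityAssociationParameters": sa_params,
            "ChildSecurityAssociationParameters": dict(sa_params),
        },
        "OnDemandEnabled": 1,
        "OnDemandRules": on_demand_rules(corp_ssid, domains, full_tunnel),
    }


def lint_vpn_payload(payload):
    """Return the findings a reviewer would raise before deploying this payload."""
    findings = []
    if payload.get("VPNType") != "IKEv2":
        return [f"VPNType {payload.get('VPNType')}: prefer IKEv2 over L2TP-era types"]
    ike = payload.get("IKEv2", {})
    if ike.get("AuthenticationMethod") != "Certificate":
        findings.append("AuthenticationMethod is not Certificate: a shared secret is shared")
    elif not ike.get("PayloadCertificateUUID"):
        findings.append("Certificate auth without PayloadCertificateUUID: no client identity")
    if not ike.get("EnablePFS"):
        findings.append("EnablePFS is false: child SAs are not forward-secret")
    for name in ("IKESecurityAssociationParameters", "ChildSecurityAssociationParameters"):
        sa = ike.get(name, {})
        enc, integ = sa.get("EncryptionAlgorithm"), sa.get("IntegrityAlgorithm")
        if enc in WEAK_ENCRYPTION:
            findings.append(f"{name}: weak cipher {enc}")
        if enc not in AEAD_ENCRYPTION and integ in WEAK_INTEGRITY:
            findings.append(f"{name}: weak integrity {integ}")
        if sa.get("DiffieHellmanGroup", 0) < MIN_DH_GROUP:
            findings.append(f"{name}: DiffieHellmanGroup below {MIN_DH_GROUP}")
    rules = payload.get("OnDemandRules", [])
    for i, rule in enumerate(rules[:-1]):  # a catch-all anywhere but last shadows the rest
        if not any(k in rule for k in MATCH_KEYS):
            findings.append(f"OnDemandRules[{i}] matches everything; later rules are unreachable")
            break
    return findings


def build_mobileconfig(vpn_payload):
    """Wrap the payload in a top-level profile; returns XML plist bytes ready for MDM upload."""
    top = {"PayloadType": "Configuration", "PayloadVersion": 1, "PayloadUUID": str(uuid.uuid4()),
           "PayloadIdentifier": "com.example.profile.vpn", "PayloadDisplayName": "Corporate VPN"}
    return plistlib.dumps({**top, "PayloadContent": [vpn_payload]})
```

Run `lint_vpn_payload(ikev2_vpn_payload())` before uploading the profile; an empty list is the expected result for the defaults above, and a list of findings is what a shared-secret or 3DES configuration produces. The on-demand rules only decide when the tunnel comes up; which subnets are routed through it (split vs. full tunnel) is determined by the routes the IKEv2 server pushes to the client. Always-On VPN for supervised iOS devices is configured through a separate AlwaysOn dictionary in the same payload and is deliberately left out of this example.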
Also Known As
- Virtual Private Network Protocols
- IPsec/IKEv2
- L2TP/IPsec
- OpenVPN
- WireGuard