Explained

Per-App VPN: How It Works on iOS, macOS, and Android

Unlike full-device VPN, per-app VPN tunnels only the apps you choose — and without MDM enforcement, users can bypass it entirely on unmanaged devices.

Mountain landscape representing leadership perspective and vision
Written by
Trio Content Team
Published on
08 Jul 2026
Modified on
08 Jul 2026

Most enterprise VPN setups treat the device as the unit of protection — everything on it goes through the tunnel. That works well for a company-issued laptop that never leaves the office, but it creates real problems the moment you introduce BYOD devices or a mixed fleet where employees use the same phone for corporate apps and personal browsing.

Per-app VPN takes a different approach. Instead of routing all device traffic through an encrypted tunnel, it designates specific apps as the only ones whose traffic goes through that tunnel. Everything else — streaming, personal email, social apps — goes directly to the internet. The IT admin controls which apps are included. The end user controls nothing.

This distinction matters for three reasons: it reduces the bandwidth load on your corporate infrastructure, it gives employees on BYOD devices a legitimate privacy guarantee, and it lets your security team scope network protection to the apps that actually carry regulated or sensitive data. You're not protecting Netflix. You're protecting your ERP system and your internal file server.

This article covers how per-app VPN tunneling works at the OS level, how MDM-enforced per-app VPN differs from the user-configured kind, and how to set it up on iOS, macOS, and Android Enterprise. It also covers VPN client compatibility and where enterprise deployments tend to stall before any device is ever configured.

TL;DR

TL;DR
  • - Per-app VPN routes only specific apps through a secure tunnel — all other traffic goes directly to the internet, not through the corporate network.

  • - Full-device VPN is the wrong default for BYOD fleets. It routes personal traffic through corporate infrastructure and gives employees a legitimate privacy complaint.

  • - MDM is the only reliable way to enforce per-app VPN at scale. A VPN profile the user configures themselves is a VPN profile the user can turn off.

  • - Each platform handles per-app VPN differently: iOS uses PerAppVPN payload keys, macOS uses VPN configuration profiles, and Android Enterprise uses managed configurations pushed through Google EMM.

  • - Protocol support does not equal per-app enforcement. A VPN client can support IKEv2 or IPsec and still fail to honor per-app tunneling — verify client compatibility before you deploy.

  • - In most organizations, the longest part of a per-app VPN rollout is not the configuration. Budget approval and security sign-off routinely take longer than the technical setup.

What Is Per-App VPN?

If you've already deployed per-app VPN on at least one platform, skip ahead to the How Per-App VPN Works on Each Platform section for configuration specifics.

Per-app VPN is a network policy that designates specific apps as VPN clients. Only those apps' traffic travels through the encrypted tunnel — every other app on the device connects directly to the internet. The IT admin defines the app list. On a managed device, the end user has no visibility into or control over which apps are included.

This is different from full-device VPN, which routes all traffic through the tunnel regardless of which app generated it. It is also different from split tunneling, which is a VPN-server-side configuration that excludes certain traffic by IP range or subnet. Split tunneling operates at the network layer. Per-app VPN operates at the app layer, enforced by the OS and the MDM policy that pushed the configuration profile.

Per-app VPN requires two things to work: a mobile device management solution to push the VPN configuration profile to devices, and a compatible VPN client installed on each device. The distinction between MDM vs MAM is relevant here — MAM (mobile application management) controls app behavior and data policies, but per-app VPN is a network policy enforced at the device level through MDM, not through the application itself — which means without MDM enrollment, there is no mechanism to enforce or audit that the tunnel is active.

Per-App VPN vs. Full-Device VPN: Why the Distinction Matters for Enterprise

Per-app VPN and full-device VPN solve the same underlying problem — protecting corporate traffic — but they make opposite assumptions about device ownership and user behavior. For enterprise fleets with any BYOD or mixed-ownership component, those assumptions have real consequences for compliance, user experience, and infrastructure cost. The benefits of mobile device management become far more pronounced when your network policy matches your actual fleet composition. And where per-app VPN fits within your broader MDM strategy is a decision that deserves a clear framework.

When Full-Device VPN Makes Sense

Full-device VPN is the right model in a narrow set of situations:

  • Company-owned, single-purpose devices with no personal use — field service tablets, warehouse scanners, kiosk terminals
  • Environments where all traffic must be inspected for regulatory reasons, such as certain financial services implementations with data loss prevention requirements
  • Small, highly controlled fleets where the admin overhead of full-device tunneling is manageable and the compliance requirement justifies it
  • Devices that never leave a controlled network environment and need a consistent, auditable connection path for every request

When Per-App VPN Is the Right Call

For most enterprise environments, per-app VPN is the better default:

  • Any BYOD environment — routing personal traffic through corporate infrastructure creates a legitimate employee privacy concern and puts data on your VPN server that you are not obligated (and may not want) to hold
  • Mixed-ownership fleets where the same MDM policy applies to both corporate-owned and employee-owned devices
  • Organizations looking to reduce VPN server bandwidth load — only regulated app traffic consumes tunnel capacity
  • Teams protecting specific high-risk apps (EHR systems, financial platforms, legal document tools) without forcing the entire device through compliance infrastructure
  • Remote workforces using personal devices who would otherwise experience degraded performance from a full-device tunnel running alongside their normal daily activity

The Enforcement Gap You Need to Know About

The most important distinction in per-app VPN is not iOS vs. Android. It is MDM-enforced vs. user-configured.

A user-configured per-app VPN — one the employee sets up themselves on their own device — can be turned off by that employee at any time. The moment they toggle it off, the apps you thought were protected are connecting without a tunnel. There is no alert. There is no policy violation flag. The traffic simply goes out unprotected.

An MDM-enforced per-app VPN, pushed as a configuration profile to a managed device, cannot be removed by the end user on a fully managed or supervised device. The profile is locked. The app list is enforced. If the user tries to delete the VPN configuration, the MDM re-pushes it.

On BYOD devices with lightweight enrollment, the picture is more nuanced. If the user can remove the management profile entirely, they also remove the VPN configuration with it. This is not a per-app VPN failure — it is an unmanaged device problem. The solution is stronger enrollment, not a different VPN model.

One second-order consequence to plan for: if you push a per-app VPN profile and later remove it from the MDM console, enrolled devices lose the configuration without any notification to the end user. Apps that staff depend on for secure access may fail silently — and no error message will point to VPN removal as the cause. Test profile removal in a staging group before touching production.

In practice, the longest delays in per-app VPN deployments are not configuration problems. They are procurement cycles and security team sign-off timelines that run weeks longer than the technical setup itself.

Per-App VPN vs. Other VPN Configurations

Configuration TypeWho Controls ItDevice TypesEnforcement LevelBYOD CompatibleBandwidth Impact
Full-Device (Always-On) VPNIT AdminCOD preferredHigh — all traffic tunneledPoor — routes personal trafficHigh — all traffic through tunnel
Per-App VPN (MDM-Enforced)IT Admin via MDMCOD and BYODHigh — profile locked on managed deviceGood — only app traffic tunneledLow — only designated app traffic
Per-App VPN (User-Configured)End UserBYOD, unmanagedLow — user can disable at any timeAcceptable — no corporate infra overheadLow — only app traffic (when active)
Split Tunneling (VPN-Level)IT Admin (VPN server config)AllMedium — server-side rule, not app-levelDepends on implementationMedium — excludes some subnets
Always-On VPN (MDM Payload)IT Admin via MDMCODVery High — cannot be disabled by userPoor — full device tunnel on personal deviceHigh — persistent full-device tunnel
MAM-Only (No VPN)IT Admin (app policy)BYODApp-layer only — no network tunnelPartial — no network-layer protectionNone — no tunnel
No VPN PolicyN/AAnyNoneN/ANone

How Per-App VPN Works on Each Platform

This section assumes you have an MDM solution in place and at least one supported VPN client deployed to your devices. If not, start with the What Is Per-App VPN? section first.

Per-app VPN is supported across iOS, macOS, and Android Enterprise, but the configuration approach and payload syntax differ meaningfully across platforms. What works on iOS does not translate directly to macOS, and Android Enterprise adds a Google EMM layer that neither Apple platform requires. Pushing these profiles as part of your mobile device management implementation is straightforward once you understand the per-platform logic — the gap is in knowing where each platform diverges. Following mobile device management best practices, always test per-app VPN profiles on a staging group before rolling them out fleet-wide. The following covers what each platform actually does and where admins typically run into trouble.

iOS Per-App VPN

iOS handles per-app VPN through the PerAppVPN key within the VPN configuration payload, pushed via MDM. Admins specify which apps are tunneled using bundle IDs — for example, com.yourcompany.erpapp. The VPN profile contains the full list of bundle IDs, and the OS enforces the tunnel for those apps only.

Two additional keys expand what iOS per-app VPN can cover. The SafariDomains key routes Safari traffic to specified domains through the tunnel — this is domain-level scoping for the browser, distinct from app-level tunneling, and is useful for browser-based internal tools. The OnDemandRules key lets you configure the VPN to connect automatically when a designated app opens and disconnect when the app closes, so the tunnel is only active when it is actually needed.

A common configuration mistake: admins push the VPN profile but forget to push the app itself via MDM. If the app is user-installed rather than MDM-managed, the per-app VPN policy may not apply to it. Every app in the bundle ID list should be an MDM-managed app.

If on-demand rules are not triggering the VPN when a designated app opens, check whether the app is MDM-deployed or user-installed. Only MDM-managed apps reliably honor on-demand per-app VPN triggers on iOS.

macOS Per-App VPN

macOS supports per-app VPN through VPN configuration profiles pushed via MDM, with admins designating apps by bundle ID — the same conceptual model as iOS. The implementation, though, is more limited. macOS does not support Safari domain-level VPN scoping in the same way iOS does, which matters if you are trying to protect browser-based internal tools rather than native apps.

A common mistake specific to macOS: using the same MDM VPN profile for both iOS and macOS devices. The payload syntax overlaps but is not identical. Admins who build one profile and assign it to both platforms often find that one platform applies it correctly and the other silently fails. Maintain separate VPN profiles per platform — it adds one configuration step and removes a significant troubleshooting surface.

Android Enterprise Per-App VPN

Android Enterprise — previously referred to as Android for Work, a term still in use in older documentation and some IT forums — handles per-app VPN through managed configurations pushed via Google EMM. The AlwaysOnVpnPackage managed configuration key designates a specific VPN app as the always-on provider for the work profile. Per-app traffic scoping is then handled within that VPN app's own managed configuration.

The device ownership model determines the scope of enforcement. On work profile devices (BYOD), the VPN applies only within the work profile — personal apps are never tunneled, and the employee's personal traffic is never visible to the IT admin. On fully managed devices (device owner mode, COD only), the VPN policy covers all managed apps on the device.

The VPN app itself must be deployed to the work profile, not the personal profile. If the VPN app is installed in the personal profile, it cannot tunnel work profile traffic — and there will be no error indicating why.

If the VPN app is not applying to work profile apps, verify that the app was distributed through managed Google Play and deployed specifically to the work profile. A VPN client that is not available on managed Google Play cannot be used in a work profile configuration, regardless of whether it supports the right protocols.

Choosing the Right VPN Client for Per-App Enforcement

Protocol support and per-app enforcement support are two different things. A VPN client can fully support IKEv2 or IPsec and still fall back to full-device tunneling when per-app scoping is applied — either because the client does not implement the OS-level network extension properly, or because it was built before the per-app APIs existed.

Per-app VPN enforcement on iOS requires the VPN client to integrate with Apple's Network Extension API. On macOS, the client should use a system extension rather than a legacy kernel extension — kernel extensions have limited per-app VPN support on modern macOS versions, and Apple is actively deprecating them. For Android Enterprise work profile deployment, the client must be available on managed Google Play and must support managed configurations so the MDM can push VPN server settings without any manual user input.

When evaluating a VPN client for per-app deployment, check for:

  • Native iOS Network Extension API support
  • macOS system extension (not a legacy kernel extension)
  • Managed Google Play availability for Android Enterprise work profile
  • Managed configuration support so the MDM can configure the client without user action
  • MDM-deployable installation — a client the user has to download and set up manually undermines the entire enforcement model

A cloud MDM platform handles VPN client deployment across the fleet as part of the standard app push workflow — the client lands on the device pre-configured, and the user never touches the VPN settings.

If per-app VPN enforcement is inconsistent across devices running the same client version, check whether the client uses a system extension or a kernel extension on macOS. Kernel extension-based clients have documented limitations with per-app VPN on recent macOS versions, and the behavior can differ device-to-device depending on the OS version installed.

How Trio MDM Helps You Deploy Per-App VPN Across Your Fleet

Deploying per-app VPN across a mixed fleet means managing different payload formats, different OS enrollment models, and different app deployment pipelines — all at the same time. Trio MDM handles the cross-platform coordination from a single Device List that surfaces all enrolled devices — iPhone, iPad, Mac, Android, and Windows — regardless of platform.

For Apple devices, Trio MDM's depth in Apple device management — including support for supervised enrollment via Apple Configurator 2 and APN certificate management — means that configuration profiles deploy through the same standard profile workflow used for every other Apple policy. iOS and macOS devices are managed through the same Apple MDM stack, using separate per-platform assignments to match the configuration approach described in this article. You can manage these policies alongside your full Apple fleet through Trio MDM's unified endpoint management interface, which provides a centralized view of all enrolled devices regardless of OS.

For Android, Trio MDM connects with Google EMM to manage Android Enterprise devices in both Work Profile (BYOD and COD) and Fully Managed (COD only, Android 8.0+) modes. Managed configurations — including those needed for per-app VPN client deployment — are pushed through this Google EMM integration. On Work Profile devices, policy enforcement applies only within the work profile, keeping personal traffic completely outside the corporate management boundary.

For BYOD fleets specifically, Trio MDM isolates corporate data in a separate workspace with no location tracking and no full-device control. Employees get a real privacy boundary. IT admins get policy enforcement on the apps that matter. If you need to understand how Trio MDM fits your budget before committing, the MDM pricing breakdown is a good starting point.

Ready to see how it works on your fleet? Start your free trial or book a demo to walk through per-app VPN deployment and your specific platform mix with the Trio MDM team.

Ready-to-use Templates

Must-have Template Toolkit for IT Admins

Explore All
Template Toolkit

Start your free trial

No credit card required
Full access to all features

Get Ahead of the Curve

Every organization today needs a solution to automate time-consuming tasks and strengthen security. Without the right tools, manual processes drain resources and leave gaps in protection. Trio MDM is designed to solve this problem, automating key tasks, boosting security, and ensuring compliance with ease.

Don't let inefficiencies hold you back.

Every organization today needs a solution to automate time-consuming tasks and strengthen security. Without the right tools, manual processes drain resources and leave gaps in protection. Trio MDM is designed to solve this problem, automating key tasks, boosting security, and ensuring compliance with ease.

Smiling womanAbstract geometric patternAbstract geometric patternSmiling womanSmiling woman

Frequently Asked Questions

It depends on the platform and ownership model. On iOS, a user-enrolled (lightweight) MDM profile lets you push VPN configuration profiles, but the user can remove the management profile entirely — and the VPN configuration goes with it. On Android BYOD with a work profile, the per-app VPN policy applies within the work profile and persists as long as the work profile remains active. Lightweight enrollment gives you policy push capability, but not enforcement permanence on every platform.

Generally, updating the VPN configuration profile in your MDM console and redeploying it will push the updated app list to enrolled devices without requiring re-enrollment. On iOS, adding a bundle ID to the VPN profile is not enough on its own — the app must also be an MDM-managed app. If the newly added app is user-installed rather than MDM-deployed, the per-app tunnel may not apply to it even after the profile update.

No. Always-on VPN in Android Enterprise keeps the VPN connection active at all times for the work profile and tunnels all work profile traffic through the VPN server — every managed app goes through the tunnel, not just selected ones. Per-app scoping within Android Enterprise is handled by the VPN client app's managed configuration, not by the Android OS natively. The AlwaysOnVpnPackage key designates which VPN app is always-on for the work profile; it does not, by itself, limit tunneling to specific apps.

The user can see that a VPN connection is active — iOS shows the VPN icon in the status bar, macOS shows VPN status in System Settings, and Android work profile devices display a VPN status indicator. What they cannot see is which specific apps are included in the per-app policy. On a managed device, the configuration details are not exposed to the end user at all.

Per-app VPN generally produces lower overhead than full-device VPN. When on-demand rules are used, the tunnel is only active while a designated app is running — when no VPN-scoped app is open, no tunnel is maintained. Full-device VPN holds a persistent tunnel regardless of what the user is doing, which consumes battery continuously. The difference is most noticeable on mobile devices and in BYOD scenarios where employees use their devices heavily for personal apps throughout the day.
Per-App VPN: How It Works on iOS, macOS, and Android