How to configure intune per app vpn for enhanced mobile security across iOS and Android devices

You configure Intune per-app VPN by deploying per-app VPN profiles to managed devices and assigning VPN settings to specific apps. In this guide, you’ll learn how per-app VPN works in Intune, what you need before you start, a step-by-step setup for supported platforms, how to test and troubleshoot, best practices, and real-world use cases. This approach helps keep corporate data within approved apps while mobile users browse and work securely, even on untrusted networks. If you’re exploring extra protection for personal devices or remote work scenarios, consider NordVPN as a supplemental layer of security while you experiment NordVPN is a popular choice for mobile security on the go

Useful URLs and Resources unlinked text, not clickable

Microsoft Intune documentation: docs.microsoft.com/en-us/mem/intune
Apple iOS App VPN / Per-App VPN documentation: developer.apple.com
Android Enterprise / Work Profile VPN guidance: android.com/work
Windows per-app VPN for corporate scenarios: docs.microsoft.com
General enterprise mobility management EMM best practices: nist.gov or equivalent reputable sources

What is per-app VPN and why it matters

Per-app VPN sometimes called managed app VPN or App VPN is a feature that allows you to route traffic from specific, trusted apps through a corporate VPN tunnel. This gives you finer control than a device-wide VPN, so sensitive apps like email, CRM, or file repositories can stay private, while non-corporate apps can use direct Internet access. The benefits are clear:

Reduced risk of data leakage by ensuring only approved apps’ traffic goes through the VPN
Better performance since not all device traffic is forced through the VPN
Easier policy management for BYOD programs because you don’t have to force a VPN on every app
Clear enforcement: if a user removes a managed app or the VPN profile, access to corporate data is blocked for that app

Intune’s Per-App VPN feature works with the combination of a VPN gateway that supports app-based tunnels and a managed app list configured in the Intune console. When a user launches a managed app that’s assigned to the VPN, the app’s traffic is tunneled to the corporate VPN endpoint. If the app isn’t assigned, it uses normal Internet access. This lets security teams apply “the right VPN to the right app” in real-world workflows.

Supported platforms and limitations

iOS and iPadOS: Strong support for per-app VPN withManaged App VPN configurations. You can specify the VPN connection, assign apps by bundle IDs, and enforce user/device enrollment requirements.
macOS: Similar per-app VPN capabilities with Intune, often used for corporate apps on laptops, though this guide focuses on mobile devices.
Android: Per-app VPN support varies by device and vendor. Some Android Enterprise setups support per-app VPN with enterprise VPN apps, but you may encounter limitations on some consumer devices or OEM implementations. If Android support isn’t available in your environment, you can consider device-level VPN configurations or always-on VPN alternatives as a fallback.
Windows 10/11: Windows has its own set of VPN features Always On VPN, per-app VPN-like configurations and Intune can manage them, but this guide focuses on mobile platforms.

Tip: Always verify the latest Microsoft Endpoint Manager and platform-specific docs before starting, because support and UI terminology can evolve.

Prerequisites

An active Microsoft Intune tenant with the appropriate licensing MDM/MEM features enabled.
A VPN gateway/provider that supports app-based VPN and can interoperate with your chosen platform IKEv2/IPsec is common. some providers offer SSL-based or proprietary approaches.
A supported app catalog: ensure the apps you want to protect are managed iOS: managed apps. Android: managed Google Play apps or as part of an Android Enterprise work profile.
iOS/iPadOS devices enrolled in Intune with a managed configuration profile or inclusive MDM enrollment.
For Android, ensure devices are enrolled via Android Enterprise and that the required permissions are granted for managed apps.
A certificate or pre-shared key mechanism ready for VPN authentication depending on your VPN provider.
Sufficient testing devices to validate the end-to-end flow before rolling out broadly.

Step-by-step guide to configure per-app VPN in Intune

Note: The exact UI labels can differ slightly as Microsoft updates the console. The core flow remains consistent: create a Per-App VPN profile, connect it to a VPN gateway, specify the apps to protect, assign the profile to devices, and verify.

Step 1: Prepare your VPN solution and app list

Confirm your VPN gateway supports per-app VPN on your target platforms iOS/Android and identify the tunnel type IKEv2, IPSec, SSL, or provider-specific.
Collect the necessary connection details:
- VPN gateway address
- Authentication method certificate or pre-shared key
- Local and remote identifiers as required by the gateway
- Any necessary DNS or split tunneling rules
Compile the list of managed apps to include in the per-app VPN assignment for example: Outlook, Teams, Salesforce, a custom corporate app. You’ll need the bundle IDs on iOS e.g., com.example.mobileapp or Android package names e.g., com.example.mobileapp.

Step 2: Create a Per-App VPN profile for iOS in Intune

In the Intune admin center, go to Devices > Configuration profiles > Create profile.
Platform: iOS/iPadOS
Profile type: Per-app VPN
VPN connection: Choose the VPN gateway/connection that you prepared in Step 1 you may have multiple connections for different regions or partners.
App to VPN: Add the list of managed apps by their bundle IDs. Only these apps will route traffic through the VPN.
Connection type: Select the type that matches your VPN gateway IKEv2/IPSec, etc..
Authentication: Provide certificate or key material as required. If you’re using a certificate-based method, upload or reference the certificate, and specify the identity/cert binding as needed.
Always-on VPN: Decide if you want the VPN to run whenever the app launches, or only when traffic occurs. For enhanced security, you may enable a policy that enforces VPN when the app is in use.
Scope tags or assignment: Assign to the user/account groups that require protection for the selected apps.

Step 3: Create a Per-App VPN profile for Android if supported in your environment

Platform: Android Enterprise
Profile type: Per-App VPN Assuming your Android environment supports this
VPN app: Select the VPN client app that you want to use for per-app VPN many providers publish a VPN app that can be used for per-app routing.
App to VPN: Add the managed apps by their package names e.g., com.example.mobileapp.
VPN configuration: Provide server, authentication, and any tunnel settings required by the VPN client.
Assignment: Assign to the appropriate Android Enterprise work profiles or device groups.

If Android per-app VPN isn’t available in your deployment, use an alternative approach: How to use openvpn your step by step guide: setup, configuration, optimization, and troubleshooting

Device-level Always-On VPN for Android via a device policy to protect all traffic from the device.
Use separate security controls MFA, app-level data protection within the apps themselves.

Step 4: Deploy and assign

Ensure the VPN gateway profile and the per-app VPN profile are deployed to the same target groups the devices/users who need protection for those apps.
For iOS, you’ll typically also configure “Managed Apps” in Intune to ensure the apps you want to shield are managed and eligible for the per-app VPN flow.
For Android, verify that the VPN client is available in the managed Google Play account and that the device group has the correct AppConfig if required by the VPN vendor pushed.

Step 5: Enroll test devices and validate

Enroll a test iOS device or Android device where supported into Intune with the appropriate user account.
Install a test managed app that’s assigned to the per-app VPN.
Launch the app and generate traffic to verify it passes through the VPN tunnel. Use the VPN’s status or logs, and verify the IP address seen by service endpoints is the VPN’s exit IP.
Check for edge cases:
- Does the VPN disconnect when the app is closed or during background activity?
- Are split-tunnel rules applied correctly only intended app traffic uses the tunnel?
- How does the VPN behave on user-initiated network changes Wi-Fi vs cellular?

Step 6: Monitor, log, and adjust

In the Intune console, monitor per-app VPN status for enrolled devices.
Use your VPN gateway’s analytics to track tunnel health, connection duration, and failed attempts.
Adjust app lists, tunnel rules, or authentication settings as needed to fix misrouted traffic or app failures.
Establish a routine for certificate rotation or key updates if you’re using certificate-based authentication.

Step 7: Disaster recovery and rollback

Prepare a rollback plan if a misconfiguration locks users out or disrupts access to critical apps.
Keep a small set of coaching notes for IT support: which apps are protected, what VPN settings were used, and how to re-enroll devices quickly.
Maintain a change log so that you can audit when VPN profiles were added, updated, or removed.

Best practices and security considerations

Start with a minimal viable deployment: protect a handful of high-risk apps first, then expand to additional apps as you validate stability.
Use strong authentication for VPN access certificate-based where feasible, or strong pre-shared keys with rotation policies.
Enforce device compliance: require devices to be enrolled, have a compliant status, and meet minimum OS requirements before VPN connections are allowed.
Prefer app-specific traffic routing to enable faster performance and lower overhead.
Implement split-tunneling only when necessary. If your data must always traverse the corporate network, consider full tunneling with robust monitoring.
Regularly review the App IDs and ensure they’re still the correct targets for VPN routing after app updates or vendor changes.
Document all VPN parameters for future audits and onboarding of new admins.
Coordinate with security teams to align with data handling policies, geofencing requirements, and data residency rules.
Provide end-user guidance: explain when and why the VPN is used for certain apps and how to report issues.

Troubleshooting tips

Issue: VPN won’t start for a managed app.
- Check the VPN gateway configuration and ensure the app’s bundle/package IDs are correct.
- Ensure the VPN profile is assigned to the correct device groups and users.
- Verify that the device is enrolled and compliant, and that no conflicting VPN profiles exist on the device.
Issue: Traffic leaks or non-RFC compliant routing.
- Review split-tunnel rules and VPN server configuration.
- Confirm that only intended apps are included in the App-to-VPN mapping.
Issue: App crashes or connectivity failures when VPN is active.
- Check the VPN client compatibility with the OS version and update if needed.
- Look for certificate expiration or misconfigured authentication settings.
Issue: Android per-app VPN not available or not applying.
- Confirm device support for Android Enterprise and the VPN provider’s Android app supports per-app VPN on your devices.
- Consider using an Android device with vendor-specific support or switch to an always-on VPN approach if necessary.
Issue: VPN disconnects on network switch Wi-Fi to cellular.
- Consider session persistence options and re-authentication flows.
- Verify roaming support on the VPN gateway.

Real-world use cases

Financial services workforce: Protects access to email, CRM, and document repositories while employees use public Wi-Fi in coffee shops.
Field service teams: Technicians use mobile apps to fetch data from enterprise systems. per-app VPN ensures sensitive app traffic stays within the corporate tunnel without slowing down other device apps.
Global sales teams: Per-app VPN helps keep client data and proposals secure as reps switch between travel networks or hotel networks.
Healthcare providers where allowed: Use per-app VPN to ensure patient data accessed through specific apps remains within a controlled tunnel and complies with data protection regulations.

Tools and resources

Intune documentation for per-app VPN configuration
VPN gateway provider guides for app-based VPN setups
Platform-specific best practices for iOS/iPadOS and Android Enterprise
Brand-specific guidance on certificate management and key rotation
Community forums and user groups where IT admins share real-world experiences

Realistic expectations and governance

Per-app VPN is a powerful tool, but it’s not a silver bullet. It’s part of a broader security strategy that includes identity protection, device posture checks, data loss prevention, and app security controls.
Plan for ongoing maintenance: certificate renewals, app updates, and potential changes in corporate app catalogs.
Communicate clearly with end users about which apps are protected and how to report issues if a protected app can’t connect through the VPN.

Frequently Asked Questions

What is per-app VPN in Intune?

Per-app VPN in Intune is a feature that routes traffic from selected managed apps through a corporate VPN tunnel, rather than forcing the whole device’s traffic through the VPN. This gives you app-level control over secure access to corporate resources.

Which platforms support per-app VPN in Intune?

As of now, per-app VPN is supported on iOS and iPadOS and macOS in many setups. Android support varies by device and vendor. Windows has its own VPN approaches. Always check the latest Intune docs for platform-specific availability.

Do I need a specific VPN provider to use per-app VPN with Intune?

Yes. You’ll need a VPN gateway/provider that supports per-app VPN and can integrate with Intune’s per-app VPN configuration. The gateway should support the required tunnel type IKEv2/IPSec or similar and authentication method certificate-based or pre-shared key.

How do I start configuring per-app VPN in Intune?

The basic steps are: prepare your VPN gateway details, create a Per-App VPN profile in Intune for the relevant platform, specify the apps to protect by package name or bundle ID, assign the profile to the target device groups, deploy the managed apps, and verify through testing.

Can I assign per-app VPN to third-party apps?

Yes, provided those apps are managed by Intune and you can identify them by their bundle ID iOS or package name Android. Only the apps you specify will route traffic through the VPN. How to use a vpn with microsoft edge on iphone and ipad for enhanced privacy and secure browsing on iOS

How do I test per-app VPN on iOS devices?

Enroll a test device, install a managed app that’s included in the per-app VPN assignment, launch the app, and verify that its traffic exits via the VPN gateway check IP address seen by a test endpoint and VPN status in the VPN client.

How do I manage per-app VPN for Android devices?

If your Android environment supports it, deploy a Per-App VPN profile that uses a recognized VPN client app and specify the apps to route through the VPN. If Android support is limited, consider device-level VPN or Always-On VPN as alternatives.

How does authentication for per-app VPN work?

Authentication is typically certificate-based or uses a pre-shared key, depending on your VPN gateway. Certificates can be issued from your PKI or a trusted CA, and Intune will push the necessary credentials to devices as part of the VPN profile.

Can per-app VPN work with split tunneling?

Split tunneling is possible in some configurations, but it requires careful planning to ensure only designated app traffic goes through the VPN while other traffic uses the normal path. Evaluate security requirements and performance implications carefully.

What are common pitfalls when implementing per-app VPN?

Common issues include incorrect bundle IDs or package names, misconfigured VPN gateway settings, conflicting VPN profiles on the device, or insufficient app coverage. Start small, validate with a test group, and expand gradually. Hotspot not working with vpn heres how to fix it

How can I monitor per-app VPN usage and performance?

Use the Intune admin center to monitor VPN profile deployment status and per-app VPN assignments. Complement this with your VPN gateway’s analytics to track tunnel health, connection durations, and failed attempts.

How do I troubleshoot VPN connection failures in Intune?

Check VPN gateway configuration, validate that the correct apps are assigned, ensure devices are enrolled and compliant, verify certificate validity, inspect logs on the VPN client, and confirm there are no conflicting profiles on the device. If needed, re-issue credentials or re-publish the profile.

Is per-app VPN recommended for all organizations?

Not for every scenario. Per-app VPN is especially valuable for protecting sensitive app traffic without constraining all device traffic. For some environments, device-wide VPN or different containerization strategies may be a better fit. Assess your data sensitivity, user workflows, and device mix before deciding.

Can I later change which apps use the VPN without redeploying the entire profile?

Yes. In many cases, you can update the App-to-VPN mappings within the Per-App VPN profile and reassign to reflect new or retiring apps. Plan for a change window to minimize user disruption.

How do I ensure compliance with data protection regulations when using per-app VPN?

Document which apps are protected, how traffic is routed, how authentication is handled, and how audit logs are stored and reviewed. Align the per-app VPN configuration with your organization’s data governance, data residency, and incident response plans. Free vpn github your ultimate guide to open source privacy

What’s the difference between per-app VPN and always-on VPN?

Per-app VPN targets traffic from specific apps, offering finer control and potentially better performance. Always-on VPN directs all device traffic through the VPN, which provides uniform protection but can impact performance or app behavior. Use per-app VPN when you only need to secure corporate app traffic. use always-on when device-wide protection is essential.

What scenarios benefit most from per-app VPN in Intune?

Remote or roaming workers who access corporate apps over public networks
BYOD programs where you want to limit VPN enforcement to corporate apps only
Organizations needing granular control over which apps can access corporate data through a VPN

— End of FAQ —

If you’re serious about mobile security and want to elevate your enterprise’s protection, per-app VPN with Intune is a solid approach when you have the right VPN gateway and vendor support. It allows you to tailor security to the real-world apps your workforce relies on, without forcing every bit of traffic through the enterprise tunnel. And if you’re testing things out or want extra peace of mind on non-corporate networks, NordVPN can be a handy companion to keep your personal devices secure while you experiment with configuration and policy creation.

蚂蚁vpn被抓风险分析与防护指南：如何合法、安全地使用 VPN、选择最佳方案

Setting up surfshark vpn on your router a comprehensive guide