Always-On VPN
What is Always-On VPN?
Always-On VPN: A device-wide policy that establishes the VPN tunnel automatically as soon as the network is available and refuses non-tunnelled traffic, enforced by Windows, Apple, and Android profiles.
Always-On VPN is a managed-device feature that the operating system enforces before any application can use the network. On Windows it is delivered as an XML VPN profile pushed by Intune or PowerShell, using IKEv2 with a device tunnel (authenticated with a machine certificate) and a user tunnel that connect automatically. Apple iOS, iPadOS, and macOS expose VPN On Demand and Per-App VPN with the AlwaysOn flag in mobileconfig payloads, typically using IKEv2 or vendor IKEv2/WireGuard tunnels. Android offers a system-level Always-on VPN setting combined with 'Block connections without VPN'; enterprise MDMs (Workspace ONE, Intune) deploy it across the fleet. The control prevents users from bypassing the corporate gateway, hardens roaming devices against rogue Wi-Fi, and is usually paired with kill-switch behaviour and certificate-based machine authentication.
● Examples
- 01: Windows 11 Always On VPN with a device tunnel built from an Intune-pushed XML profile and IKEv2 machine certificates.
- 02: Android Enterprise enforcing Always-on VPN plus 'Block connections without VPN' so all apps go through the corporate gateway.
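The Windows device-tunnel case in the first example, as an added illustration that is not from the page or any vendor: a device-tunnel ProfileXML with the settings that make the tunnel always-on, a hypothetical Test-AovpnDeviceTunnelProfile check that rejects profiles missing them, and deployment through the VPNv2 CSP via the MDM Bridge WMI provider. The server name, routed prefix and trusted DNS suffix are placeholders, and the script assumes it is run in the SYSTEM context, which device tunnels require.

```powershell
# Added example (not from the page): Windows Always On VPN device-tunnel ProfileXML,
# a pre-deployment check, and deployment via the MDM Bridge (VPNv2 CSP). Run as SYSTEM
# (e.g. psexec -s). vpn.example.com, 10.0.0.0/8 and corp.example.com are placeholders.
$ProfileName = 'AOVPN Device Tunnel'
$ProfileXML = @'
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
</VPNProfile>
'@

function Test-AovpnDeviceTunnelProfile {
    # Hypothetical helper: returns the settings that would weaken the always-on guarantee.
    param([Parameter(Mandatory)][string]$Xml)
    $p = ([xml]$Xml).VPNProfile
    $findings = @()
    if ($p.AlwaysOn -ne 'true') { $findings += 'AlwaysOn is not true: tunnel will not start automatically' }
    if ($p.DeviceTunnel -ne 'true') { $findings += 'DeviceTunnel is not true: no pre-logon connectivity' }
    if ($p.NativeProfile.NativeProtocolType -ne 'IKEv2') { $findings += 'Device tunnel requires IKEv2' }
    if ($p.NativeProfile.Authentication.MachineMethod -ne 'Certificate') { $findings += 'Device tunnel requires machine-certificate authentication' }
    if ($p.NativeProfile.RoutingPolicyType -eq 'SplitTunnel' -and -not $p.Route) { $findings += 'SplitTunnel without Route elements: no corporate traffic is tunnelled' }
    if (-not $p.TrustedNetworkDetection) { $findings += 'No TrustedNetworkDetection: tunnel also comes up on the corporate LAN' }
    return $findings
}

$issues = Test-AovpnDeviceTunnelProfile -Xml $ProfileXML
if ($issues) { $issues | ForEach-Object { Write-Warning $_ }; throw 'Profile rejected, not deployed.' }

# The CSP expects the XML escaped inside the ProfileXML string property.
$escaped = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
New-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' -Property @{
    ParentID = './Vendor/MSFT/VPNv2'; InstanceID = ($ProfileName -replace ' ', '%20'); ProfileXML = $escaped
} | Out-Null
# Confirm the profile now exists in the CSP.
Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' -ClassName 'MDM_VPNv2_01' | Select-Object InstanceID
```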
● Frequently asked questions
What is Always-On VPN?
A device-wide policy that establishes the VPN tunnel automatically as soon as the network is available and refuses non-tunnelled traffic, enforced by Windows, Apple, and Android profiles. It belongs to the Network Security category of cybersecurity.
How do you defend against Always-On VPN?
Always-On VPN is itself a defensive control rather than a threat. It is hardened by pairing it with kill-switch behaviour, certificate-based machine authentication and, on Android, 'Block connections without VPN', as described in the definition above, so that no traffic leaves the device outside the tunnel.
What are other names for Always-On VPN?
Common alternative names include: AOVPN, Always On VPN, Device tunnel.
● Related terms
- VPN Kill Switch (Network Security): A safeguard that automatically blocks all network traffic on the host whenever the VPN tunnel drops, preventing inadvertent leaks over an unencrypted connection.
- VPN Split Tunneling (Network Security): A VPN configuration that routes only selected traffic (e.g. corporate subnets) through the encrypted tunnel while letting the rest reach the internet directly.
- WireGuard (Network Security): A modern, minimal VPN protocol that uses a fixed set of state-of-the-art cryptographic primitives and is implemented in the Linux kernel.
- IPsec (Network Security): A suite of IETF protocols that authenticates and encrypts IP packets to provide secure communications at the network layer.