How to Enable Always-on VPN on an iPhone or iPad

iphone

VPNs on an iPhone or iPad still have a big problem. You can’t easily enable an “Always-on VPN” mode that forces your applications to connect only through a VPN. With iOS 8, Apple added this feature — although it’s hidden and hard to access.

“Always-on VPN” is designed for businesses and other organizations, so it must be enabled with a configuration profile or a mobile device management server. After enabling it, the VPN will always be activated. If the VPN connection fails, apps on your device won’t be allowed to connect to the Internet until it comes back up.

What You’ll Need

This isn’t as simple as flipping a switch on your iPhone or iPad. You’ll need a specific type of VPN, your iOS device will have to be in supervised mode, and then the option can only be enabled via a configuration profile or mobile device management server. Here’s what you’ll need:

  • An IKEv2 VPN: This requires you’re using an IKEv2 VPN on your iPhone or iPad. If you’re setting up your own VPN server, use server software that offers this type of VPN. For example, StrongSwan runs on Linux, Mac OS X, FreeBSD, and other operating systems, offering an open-source VPN server that supports the IKEv2 protocol.
  • A Supervised iPhone or iPad: You can’t simply enable the “always-on” VPN option on a mobile device management server or with a configuration profile. This option requires your iPhone or iPad be “supervised,” which will require a complete reset of the iPhone or iPad.
  • A Configuration Profile or Mobile Device Management Server: Once your device is supervised, you’ll need to enable this option via a configuration profile created with Apple Configurator, or on a mobile device management server. We’ll cover the configuration profile method, but know that you can remotely activate this option an an MDM server if you have your iPhone or iPad managed via one.

Supervise Your iPhone or iPad and Install the Profile

Assuming your iOS device isn’t supervised yet, you’ll need to supervise it first before continuing. Install the Apple Configurator application on your Mac — yes, you need a Mac for this process.

Be sure to disable the “Find My iPhone” or “Find My iPad” feature in the iCloud Settings pane before continuing. If you don’t, you won’t be able to supervise the device and will instead see an error message.

Connect the iPhone or iPad to your Mac and open Apple Configurator. Name the device and flip the “Supervision” slider to On. Click the Organization Info button and provide a name for your organization. Finally, click the Prepare button.

Warning: Preparing your iPhone or iPad will wipe its storage. You may want to create a backup in iTunes first. You can then restore from the backup afterwards — or just restore from a normal iCloud backup.

Apple Configurator will prepare the device and supervise it. This involves downloading a new copy of iOS and setting everything up from scratch. Depending on the speed of your Internet connection, this might take between fifteen and twenty minutes.

When the process is finished, you’ll need to set up the iPhone or iPad normally. You have the option of restoring from an existing backup or setting it up as a new device.

If you go into Settings > General > Profile afterwards, you’ll see that your device is now considered supervised.

Create an Always-on VPN Profile

You’ll now need to apply the always-on VPN setting through a configuration profile. We’ve previously given instructions for creating profile files that contain VPN settings, and the process is much the same. However, the always-on VPN setting requires that a device be “supervised,” so you can’t simply make the profile and install it.

With your iPhone or iPad connected to the same Mac, click the Supervise icon at the top of the Apple Configurator window. Select the connected device, click the + button at the bottom of the Profiles list, and select “Create New Profile.”

Select the VPN category and click Configure. Under Connection Type, choose IKEv2. You’ll then be able to enable the “Always-on VPN (supervised only)” option. Complete the other information here to provide the server and connection details your VPN requires. If the server requires certificates, you’ll need to select the Certificates category and provide the certificates your device will require.

For more details, follow our guide to setting up VPNs on an iOS device with a configuration profile.

Once you’ve created the profile, enable it in the list and click the Apply button. It’ll be pushed to the supervised iPhone or iPad you have connected to your Mac.


Unfortunately, there’s no way to make other types of VPNs work in an “always-on” mode, and you also can’t do this without jumping through the above hoops. Thankfully, iOS 8 will now stay connected to VPNs even when the screen is off — but that’s not the same as an always-on VPN that protects application data from ever being sent over normal cellular data and Wi-Fi connections.

Image Credit: William Hook on Flickr

Chris Hoffman is a technology writer and all-around computer geek. He's as at home using the Linux terminal as he is digging into the Windows registry. Connect with him on Google+.