A virtual private network (VPN) creates an encrypted connection over a less secure network, such as the internet. VPN technology was developed to allow remote users and satellite offices to securely access corporate applications and resources.
Traditional VPNs were designed for fixed networks with high bandwidth and rely on the IP address of the user to remain stable. When wired VPN technology is applied to mobile devices, users experience slower speeds, data loss, and failed log-in attempts. VPN apps have become very popular for mobile users looking to enhance privacy and security online and there is a huge range of them are available for consumers. When it comes to protecting corporate mobile traffic, choosing the right VPN from the outset is important.
Things to consider
Special consideration must be taken when deploying a VPN to mobile devices. Depending on the use case, OS version and VPN hardware, different options are available.
Use case – End-users will likely be familiar with VPNs as a way of circumventing geo-controls when they want to stream or download content, such as a different country’s version of Netflix. In the enterprise world, the increase in the use of cloud-based services likely limits the usage of VPNs for certain users but is still required in many organizations to access internal services and for additional security.
Mobile OS – A fleet with different mobile device hardware adds additional complexity for an administrator to consider when deploying a VPN. Furthermore, different OS versions can support a variety of VPN options.
VPN hardware – The type of VPN hardware within the organization’s network must also be taken under consideration. Adding mobile devices to a VPN can greatly affect bandwidth and concurrent connections. Some VPN vendors will also require separate licenses for mobile devices and provide their own software clients.
Types of Mobile VPN
A full tunnel VPN configuration tunnels all of the device’s traffic when the VPN is activated. Historically seen as a more secure option, this method is generally not used on mobile devices due to the performance and bandwidth overhead it introduces, not just on the device but back at the VPN hardware and internal network.
A split tunnel VPN only takes specific IP ranges and is a better option for organizations that don’t wish to tunnel personal sites and apps. Some organizations may be concerned over the security exposure of having devices connected to their network and the public internet simultaneously. This split tunnel can only be defined by IP ranges and so may not be feasible for some network configurations or cloud-based applications which are hostname-defined rather than IP subnet.
A per-app VPN is a more advanced configuration for mobile use cases. In this configuration, only selected enterprise applications are tunneled fully whenever they use data. Special consideration must be given to domains and services accessed within the browser as these need to be defined separately to the per-app configuration.
Recommendations for VPN
Enterprise VPN services can be configured in many different ways, and determining which one is right for you depends on how your business will be using the system. Here are our tips for successful VPN implementation:
- Evaluate with your VPN vendor which tunnel options are available
- Ensure VPN hardware and licensing is sized according to tunnel configuration
- Avoid passwords and 2FA where possible – use PKI instead
- Evaluate whether VPN is required for cloud-based applications and services
Jamf security software offers the next step in securing your Apple desktop & mobile fleet
using Jamf Private Access to not only encrypting all network connections, but securing access to apps, services and data through Zero Trust Network Access technology.