5 Replies Latest reply on Dec 16, 2015 6:30 AM by timo_altenseuer

    Always-On VPN Profile


      Hi all,

      How about an Always-On VPN Profile?? Is this possible in any way without an MDM solution??


      During testing, the VPN connection is always closed when changing between 3G and Wi-Fi connections. Also, when there is no connection, e.g. in the Metro, and the phone is connecting again to any provider, the VPN is not active any more.



        • 1. Re: Always-On VPN Profile



          Yes... and no...


          We are already thinking about this; it is also a problem when the device goes into sleep/lock mode, as the VPN is then not re-established automatically either. Basically it should be possible to set this in the profile (and I think also when the existing profile is loaded into the Apple Configurator, modified and then pushed to the device).

          Two technical limitations currently stop us from doing so:

          a) At least iOS 8 is needed (which is a limitation I think we could live with, once we have found out what an iOS 6 device will do when it hits unknown features -> this may lead to the fact that we would need to provide multiple profiles for multiple iOS versions)

          b) IKEv2 is needed, also a feature that was added with iOS 8. We currently do only IKEv1 due to some strange network issues at some of our Cloud-PoPs with IKEv2. IKEv2 seems not to be supported by all the underlying network infrastructure, which leads to e.g. merged/big TCP packets which destroy the protocol. Hard to explain... but basically we see that in some datacenters IKEv2 works nicely, whereas in other datacenters the packets get destroyed. We simply have not found out yet where; it could even be some old router in between that is out of our control. So we decided to go with IKEv1 first, even if IKEv2 is the better technology. I think we will enable IKEv2 in parallel someday, but I cannot tell you a timeframe yet.


          But even when we provide a matching profile and support IKEv2, there are reports on the net that Apple devices have problems with Always-on VPNs...

          • 2. Re: Always-On VPN Profile

            Hi Timo,

            Seems to be a little bit more tricky. :-)

            I've been testing since the weekend. Tested several functionalities on my phone, from installing apps to video and audio streaming and much more. No problem.


            But from a customer compliance point of view, or from a usability view, I think no one will use the feature. During the last days I had to enable the VPN tunnel approx. 100 times. No user will do this, I'm absolutely sure. It is absolutely painful to check the VPN connection the whole time.


            I'm 100000% sure, no user will do this. So, if there is a bad response from the users, most companies will not use the feature.


            Let's take a look at Tuesday:

            Went out of my flat -> switched from WLAN to 3G

            Went to the airport -> switched from 3G to WLAN

            Disabled the phone in the plane and enabled it again at arrival

            Changed from 3G to WLAN at the airport.

            Went down to the train platform (no connection). There are several tunnels from the airport until I arrived at the customer. Connection lost several times.

            At the customer I switched from 3G to WLAN.

            Went from the customer to the hotel: switched from WLAN to 3G and WLAN again.

            Every time my phone locked the screen, the VPN connection was dropped.

            On this day, I had to enable the VPN connection (if I want to always connect securely to the internet) a minimum of 25-35 times. No user will ever do this.



            How have the competitors solved this??



            • 3. Re: Always-On VPN Profile



              Well... I know... all I can say is: we'll try our best to get this in as soon as possible. There are still a lot of things missing, and I cannot promise that this will be in the January controlled release.

              • 4. Re: Always-On VPN Profile

                Hi Timo,

                Everything is fine, just testing and giving feedback. :-)


                • 5. Re: Always-On VPN Profile

                  ... and it's good feedback ... and you're right :-) Thanks again.


                  As always: basically just a matter of time and priorities. I don't want to find cheap excuses...