
Deploying VPN to Supervised Devices with MDM

Jacky Liang

Installing a VPN profile on a supervised device is straightforward — Apple's .mobileconfig format handles that. The harder part is controlling what happens inside the VPN client itself. Can users add their own tunnels? Can they change settings? What happens if the device is jailbroken?

Vylos answers these through three managed app configuration keys that are read on every app launch and foreground transition.

Pushing Managed Tunnels

Managed tunnels are delivered through standard Apple .mobileconfig profiles containing VPN payloads. These profiles can be installed manually, distributed through a web portal, or pushed via MDM. Each tunnel configuration includes the standard WireGuard fields — interface private key, peer public key, endpoint, allowed IPs — plus optional on-demand activation rules.

Managed tunnels appear in a dedicated "Managed Tunnels" section in Vylos. Users can see the tunnel status and connection details, but they cannot modify, delete, or manually control managed tunnels.

Restricting User Access

Three restriction keys control what users can do:

Blocking Manual Tunnels

Setting allowManualTunnels to false removes all user-facing tunnel management. The "My Tunnels" section disappears, the Add Tunnel button is hidden, and the VPN entries for any existing user-created tunnels are suspended in iOS Settings. The tunnel data itself is preserved locally — when the restriction is lifted, everything comes back.

This is the key setting for environments where users should only use IT-approved VPN configurations: schools deploying Vylos to student iPads, businesses with compliance requirements, or any organization that needs predictable VPN behavior across devices.

Locking Down Settings

Setting allowSettings to false hides the Settings icon from the toolbar entirely. As a defense-in-depth guard, if the screen is reached through other means, it displays a "Settings are managed by your organization" message. Users cannot change the app protection method, export tunnel archives, or view logs.

Enforcing Device Integrity

Setting blockJailbrokenDevices to true activates jailbreak detection on iOS. Vylos checks for jailbreak indicators using four methods: known jailbreak file paths, registered URL schemes (Cydia, Sileo, Undecimus), sandbox escape attempts, and dynamic library injection scans.

If any check fails, the app displays a full-screen "Device Policy Violation" message that cannot be dismissed. All app functionality is blocked until the device is restored to an unmodified state. Tunnel data is preserved — nothing is deleted.

The check runs when the home view loads, so it catches jailbreaks that happen after initial deployment.

Handling Delayed Configuration

MDM configuration delivery is not always instant. Vylos includes a retry mechanism that polls for managed configuration for up to 30 seconds after app launch and foreground transitions. This handles cases where the MDM profile arrives slightly after the app opens — common on first install or after a device restart.
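The retry window described above can be modelled as a deadline-bounded poll. The following is an added example, not Vylos's own code: the 30-second budget comes from the post, while the one-second poll interval, the injectable fetch/clock/sleep functions and the simulated MDM store are assumptions made so the behaviour can be run and checked offline.

```python
import time
from typing import Callable, Optional

MANAGED_CONFIG_BUDGET_SECONDS = 30.0  # retry window stated in the post
POLL_INTERVAL_SECONDS = 1.0           # assumed interval; the post does not say


def poll_for_managed_config(
    fetch: Callable[[], Optional[dict]],
    budget: float = MANAGED_CONFIG_BUDGET_SECONDS,
    interval: float = POLL_INTERVAL_SECONDS,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> Optional[dict]:
    """Call fetch() until it returns a non-empty config or the budget runs out.

    Returns the config dict, or None if nothing arrived within the budget.
    The first fetch happens immediately (the common case where the profile
    is already there); later fetches are spaced by interval, and the final
    sleep is trimmed so the deadline is never overshot.
    """
    deadline = clock() + budget
    while True:
        cfg = fetch()
        if cfg:
            return cfg
        now = clock()
        if now >= deadline:
            return None
        sleep(min(interval, deadline - now))


class FakeClock:
    """Deterministic clock for offline runs: sleep() just advances time."""

    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds


class SimulatedMdm:
    """Constructed stand-in for the managed-config store: the profile
    'arrives' once the clock reaches deliver_at (None = never arrives)."""

    def __init__(self, clock: FakeClock, deliver_at: Optional[float], config: dict) -> None:
        self.clock = clock
        self.deliver_at = deliver_at
        self.config = config
        self.fetch_count = 0

    def fetch(self) -> Optional[dict]:
        self.fetch_count += 1
        if self.deliver_at is not None and self.clock.now >= self.deliver_at:
            return self.config
        return None


def run_scenario(deliver_at: Optional[float]) -> tuple:
    """Simulate one app launch; returns (config, number_of_fetches, elapsed_seconds)."""
    clock = FakeClock()
    # Constructed sample payload; the key name is one of the three from the post.
    mdm = SimulatedMdm(clock, deliver_at, {"allowManualTunnels": "false"})
    result = poll_for_managed_config(mdm.fetch, clock=clock.time, sleep=clock.sleep)
    return result, mdm.fetch_count, clock.now


if __name__ == "__main__":
    for when in (0.0, 4.5, 30.0, 45.0, None):
        cfg, n, elapsed = run_scenario(when)
        print(f"delivered_at={when}: result={cfg} after {n} fetches, {elapsed:.1f}s")
```

A profile that lands late but inside the window is picked up on the next poll; one that lands after the window is missed for this launch and only seen on the next launch or foreground transition, which is why the app re-runs the poll at those points rather than once at install.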

App Lock Bypass

When any managed app configuration is present, Vylos automatically bypasses its built-in app lock (Face ID, Touch ID, or TOTP). The assumption is that device-level authentication is already enforced by the MDM policy, so a second authentication layer inside the app is unnecessary.

Getting Started

Tunnel profiles use standard .mobileconfig VPN payloads — no MDM required for basic deployment. For restriction keys, configure them through your MDM solution's managed app configuration channel. All restriction key values are strings — "false" and "0" evaluate to false, everything else evaluates to true.
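The string-valued truthiness rule above, and the app-lock bypass that follows from any managed configuration being present (see "App Lock Bypass"), are easy to get wrong when hand-writing a configuration, so here is an added example that builds, loads and evaluates the three restriction keys. It is not Vylos's code: the key names and the "false"/"0" rule are from the post; the plist serialization, the defaults used for a missing key (unrestricted), the acceptance of a real boolean, and the lint helper are assumptions.

```python
import plistlib
from dataclasses import dataclass
from typing import Any, Mapping, Optional

# Key names are from the post. The default used when a key is absent is an
# assumption: a missing key leaves that feature unrestricted.
RESTRICTION_DEFAULTS = {
    "allowManualTunnels": "true",
    "allowSettings": "true",
    "blockJailbrokenDevices": "false",
}

# Values an admin can write without surprises under the post's rule.
UNAMBIGUOUS_VALUES = ("true", "1", "false", "0")


def parse_flag(value: Any) -> bool:
    """Apply the post's rule literally: the strings "false" and "0" are false,
    every other string (including "no", "off" and "False") is true.
    A real bool is accepted as-is (assumption: some MDMs emit <true/>/<false/>
    rather than strings); any other type is stringified first."""
    if isinstance(value, bool):
        return value
    text = value if isinstance(value, str) else str(value)
    return text not in ("false", "0")


@dataclass(frozen=True)
class EffectivePolicy:
    manual_tunnels_allowed: bool
    settings_allowed: bool
    jailbroken_blocked: bool
    app_lock_bypassed: bool  # true whenever any managed configuration is present


def evaluate_policy(managed_config: Optional[Mapping[str, Any]]) -> EffectivePolicy:
    """Turn a managed-config dict (possibly None/empty) into the effective policy."""
    cfg = dict(managed_config or {})

    def flag(key: str) -> bool:
        return parse_flag(cfg.get(key, RESTRICTION_DEFAULTS[key]))

    return EffectivePolicy(
        manual_tunnels_allowed=flag("allowManualTunnels"),
        settings_allowed=flag("allowSettings"),
        jailbroken_blocked=flag("blockJailbrokenDevices"),
        app_lock_bypassed=len(cfg) > 0,
    )


def build_managed_config(allow_manual_tunnels: bool, allow_settings: bool,
                         block_jailbroken: bool) -> bytes:
    """Serialize the three keys as an XML plist, writing every value as a
    string as the post requires. The vendor-specific wrapper that an MDM
    puts around this dict is not shown."""
    payload = {
        "allowManualTunnels": "true" if allow_manual_tunnels else "false",
        "allowSettings": "true" if allow_settings else "false",
        "blockJailbrokenDevices": "true" if block_jailbroken else "false",
    }
    return plistlib.dumps(payload, fmt=plistlib.FMT_XML)


def load_managed_config(data: bytes) -> dict:
    """Parse the plist produced by build_managed_config (or by an MDM)."""
    return plistlib.loads(data)


def lint_managed_config(cfg: Mapping[str, Any]) -> list:
    """Report values that still parse but probably do not mean what the
    admin intended, e.g. "no" or "False", which evaluate to true."""
    warnings = []
    for key in RESTRICTION_DEFAULTS:
        if key in cfg and cfg[key] not in UNAMBIGUOUS_VALUES:
            warnings.append(f"{key}={cfg[key]!r} evaluates to {parse_flag(cfg[key])}")
    return warnings


if __name__ == "__main__":
    # Constructed locked-down profile: no manual tunnels, no settings, jailbreak check on.
    data = build_managed_config(False, False, True)
    cfg = load_managed_config(data)
    print(data.decode())
    print(evaluate_policy(cfg))
    print(lint_managed_config({"allowSettings": "no"}))
```

Running the lint over a configuration before pushing it catches the classic mistake of writing "no" or "False" for a restriction and discovering in the field that the restriction never applied.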

See the admin guide for the full list of configuration keys and deployment examples.