Skip to main content

Introducing Vylos: A WireGuard Client Built for Managed Devices

Jacky LiangJacky Liang

Most WireGuard clients are built for people who manage their own VPN. You import a config, toggle the tunnel, and move on. That works for individual users. It does not work for organizations that need to deploy VPN across dozens or hundreds of supervised devices where users should not be configuring tunnels themselves.

Vylos is a WireGuard VPN client for iOS built specifically for that scenario. IT administrators push tunnel configurations via MDM, restrict what users can change, and enforce device security policies — without requiring users to understand anything about networking.

Two Types of Tunnels

Vylos separates tunnels into two categories:

Managed Tunnels are delivered through standard Apple .mobileconfig profiles — either installed manually, distributed through a web portal, or pushed via MDM. They appear in a dedicated section at the top of the tunnel list. Users can view their status and connection details, but cannot edit, delete, or manually toggle them.

App Tunnels are created by the user — imported from .conf files, scanned from QR codes, or entered manually. These are standard WireGuard tunnels that users manage themselves. In organizations where users should only use IT-approved VPN configs, app tunnels can be restricted.

MDM Restriction Keys

Vylos supports two restriction keys through Managed App Configuration:

allowManualTunnels — When set to false, the "My Tunnels" section is hidden, the Add Tunnel button disappears, and all app tunnel VPN entries are suspended from iOS Settings. Tunnel data is preserved locally and automatically restored when the restriction is lifted. Managed tunnels remain visible and functional.

allowSettings — When set to false, the Settings icon is hidden from the toolbar. As a defense-in-depth measure, if the screen is somehow reached, it displays a "Settings are managed by your organization" message. All settings become inaccessible, including app protection and export functions.

These keys give IT administrators granular control over what Vylos can do on each device.

App Protection

Not everyone managing devices has an MDM solution. Parents supervising their children's devices, small business owners managing a handful of company phones, or anyone who needs to prevent unauthorized changes to VPN settings can use Vylos's built-in app lock.

Two protection methods are available:

  • Local Authentication — Face ID, Touch ID, or device passcode
  • Authenticator App (TOTP) — Time-based one-time password compatible with any standard authenticator app

When MDM configuration is present, app lock is automatically bypassed — device-level authentication is already handled by the MDM policy, so a second layer inside the app is unnecessary.

Import Options

Users (when allowed) can import tunnels through:

  • File picker.conf files, .zip archives with multiple configs
  • QR code scanning — Standard WireGuard QR codes
  • Manual entry — Full interface and peer configuration form

ZIP archives support batch import with per-file result reporting, so users know exactly which configs succeeded and which were skipped.

Getting Started

Vylos is available on the App Store for iOS 15 and later. Tunnel profiles are delivered through standard .mobileconfig files — no MDM required. For managed deployments, configure the restriction keys through your MDM solution's managed app configuration channel.

See the admin guide for MDM configuration details and the user guide for end-user documentation.