Vendor Support for Per-App VPN on iOS

For iOS devices you have the option of forcing selected applications to connect through your corporate VPN. This feature must be supported by your VPN vendor, and the apps must be published as managed applications. Once enabled, AirWatch will generate a VPN UUID for the current VPN profile settings. The VPN UUID is a unique identifier for this specific VPN configuration and is used to configure apps so they always use the Per-App VPN service for all of their network communication.


Per-App VPN Requirements

  • iOS 7+
  • Support from VPN vendor
  • Applications published as managed apps from the AirWatch Admin Console.
  • Per-App VPN configuration profile created in the AirWatch Admin Console.


Vendor Support

The table below shows the current VPN provider support for configuring Per-App VPN through AirWatch. 

Provider Per-App VPN Support?
AirWatch Tunnel Yes
Aruba VIA Yes
Blue Coat Yes
Check Point Mobile VPN Yes
Cisco AnyConnect Yes
Custom Yes
F5 SSL Yes
IKEv2 Yes
IPSec (Cisco) Yes
Juniper SSL Yes
L2TP Yes
NetMotion Mobility Yes
OpenVPN Yes
Palo Alto Networks GlobalProtect Yes
Pulse Secure Yes
SonicWALL Mobile Connect Yes
Websense No


Configuring Per-App VPN for iOS 

The Per-App VPN feature, which is available for iOS devices, allows you to specify which managed applications can utilize the VPN connection. Managed applications are those you push specifically to devices via the AirWatch Admin Console. The following instructions explain how to configure such a VPN profile using F5 SSL VPN as an example. 




  1. Navigate to Devices ► Profiles ► List View and Add a new profile for iOS or Android.
  2. Select the VPN payload and click on Configure to add a new payload.
  3. Customize the Connection Name as it will appear on the client.
  4. Select your specific Connection Type.
  5. Provide the Server address to which the client will connect.
  6. Specify a user Account or lookup-value from in the user field.
  7. Enter Authentication details. By default the authentication type will be set to Password. If left empty, the end user will prompted for a password when initiating the connection.
  8. Enter Proxy details, if applicable.
  9. Select Per-App VPN in the Connection Info section.
  10. Enter whitelisted domains for Safari, if applicable. Since Safari is not a managed application, this is the location in the AirWatch  Admin Console where you specify the domains that should use Per-App VPN. (For other applications, see the next section on enabling Per-App VPN for managed applications.)
  11. Select Save & Publish.


Now that you have created and published the Per-App VPN profile, you need to specify which managed applications will be able to use this VPN connection. 



  1. Navigate to Apps & Books ► Applications ► List View. The applications page displays.
  2. Add an application from either the Internal or Public tabs. 
  3. In the Deployment tab, select Use VPN.
  4. Select Save & Publish to push the application.


F5-specific Per-App VPN Configuration Notes 

  • Applications with the Use VPN option enabled will require an active VPN connection for Internet access.
  • The Access Policy and Virtual Server need to be modified to support Per-App VPN.


    In this case, there should be no Resource Assignment within the policy.

  • Verify that VDI & Java Support is enabled within the Virtual Server settings.

Have more questions? Submit a request


Article is closed for comments.