Enabling per-app VPN

Per-app VPN allows a wrapped app to use an HTTP or HTTPS connection to access internal resources in your organization from public networks, regardless of VPN settings on the device.

Before you begin

IBM® MaaS360® Mobile Enterprise Gateway (MEG) 2.0 or later is required.

Your organization must deploy the Mobile Enterprise Gateway (MEG) on a gateway server. The network administrator must then set up gateway routes, users, and network policies before the administrator enables per-app VPN. For more information about deploying the Mobile Enterprise Gateway (MEG), see the Mobile Enterprise Gateway (MEG) module.

About this task

When the wrapped app is started, the app prompts for user credentials for a gateway connection. The credentials are used to authenticate to the gateway. If credentials are cached, the user is not prompted to enter the credentials every time the app is started. The expiration time for cached credentials is set on the MEG Control Panel on the Mobile Enterprise Gateway (MEG) server.

Per-app VPN is not supported for apps that use certain networking APIs. For more information about which networking APIs are supported, see App wrapping (iOS) overview for developers.

Make sure that you test VPN capability before deployment.


  1. Create a Workplace Persona policy for the devices or the users that need VPN management.
    You can also modify an existing policy.
  2. Go to the WorkPlace Apps section of the policy.
  3. In the policy, open MaaS360 Enterprise Gateway.
  4. Enable Enable MaaS360 Enterprise Gateway For WorkPlace apps.
  5. Configure the policy settings that are needed by your organization.
    Tip: In iOS v9.0 and later, the app might not be able to detect when it is on your organization's intranet (also known as Corporate Network Detect). This issue occurs if the URL mentioned in the Browser and Gateway policy for Corporate Network Detect is not App Transport Security (ATS) security-feature compliant. For more information about ATS, see the NSAppTransportSecurity section of Apple's documentation at https://developer.apple.com/library/ios/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html. In this case, you must modify the URL in the policy. Alternately, the developer of the wrapped app must allow the URL as part of the ATS setting in the Info.plist file within the app.
  6. Ensure that the designated devices are assigned to the policy.