Overview of iOS Per-app VPN with BlackBerry Secure Connect Plus

ENTERPRISE / 06.14.16 / BlackBerry

bes12_4Written By: Colin Fullerton & Chris Greco

In BES12 version 12.4, BlackBerry introduced BlackBerry Secure Connect Plus for iOS 9 and later devices. One of the powerful ways you can use this feature is to set up per-app VPN and specify which apps on devices must use a VPN for their data in transit. Per-app VPN helps decrease the load on your organization’s VPN by enabling only certain work traffic to use the VPN (for example, accessing application servers or webpages behind the firewall).

This feature also supports user privacy and increases connection speed for personal apps by not sending the personal traffic through the VPN.

This, of course, is just one of many VPN solutions that BES12 supports.


  • BES12 version 12.4 or later
  • iOS 9 or later
  • Devices must be activated using the Good for BES12 app, available from the App Store
  • MDM controls activation type

Benefits – What can iOS Per App VPN do for you?

  • Leverage the native out of box iOS email experience
  • Seamlessly use the Safari browser for both Internet and intranet web sites simultaneously. Domains can start the VPN connection in Safari.
  • Get the benefit of using any app in the Apple App Store with behind the firewall access. No working with vendors, wrapping, or SDK’s required.
  • Decreases the load on your organization’s VPN

Enabling – How do you set it up?

  1. In the Enterprise Connectivity profile, select the Enable BlackBerry Secure Connect Plus, Enable per-app VPN, and Allow apps to connect automatically options.ios_vpn12. Assign BlackBerry Secure Connect Plus to the app or app group that your users belong to and associate the appropriate enterprise connectivity profile with the app or app group.


VPN on demand rules

VPN on demand allows you to specify whether an iOS device connects automatically to a VPN in a particular domain. Client certificates provide authentication for the user’s device when accessing the particular domain. For example, you can specify your organization’s domain to allow users access to your intranet content using VPN on demand.

Note: If you allow all apps on iOS devices to use BlackBerry Secure Connect Plus, avoid adding On Demand rules such as “Connect” that attempt to create an “always on” VPN connection. If you do, during the activation process the device may try to establish a VPN connection before receiving the necessary profiles and certificates from BES12. As a result, the device cannot connect and the user must toggle the VPN connection to resolve the issue. It is recommended to instead use On Demand rules such as EvaluateConnection, which allow the device to receive the necessary profiles and certificates before attempting a VPN connection to specified domains.


When you click on Payload format an example of the connection requirements for VPN on demand displays. You have to use one or more keys from this example. This setting overrides the “Domain or host names that can use VPN on demand” setting in the VPN profile.

If you assign the following example of a payload format to Google Chrome for instance, when a user uses Google Chrome on their device to access a site in the domain, a VPN icon displays on the device, the device connects, and the user has access to internal resources.


The DomainAction keys define the VPN behavior for the specified domains. Allowed values are:

  • ConnectIfNeeded: The specified domains should trigger a VPN connection attempt if domain name resolution fails, such as when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
  • NeverConnect: The specified domains will not trigger a VPN connection nor be accessible through an existing VPN connection.

For more information about Per-App VPN Payload, see the iOS developer library.

You can also use SSID which is helpful when devices are connected to a corporate Wi-Fi network, for example. You set the SSID of your organization’s Wi-Fi network in a Wi-Fi profile and then assign the profile to user accounts, user groups, or device groups.

You can set up an SSIDMatch in your On Demand Rules Dictionary so that whenever a network change is detected the VPN On Demand service compares the newly connected network against the match network criteria that you specified in your dictionary.

For more information about On Demand Rules Dictionary Keys, see the iOS developer library.

Watch this blog for more information about other BES12 features!


About BlackBerry

BlackBerry is an enterprise software and services company focused on securing and managing IoT endpoints.