How To Implement iOS AnyConnect Per-App with MobileIron

AnyConnect Per-Application VPN (PerApp VPN) solves the problem of providing BYOD VPN support to AnyConnect on mobile devices where tunneling only applications defined by a policy to the corporate network is desired. PerApp not only protects the targeted corporate data but also protects the user’s personal data and applications since only applications explicitly permitted by the ASA administrator will be permitted access to VPN head-end and ultimately the corporate network. This solution is essentially split-tunneling at Layer 7 without the inherent risks associated with L3 split-tunneling.

This use case focuses on Apple iOS devices which are required to be managed by an MDM/EMM solution.  MDM servers such as MobileIron are able to push PerApp VPN configurations when managing devices.  When devices are managed, the AnyConnect VPN Client behaves as an application filter and performs validation of the application prior to allowing the traffic to be tunneled. This validation is accomplished using a PerApp Policy applied to the ASA.  Applications not permitted by the PerApp policy will not have its packets forwarded to the ASA.