Prevent disabling iPhone "connect on demand" setting for vpn
complete
Ben
After much research, it's clear that Connect On Demand enforcement is not consistent between iOS versions, but I think we have ideal workarounds that solve for this.
- You can add mandatory DNS configuration that the device is locked to. You can use the same DNS settings that point to your content policy that the VPN app also uses. This means that if the VPN is disabled, the connection immediately falls back to the DNS settings, which have the same content filtering rules. The new device config generator can be used to set this up: https://techlockdown.com/blog/april-2025-device-config-generator.
- We're still working on guidance for this, but another strategy is to force the use of the VPN on the device with content policy rule layering. You'd need to also have the protected DNS settings like I mentioned previously. Since the VPN can use audience rules that are scoped to the login email address, you can use a default-deny approach so that most internet access is blocked unless the VPN is enabled. Basically, you'd create a block rule that blocks several categories of content. Then, create an allow rule that is scoped to your VPN login email and whitelists specific apps. If the VPN isn't used, the allow rule isn't applied to the device. This incentivizes the user to use the VPN to have a less restrictive setup. We'll include more info here: https://help.techlockdown.com/hc/en-us/articles/36424448742164-Force-the-use-of-the-Filtered-VPN-on-iPhone
- You can add an Apple Shortcut, which you can configure to automatically toggle the On Demand setting back on for the Cloudflare VPN: https://techlockdown.com/guides/apple-shortcuts-automations-ios. If you wanted to go a step further, you could restrict access to the Shortcuts app. However, it's probably not necessary given the other two points remove the incentive to bypass VPN On Demand.
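The first bullet relies on a DNS configuration the device is locked to, so that filtering survives when the VPN is switched off. Below is an added example (not part of the post and not Tech Lockdown's code) that builds such a profile as a `.mobileconfig` plist and checks that it really is locked. It assumes Apple's DNS Settings payload type `com.apple.dnsSettings.managed` with the keys `DNSSettings`, `DNSProtocol`, `ServerURL`, `ServerAddresses`, `ServerName` and `ProhibitDisablement` (to my knowledge `ProhibitDisablement` only takes effect on supervised devices); the resolver URL, IP addresses and `PayloadIdentifier` values are placeholders to replace with the endpoint your content policy uses.

```python
"""Build and sanity-check a locked DNS Settings configuration profile for iOS.

Added example, not the post's or Tech Lockdown's code. Assumptions, marked here:
- Apple's DNS Settings payload is com.apple.dnsSettings.managed with the keys
  DNSSettings / DNSProtocol / ServerURL / ServerAddresses / ServerName and
  ProhibitDisablement (assumed to require a supervised device).
- Resolver URL, IPs and PayloadIdentifier values are placeholders.
"""
import plistlib
import uuid

# Placeholder resolver; replace with the DoH endpoint of your filtering policy.
PLACEHOLDER_DOH_URL = "https://dns.example.invalid/dns-query"
# RFC 5737 / RFC 3849 documentation addresses, used only as placeholders.
PLACEHOLDER_DOH_IPS = ["192.0.2.53", "2001:db8::53"]


def build_dns_payload(doh_url, server_addresses, prohibit_disablement=True):
    """One DNS Settings payload. prohibit_disablement=True is the 'locked' part."""
    return {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns.locked",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Locked encrypted DNS",
        "DNSSettings": {
            "DNSProtocol": "HTTPS",           # DNS over HTTPS
            "ServerURL": doh_url,
            "ServerAddresses": list(server_addresses),
        },
        "ProhibitDisablement": prohibit_disablement,
    }


def build_profile(doh_url=PLACEHOLDER_DOH_URL,
                  server_addresses=PLACEHOLDER_DOH_IPS,
                  prohibit_disablement=True):
    """Wrap a DNS payload in a top-level configuration profile dict."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.locked-dns",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Locked DNS fallback",
        "PayloadContent": [
            build_dns_payload(doh_url, server_addresses, prohibit_disablement)
        ],
    }


def check_profile(profile):
    """Return reasons the profile would NOT hold filtered DNS when the VPN is off.

    An empty list means encrypted DNS is configured and the user cannot disable it.
    """
    problems = []
    dns_payloads = [
        p for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == "com.apple.dnsSettings.managed"
    ]
    if not dns_payloads:
        return ["no DNS Settings payload present"]
    for p in dns_payloads:
        if p.get("ProhibitDisablement") is not True:
            problems.append("ProhibitDisablement is not true: user can switch DNS off")
        settings = p.get("DNSSettings", {})
        protocol = settings.get("DNSProtocol")
        if protocol == "HTTPS":
            if not str(settings.get("ServerURL", "")).startswith("https://"):
                problems.append("DoH requires an https:// ServerURL")
        elif protocol == "TLS":
            if not settings.get("ServerName"):
                problems.append("DoT requires a ServerName")
        else:
            problems.append("DNSProtocol must be HTTPS or TLS (plain DNS is not encrypted)")
        if not settings.get("ServerAddresses"):
            problems.append("ServerAddresses is empty (recommended so the resolver "
                            "is reachable without a prior plaintext lookup)")
    return problems


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


if __name__ == "__main__":
    profile = build_profile()
    print(check_profile(profile) or "profile OK")
    print(to_mobileconfig(profile).decode())
```

Run `check_profile` against whatever profile your MDM actually pushes: the useful failure cases are a DNS payload with `ProhibitDisablement` left false (the user can turn the resolver off along with the VPN) and a `ServerURL` that is not `https://`, both of which the checker reports.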