This article helps IT admins configure virtual private networks (VPNs) on Android devices. Some older versions of Android don't support all the features mentioned here. To check your Android version, see Check & update your Android version.
Android VPN options
VPNs allow devices that aren’t physically on a network to securely access the network.
Android includes a built-in (PPTP, L2TP/IPSec, and IPSec) VPN client. Devices running Android 4.0 and later also support VPN apps. You might need a VPN app (instead of built-in VPN) for the following reasons:
-
To configure the VPN using an enterprise mobility management (EMM) console.
-
To offer VPN protocols that the built-in client doesn’t support.
-
To help people connect to a VPN service without complex configuration.
-
To run a separate VPN for the personal profile or work profile.
To get help with the built-in client, see Connect to a virtual private network (VPN) on Android.
EMM config
You can configure many VPNs using an EMM console—confirm that your VPN and EMM combination supports this. Using an EMM means that the people using the devices don’t have to change complex settings. EMMs often support the following config:
-
Disabling the VPN system settings so that somebody using the device can’t change the config.
-
Configuring the VPN network connection settings, including installing authentication certificates.
-
Adding a list of apps that are allowed to use the VPN or a list of apps that can’t use the VPN.
Always-on VPN
Android can start a VPN service when the device boots, and keep it running while the device or work profile is on. This feature is called always-on VPN and is available in Android 7.0 or higher. To learn more, see Edit Always-on VPN settings.
Block non-VPN connections
Advanced 
Settings.Allow bypassing the VPN
Per-app VPN
Many VPN apps can filter which installed apps are allowed to send traffic through the VPN connection. You can create either an allowed list, or, a disallowed list, but not both. If you don’t create a list, the system sends all network traffic through the VPN.
You normally configure per-app VPN in your EMM console or directly in the VPN app.
Allowed apps
Disallowed apps
Google Play traffic
Restrict system settings
If your EMM supports it, you can prevent device users from changing system VPN settings. In some versions of Android, this restriction stops an always-on VPN from starting:
|
Android version |
Administration |
Behavior when restricted |
|---|---|---|
|
5.0 |
Fully managed devices |
VPN app doesn’t start. |
|
6.0 |
Fully managed devices and work profile |
VPN app doesn’t start. |
|
7.0 or higher |
Fully managed devices and work profile |
Always-on VPN app starts if set by device policy controller. Other VPN apps don’t start. |