How can an enterprise mobile VPN fit into a mobility plan?
Organizations that need to secure mobile users and provide remote access to corporate resources should consider an on-premises or cloud-hosted mobile VPN.
A mobile VPN can help improve enterprise mobility, but deploying this technology involves thoughtful planning.
An enterprise mobile VPN establishes secure connections between users' mobile devices and the resources residing on an organization's private network. There are many VPNs that an organization can choose from. IT decision-makers must find one that keeps corporate resources secure while also providing easy access to remote workers.
Remote access VPNs use tunneling protocols to encrypt data. Then, the data can be safely transmitted and received across less secure networks, such as the internet. The VPN's authentication mechanism controls which users gain remote access to the organization's secure resources. However, most enterprise VPNs go well beyond the basics. For example, some enterprise mobile VPNs can protect against malware. Some vendors also provide functionality for managing mobile devices.
To implement a secure, effective mobile VPN, IT teams must consider several factors and map out how the tool will fit into their broader approach to enterprise mobility.
On-premises vs. cloud-hosted enterprise VPNs
When building a mobile VPN strategy, one of the first decisions IT must make is whether to host the VPN locally or to use a cloud-based provider. Both approaches offer advantages and disadvantages.
On-premises VPNs
If an organization hosts its own VPN, it has full control over the VPN configuration and all the underlying hardware and software. This might make it easier to comply with regulatory standards.
The disadvantage is that the organization must bear the full hardware and software cost, as well as the administrative overhead involved in maintaining the VPN and keeping it secure. This approach also requires the organization to have enough internet bandwidth available to support inbound VPN traffic.
A mobile VPN has much of the same functionality as a traditional VPN, but it's designed to work in a mobile environment.
Cloud-based VPNs
Using a cloud-based VPN is a simpler option, but the organization must choose a reputable VPN provider. Some free or low-cost VPN providers have been known to sell their customers' data. With this in mind, organizations and IT departments should carefully consider the provider's reputation, financial stability, support model and customer base when selecting a mobile VPN option.
Cost can be another area of concern, since a provider could raise its rates without warning. Some cloud-based VPN providers also perform traffic metering. This means that they charge customers based on the amount of traffic passing through the VPN, or they use throttling to diminish client connectivity speeds after a certain data threshold.
Before opting for a cloud-based VPN, organizations must also determine how much control they need over the VPN's configuration. This is especially true for organizations that are subject to regulatory requirements. For example, some organizations need to enforce multifactor authentication for remote workers, which not all VPN providers support.
Integrating a mobile VPN into an enterprise mobility strategy
Regardless of which option an organization chooses, IT must address how the VPN fits into its mobile endpoint strategy. At the most basic level, this means making sure that a VPN client is available for all the mobile device OSes that the organization supports. Otherwise, some devices might not be able to connect to the VPN.
Organizations often design their VPN infrastructure so that devices must pass a health check before gaining network access. The nature of this health check varies from one organization to the next. Generally, it checks that the device meets security standards such as having an up-to-date OS and being free of malware. Most organizations also check basic device-level security settings, like whether the device is secured with a password.
IT teams must ensure that these health checks support both mobile and more conventional computing devices. After all, the health checks an iOS device would need to undergo are completely different from those that would be appropriate for a Windows laptop.
Another thing that IT should consider is how the use of mobile device VPNs might affect its MDM strategy. Typically, when a user begins using a personal smartphone for work, they must complete a device enrollment process. This might occur through a web portal, email link or QR code. In exchange for access to corporate resources, the user must allow the MDM to apply various security settings to the device.
When a mobile user connects to the corporate network through a VPN, they might end up accessing various resources directly rather than through the web portal. This might enable a user to skip the device enrollment process, leaving the device with insecure settings.
However, properly configured MDM technology can prevent unauthorized access by requiring device enrollment and checking compliance before allowing VPN connections. To this end, it's important to think about mobile device access in a cohesive manner. IT teams must ensure that their MDM policies apply regardless of whether users are connecting through a web portal, VPN or some other means.
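The OS-aware health check and the MDM enrollment gate described above, as an added example in Python (not code from the article or any VPN vendor); the version thresholds, device fields and sample devices are constructed assumptions:

```python
# Added example: an OS-aware device health check that a VPN gateway could run
# before admitting a client. Thresholds and device records are constructed.
from dataclasses import dataclass

# Constructed policy: minimum acceptable OS version per platform (assumption).
MIN_OS_VERSION = {"ios": (17, 0), "android": (14, 0), "windows": (10, 0, 19045)}


@dataclass
class Device:
    platform: str            # "ios", "android" or "windows"
    os_version: tuple        # e.g. (17, 4) or (10, 0, 19045)
    mdm_enrolled: bool       # enrolled with the MDM before VPN access
    passcode_set: bool       # device-level lock screen protection
    malware_free: bool       # result of the endpoint's last anti-malware scan
    jailbroken: bool = False         # mobile-only check
    disk_encrypted: bool = True      # desktop-only check (e.g. full-disk encryption)
    firewall_enabled: bool = True    # desktop-only check


def health_check(dev: Device) -> tuple[bool, list[str]]:
    """Return (admitted, reasons). Any failed check denies VPN access."""
    reasons = []
    # Baseline checks applied to every platform: enrollment, OS, malware, lock.
    if not dev.mdm_enrolled:
        reasons.append("device is not enrolled in MDM")
    if dev.platform not in MIN_OS_VERSION:
        reasons.append(f"unsupported platform: {dev.platform}")
    elif dev.os_version < MIN_OS_VERSION[dev.platform]:
        reasons.append("OS version below minimum")
    if not dev.malware_free:
        reasons.append("malware detected on device")
    if not dev.passcode_set:
        reasons.append("no device passcode / password")
    # Platform-specific checks: an iOS phone and a Windows laptop differ.
    if dev.platform in ("ios", "android"):
        if dev.jailbroken:
            reasons.append("device is jailbroken or rooted")
    elif dev.platform == "windows":
        if not dev.disk_encrypted:
            reasons.append("disk encryption is off")
        if not dev.firewall_enabled:
            reasons.append("host firewall is disabled")
    return (not reasons, reasons)


# Constructed sample devices for demonstration.
PHONE_OK = Device("ios", (17, 4), True, True, True)
PHONE_UNENROLLED = Device("ios", (17, 4), False, True, True, jailbroken=True)
LAPTOP_OLD = Device("windows", (10, 0, 18363), True, True, True, disk_encrypted=False)
```

A real gateway would pull these attributes from the MDM's compliance API rather than from a dataclass, but the decision logic is the same whether the user arrives via the web portal or the VPN.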
Editor's note: This article was originally written by Robert Sheldon in November 2019. Brien Posey wrote an updated version in May 2025 to include more details on VPN implementation and improve the reader experience.
Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.
Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.