How can an enterprise mobile VPN fit into a mobility plan?

On-premises vs. cloud-hosted enterprise VPNs

When building a mobile VPN strategy, one of the first decisions IT must make is whether to host the VPN locally or to use a cloud-based provider. Both approaches offer advantages and disadvantages.

On-premises VPNs

If an organization hosts its own VPN, it has full control over the VPN configuration and all the underlying hardware and software. This might make it easier to comply with regulatory standards.

The disadvantage is that the organization must bear the full hardware and software cost, as well as the administrative overhead involved in maintaining the VPN and keeping it secure. This approach also requires the organization to have enough internet bandwidth available to support inbound VPN traffic.

Cloud-based VPNs

Using a cloud-based VPN is a simpler option, but the organization must choose a reputable VPN provider. Some free or low-cost VPN providers have been known to sell their customers' data. With this in mind, organizations and IT departments should carefully consider the provider's reputation, financial stability, support model and customer base when selecting a mobile VPN option.

Cost can be another area of concern, since a provider could raise its rates without warning. Some cloud-based VPN providers also perform traffic metering. This means that they charge customers based on the amount of traffic passing through the VPN, or they use throttling to diminish client connectivity speeds after a certain data threshold.

Before opting for a cloud-based VPN, organizations must also determine how much control they need over the VPN's configuration. This is especially true for organizations that are subject to regulatory requirements. For example, some organizations need to enforce multifactor authentication for remote workers, which not all VPN providers support.

Integrating a mobile VPN into an enterprise mobility strategy

Regardless of which option an organization chooses, IT must address how the VPN fits into its mobile endpoint strategy. At the most basic level, this means making sure that a VPN client is available for all the mobile device OSes that the organization supports. Otherwise, some devices might not be able to connect to the VPN.

Organizations often design their VPN infrastructure so that devices must pass a health check before gaining network access.

Organizations often design their VPN infrastructure so that devices must pass a health check before gaining network access. The nature of this health check varies from one organization to the next. Generally, it checks that the device meets security standards such as having an up-to-date OS and being free of malware. Most organizations also check basic device-level security settings, like whether the device is secured with a password.

IT teams must ensure that these health checks support both mobile and more conventional computing devices. After all, the health checks an iOS device would need to undergo are completely different from those that would be appropriate for a Windows laptop.

Another thing that IT should consider is how the use of mobile device VPNs might affect its MDM strategy. Typically, when a user begins using a personal smartphone for work, they must complete a device enrollment process. This might occur through a web portal, email link or QR code. In exchange for access to corporate resources, the user must allow the MDM to apply various security settings to the device.

When a mobile user connects to the corporate network through a VPN, they might end up accessing various resources directly rather than through the web portal. This might enable a user to skip the device enrollment process, leaving the device with unsecure settings.

However, properly configured MDM technology can prevent unauthorized access by requiring device enrollment and checking compliance before allowing VPN connections. To this end, it's important to think about mobile device access in a cohesive manner. IT teams must ensure that their MDM policies apply regardless of whether users are connecting through a web portal, VPN or some other means.

Editor's note: This article was originally written by Robert Sheldon in November 2019. Brien Posey wrote an updated version in May 2025 to include more details on VPN implementation and improve the reader experience.

Brien Posey is a former 22-time Microsoft MVP and a commercial astronaut candidate. In his more than 30 years in IT, he has served as a lead network engineer for the U.S. Department of Defense and a network administrator for some of the largest insurance companies in America.

Robert Sheldon is a freelance technology writer. He has written numerous books, articles and training materials on a wide range of topics, including big data, generative AI, 5D memory crystals, the dark web and the 11th dimension.