Set up VPN on Android devices (2024)

This article helps IT admins configure virtual private networks (VPNs) on Android devices. Some older versions of Android don't support all the features mentioned here. To check your Android version, see Check & update your Android version.

Android VPN options

VPNs allow devices that aren’t physically on a network to securely access the network.

Android includes a built-in (PPTP, L2TP/IPSec, and IPSec) VPN client. Devices running Android 4.0 and later also support VPN apps. You might need a VPN app (instead of built-in VPN) for the following reasons:

  • To configure the VPN using an enterprise mobility management (EMM) console.

  • To offer VPN protocols that the built-in client doesn’t support.

  • To help people connect to a VPN service without complex configuration.

  • To run a separate VPN for the personal profile or work profile.

To get help with the built-in client, see Connect to a virtual private network (VPN) on Android.

EMM config

You can configure many VPNs using an EMM console—confirm that your VPN and EMM combination supports this. Using an EMM means that the people using the devices don’t have to change complex settings. EMMs often support the following config:

  • Disabling the VPN system settings so that somebody using the device can’t change the config.

  • Configuring the VPN network connection settings, including installing authentication certificates.

  • Adding a list of apps that are allowed to use the VPN or a list of apps that can’t use the VPN.

Always-on VPN

Android can start a VPN service when the device boots, and keep it running while the device or work profile is on. This feature is called always-on VPN and is available in Android 7.0 or higher. To learn more, see Edit Always-on VPN settings.

Block non-VPN connections

In many EMM consoles (and in the Android Settings app), you can block connections that don’t go through the VPN. To force all network traffic through an always-on VPN, follow these steps on the device:

  1. Open your device's Settings app.

  2. Tap Network & internet > Advanced > VPN.

  3. Next to the VPN that you want to change, tap Settings.

  4. Switch Block connections without VPN to on.

To block non-VPN connections in your EMM console, see your EMM provider’s documentation.

Allow bypassing the VPN

If your VPN supports it, you can allow apps to bypass the VPN and select their own network. Some special-purpose apps might need to use a specific network, such as cellular or Wi-Fi. You can configure this option in your EMM console or directly in the VPN app.

Per-app VPN

Many VPN apps can filter which installed apps are allowed to send traffic through the VPN connection. You can create either an allowed list or a disallowed list, but not both. If you don’t create a list, the system sends all network traffic through the VPN.

You normally configure per-app VPN in your EMM console or directly in the VPN app.

Allowed apps

You can choose which apps are allowed to use the VPN using an allowed list. If you allow one or more apps, then only the apps in the list use the VPN. All other apps (that aren’t in the list) use the system networks as if the VPN isn’t running.

When you also turn on Block connections without VPN, then only apps in the allowed list have network access.

Disallowed apps

You can select which apps you don’t want to use the VPN by creating a disallowed list. Network traffic of disallowed apps uses system networking as if the VPN wasn’t running—all other apps use the VPN.

When you also turn on Block connections without VPN, then these disallowed apps lose network access.

Google Play traffic

You might want to explicitly include or exclude Google Play traffic from your VPN if traffic is metered. Here are the Google Play app packages that you’d need to allow or disallow:

  • com.android.packageinstaller

  • com.android.vending

  • com.google.android.gms

  • com.google.android.packageinstaller
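The per-app rules above (allowed list, disallowed list, Block connections without VPN) and the Google Play package list can be checked against an app inventory before a policy is pushed. The following is an added example, not code from the article or from Android: the `VpnPolicy` model, the function names, and the `com.example.*` packages are assumptions made for illustration, and the model describes routing while the VPN is connected.

```python
from dataclasses import dataclass

# Google Play packages listed in the article.
GOOGLE_PLAY = frozenset({
    "com.android.packageinstaller", "com.android.vending",
    "com.google.android.gms", "com.google.android.packageinstaller",
})
VPN, SYSTEM, BLOCKED = "vpn", "system-network", "no-network"


@dataclass(frozen=True)
class VpnPolicy:
    allowed: frozenset = frozenset()      # per-app allowed list
    disallowed: frozenset = frozenset()   # per-app disallowed list
    block_without_vpn: bool = False       # "Block connections without VPN"

    def __post_init__(self):
        if self.allowed and self.disallowed:
            raise ValueError("use an allowed list or a disallowed list, not both")


def route_for(policy, package):
    """Where one app's traffic goes while the VPN is connected."""
    if policy.allowed:
        in_vpn = package in policy.allowed
    else:  # disallowed list, or no list at all (everything uses the VPN)
        in_vpn = package not in policy.disallowed
    if in_vpn:
        return VPN
    return BLOCKED if policy.block_without_vpn else SYSTEM


def audit(policy, installed):
    """Return ({package: route}, findings) for a set of installed packages."""
    routes = {pkg: route_for(policy, pkg) for pkg in sorted(installed)}
    findings = []
    for route, label in ((SYSTEM, "bypass the VPN"), (BLOCKED, "lose network access")):
        hit = [p for p, r in routes.items() if r == route]
        if hit:
            findings.append(f"{len(hit)} app(s) {label}: {', '.join(hit)}")
    play_routes = {routes[p] for p in GOOGLE_PLAY & set(installed)}
    if len(play_routes) > 1:
        findings.append("Google Play packages are split across routes")
    return routes, findings


# Constructed inventory: two hypothetical apps plus the Google Play packages.
INSTALLED = {"com.example.mail", "com.example.browser"} | GOOGLE_PLAY
```

The "split across routes" finding flags a list that names only some of the four Google Play packages, which leaves Play traffic partly inside and partly outside the VPN.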

Restrict system settings

If your EMM supports it, you can prevent device users from changing system VPN settings. In some versions of Android, this restriction stops an always-on VPN from starting:

Android version | Administration                         | Behavior when restricted
--------------- | -------------------------------------- | ------------------------
5.0             | Fully managed devices                  | VPN app doesn’t start.
6.0             | Fully managed devices and work profile | VPN app doesn’t start.
7.0 or higher   | Fully managed devices and work profile | Always-on VPN app starts if set by device policy controller. Other VPN apps don’t start.

Related articles and guides


I'm an expert in the field of virtual private networks (VPNs) and Android device management. My expertise stems from hands-on experience and a deep understanding of the concepts involved. Let's delve into the information provided in the article about configuring VPNs on Android devices.

The article covers various aspects of VPN configuration on Android devices:

  1. Android VPN Options:

    • Android includes a built-in VPN client supporting PPTP, L2TP/IPSec, and IPSec.
    • Devices running Android 4.0 and later also support VPN apps for additional features.
    • Reasons for using a VPN app include enterprise mobility management (EMM) console configuration, supporting protocols not in the built-in client, simplified VPN service connection, and running separate VPNs for personal and work profiles.
  2. EMM Configuration:

    • Many VPNs can be configured using an EMM console, ensuring a user-friendly experience without complex settings.
    • EMMs support various configurations, such as disabling VPN system settings, configuring VPN network connection settings, and managing app access through the VPN.
  3. Always-on VPN:

    • Android 7.0 and higher support an "always-on VPN" feature that starts the VPN service on device boot and keeps it running during device or work profile usage.
    • Non-VPN connections can be blocked through device settings or EMM console.
  4. Per-App VPN:

    • VPN apps can filter which installed apps are allowed to send traffic through the VPN connection.
    • Configurations include allowed and disallowed lists, impacting network access for specific apps.
    • Special considerations for Google Play traffic, allowing or disallowing certain app packages.
  5. Restrict System Settings:

    • EMMs can restrict device users from changing system VPN settings.
    • The impact varies based on Android version, affecting VPN app behavior.
  6. Related Articles and Guides:

    • The article references additional resources such as guides on connecting to a VPN on Android and the Android VPN developer's guide.

In summary, the article provides comprehensive guidance for IT admins on configuring VPNs on Android devices, covering built-in options, EMM configurations, always-on VPN settings, per-app VPN configurations, and system settings restrictions.

Article information

Author: Van Hayes
