Set up always-on VPN on Android work devices.
Always-on VPN forces all traffic (or just work app traffic) through a tunnel to your network or cloud security stack. On Android Enterprise it can be per-app or device-wide, and lockdown mode prevents any traffic from going out without the VPN.
Try this first
1. In your MDM (Intune > Configuration profiles > Android Enterprise > VPN), pick the VPN client app from Managed Google Play (Cisco AnyConnect, Microsoft Tunnel, Zscaler).
2. Tick always-on and, optionally, lockdown (no traffic when the VPN is down).
3. Per-app VPN: send only work apps through the tunnel and let personal apps connect directly. This stays manageable and saves bandwidth.
4. Test on one device: captive portals (hotel Wi-Fi) break lockdown, so you need an exception.
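
For the test in step 4, a check like the one below confirms the profile actually landed before you try the captive-portal case. It is an added example, not part of the original page or any vendor's tooling. It assumes USB debugging is allowed on the test device and reads the AOSP secure settings `always_on_vpn_app` and `always_on_vpn_lockdown`; the package name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example: confirm on a test device that the MDM profile applied.
# Assumes USB debugging is allowed on that device; the package name used
# in the usage line is a placeholder, not a real VPN client.

# Read one Settings.Secure value for an Android user id
# (0 = primary user; a work profile has its own id: adb shell pm list users).
read_secure() {
    adb shell settings get --user "$1" secure "$2" | tr -d '\r'
}

# Usage: check_always_on_vpn USER_ID EXPECTED_PKG WANT_LOCKDOWN(0|1)
# Returns 0 only if the expected client is the always-on VPN for that
# user and the lockdown flag matches what the profile should enforce.
check_always_on_vpn() {
    user=$1; expected_pkg=$2; want_lockdown=$3
    pkg=$(read_secure "$user" always_on_vpn_app)
    lockdown=$(read_secure "$user" always_on_vpn_lockdown)
    # `settings get` prints "null" for an unset key; treat it as off.
    case "$lockdown" in 1) ;; *) lockdown=0 ;; esac

    if [ -z "$pkg" ] || [ "$pkg" = "null" ]; then
        echo "FAIL: user $user has no always-on VPN app"; return 1
    fi
    if [ "$pkg" != "$expected_pkg" ]; then
        echo "FAIL: always-on VPN is $pkg, expected $expected_pkg"; return 1
    fi
    if [ "$lockdown" != "$want_lockdown" ]; then
        echo "FAIL: lockdown is $lockdown, expected $want_lockdown"; return 1
    fi
    echo "OK: $pkg always-on for user $user, lockdown=$lockdown"
}

# Run directly, e.g.: sh check_vpn.sh 0 com.example.vpnclient 1
if [ "$#" -eq 3 ]; then
    check_always_on_vpn "$1" "$2" "$3"
fi
```

For per-app VPN inside a work profile, pass the profile's user id instead of 0, since the setting is stored per user.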
When to bring us in
We link your VPN client (FortiClient EMS, Microsoft Tunnel Gateway, Zscaler) to Intune, define per-app routes, and test captive portal flows.
See also
- Work and personal apps blur together on the same phone: Android Enterprise and iOS-with-Intune can enforce a work profile, isolating business apps in a separate container.
- Setting up Microsoft 365 on a new phone: Outlook, Teams, and OneDrive run smoothest if you install Authenticator first and sign the others in afterwards.
- Moving Authenticator to a new phone: Microsoft Authenticator has built-in cloud backup. Run it before wiping the old device, otherwise everything has to be re-added by hand.