So many times law enforcement take advantage of this too, to fingerprint devices. The number of people caught because someone leaks packets outside the VPN for a few seconds because they forgot to configure VPN to disable outbound data if VPN drops... I've long wondered if making always on VPN require MDM provisioning on iPhones was a sop to police/criminal investigation forces, especially after Apple's public fights with the FBI over matters like the locked San Bernardino phone etc. I bet very few crims installing VPNs are aware of that Apple support doc.
If this was working as it arguably should and could be done easily without MDM provisioning, it would remove a genuinely useful avenue for law enforcement and add more fuel to the FBI's dislike for Apple's security features.
You used FBI and the term law enforcement in the same sentence. Sad to say, the respect I once had for what the FBI likes and dislikes has been greatly diminished by the political bias that seems to influence its actions. I look forward to the day when they are strictly law enforcement and without political agenda. We as a country need them.
I wonder if there's a small bit of pressure on the device manufacturers to keep DNS leaks happening for consumers. I'd love to be a fly on the wall at some of the NatSec-level conversations.
Should it be expected that individual users should be familiar with corporate deployment documentation just to know that the VPN app they bought actually leaks?
I'm not following. Your link appears to be specific to corporate environments. The title of the document is:
"VPN overview for Apple device deployment."
It further states "Secure access to private corporate networks is available in iOS ..."
An individual iPhone user who is not using a company issued device would not be beholden to MDM restrictions or profiles. Nor would access to "private corporate networks" be necessarily relevant.
It's written that way because the target audience is enterprise IT folks who are managing fleets of employee devices, but you can freely use MDM profiles as a consumer. It's certainly not user-friendly which is why I commented that the way it works for VPN clients installed as apps could be seen as a dubious implementation.
Yes, and if it's an unmanaged device it is by definition not being managed by an MDM. The title of the link makes it clear that the context is "device deployment." Further, the "Always On VPN" section in the linked article states:
> Always On VPN activation requires device supervision.
Supervision denotes a managed device:
"Supervision generally denotes that the device is owned by the organization, which provides additional control over its configuration and restrictions."[1]
No regular non-corporate iOS device user is ever likely to be downloading manually distributed mobile profiles.