ISM-2097 ASD Information Security Manual (ISM)

Configure Mobile Devices with Always On VPN

Ensure mobile devices have a VPN that is always active to protect data.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Mar 2026

✏️ Control Stack last updated

23 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Mobile devices are configured with always on VPN functionality.

Source: ASD Information Security Manual (ISM)

Plain language

Always On VPN means that your mobile devices are always connected to a secure network, even if you're on public Wi-Fi. This prevents hackers from stealing your information, protecting your business data wherever you and your team are.

Why it matters

Without an always-on VPN, sensitive company data can be intercepted on public networks, leading to data breaches or financial loss.

Operational notes

Regularly review VPN logs and ensure the app updates automatically on all devices to maintain security. Stay informed on emerging VPN vulnerabilities.

Implementation tips

  • IT teams should deploy always-on VPN profiles via MDM (Mobile Device Management) to all organisational mobile devices. Configure the VPN to activate automatically at device boot and prevent users from disabling it.
  • Network administrators should configure split tunnelling policies carefully — for sensitive environments, route all traffic through the VPN. Test connectivity to ensure business apps function correctly through the tunnel.
  • IT teams should set up automated monitoring and alerting for VPN connection drops. Use MDM compliance policies to flag devices where the VPN is not running and quarantine non-compliant devices from accessing organisational resources.
  • System owners should establish a process for VPN certificate/credential rotation and ensure devices receive updated profiles automatically. Plan for VPN gateway redundancy so a single point of failure doesn't disconnect the fleet.
  • Security teams should regularly test the always-on VPN enforcement by attempting to access the internet or organisational resources with the VPN disabled. Document test results and remediate any bypass methods found.

Audit / evidence tips

  • Ask: the MDM configuration profile: Request the VPN profile deployed to mobile devices

    Look at: 'always-on' or 'connect on demand' rules that activate at boot and cannot be user-disabled

    Good: shows the VPN is enforced at the profile level, not optional

  • Ask: VPN connection logs: Request logs from the VPN gateway showing device connections

    Look at: consistent, uninterrupted sessions during device usage periods

    Good: shows devices maintaining VPN connections whenever active, with no extended gaps

  • Ask: MDM compliance reports: Request device compliance status showing VPN enforcement

    Look at: the percentage of devices with the VPN profile active and any non-compliant devices flagged

    Good: shows near-100% compliance with remediation actions for exceptions

  • Ask: a live device demonstration: Request a walkthrough on a sample device showing the VPN activates automatically and cannot be turned off by the user

    Good: shows the VPN connected on boot with the toggle greyed out or hidden

  • Ask: the VPN failover and redundancy plan: Request documentation showing how VPN availability is maintained

    Look at: multiple VPN gateways, automatic failover, and monitoring alerts

    Good: shows redundancy measures that prevent devices from falling off VPN due to gateway issues
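
The "VPN connection logs" check above, and the monitoring for connection drops described in the implementation tips, can be scripted. The following is an added example, not code from Control Stack or the ISM: the CSV column names, device IDs, inventory list and 15-minute gap threshold are all assumptions, and the sample records are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: a real gateway export will use a different format.
SAMPLE_SESSIONS = """\
device_id,connected_utc,disconnected_utc
phone-01,2026-03-02T08:00:00,2026-03-02T12:00:00
phone-01,2026-03-02T12:01:00,2026-03-02T18:00:00
phone-02,2026-03-02T08:00:00,2026-03-02T09:30:00
phone-02,2026-03-02T13:45:00,2026-03-02T18:00:00
"""
ENROLLED = ["phone-01", "phone-02", "phone-03"]  # constructed MDM inventory


def find_vpn_gaps(sessions_csv, enrolled, window_start, window_end,
                  max_gap=timedelta(minutes=15)):
    """Return {device_id: [(gap_start, gap_end), ...]} for gaps longer than max_gap."""
    # Seed with the inventory so enrolled devices with no sessions are reported.
    sessions = {dev: [] for dev in enrolled}
    for row in csv.DictReader(io.StringIO(sessions_csv)):
        start = datetime.fromisoformat(row["connected_utc"])
        end = datetime.fromisoformat(row["disconnected_utc"])
        # Sessions from devices outside the inventory are still tracked.
        sessions.setdefault(row["device_id"], []).append((start, end))

    findings = {}
    for dev, spans in sessions.items():
        gaps, covered_until = [], window_start
        for start, end in sorted(spans):
            start = min(max(start, window_start), window_end)  # clip to window
            end = min(end, window_end)
            if start - covered_until > max_gap:
                gaps.append((covered_until, start))
            covered_until = max(covered_until, end)  # handles overlapping sessions
        if window_end - covered_until > max_gap:
            gaps.append((covered_until, window_end))
        if gaps:
            findings[dev] = gaps
    return findings


if __name__ == "__main__":
    day = datetime(2026, 3, 2)
    report = find_vpn_gaps(SAMPLE_SESSIONS, ENROLLED,
                           day.replace(hour=8), day.replace(hour=18))
    for dev, gaps in report.items():
        for start, end in gaps:
            print(f"{dev}: no VPN session {start:%H:%M}-{end:%H:%M} ({end - start})")
```

A reported gap is a lead, not proof of a bypass: the device may have been powered off or out of coverage, so compare each gap with MDM check-in times before treating it as non-compliance.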

Cross-framework mappings

How ISM-2097 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 8.1: ISM-2097 requires mobile devices to use always on VPN to reduce exposure of data and sessions when devices use untrusted networks
  • Annex A 8.20: ISM-2097 requires mobile devices to be configured with always on VPN so their network traffic is protected in transit regardless of the n...

Supports (1)

  • Annex A 5.15: ISM-2097 requires always on VPN on mobile devices to enforce a protected and controlled network path back to organisational services
