Always-on VPN that tunnels <i>everything</i> requires MDM commissioning. It's documented by Apple.<p>See the section "Always On VPN":
<a href="https://support.apple.com/guide/deployment/vpn-overview-depae3d361d0/web" rel="nofollow">https://support.apple.com/guide/deployment/vpn-overview-depa...</a><p>Is it dubious that Apple doesn't let VPN apps do this as well? Maybe. But this is known and documented.
> We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet. We used @ProtonVPN and #Wireshark
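The kind of check the quoted test describes (capture on the physical interface, then look for anything that is not the encrypted VPN transport), as an added example that is not from the thread or from ProtonVPN. It assumes a tab-separated export in the shape of `tshark -T fields`; the interface names, addresses and host names are constructed stand-ins, not observed values.

```python
"""Flag packets that left a device outside the VPN tunnel, from a field export.

Assumed columns (constructed, tshark-style): interface, ip.src, ip.dst,
udp.dstport, dns.qry.name. Every address and name below is made up for
the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from collections import Counter

TUNNEL_IF = "utun0"            # assumed name of the VPN tunnel interface
VPN_ENDPOINT = "203.0.113.10"  # assumed VPN server; its transport is expected on en0

# Constructed sample: rows 1, 2 and 5 are fine, rows 3, 4 and 6 escaped the tunnel.
SAMPLE = """\
utun0\t10.8.0.2\t198.51.100.50\t443\t
en0\t192.168.1.20\t203.0.113.10\t51820\t
en0\t192.168.1.20\t192.168.1.1\t53\thealth.example.test
en0\t192.168.1.20\t198.51.100.7\t443\t
utun0\t10.8.0.2\t10.8.0.1\t53\tsomesite.example.test
en0\t192.168.1.20\t192.168.1.1\t53\tmaps.example.test
"""

def parse(export):
    """Turn the tab-separated export into a list of dicts."""
    rows = []
    for line in export.splitlines():
        if not line.strip():
            continue
        iface, src, dst, dport, qname = line.split("\t")
        rows.append({"iface": iface, "src": src, "dst": dst,
                     "dport": int(dport) if dport else None, "qname": qname})
    return rows

def find_leaks(rows, tunnel_if=TUNNEL_IF, vpn_endpoint=VPN_ENDPOINT):
    """Return (escaped_rows, leaked_dns_names): packets on a non-tunnel interface
    whose destination is not the VPN server itself, and the plain-DNS names among them."""
    escaped = [r for r in rows if r["iface"] != tunnel_if and r["dst"] != vpn_endpoint]
    leaked_dns = [r["qname"] for r in escaped if r["dport"] == 53 and r["qname"]]
    return escaped, leaked_dns

def summarize(export=SAMPLE):
    """Counts a reviewer would look at first: how much escaped, and to where."""
    escaped, leaked_dns = find_leaks(parse(export))
    return {"escaped": len(escaped), "dns": leaked_dns,
            "destinations": dict(Counter(r["dst"] for r in escaped))}

if __name__ == "__main__":
    print(summarize())
```

On a real capture, replace `SAMPLE` with the export file's contents and set the two constants to the actual tunnel interface and server address; a non-empty `dns` list is the DNS leak the quoted test reports.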
Related ProtonVPN article:<p>"<i>We’ve raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic. Apple has stated that their traffic being VPN-exempt is “expected”, and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution”. We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises.</i>"<p><a href="https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/" rel="nofollow">https://protonvpn.com/blog/apple-ios-vulnerability-disclosur...</a>
For those looking for a workaround, you can get a VPN router; in my case, a GL.iNet Mango[0] router.<p>The great thing: even if the VPN connection drops, it doesn't leak your real/naked IP, and also /all/ traffic on an iOS device has to pass through the VPN. No special exceptions for Apple traffic.<p>The only caveat is you have to carry this when traveling, which means if you're traveling light, carrying this around could be burdensome. If you are at home most of the time though, such a router is invaluable.<p>[0] <a href="https://www.amazon.co.uk/GL-iNet-GL-MT300N-V2-Converter-Pre-installed-Performance/dp/B073TSK26W" rel="nofollow">https://www.amazon.co.uk/GL-iNet-GL-MT300N-V2-Converter-Pre-...</a>
And remember... This is WiFi.<p>But over the LTE connection, which is far harder to sniff without very expensive equipment, it could be doing almost anything. And you can't even check what it's doing.
This type of feature is useful for places like China that need to imprison people that speak out against the CCP.<p>Our tech overlords are not immune to pressures if we teach them how it is abused.
That is what a detached but portable WiFi/5G router is for … to block these Apple shenanigans …<p>While your phone is in Airplane mode and on a regular (but your router’s) WiFi-only network
iOS devices are leaky as hell. I once tried blackholing all requests besides those to a VPN service at the router level, and even then my iPhone would just fall back to mobile data for notifications and other Apple services.