If the VPN deployed via a device profile, unless they can also remove profiles or unenrolled the device.

Enforcing VPN usage is a little more complicated. 

• If supported by your VPN solution, you could set it to always-on or on-demand. 


• Setup network rules to prevent access unless VPN is on.


• Per-app VPN solution like Cloudflare

It really depends on what you've got in your toolbox.

Thanks! I will check to see if the app in question has an "always-on" option for the VPN. 

How would I set up network rules to prevent access unless the VPN is on? 

It really depends on how you're connecting to VPN. Are you using the native VPN client or a 3rd party solution? Any other tools you're using?

Remember if you use Jamf Safe Internet, that is already an always-on VPN config.

I was considering using an app called Qustodio. It has some features that Jamf School does not, like setting schedule and time limits for apps. Qustodio's parental controls are enforced by VPN. Their documentation (and a support rep I spoke with) said that when the user toggles the VPN off, it automatically re-enables itself within a few seconds. I'm not sure how this works, though. Is that a capability inherent to the app itself?

They said if I want to prevent the user from deleting the entire profile, I'd need to install their MDM, which prevents deleting a VPN configuration. But as I will already have an MDM (Jamf) installed, I don't think I can do this. Instead, I could create a separate mobileconfig file that prevents deletion of VPN configurations and upload that to her phone, right? 

Tech Lockdown offers a mobileconfig file that does this. 

Yes, if their product is also an MDM (which is what you're describing), then they should be able to give you the configuration to do it with Jamf. Some of the config is going to vary a bit from their product, but the principles are the same.

Ok, I will check with them. Thanks!