VPN Alone Is Not the Whole Story for Secure Mobile Access
VPNs secure mobile sessions, but enterprises also need governed underlay control over routing, breakout, and mobile transport ownership.

Enterprise security teams often do the right thing by deploying VPN or SSE clients on managed mobile devices. That step is important, but it does not fully answer a separate question: who governs the mobile transport path underneath the secure tunnel?
For iPhone and iPad fleets, the endpoint tunnel is what most effectively reduces direct destination visibility for application traffic. Zscaler documents that Client Connector establishes a tunnel to the nearest service edge, and Apple documents that supervised devices can enforce Always On VPN behavior that drops IP traffic if required tunnels are not established. Yet even a strong overlay does not remove every concern around mobile metadata, routing transparency, breakout control, and enterprise ownership of the path.
That is where secure mobile connectivity becomes relevant. Its value is not that it replaces the overlay. Its value is that it complements the overlay with a governed underlay, so mobile traffic can follow enterprise-defined routing, breakout, and segmentation rules before or beneath broader internet access decisions.
Why this matters now
Many organizations are revisiting secure mobile access because users, partners, and administrators often assume that encrypted traffic means the entire problem is solved. In practice, LTE and 5G encryption protects the air interface between the device and the base station; it is not end-to-end, and the mobile environment still includes subscriber handling, session processing, APN context, timing, and operator-controlled transport functions that remain relevant to enterprise architecture.
As mobile devices take on more business-critical access roles, IT and security teams increasingly need to think beyond application security alone. They also need to define where mobile traffic lands first, whether public breakout is allowed by default, and how cellular access fits into broader zero-trust and network-governance models.
What the underlay adds
A governed mobile underlay can make the cellular estate behave more like a managed enterprise access domain. Depending on the design, it can provide enterprise-first landing, deterministic egress IPs, controlled breakout, and SIM- or APN-based segmentation.
This does not mean private routing can hide everything from the operator. With or without an endpoint-originated tunnel, the mobile core still handles the session and therefore retains the information needed to route and deliver traffic: subscriber identity, attachment events, APN, the outer tunnel endpoint, and packet timing and volume. What the tunnel removes is visibility into the application destination and payload. The point is different: underlay control improves governance, while overlay security protects the session and enforces application-aware policy.
Technical Q&A
Does a VPN already solve secure mobile access?
A VPN or SSE client solves a large part of the problem, especially for application traffic confidentiality and policy enforcement. Apple’s Always On VPN model and Zscaler’s documented client tunnel behavior both provide strong controls for managed devices. However, those controls do not fully determine who owns the transport path, how mobile traffic breaks out, or how the cellular estate is integrated into enterprise routing policy.
Can private routing replace an endpoint tunnel?
Usually not. Private routing and endpoint tunneling address different layers of the architecture. Network-layer routing can improve control over breakout and traffic ownership, but an endpoint-originated tunnel is what most effectively reduces direct destination visibility for application traffic.
What remains visible in the mobile environment?
Even in a strong always-on design, the mobile environment still includes subscriber identity handling, attachment events, APN use, timing, and approved bootstrap or tunnel-endpoint connectivity. Apple’s documented approach limits arbitrary IP leakage, but it does not remove all metadata exposure inherent to mobile service delivery.
Why would a company add a mobile underlay if Zscaler is already deployed?
Because the underlay adds a different type of control. It can make mobile traffic land on enterprise-controlled infrastructure first, support fixed IP egress, enforce a no-public-breakout posture, and align mobile access with the organization’s existing routing and governance model.
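To make the layering in "What the underlay adds" and in the Q&A above concrete, here is an added, self-contained Python model of the two policy layers (example code, not from the original page or from Apple or Zscaler). The overlay models an Always On VPN posture on the device: only the tunnel endpoint and explicitly excepted bootstrap destinations leave the device outside the tunnel, everything else is encapsulated to the service edge or dropped when the tunnel is down. The underlay models APN-based segmentation with an enterprise landing prefix, a fixed egress IP, and a default no-public-breakout posture. All APN names, prefixes and addresses are assumptions using RFC 5737 documentation ranges. The `segments_missing_service_edge` check is the practical caveat: a no-breakout segment that does not allowlist the service edge silently prevents the always-on tunnel from ever coming up.

```python
"""Added example: overlay (device Always On VPN) plus underlay (APN-segmented
mobile transport) policy evaluation. All names and addresses are assumptions."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    apn: str    # APN the SIM attaches to; the underlay's segment key
    dst: str    # application-layer destination IP
    dport: int


# --- Overlay: Always On VPN posture on a supervised device -----------------
SERVICE_EDGE = "203.0.113.10"                   # hypothetical SSE service edge
BOOTSTRAP_EXCEPTIONS = {("10.50.0.5", 443)}     # hypothetical MDM bootstrap host


def overlay(flow, tunnel_up):
    """Return (disposition, outer_dst) as the packet leaves the device.

    outer_dst is what the mobile underlay actually sees in the IP header:
    the service edge for tunneled traffic, None if the device dropped it.
    """
    if flow.dst == SERVICE_EDGE:
        return ("tunnel-endpoint", flow.dst)
    if (flow.dst, flow.dport) in BOOTSTRAP_EXCEPTIONS:
        return ("bootstrap-exception", flow.dst)
    if tunnel_up:
        return ("in-tunnel", SERVICE_EDGE)   # app destination hidden from underlay
    return ("dropped-by-always-on", None)    # Always On: no tunnel, no IP traffic


# --- Underlay: per-APN segment, enterprise-first landing, fixed egress -----
SEGMENTS = {
    "corp.example": {"landing": ["10.50.0.0/16"], "egress": "192.0.2.7",
                     "breakout": ["203.0.113.0/24"]},   # covers the service edge
    "iot.example":  {"landing": ["10.60.0.0/16"], "egress": "192.0.2.8",
                     "breakout": []},                    # strict: nothing leaves
}


def _in_any(dst, prefixes):
    return any(dst in ipaddress.ip_network(p) for p in prefixes)


def underlay(apn, outer_dst):
    """Return (disposition, egress_ip) for the outer packet on a given APN."""
    seg = SEGMENTS.get(apn)
    if seg is None:
        return ("reject-unknown-apn", None)   # unmapped SIM/APN gets no segment
    dst = ipaddress.ip_address(outer_dst)
    if _in_any(dst, seg["landing"]):
        return ("enterprise-landing", None)   # lands on enterprise infra first
    if _in_any(dst, seg["breakout"]):
        return ("controlled-breakout", seg["egress"])   # deterministic egress IP
    return ("no-public-breakout", None)       # default posture


def evaluate(flow, tunnel_up):
    """Overlay decides first (device), underlay then sees only the outer header."""
    o_disp, outer = overlay(flow, tunnel_up)
    if outer is None:
        return (o_disp, "not-seen-by-underlay", None)
    u_disp, egress = underlay(flow.apn, outer)
    return (o_disp, u_disp, egress)


def segments_missing_service_edge():
    """Segments whose breakout allowlist would block the always-on tunnel itself."""
    edge = ipaddress.ip_address(SERVICE_EDGE)
    return sorted(apn for apn, seg in SEGMENTS.items()
                  if not _in_any(edge, seg["landing"] + seg["breakout"]))


if __name__ == "__main__":
    # Constructed sample flows (documentation addresses, not real hosts).
    samples = [
        (Flow("corp.example", "198.51.100.20", 443), True),
        (Flow("corp.example", "198.51.100.20", 443), False),
        (Flow("corp.example", "10.50.0.5", 443), False),
        (Flow("iot.example", "198.51.100.20", 443), True),
        (Flow("guest.example", "198.51.100.20", 443), True),
    ]
    for flow, up in samples:
        print(flow.apn, flow.dst, "tunnel_up=%s" % up, "->", evaluate(flow, up))
    print("segments that would block the tunnel:", segments_missing_service_edge())
```

The interesting rows are the third and fourth: bootstrap traffic excepted from the tunnel still lands on enterprise infrastructure because the underlay routes it there, while the strict `iot.example` segment blocks the service edge, so the overlay's "tunnel up" assumption can never hold on that APN until its allowlist is fixed.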
When does the combined model make the most sense?
The combined model is strongest when the organization cares about both session security and path governance. That is common in regulated industries, environments with strong allowlisting requirements, or architectures where mobile traffic must be treated like another governed enterprise access segment.
What security leaders should take away
The key takeaway is not that VPNs are insufficient in a simplistic sense. The more accurate conclusion is that VPN or SSE security and governed mobile connectivity solve different parts of the enterprise mobility problem.
When mobile security is discussed only in terms of encryption, an important architectural layer is missed. The overlay protects the session; the underlay governs the path.