Skip to main content
F
Fxzxmicah
Level 1.5: Cupcake
August 26, 2025
Solved

Support for a Single VPN Instance Shared Across All Users on a Corporate-Owned Device

  • August 26, 2025
  • 2 replies
  • 3 views

Hello everyone,

I am exploring how to reduce resource usage on corporate-owned Android devices that are configured with multiple users or profiles.

Currently, Android's VPN framework is per-user:

  • Each user (or work profile) maintains its own VPN state.
  • An Always-On VPN can only be configured within the context of the current user or profile.
  • This means that if a device has several users, each user needs to run a separate VPN instance.

This design results in unnecessary duplication:

  • Multiple VPN processes or tunnels are active on the same device.
  • System resources (CPU, battery, memory) are consumed redundantly.
  • The VPN app itself must be installed and configured multiple times.

My request/idea:
Enable a single VPN instance at the device level (not just per-user), so that one VPN tunnel can secure network traffic across all users and profiles. This would:

  • Greatly reduce resource waste.
  • Simplify deployment and management for IT admins.
  • Prevent the need for each user or profile to maintain its own VPN connection.

Questions for the community and Google team:

  1. Is there any existing mechanism (documented or OEM-specific) that allows a VPN to operate at the device scope rather than user scope?
  2. Are there any roadmap plans to support device-level VPN in Android Enterprise?
  3. If not currently supported, could this be considered as a feature request for future Android versions?

This would be particularly valuable for dedicated devices and shared device scenarios where multiple users must access corporate resources, but IT only wants to maintain one VPN tunnel.

Looking forward to your insights and to hear whether others face the same challenge.

Thank you.

Best answer by jasonbayton

You quite openly included OEM scope in your original request:

Fxzxmicah wrote:

Is there any existing mechanism (documented or OEM-specific) that allows a VPN to operate at the device scope rather than user scope?

 

There's no native option today, this would be a feature request. 

2 replies

M
Moombas
Level 4.4: KitKat
August 27, 2025

I'm not using COPE (or VPN this way) yet but i wonder about "multiple-users" on a COPE device, would expect just one. Also i would see a shared device here with fully managed instead of COPE.

And just to add here, as I see it (but may be wrong) the VPN settings on COPE and even on fully managed for me look like device based not user based.

 

Maybe you can share how you use multiple users on the COPE devices, which MDM you use and how you setup the VPN (ofc with fake data), just to see if maybe the issues is more likely how you set it up.

F
FxzxmicahAuthor
Level 1.5: Cupcake
August 27, 2025

Thanks for your reply! Just to clarify: my use case is corporate-owned shared devices with multiple full users (e.g. shift workers), not COPE. In this setup Android requires a separate VPN per user, which causes duplication. That's why I'm asking for a device-level VPN option that covers all users, rather than a per-user limitation.

From what I can see in the official Android docs, VPN is only described as a per-user / per-profile feature — I haven't found any reference to device-level VPN support.

M
Moombas
Level 4.4: KitKat
August 27, 2025

I only know shared device mode from fully managed, maybe the mentioning from corporate-owned just irritates me.

On fully managed we use VPN but just with one user, on shared device mode the device may behave different. So we need someone who had this usecase in the past already. Maybe @jasonbayton ?

R
Rakib
Level 2.2: Froyo
August 29, 2025

Samsung do support device level VPN, but your vendor must also support this since they need to use Samsung API.

https://docs.samsungknox.com/dev/knox-sdk/features/vpn-providers/overview/

F
FxzxmicahAuthor
Level 1.5: Cupcake
August 29, 2025

Thanks, but solutions limited to a specific OEM (like Samsung Knox APIs) are clearly not what I'm looking for. The request here is for native Android support, available across all devices, not tied to one vendor.

J
jasonbaytonAnswer
Level: 4.1: Jelly bean
August 29, 2025

You quite openly included OEM scope in your original request:

Fxzxmicah wrote:

Is there any existing mechanism (documented or OEM-specific) that allows a VPN to operate at the device scope rather than user scope?

 

There's no native option today, this would be a feature request. 

    Terms & ConditionsCookie settingsAccessibility statement