Do not update to iOS18 if you use VPN

Hi,
I found an issue that can expose you to a data leak, in the per-app VPN scenario ONLY.
If you are using a managed per-app VPN, starting from iOS 18 this configuration can be disabled by the user via “Settings > General > VPN & Device Management > VPN > Deactivate Configuration”. The user can then use the browser freely and upload sensitive data from the managed browser.

I have already opened a case with Microsoft and Apple; please do the same to speed up the resolution.

[Update October 2024]: Issue currently fixed in iOS 18.1, button disappeared

I’m on a supervised device (managed from work) and can’t deactivate it.
I’m on iOS 18.0 (22A5346a).
Perhaps it’s the version of iOS you are using?

Is that on a supervised device or BYOD?

Damn it… Did you get any updates from Microsoft?

It’s Apple stealing your data to train its AI!!!

I don’t see that option.


Do you have this section? 22A3354 installed on my device at the moment (Europe).

Both, it is an OS feature.

Hello!
It will be fixed with iOS 18.1.

Please click on the “i” to check inside the VPN config and let me know.

The difference in my case is that we use a per-app VPN.

The connect on demand we had last year. We recently switched to Zscaler and it’s gone now.

Care to share how it will be fixed?
Will the “feature” disappear on its own or is there a new payload option to disable said “feature”?

Ok, but the button below “deactivate configuration” is not clickable in your case?

We are using per-app VPN using Microsoft Tunnel Gateway.

The button will disappear; no restrictions needed from an admin perspective.

It seems that it is not happening in the device-wide VPN configuration, good to know.
I’ll add these details to the post.

Maybe that’s why. We had per-app VPN, but now Zscaler handles everything. Perhaps that’s why that button disappeared. I don’t have that button anymore.

Nice to know, so apparently this is happening in a per-app VPN scenario. Interesting.

You sure you’re even using VPN? I don’t have Zscaler experience, but CASB solutions typically use something like ZTNA and don’t really VPN for apps.