We currently have a PacketTunnelProvider providing VPN to managed devices. Our profile locks this down with OnDemandEnabled and OnDemandUserOverrideDisabled set to true.
We've received some reports that on device startup, there is a time period after Wi-Fi connects but before the OnDemand VPN kicks in to enable our VPN, where users are able to navigate to IPs that are meant to be captured by the VPN tunnel. Instead, they are able to reach these IPs directly during this time period.
Is there an expectation in regards to when OnDemand VPN is allowed to kick in to enable the VPN? Is there anything that we can do to minimize this delay?