More and more people are using mobile devices in personal and business settings for a variety of purposes. These devices are often used by employees to access company resources, sometimes from remote or unusual locations. Increasingly, corporations and other organizations are providing their employees and other associates with, or otherwise enabling them to use, mobile devices such as smartphones, tablet computers, and other mobile computing devices. As these devices continue to grow in popularity and provide an increasing number of business applications, enterprise mobile applications are giving employees a means to access networked enterprise applications from their mobile devices.
Many mobile users connect from their mobile devices, over a virtual private network (VPN), to an enterprise server executing on a private network. Conventional VPN systems use a device-level VPN connection, such that all network traffic issued by a mobile application on a mobile device is routed to the private network. In such conventional device-level VPN systems, application traffic destined for public network addresses, issued by applications on the mobile device that do not need to communicate with any portion of the private network, is also automatically intercepted. Intercepting application traffic that is not destined for the private network unnecessarily burdens the VPN connection and the device battery, and often poses a privacy risk to the end user. In conventional device-level VPN systems, packets are intercepted from all applications installed on the mobile device, including non-enterprise applications whose packets do not need to be intercepted. Such interception of traffic from personal applications by an enterprise VPN system raises privacy concerns, because individual mobile users' private application data is being intercepted by the enterprise device-level VPN. Furthermore, in conventional device-level VPN systems, each mobile application depends on the operating system of the mobile device for packet interception and for creation of a tunneling network interface. In such systems, only one device-level VPN can run at a given time, and all network traffic must be intercepted and tunneled through it.