An “entitlement server” is a carrier network node that performs dynamic policy (or device management) control for a given set of devices running in the carrier network. Node selection for Voice-over-WiFi (“VoWiFi”) access may be preconfigured in a client device, provided to the client device via Domain Name Server (“DNS”) lookup, or provided by a subscription entitlement server during verification for service usage. A key node selection event associated with VoWiFi carrier service is selection of the access point to the network from an untrusted Wi-Fi network. Such an access point is typically implemented as evolved Packet Data Gateway (“ePDG”). The primary function of an ePDG is to secure data communication with user equipment devices (“UEs”) that connect to a core network via an untrusted non-3GPP network (such as a WiFi network). In general, the ePDG functions as a termination node of IPsec tunnels established with UEs.