Always On & Untrusted Networks
The beem app is designed to automatically keep your beemNet VPN tunnel active, ensuring a secure connection without any user intervention. The “Always On” feature can be configured in various ways by your beem administrator to suit organizational requirements. Depending on these settings, users may have access to the Stay connected option within the beem app.
If you prefer to manually connect and disconnect, and your beem administrator allows it, the app can still help by warning you when you're connected to an untrusted network.
To activate or deactivate Stay connected:
- Tap the ☰ icon (located in the upper right corner of the app's home screen).
- Go to Connection details (which can be found as the first item in the menu).
- Select Stay connected.
To activate or deactivate Untrusted network warning:
- Tap the ☰ icon.
- Go to Connection details.
- Select Untrusted network warning.
Understanding Untrusted Networks
INFO
The concept of untrusted networks only applies when the “Always On” feature is enabled. If “Always On” is not active, the beem app does not monitor or label networks as untrusted.
An untrusted network is any network that isn’t integrated with beemNet and therefore not protected by it. Typical examples include public Wi-Fi hotspots, private home networks, and mobile-data connections from SIM cards that aren’t connected to beemNet. The beem app automatically identifies and labels such networks as “untrusted,” keeping users informed and helping them safeguard their devices and data.
If “Always On” is not enforced by your beem administrator or the user has deactivated Stay connected, users have the option to deactivate or activate the Untrusted network warning.
When users tap or click Disconnect from beemNet, the beem app verifies whether the current network connection is protected by beemNet. Additionally, whenever there is a change in the network interface of the client device, such as switching from mobile to Wi-Fi, the beem app assesses whether it is now connected to an untrusted network. When the beem app detects that the current network connection is not protected by beemNet, it displays a toast message if the app is running in the foreground. If running in the background, it issues a system notification to the device in use.
WARNING
Due to technical limitations in iOS and iPadOS, the beem app cannot display untrusted network notifications while running in the background. To check their protection status at any time, users can open the beem app and view the home screen.
Pausing the beemNet VPN
When the Stay connected feature is enabled—either by the user or enforced by the beem administrator—there may be scenarios where users need or choose to temporarily pause encryption. Although the action button is labelled Disconnect from beemNet, its behaviour depends on the device’s current network configuration:
- If permitted by the beem administrator, encryption will be paused for a predefined duration.
- If not permitted, a toast message will appear explaining the restriction.
The button label will update based on the outcome:
- If the device remains connected to beemNet, the button label changes to Encrypt connection, and the home screen will indicate that encryption is paused while protection remains active.
- If the beemNet connection is fully terminated, leaving the device unprotected, the button will switch to Connect to beemNet, and the status icons for both encryption and protection on the home screen will turn red.
Auto-Reconnect Behaviour
When a pause duration is defined by the beem administrator, the encrypted beemNet VPN tunnel will automatically re-establish once the timer expires. This functionality is available on Android, Windows, and macOS, with a slightly adapted experience on iOS and iPadOS.
Due to platform limitations on iOS and iPadOS, specifically the lack of full background processing, automatic reconnection to the beemNet VPN is not always guaranteed. Users are notified whether the reconnection attempt succeeds or fails. If it fails, the VPN remains inactive until the user either taps the notification or manually opens the beem app.
Behind the Scenes: Auto-Reconnect on iOS and iPadOS
On iOS and iPadOS, the beem app relies on the Apple Push Notification service (APNs) to re-establish the beemNet VPN tunnel, as no alternative background mechanism is currently available on these platforms.
Step 1: Background Notification
A background notification is sent to trigger the VPN reconnection. However, Apple may delay or suppress these notifications to conserve battery and optimize system performance. As a result, delivery may be delayed—or in some cases, missed entirely—leading to a postponed or failed reconnection.
Step 2: Follow-up Notification
If the VPN tunnel is not successfully re-established within five minutes, a second, time-sensitive notification is sent to inform the user. This notification is designed for prompt delivery and only appears if the initial reconnection attempt fails.
Note on Notification Order
In rare cases, the time-sensitive notification may arrive before the background notification due to Apple’s delivery prioritization. This can result in users seeing the two notifications in reverse order.
TIP
Users should always receive at least one of the two notifications. Restarting the device can sometimes improve the reliability of background notification delivery.
Understanding Fail-Mode, Restricted and Limited Access
When configuring “Always On”, administrators of beem Plus or Premium Security Editions can choose between “fail-open” and “fail-close” modes. However, the beem Essential and Basic Security Editions always default to “fail-open”. This approach enables organizations to effectively balance security and availability, depending on corporate policies and specific requirements. As a result, network access may be restricted or limited for a given device and beem app user, depending on the circumstances.
🔒 Fail-Close prioritizes security: When only (unprotected) Internet connectivity is available, and there is no secure, encrypted connection to beemNet or a system malfunction occurs, access to “everything” is automatically denied to protect security. If an unencrypted beemNet connection is available, protected Internet access remains available, but access to corporate resources is restricted.
🚪 Fail-Open prioritizes availability: When there’s no connection to beemNet — whether encrypted or not — or a system malfunction occurs, the beem app defaults to allowing unprotected Internet access in order to maintain availability.
Comparing Fail-Close (Restricted & Limited Access) and Fail-Open
Feature / Fail-Mode | 🔒 Fail-Close: Restricted Access | 🔒 Fail-Close: Limited Access | 🚪 Fail-Open |
---|---|---|---|
Core Principle | Security First | Security First | Availability First |
Access Type | Restricted Access | Limited Access | Internet Access only |
Trigger Condition | No secure, encrypted connection to beemNet OR system malfunction | beemNet connection without encryption OR VPN malfunction | No connection to beemNet (encrypted or not) OR system malfunction |
Internet Access | ✗ Access to all network resources is denied | ✓ Internet access is allowed and protected | (✓) Unprotected Internet access is allowed |
Access to Business Applications | ✗ Access to all network resources is denied | (✓) Limited access to corporate data and resources is allowed | ✗ Access to all corporate data and resources is denied |
Response to Public Wi-Fi or Untrusted Network | ✗ Blocked | ✓ Allowed | ✓ Allowed |
User Experience (Default Behaviour) | May cause loss of access or service interruption | Connectivity continues with reduced access | Connectivity continues with reduced security |
Risk Exposure | Minimal (no unprotected access granted) | Minimal (no unprotected access granted) | Higher (data may flow over unsecured network) |
Use Case Suitability | Sensitive environments (e.g. enterprise, compliance-driven) | Sensitive environments (e.g. enterprise, compliance-driven) | Less sensitive contexts (e.g. casual browsing) |
In a “fail-close” scenario without a beemNet connection, access to both the Internet and corporate resources—such as business applications—is highly restricted. If the beemNet connection remains unencrypted, most corporate resources will likely stay inaccessible, limiting access. From the user's viewpoint, this may resemble a total loss of connectivity, including Internet access. Technically, the beem administrator determines which resources remain accessible during such conditions.
Unprotected Internet Access Requests in “Fail-Close” Mode
During a “fail-close” scenario, beem administrators may grant users temporary unprotected Internet access for a limited, predefined duration. To request access, users must submit a brief written explanation within the beem app, justifying the need. These documented exceptions help organizations comply with internal policies and external regulations.
User Experience During “Fail-Close” Scenarios
From the user's perspective, a fail-close scenario results in either restricted access when both protection and encryption are unavailable, or limited access where protection remains, but encryption is missing.
Limited access provides protected Internet connectivity and allows partial access to corporate resources such as business applications. The beem Essential and Basic Security Editions will apply SPI in these conditions. Depending on administrator configurations, the Security Editions Plus and Premium can also apply DPI.
Conversely, restricted access denies Internet connectivity and grants minimal, if any, access to corporate assets. Upon user request, temporary unprotected Internet access may be granted for a limited duration, subject to policy.
INFO
It is essential to emphasize that valid authentication is a prerequisite for both restricted and limited access. Without proper authentication, no resources can be accessed under any circumstances.
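The fail-mode rules above, combined into one decision function. This is an added example, not beem's own code: the `Access` names, the function names and the boolean inputs are hypothetical, and the one combination the page does not define (fail-open with an unencrypted beemNet connection) is returned as `UNSPECIFIED` rather than guessed.

```python
from enum import Enum

class Access(Enum):
    NORMAL = "encrypted and protected by beemNet"
    LIMITED = "protected Internet, limited corporate access"
    RESTRICTED = "no Internet, minimal or no corporate access"
    INTERNET_ONLY = "unprotected Internet, no corporate access"
    NO_ACCESS = "not authenticated: nothing reachable"
    UNSPECIFIED = "combination not defined on the page"

# Editions that always run fail-open, per the page.
FAIL_OPEN_ONLY = {"Essential", "Basic"}

def effective_mode(edition, configured_mode):
    """Essential/Basic ignore the configured mode; Plus/Premium honour it."""
    if edition in FAIL_OPEN_ONLY:
        return "fail-open"
    if configured_mode not in ("fail-open", "fail-close"):
        raise ValueError(f"unknown fail mode: {configured_mode!r}")
    return configured_mode

def access_state(edition, configured_mode, beemnet_reachable,
                 tunnel_encrypted, system_malfunction, authenticated):
    """Map the device's situation to the access type from the comparison table."""
    mode = effective_mode(edition, configured_mode)
    if beemnet_reachable and tunnel_encrypted and not system_malfunction:
        return Access.NORMAL
    if mode == "fail-open":
        # Trigger: no beemNet connection at all, or a system malfunction.
        if not beemnet_reachable or system_malfunction:
            return Access.INTERNET_ONLY
        return Access.UNSPECIFIED
    # Fail-close: authentication is a prerequisite for restricted and limited access.
    if not authenticated:
        return Access.NO_ACCESS
    if beemnet_reachable and not system_malfunction:
        return Access.LIMITED      # beemNet reachable, encryption missing
    return Access.RESTRICTED       # no beemNet connection, or system malfunction

if __name__ == "__main__":
    # Constructed cases: (edition, mode, reachable, encrypted, malfunction, authenticated)
    cases = [
        ("Premium", "fail-close", False, False, False, True),
        ("Premium", "fail-close", True, False, False, True),
        ("Basic", "fail-close", False, False, False, True),
    ]
    for case in cases:
        print(case, "->", access_state(*case).name)
```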