We have recently deployed an IPSEC, certificate-authenticated Cisco VPN solution, with the on demand VPN feature.
This was to facilitate a transparent secure access solution for a customer who required the VPN connection to be activated automatically when connecting to certain sites or services.
We achieved the desired outcome by setting up a Cisco IPSEC VPN and PKI infrastructure using Cisco ASA endpoints. This was delivered in conjunction with Apple's MDM solution running on OS X to deploy the certificates and settings to end user iOS devices over wireless.
The result is a seamless and transparent secure access configuration for client devices, with automated configuration for the Apple devices in this instance. From the user's perspective, this really is a zero-touch solution.