This happens under very specific circumstances.
1. Non-Interactive App Mode is enabled under Settings>SEP Mobile App>NonInteractive App Mode
2. Sensitive Corporate Resources are configured under Settings>Security>Sensitive Corporate Resources
3. Block access to defined Sensitive Corporate Resources is checked under Settings>Security>Compliance
After enrolling iOS devices with these settings enabled, enrolled iOS devices will have be initially non-compliant and unable to access sensitive corporate resources as the Selected Resources Protection (SRP) VPN will be enabled. After the initial security assessment completes, the device will become compliant, but the SRP VPN will not automatically disengage and allow connections to the Sensitive Corporate Resources. The SRP VPN can be manually disabled.