Configuring Ivanti Tunnel in Ivanti Neurons for MDM

Ivanti Tunnel creates a secure connection between the managed device and Ivanti Access for authenticating users accessing enterprise cloud resources.

Before you begin 

  • Add a Certificate Authority and create an Identity Certificate setting in Ivanti Neurons for MDM.
    • Add the Certificate Authority in Admin > Certificate Authority.
    • Create an Identity Certificate setting in Configuration > Add > Identity Certificate.
      For Certificate Distribution, select Dynamically Generated and for Source, select the certificate you configured in Admin > Certificate Authority.
  • If you were using a Sentry profile to configure Ivanti Access in Ivanti Neurons for MDM, reconfigure your setup to use an Access profile before deploying Ivanti Tunnel 3.1.0 for iOS through the most recently released version as supported by Ivanti. To set up an Access profile, see Configuring Ivanti Access in Ivanti Neurons for MDM.
  • For Android enterprise, app configuration is done when adding the app to the UEM for distribution. The following procedure applies to all supported OS except Android enterprise. However, configuration information provided in this procedure also applies when you configure Android enterprise. For information on how to add Ivanti Tunnel for Android enterprise to Ivanti Neurons for MDM, see the relevant section in the Ivanti Tunnel Guide.

    If you are configuring Ivanti Tunnel for Android enterprise and using Access Profile only, Ivanti recommends configuring AllowedAppList to specify the apps for which authentication traffic goes through Ivanti Tunnel.

Procedure 

  1. In Cloud, go to Configurations > +Add.
  2. Search for Ivanti Tunnel and click Ivanti Tunnel.
  3. Select the OS type for the configuration.
  4. Create a separate Ivanti Tunnel configuration for each OS type.
  5. Enter a name for the configuration.
  6. Select one of the following:
    1. Access Profile Only - Select if Ivanti Tunnel traffic goes only to Access.
    2. Sentry + Access Profile - Select if Ivanti Tunnel VPN supports both traffic to Access for authentication to enterprise cloud resources and through Standalone Sentry to on-premise enterprise resources. This option is available for iOS and Android only.

    Figure 1. Profile mode selection

  7. If you selected Sentry + Access Profile for profile mode, select the Sentry profile and the iOS or Android service you created in the Sentry profile.
  8. For Ivanti Tunnel for Android configuration, do the following:
    1. For Client Cert. Alias (Ivanti Tunnel for Android only), select the same certificate configuration you select for SCEP Identity.
    2. For SCEP Identity, select the Identity Certificate configuration you created for Ivanti Tunnel.
  9. For Ivanti Tunnel for Windows 10 configuration, do the following:
    1. For SCEP Identity, select the Identity Certificate configuration you created for Ivanti Tunnel.
    2. For Define Ivanti Tunnel App Settings, select Advanced.
    3. Enter the following key-value pairs:

      • Key: AppTriggerList/0/App/Id
        Value: App Id that will trigger Ivanti Tunnel.
        Example: %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

      • Key: TrafficFilterList/0/App/Id
        Value: App Id that will tunnel traffic through Ivanti Tunnel.
        Example: %PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe

      • Key: RouteList/0/Address
        Value:
          If your Cloud tenant is *.access-na1.mobileiron.com enter: 18.232.253.154
          If your Cloud tenant is *.access-eu1.mobileiron.com enter: 18.194.253.44

      • Key: RouteList/0/PrefixSize
        Value: 32

      • Key: TrafficFilterList/0/RoutingPolicyType
        Value: SplitTunnel

      • Key: RouteList/1/Address
        Value:
          If your Ivanti Neurons for MDM tenant is *.access-na1.mobileiron.com enter: 18.232.30.29
          If your Ivanti Neurons for MDM tenant is *.access-eu1.mobileiron.com enter: 18.194.99.243

      • Key: RouteList/1/PrefixSize
        Value: 32

  10. Leave all defaults as is and click Next.

    If you are configuring Ivanti Neurons for MDM and Ivanti Tunnel for Android enterprise and using Access Profile only, Ivanti recommends configuring AllowedAppList to specify the apps for which authentication traffic goes through Ivanti Tunnel.

  11. Select the distribution for the configuration and click Done.
  12. In Ivanti Access, do the following:
    1. Navigate to the UEM tab.
    2. Select the Ivanti Neurons for MDM UEM and click the Sync UEM button.
    3. Enter the credentials and click Verify and Done.

    This step is required to pull the Ivanti Tunnel certificates from the UEM and establish trust between Ivanti Tunnel and Ivanti Access.
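
The Windows 10 key-value pairs from step 9, assembled for a *.access-na1.mobileiron.com tenant and run through a small pre-deployment check that catches mixed-region route addresses and prefix sizes other than 32. This is an added example, not Ivanti code; the function name lint_tunnel_settings, the dictionary layout, and the sample settings are assumptions constructed for illustration.

```python
import ipaddress

# Access route addresses from the key-value table in step 9, by tenant region.
ACCESS_ROUTES = {
    "na1": ("18.232.253.154", "18.232.30.29"),
    "eu1": ("18.194.253.44", "18.194.99.243"),
}

def lint_tunnel_settings(settings, region):
    """Return a list of problems in a dict of Windows 10 Tunnel key-value pairs."""
    problems = []
    other = {a: r for r, addrs in ACCESS_ROUTES.items() if r != region for a in addrs}
    for i, want in enumerate(ACCESS_ROUTES[region]):
        key = f"RouteList/{i}/Address"
        raw = settings.get(key, "").strip()
        try:
            addr = str(ipaddress.ip_address(raw))
        except ValueError:
            problems.append(f"{key}: {raw!r} is not an IP address")
        else:
            if addr in other:
                problems.append(f"{key}: {addr} belongs to the {other[addr]} tenant")
            elif addr != want:
                problems.append(f"{key}: expected {want}, got {addr}")
        # A prefix shorter than 32 would route more than the single host.
        if settings.get(f"RouteList/{i}/PrefixSize", "").strip() != "32":
            problems.append(f"RouteList/{i}/PrefixSize: must be 32")
    if settings.get("TrafficFilterList/0/RoutingPolicyType") != "SplitTunnel":
        problems.append("TrafficFilterList/0/RoutingPolicyType: must be SplitTunnel")
    for key in ("AppTriggerList/0/App/Id", "TrafficFilterList/0/App/Id"):
        if not settings.get(key, "").strip():
            problems.append(f"{key}: app Id is missing")
    return problems

# Constructed sample: a complete set for a *.access-na1.mobileiron.com tenant.
CHROME = r"%PROGRAMFILES% (x86)\Google\Chrome\Application\chrome.exe"
GOOD_NA1 = {
    "AppTriggerList/0/App/Id": CHROME,
    "TrafficFilterList/0/App/Id": CHROME,
    "RouteList/0/Address": "18.232.253.154",
    "RouteList/0/PrefixSize": "32",
    "TrafficFilterList/0/RoutingPolicyType": "SplitTunnel",
    "RouteList/1/Address": "18.232.30.29",
    "RouteList/1/PrefixSize": "32",
}
# Constructed mistake: second route copied from the eu1 row, with a /24 prefix.
BAD_NA1 = {**GOOD_NA1, "RouteList/1/Address": "18.194.99.243", "RouteList/1/PrefixSize": "24"}
if __name__ == "__main__":
    print(lint_tunnel_settings(GOOD_NA1, "na1"), lint_tunnel_settings(BAD_NA1, "na1"))
```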

Next steps 

1. Add Ivanti Tunnel to Ivanti Neurons for MDM. For information on how to add Ivanti Tunnel to Ivanti Neurons for MDM, see the relevant section in the Ivanti Tunnel Guide for the device OS.
2. Set up SP and IdP federated pairs.

See Service provider (SP) metadata and Identity provider (IdP) metadata.

For more information about configuring and distributing Ivanti Tunnel, see the Ivanti Tunnel Guide for the OS.