Example setup with conditional rules

In the setup described in this section, traffic from managed apps using AppTunnel (AppConnect apps using AppTunnel and managed apps using Ivanti Tunnel) on an iPhone or iPad, and all traffic from laptops, desktops, and Android and Windows 10 mobile devices flows through Ivanti Access.

Setup with conditional

Expected behavior with the example setup

Setup with conditional

The following outlines the example setup with conditional rules:

Configure Salesforce service provider and related IdP in Federated Pairs.

Apply Ivanti Tunnel VPN to the Salesforce app.

Configure the following rules in Conditional Access:

Table 23.   Conditional rules

Conditional rule name


Trusted App and Device on iOS


Untrusted Apps on iPhone


Untrusted Apps on iPad


General Bypass


The order of the rules matters. Rules are evaluated in the order they appear.

Expected behavior with the example setup

The following outlines the expected behavior with the example setup:

Traffic from the managed Salesforce app on an iPhone and on an iPad will be allowed through Ivanti Access. This setup allows apps such as Web@Work that use AppTunnel to also authenticate to Salesforce.

All other traffic from iPhone and iPad will not be allowed through Ivanti Access.

Therefore, on an iPad or iPhone, only traffic from the managed Salesforce app and any apps that use AppTunnel will have access to Salesforce.

This setup allows users on other devices to continue to access Salesforce. Other devices include desktops, laptops, and Windows 10 and Android mobile devices.

For additional examples, seeKB article.