AppConnect app configuration

An AppConnect app configuration specifies:

  • app-specific configuration for the app.
  • AppTunnel settings for the app.

IMPORTANT: For each AppConnect app, make sure only one AppConnect app configuration applies to each device.

The following sections describe how to configure an AppConnect app configuration:

Automatically created AppConnect app configuration

When you upload an AppConnect app to the Core App Catalog, Core creates an AppConnect app configuration automatically as follows:

  • For Android AppConnect apps:

    Core always takes this automatic action. If the app has specified configuration requirements, Core uses that configuration. Otherwise, Core creates an AppConnect app configuration with no configuration values.

  • For iOS AppConnect apps built using the AppConnect for iOS SDK or Cordova Plugin:

    Core takes this automatic action only if an in-house app has specified configuration requirements in its IPA file. This automatic action does not occur when you specify an Apple App Store AppConnect app as a recommended app.

  • For wrapped iOS AppConnect apps:

    Core does not take this automatic action.

The following table lists the name of the automatically created AppConnect app configuration.

Table 12.   Name of automatically-created AppConnect app configuration

| OS of the AppConnect app | Name of automatically-created AppConnect app configuration |
|---|---|
| For iOS AppConnect apps | Default <bundle ID of app> Configuration |
| For Android AppConnect apps | Default <package ID of app> Configuration |

In the Admin Portal, on Policies & Configs > Configurations, the name of the app, not the name of the AppConnect app configuration, displays in the name column.

Automatically provided key-value pairs

MobileIron Core takes a special action for some iOS AppConnect apps in the Apple App Store that you specify as recommended apps. The special action occurs when you enter the bundle ID of one of these apps in the Application field of an app configuration and then save the app configuration. Core automatically populates the key-value pairs for the recommended app. Core does not overwrite any key-value pairs that you manually added. You can then edit the app configuration to change the provided key-value pairs, if necessary.

Configuring an AppConnect app configuration

If an AppConnect app configuration is not automatically created, create the configuration on the Core Admin Portal.


  1. In the Admin Portal, select Policy & Configs > Configurations.
  2. Select Add New > AppConnect > App Configuration to create an AppConnect app configuration.
  3. Update the form as needed.
  4. Click Save.
  5. Select the new AppConnect app configuration.
  6. Select More Actions > Apply To Label.
  7. Select the labels to which you want to apply this AppConnect app configuration.
  8. Click Apply.

IMPORTANT: Be sure to apply one of the labels that you selected to the device.

Checking the device’s labels

The following describes how to check a device's labels.


  1. Go to Devices & Users > Devices.
  2. Select the device.
  3. In the Device Details Pane, select Label Membership.

Adding a device to a label

The following describes how to add a device to a label.


  1. Go to Devices & Users > Devices.
  2. Select the device.
  3. Select More Actions > Apply To Label.
  4. Select the labels to apply to the device.
  5. Click Apply.

AppConnect app configuration field description

Use the following guidelines to create or edit an AppConnect app configuration.

Table 13.   AppConnect app configuration fields




Enter brief text that identifies this AppConnect app configuration.

Note the following:

If MobileIron Core automatically created this AppConnect app configuration:

  • You cannot edit the name.

  • The name is not the same as the name that appears in the name column in Policy & Configs > Configurations.


Enter additional text that clarifies the purpose of this AppConnect app configuration.



Select an Android AppConnect app from the Core App Catalog.


Select an iOS AppConnect app from the Core App Catalog or enter the bundle ID of an iOS AppConnect app. A bundle ID that you enter is case sensitive.

Note the following:

The drop-down selection includes an iOS AppConnect app only if both of the following statements are true:

  • The app was added to the Core App Catalog as an in-house app.
  • The app specifies default app-specific configurations.

Client TLS

If the app is using certificate pinning, select Enable Client TLS Configuration and choose the appropriate Client TLS configuration from the drop-down.

See Certificate pinning for AppConnect apps.

AppTunnel Rules

Configure AppTunnel rules settings for this app.

First, configure the Standalone Sentry to support AppTunnel. See Configuring AppConnect and AppTunnel.

When the app tries to connect to the URL and port configured here, the Sentry creates a tunnel to the app server.

This section is not available when the AppConnect app configuration is for the Secure Apps Manager. The Secure Apps Manager is the app required for Android devices running AppConnect apps. AppTunnel configuration is not applicable to the Secure Apps Manager.

Enable MobileIron Access

The setting is available only if Access is configured in the Admin Portal in Services > Access. Otherwise, the setting is grayed out.

If the option is selected, Access trusts the HTTPS traffic via AppTunnel. Tunnel is not needed in this setup.

For information about Access and how to set up the service with MobileIron Core, see the Access Guide.

If Enable Split Tunneling using MobileIron Tunnel is selected, HTTPS authentication traffic, which would have previously used AppTunnel to Access, goes through Tunnel instead.

Enable Split Tunneling using MobileIron Tunnel

iOS only. Requires Mobile@Work 12.3.0 and Tunnel 4.1.0 for iOS.

Before enabling the option, ensure that Tunnel is deployed and a Tunnel VPN configuration is applied to the AppConnect app. For information about deploying Tunnel for iOS, see the Ivanti Tunnel for iOS Guide.

Select the option if the AppConnect app will transition to using WKWebView or the app currently uses WKWebView and any of the following is also true:

  • AppTunnel rules are configured to tunnel app data.
  • Enable MobileIron Access is selected.

Enabling the option allows the configured AppTunnel rules to be managed through Tunnel rather than through AppTunnel.

For information about the UIWebView API deprecation, see UIWebView Deprecation and AppConnect Compatibility.

Rules configured in the Tunnel VPN configuration impact whether app data to the enterprise resource is tunneled.

Consider the following case:

  • You have an AppTunnel rule set up to tunnel app data to an enterprise resource.

  • Tunnel VPN is configured to disconnect if the enterprise Wi-Fi is available.

    In the above case, data from the app to the enterprise resource will not be tunneled if the device switches to the enterprise Wi-Fi network.

To add an AppTunnel rule, click Add+ .

To delete an AppTunnel rule, click the X at the end of the row.


Sentry

Select a Sentry configured for AppTunnel from the drop-down list.


Service

Select a service name from the drop-down list.

This service name specifies an AppTunnel service configured in the AppTunnel Configuration section of the specified Sentry.

If you entered a URL with wildcards in the URL Wildcard field, you can only select <ANY> or <CIFS_ANY> as the service. The <ANY> or <CIFS_ANY> service must be configured in the AppTunnel Configuration section of the Sentry configured for AppTunnel.

If the service on the Sentry is configured with its Server Auth set to Kerberos, the AppConnect app uses Single Sign On. That is, the device user does not enter any further credentials when the app accesses its enterprise app server.

URL Wildcard

Enter one of the following:

  • an app server’s hostname
  • a hostname with wildcards. The wildcard character is *.

If the app requests to access this hostname, the Sentry tunnels the app data to an app server. The Sentry and Service fields that you specify in this AppTunnel Rule row determine the target app server.

Note the following:

  • The app data is tunneled only if the app’s request matches this hostname and the port number specified in the Port field of this AppTunnel row.
    Exception: For iOS apps using AppConnect releases prior to AppConnect for iOS SDK 2.5 and AppConnect for iOS Wrapper 2.7, only the hostname, not the port number, determines whether the app data is tunneled.

  • A hostname with wildcards works only with the service <ANY>, <TCP_ANY>, or <CIFS_ANY>. Unlike services with specific service names, these services do not have associated app servers. The Sentry tunnels the data to the app server that has the URL that the app specified.

  • The order of these AppTunnel Rule rows matters. If you specify more than one AppTunnel Rule row, the first row that matches the hostname (and port, for Android) that the app requested is chosen. That row determines the Sentry and Service to use for tunneling.

  • Do not include a URI scheme, such as http:// or https://, in this field.


Port

Enter the port number that the app requests to access.

The app data is tunneled only if the app’s request matches the hostname in the URL Wildcard field and this port number.

Exception: For iOS apps using AppConnect releases prior to AppConnect for iOS SDK 2.5 and AppConnect for iOS Wrapper 2.7, only the hostname, not the port number, determines whether the app data is tunneled.

Note the following:

  • If you do not enter a port number, the port in the app’s request is not used to determine whether data is tunneled.

  • Entering a port number in this field is required when both of the following are true:

      • The hostname in the URL Wildcard field does not contain a wildcard.

      • The service is not <ANY> or <CIFS_ANY>.
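The row-matching and validation rules described above for the URL Wildcard and Port fields can be modeled in a few lines. This Python sketch is an added example, not MobileIron code: the `Rule` class, the function names, the sample rows, and the exact wildcard semantics (`*` matches any run of characters, case-insensitive) are assumptions. It shows how a broad wildcard row placed first captures traffic meant for a later, more specific row.

```python
import re
from dataclasses import dataclass
from typing import Optional

WILDCARD_SERVICES = {"<ANY>", "<TCP_ANY>", "<CIFS_ANY>"}  # allowed with a wildcard hostname
PORT_OPTIONAL_SERVICES = {"<ANY>", "<CIFS_ANY>"}          # exempt from the port requirement

@dataclass
class Rule:
    sentry: str
    service: str
    host: str                   # URL Wildcard field
    port: Optional[int] = None  # Port field; None means left empty

def host_matches(pattern, host):
    # Assumption: '*' matches any run of characters; comparison ignores case.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def first_match(rules, host, port, legacy_ios=False):
    """Return the first row that tunnels host:port, or None if not tunneled."""
    for rule in rules:
        # Legacy iOS releases and rows with an empty Port field ignore the port.
        port_ok = legacy_ios or rule.port is None or rule.port == port
        if port_ok and host_matches(rule.host, host):
            return rule
    return None

def lint(rules):
    """Return (row_number, message) findings for rows that break the field rules."""
    findings = []
    for i, r in enumerate(rules, start=1):
        wildcard = "*" in r.host
        if "://" in r.host:
            findings.append((i, "URI scheme in URL Wildcard field"))
        if wildcard and r.service not in WILDCARD_SERVICES:
            findings.append((i, "wildcard hostname with a named service"))
        if not wildcard and r.service not in PORT_OPTIONAL_SERVICES and r.port is None:
            findings.append((i, "port required for literal hostname with a named service"))
        if not wildcard:  # a literal row is dead if an earlier row always wins
            for j, e in enumerate(rules[: i - 1], start=1):
                if host_matches(e.host, r.host) and (e.port is None or e.port == r.port):
                    findings.append((i, f"shadowed by row {j}"))
                    break
    return findings

# Constructed sample rows (Sentry, service and host names are made up).
RULES = [
    Rule("sentry1.example.com", "<ANY>", "*.corp.example.com"),
    Rule("sentry1.example.com", "SHAREPOINT", "sp.corp.example.com", 443),
    Rule("sentry1.example.com", "WIKI", "wiki.example.com"),
]
```

With these rows, a request to sp.corp.example.com:443 is tunneled by row 1's `<ANY>` service rather than the SHAREPOINT service, so any Server Auth setting on the named service never applies.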

Identity Certificate

Select the Certificate Enrollment setting that you created for AppTunnel. This selection determines the certificate that the device presents to the Standalone Sentry for authentication.

See “Device and server authentication” in the Sentry Guide for Core.


Specify app-specific configuration settings as key-value pairs.

To add a key-value pair, click Add+ .

To delete a key-value pair, click the X at the end of the row.


Enter the key. The key is any string that the app recognizes as a configurable item.

For example: userid, appURL


Enter the value. The value is either:

  • a string

    The string can have any value that is meaningful to the app. It can also include one or more of these MobileIron Core variables:

    Custom attribute variables are also supported:

    $CUSTOM_DEVICE_<attribute name>$

    $CUSTOM_USER_<attribute name>$

    If you do not want to provide a value, enter $NULL$. The $NULL$ value tells the app that the app user will need to provide the value.

    If you specify $PASSWORD$, also enable Save User Password under Settings > System Settings > Users & Devices > Registration. However, only devices that register after you enable Save User Password will receive the password.

  • a Certificate Enrollment or Certificate setting

    For client-provided certificate enrollment settings, Mobile@Work for iOS or Secure Apps Manager for Android, not Core, provides the certificate to the app.

    Certificate Enrollment and Certificate settings that you configured in Policy & Configs > Configurations appear in the drop-down list. When you choose a Certificate Enrollment or Certificate setting, MobileIron Core sends the contents of the certificate as the value.

    If the certificate is password-encoded, Core automatically sends another key-value pair. The key’s name is the string <name of key for certificate>_MI_CERT_PW. The value is the certificate’s password.