AppConnect apps and authentication to enterprise app servers

You can set up AppConnect apps to provide device users a seamless authentication experience to your enterprise applications. In such a setup, users do not have to enter any credentials when accessing enterprise applications from an AppConnect app from a device managed by MobileIron Core. When users launch an AppConnect app the Ivanti UEM client on the managed device authenticates the user. After the user is authenticated, the user can access the enterprise application without having to enter any credentials.

The following methods are available to support this capability:

Authentication using Kerberos Constrained Delegation

You can use Kerberos Constrained Delegation (KCD) for authenticating a user to an enterprise server.

To use this feature, the app must do the following:

  • Use the AppTunnel feature, configured for authenticating the user to the enterprise server using Kerberos Constrained Delegation (KCD).
  • Interact with an enterprise server that supports authentication using KCD.

AppConnect-enabled ActiveSync email apps such as, Email+ for Android, and Email+ for iOS do not use AppTunnel. You configure the Standalone Sentry for authenticating the user to the ActiveSync server using KCD.

All AppConnect apps can use this feature, including:

  • Android third-party AppConnect apps
  • iOS third-party AppConnect apps built with the AppConnect for iOS SDK or the AppConnect for iOS Cordova Plugin
  • Web@Work
  • Docs@Work

Ivanti does not support KCD with CIFS-based content servers.

Certificate authentication for Android AppConnect apps

An Android AppConnect app can send a certificate to identify and authenticate the app user to an enterprise server when using AppTunnel with TCP tunneling.

Certificate authentication using AppConnect with TCP tunneling for Android secure apps.

Certificate authentication for iOS AppConnect apps

An iOS AppConnect app can send a certificate to identify and authenticate the app user to an enterprise service.

Certificate authentication from AppConnect apps to enterprise services.

Authentication through Access

For an AppConnect app, in a Access deployment with Core or Ivanti Neurons for MDM, if an enterprise cloud service is set up in Access,

  • Authentication to the cloud service goes through Access.
  • If AppTunnel rules are configured in the AppConnect app configuration, data traffic goes through AppTunnel, however authentication traffic goes through Tunnel to Access.
  • In addition, with zero sign-on, device users can get passwordless access to cloud services on their managed devices.
  • If Enable MobileIron Access is selected in the AppConnect app configuration, AppTunnel traffic is trusted by Access. The AppConnect app does not require Tunnel to authenticate through Access.