AppConnect apps and authentication to enterprise app servers
You can set up AppConnect apps to provide device users a seamless authentication experience to your enterprise applications. In such a setup, users do not have to enter any credentials when accessing enterprise applications from an AppConnect app on a device managed by MobileIron Core. When users launch an AppConnect app, the Ivanti UEM client on the managed device authenticates the user. After the user is authenticated, the user can access the enterprise application without having to enter any credentials.
The following methods are available to support this capability:
- Authentication using Kerberos Constrained Delegation
- Certificate authentication for Android AppConnect apps
- Certificate authentication for iOS AppConnect apps
- Authentication through Access
Authentication using Kerberos Constrained Delegation
You can use Kerberos Constrained Delegation (KCD) for authenticating a user to an enterprise server.
To use this feature, the app must do the following:
- Use the AppTunnel feature, configured for authenticating the user to the enterprise server using Kerberos Constrained Delegation (KCD).
- Interact with an enterprise server that supports authentication using KCD.
AppConnect-enabled ActiveSync email apps, such as Email+ for Android and Email+ for iOS, do not use AppTunnel. Instead, you configure the Standalone Sentry to authenticate the user to the ActiveSync server using KCD.
All AppConnect apps can use this feature, including:
- Android third-party AppConnect apps
- iOS third-party AppConnect apps built with the AppConnect for iOS SDK or the AppConnect for iOS Cordova Plugin
- Web@Work
- Docs@Work
Ivanti does not support KCD with CIFS-based content servers.
Certificate authentication for Android AppConnect apps
An Android AppConnect app can send a certificate to identify and authenticate the app user to an enterprise server when using AppTunnel with TCP tunneling.
Certificate authentication using AppConnect with TCP tunneling for Android secure apps.
Certificate authentication for iOS AppConnect apps
An iOS AppConnect app can send a certificate to identify and authenticate the app user to an enterprise service.
Certificate authentication from AppConnect apps to enterprise services.
Authentication through Access
For an AppConnect app in an Access deployment with Core or Ivanti Neurons for MDM, if an enterprise cloud service is set up in Access:
- Authentication to the cloud service goes through Access.
- If AppTunnel rules are configured in the AppConnect app configuration, data traffic goes through AppTunnel; however, authentication traffic goes through Tunnel to Access.
- In addition, with zero sign-on, device users can get passwordless access to cloud services on their managed devices.
- If Enable MobileIron Access is selected in the AppConnect app configuration, AppTunnel traffic is trusted by Access. The AppConnect app does not require Tunnel to authenticate through Access.
- For information about Access and how to set up Access, see the Access Guide on the Access Landing Page.
- For information about Enable Mobile Access, see AppConnect app configuration field description.