AppTunnel configuration troubleshooting display in [email protected]

[email protected] displays AppTunnel configuration information for the app that it received from MobileIron Core. This information helps troubleshoot your AppTunnel configuration when an app is not successfully tunneling URL requests to its app server. Check the display’s fields to make sure that your AppTunnel configuration has been sent to the device and is what you intended.

Some highlights of the displayed AppTunnel configuration are:

  • Whether [email protected] has received the AppTunnel configuration from Core.
  • Whether the client certificate, identifying the device user to the Standalone Sentry, has expired.
  • The list of AppTunnel rules that indicate which URL requests should be tunneled.

Navigating to the AppTunnel configuration troubleshooting display

Procedure 

1. Open [email protected] on the device.
2. Tap Settings.
3. Tap Secure Apps. (Screenshots from [email protected] 9.1)

4. Tap the secure app you are interested in.

5. Tap AppTunnel.

If AppTunnel is None, no AppTunnel configuration is available for the app on [email protected] See AppTunnel configuration troubleshooting checklist.

Troubleshooting with the AppTunnel configuration display fields

Use the AppTunnel configuration display if URL requests that you configured for AppTunnel are not being tunneled. Check the display’s fields to make sure that your AppTunnel configuration has been sent to the device and is what you intended.

Some screenshots are from [email protected] 9.1.

Figure 1. AppTunnel display

 

Table 52.   AppTunnel display fields and troubleshooting actions

Field name

Description

Troubleshooting actions

Header Line Count

HTTP/S request header information for Sentry

If the value is zero, the device is not receiving the AppTunnel information from MobileIron Core.

Verify your AppTunnel configuration as specified in AppTunnel configuration troubleshooting checklist.

If the value is still zero, contact Ivanti Technical Support.

Client Certificate Password

Whether the client certificate that identifies the device user to Sentry is password-enabled.

When using a SCEP certificate, the value should be YES.

Client Certificate

Whether a valid client identity is available. This client identity is used to authenticate the app to the Sentry.

Tap to see the identity’s certificate information, including whether the certificate has expired.

If the value is None, check the AppConnect app configuration for the app. Make sure you specified an identity certificate.

In the Admin Portal for MobileIron Core:

1. Go to Policies & Configs > Configurations.
2. Select the AppConnect app configuration for the app (Setting Type is APPCONFIG) and Click Edit.
3. If you have not created an AppConnect app configuration, select Add New > AppConnect > Configuration.
4. In the AppTunnel Rules section, in the Identity Certificate field, specify a valid client certificate.
5. Click Save.

 

Make sure you have applied the appropriate labels to the AppConnect app configuration.

Sentries

The Sentries that are configured for AppTunnel for this app.

Tap to see the list of Sentries. Make sure they are what you expect this app to use for AppTunnel.

Rules

The AppTunnel rules configured on the app’s AppConnect app configuration.

If None, you have not configured AppTunnel rules on the AppConnect app configuration.

In the Admin Portal for MobileIron Core:

1. Go to Policies & Configs > Configurations.
2. Select the AppConnect app configuration for the app (Setting Type is APPCONFIG) and Click Edit.
3. If you have not created an AppConnect app configuration, select Add New > AppConnect > Configuration.
4. Edit the AppTunnel Rules section.
5. Click Save.

 

Make sure you have applied the appropriate labels to the AppConnect app configuration.

Client Certificate display

Check the client certificate fields, including whether the certificate has expired.

If necessary, tap on a field to view the entire string.

 

Table 53.   Client certificate display fields and troubleshooting actions

Field name

Description

Troubleshooting actions

Subject

You can compare the certificate values to the values on the Core Admin Portal:

1. Go to Logs > Certificate Management.
2. Select the certificate of interest for the user.
3. Click View.

 

Specifying a trusted root certificate in the Standalone Sentry

Specifying a valid client certificate in the AppConnect app configuration

Common Name

 

Organizational Unit

 

Issuer

 

Common Name

 

Serial Number

 

Version

 

Validity

Not Valid After

Expiration date

Make sure that the certificate has not expired.

Not Valid Before

Initial date

Make sure that the certificate is valid.

Specifying a trusted root certificate in the Standalone Sentry

The client identity is issued from a Trusted Root Certificate.The Standalone Sentry must be configured with the Trusted Root Certificate for device authentication to the Sentry.

To configure Standalone Sentry with the Trusted Root Certificate, in the Admin Portal for MobileIron Core:

1. Go to Services > Sentry.
2. Select the Standalone Sentry.
3. Click Edit.
4. Make sure Enable AppTunnel is selected.
5. In the Device Authentication Configuration section, select Identity Certificate.
6. Click Choose File to navigate to and select the Trusted Root Certificate.
7. Click Upload Certificate.
8. Click View Certificate to verify the certificate.
9. Click Save.

“Device and server authentication support for Standalone Sentry” in the Sentry Guide for Core.

Specifying a valid client certificate in the AppConnect app configuration

If the client certificate is not valid, specify a valid client identity certificate in the AppConnect app configuration.

In the Admin Portal for MobileIron Core:

1. Go to Policies & Configs > Configurations.
2. Select the AppConnect app configuration for the app (Setting Type is APPCONFIG) and Click Edit.
3. If you have not created an AppConnect app configuration, select Add New > AppConnect > Configuration.
4. In the AppTunnel Rules section, in the Identity Certificate field, specify a valid client certificate.
5. Click Save.

Make sure you have applied the appropriate labels to the AppConnect app configuration.

Rules display

This display shows each AppTunnel rule configured on the app’s AppConnect app configuration. The following table shows the display fields for each rule and the corresponding fields in the AppConnect app configuration:

 

Table 54.   AppTunnel rules display fields and troubleshooting actions

Field name

Description

Troubleshooting actions

Pattern

Corresponds to the URL Wildcard field of the AppConnect app configuration.

 

Make sure the field contains the hostname that the app is trying to access. The pattern can contain the wildcard *.

The app data is tunneled only if the hostname and port number in the app’s request matches the Pattern field and Port field.

Exception: For iOS apps using AppConnect releases prior to AppConnect for iOS SDK 2.5 and AppConnect for iOS Wrapper 2.7, only the request’s hostname, not the port number, determines whether the app data is tunneled.

Port

Corresponds to the Port field of the AppConnect app configuration.

Make sure the field contains the port number that the app is trying to access.

The app data is tunneled only if the hostname and port number in the app’s request matches the Pattern field and Port field.

Exception: For iOS apps using AppConnect releases prior to AppConnect for iOS SDK 2.5 and AppConnect for iOS Wrapper 2.7, only the request’s hostname, not the port number, determines whether the app data is tunneled.

Service

Corresponds to the Service field of the AppConnect app configuration.

The value specifies an AppTunnel service configured in the AppTunnel Configuration section of the specified Sentry.

Make sure the service corresponds to an AppTunnel service on the Sentry that accesses the intended app server.

In the Admin Portal for MobileIron Core:

1. Go to Services > Sentry.
2. Select the appropriate Sentry and click Edit.
3. In the AppTunnel Configuration section, make sure the Server List for the service includes the intended app server.

Sentry ID

The MobileIron Core internal ID for the Sentry.

Only for use by Ivanti Technical Support.

Sentry display

This display lists the Sentries that are configured for AppTunnel for this app. Make sure they are what you expect.

Table 55.   Sentries display fields and troubleshooting actions

Field name

Description

Troubleshooting actions

ID

The MobileIron Core internal ID for the Sentry.

For use only by Ivanti Technical Support.

Host

Sentry host name

Make sure this Sentry is one you intended for AppTunnel for this app.

Port

Port opened to MobileIron Core.

 

Protocol Version

Protocol version between the Sentry and MobileIron Core

For use only by Ivanti Technical Support.

Certificate

This is the certificate that the AppConnect Library in the app uses to know that the Sentry used for AppTunnel is a trusted server.

A valid pinned Sentry certificate must be available for tunneling.

Tap to see certificate information, including whether the certificate has expired.

To view the Sentry certificate in the Admin Portal for MobileIron Core.

1. Go to Services > Sentry.
2. Find the line for the appropriate Sentry.
3. Click View Certificate.

“Managing certificates for Standalone Sentry” in the Sentry Guide for Core.

Sentry Certificate display

Make sure this is the certificate you intended for devices to use to know that the Sentry used for AppTunnel is a trusted server. Check the certificate fields, including whether the certificate has expired. You sometimes have to scroll down the screen to see all the fields.

Note the following:

If necessary, tap on a field to view the entire string.

Scroll down to see additional fields.

Table 1. Sentry certificate display fields and troubleshooting actions

Field name

Description

Troubleshooting actions

Subject

You can compare the certificate values to the values on the Core Admin Portal:

1. Go to Services > Sentry.
2. Find the line for the appropriate Sentry.
3. Click View Certificate.

 

Uploading a valid Sentry certificate to Standalone Sentry

Common Name

 

Country

 

Email Address

 

Organization

 

Organizational Unit

 

State/Province

 

Issuer

Common Name

 

Country

 

Organization

 

Organizational Unit

 

Serial Number

 

State/Province

 

Version

 

Validity

Not Valid After

Expiration date

Make sure that the certificate has not expired.

Not Valid Before

Initial date

Make sure that the certificate is valid.

Uploading a valid Sentry certificate to Standalone Sentry

If the certificate is not valid, upload a valid certificate.

In the Admin Portal for MobileIron Core:

1. Go to Services > Sentry.
2. Find the line for the appropriate Sentry.
3. Click Manage Certificate.
4. Select Upload Certificate.
5. Click Browse.
6. Select the certificate and click Upload Certificate.
7. Click View Certificate to verify the certificate.

“Standalone Sentry certificate” in the Sentry Guide for Core.

AppTunnel configuration troubleshooting checklist

If an app is not successfully tunneling to its app server, check the following in the MobileIron Core Admin Portal:

 

Table 56.   AppTunnel configuration troubleshooting checklist

Admin Portal location

Troubleshooting actions

Settings > Additional Products > Licensed Products

Make sure you have enabled the appropriate products.

Make sure you have selected App Tunnel for Third-party and In-house apps, if you are using AppTunnel for any app besides [email protected]

Policies & Configs > Policies

AppConnect global policy

Check the AppConnect global policy configuration:

1. In the AppConnect field, make sure you have selected Enabled.
2. Make sure AppConnect global policy is applied to a label belonging to the device. If you are using the default AppConnect global policy, this step is not necessary.
3. If you do not create an AppConnect container policy for the app, select Authorize for Apps without an AppConnect container policy.

Services > Sentry

Make sure the Standalone Sentry is configured with a certificate that devices use to know that the Sentry used for AppTunnel is a trusted server.

To view the Sentry certificate in the Admin Portal for MobileIron Core.

1. Go to Services > Sentry.
2. Find the line for the appropriate Sentry.
3. Click View Certificate.

Services > Sentry

Make sure the Standalone Sentry is configured for AppTunnel for the app:

1. Make sure Enable AppTunnel is selected.
2. In Device Authentication Configuration, make sure the correct, valid Trusted Root Certificate is uploaded.
3. In AppTunnel Configuration, make sure you have configured the Services.

Policies & Configs > Configurations

AppConnect container policy

Check the AppConnect container policy for the app. Make sure it is applied to a label belonging to the device.

You do not need an AppConnect container policy if the AppConnect global policy selects Authorize for Apps without an AppConnect container policy.

Policies & Configs > Configurations

AppConnect app configuration

Check the AppConnect app configuration for the app:

1. Make sure the AppTunnel Rules point to the intended Sentry and service.
2. For Identity Certificate, make sure you have selected the correct certificate, issued from the trusted root Certificate Authority indicated by the Trusted Root Certificate uploaded to the Sentry.
3. Make sure the certificate has not expired and that its initial validity date is in the past.
4. Make sure AppConnect app configuration is applied to a label belonging to the device.