Application-triggered VPN for Windows devices

Administrators can specify which applications trigger a VPN connection and which do not. Ivanti EPMM exposes all key-value pairs for app trigger and app filter rules so that administrators can manually add AppTrigger rules separately from TrafficFilter rules, rather than having them added automatically whenever a TrafficFilter rule is applied to an application.

Previous to the Ivanti EPMM release, Ivanti EPMM automatically added an AppTrigger rule whenever adding the TrafficFilter rule, without also including the AppTrigger in the Admin Portal. As of, if you set up VPN profiles in previous releases these profiles will not change, but Ivanti EPMM automatically adds the AppTrigger rule that it added in the background with the TrafficFilter rule. Both are included in the Policies & Configs > Configurations > Add New > VPN > Custom Data table.

With this separation between AppTrigger and TrafficFilter rules, you can remove a rule if you do not want to trigger the VPN on an application. While existing profiles will not change, you can modify existing rules or configure them to separate between trigger and filter.

Configuring VPN triggers

Use these steps to set up VPN triggers by connecting AppTrigger with TrafficFilter rules.

To configure VPN triggers:

  1. Log into the Admin Portal.
  2. Go to Policies and Configs > Configurations.
  3. Click Add New > VPN.
  4. Scroll to the Custom Data section.
  5. Enter a TrafficFilter rule in the KEY column.
  6. Enter the application to trigger the VPN in the VALUE column.
  7. Enter an AppTrigger to pair with the TrafficFilter.
  8. Enter the same application in the VALUE column.
  9. Click Save.

How to set up exclusions for VPN traffic

If the VPN configuration is set up to send all traffic through VPN, you can configure exclusions.

To exclude traffic from using VPN:

  1. In the Admin Portal, go to Policies and Configs > Configurations.
  2. Click Add New > VPN, or select an existing VPN setting to Edit.
  3. Ensure that Send All Traffic is checked.
  4. In the Excluded Secured Resources (Windows Phone only) section, click Add +.

    Create a separate entry for each domain name, IP range, or app.

  5. Enter the following information:



    Secured Resources

    Enter one of the following:

    • Domain name: Apps connecting to the domain name will be excluded from using the VPN connection. Wildcard '*' prefix is required.

    Example: *

    We also strongly suggest adding * to the exclusion list. This excludes the use of VPN when the device connects to Ivanti EPMM. If your Ivanti EPMM domain is not in the exclusion list and the device fails to establish a VPN connection, the device will not be able to connect to Ivanti EPMM.

    • Valid IP range: Enter IP range. Apps connecting to an IP address in the range will be excluded from using the VPN connection. You must enter a valid IP range.


    • App GUI ID: Enter the GUID for the app. Traffic from the app will be excluded from using the VPN connection.


    Enter a description for the secure resource.

  6. Click Save.
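
A pre-check for the exclusion entries described above, as an added example that is not part of the Ivanti documentation. It assumes the `*.suffix` domain form, a `start-end` IP range syntax, and suffix matching for wildcard domains, none of which this page specifies; the host name and entries are constructed.

```python
import ipaddress
import re

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
LABELS_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)


def classify(entry):
    """Return (kind, value) for one exclusion entry, or raise ValueError."""
    entry = entry.strip()
    if entry.startswith("*"):  # domain entries must carry the '*' prefix
        suffix = entry[1:].lstrip(".")
        if not LABELS_RE.match(suffix):
            raise ValueError(f"bad wildcard domain: {entry!r}")
        return "domain", suffix.lower()
    if GUID_RE.match(entry):  # test before IP ranges: GUIDs also contain '-'
        return "app_guid", entry.lower()
    start, sep, end = entry.partition("-")  # assumed range syntax: start-end
    if sep:
        try:
            lo, hi = ipaddress.ip_address(start.strip()), ipaddress.ip_address(end.strip())
        except ValueError:
            raise ValueError(f"not a valid IP range: {entry!r}") from None
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"not a valid IP range: {entry!r}")
        return "ip_range", (lo, hi)
    raise ValueError(f"domain without '*' prefix, or malformed entry: {entry!r}")


def review(entries, epmm_host):
    """Sort entries into accepted/rejected and report whether a wildcard
    domain entry covers epmm_host (only domain entries are considered)."""
    accepted, rejected = [], []
    for e in entries:
        try:
            accepted.append(classify(e))
        except ValueError as err:
            rejected.append(str(err))
    host = epmm_host.lower()
    covered = any(
        kind == "domain" and (host == v or host.endswith("." + v))
        for kind, v in accepted
    )
    return accepted, rejected, covered


# Constructed sample entries; none of these values come from the page.
SAMPLE = ["*.corp.example", "10.0.0.1-10.0.0.254", "corp.example",
          "10.0.0.9-10.0.0.1", "0f8fad5b-d9cb-469f-a165-70867728950e"]
```

Calling `review(SAMPLE, "epmm.corp.example")` rejects the domain without a wildcard and the reversed range, and reports the EPMM host as covered by `*.corp.example`.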

How to get the app GUID for a Windows Phone 8.1 device app

To get the app GUID for an 8.1 app:

  1. Go to the Windows Phone 8.1 app store.
  2. Search and click on the app for which you want the app GUID.

    The app GUID is the string of numbers and letters at the tail end of the URL in the address bar of the app details page.