Configuring Email+ with Ivanti Tunnel for Android Enterprise

Configure Email+ with Ivanti Tunnel to setup access to Exchange server through Exchange Web Services (EWS) protocol and to support Email+ configuration when VPN access is required.

Before you begin

Configure Email+ Android Enterprise
Add Local certificate authority (CA), see Configuring Ivanti EPMM as an independent root CA (Self-Signed) section in the Ivanti EPMM Device Management Guide for Android and Android Enterprise Devices

The following steps describe how to configure AppTunnel with Standalone Sentry.

Procedure

In the Ivanti EPMM Admin Portal, go to Services > Sentry > Add New > Standalone Sentry.
In the New Standalone Sentry window, enter the Sentry Hostname / IP name.
Select the Enable AppTunnel check box, and deselect Enable ActiveSync .

If Enable AppTunnel is enabled, other Sentry services such as Kerberos Proxy and Email+ Notification Service are disabled.
In the Device Authentication Configuration section:
- Select Identity Certificate from the drop-down menu.
- Upload Local CA to the Trusted Root Certificate Upload field.
In the AppTunnel Configuration section, add <IP_ANY> as AppTunnel service in Services.
In the Ivanti EPMM Admin Portal, go to Services > Sentry > Standalone Sentry and click on Manage Certificate for configuring Standalone Sentry.
In the Manage Certificate window, from the Certificate Options drop-down menu select Upload Certificate to add public certificate to Standalone Sentry.

Configuring Ivanti Tunnel for Email+ Android Enterprise

The following steps describe how to configure Ivanti Tunnel rules for Email+.

Procedure

In the Ivanti EPMM Admin Portal, go to Apps > App Catalog > +Add.
Select the Ivanti Tunnel app for Android Enterprise and click Edit.
Scroll down to Configuration Choices.

Click Add+ to add a new Tunnel configuration. In the Default Configuration for Ivanti Tunnel section update the following restrictions.

Restriction	Description
Sentry Server	Specify the FQDN for the Sentry server that is configured with the IP_ANY service. Configure Sentry Server if you selected one of the following Tunnel profile modes: Sentry Profile Only Sentry + Access Profile
AddedRoutes	Enter the network routes that are allowed through Tunnel. Use CIDR format. Each entry in the list is separated by a semicolon (;). IPv4 only. This enables split tunneling where only specific traffic can be taken through Tunnel. The routes configured only impact apps that use Tunnel. Example: 10.0.0.0/8;101.210.48.9/32
ClientCertAlias	This is the certificate alias set up with local certificate from the same CA that was uploaded to sentry. The value is $CERT_ALIAS:<name-of-SCEP>$ where <name-of-SCEP> is the Certificate Enrollment setting configured in Ivanti EPMM UI. Example: $CERT_ALIAS:scepIdentityCert$ where scepIdentityCert is the name of the SCEP configured in Ivanti EPMM.
DisablePinning	Check Disable pinning

After configuring and successfully connecting the Email+ app with Ivanti Tunnel, the Tunnel record appears in Apps > App Tunnels.