Configuring Email+ with Ivanti Tunnel for Android Enterprise

Configure Email+ with Ivanti Tunnel to setup access to Exchange server through Exchange Web Services (EWS) protocol and to support Email+ configuration when VPN access is required.

Before you begin 

The following steps describe how to configure AppTunnel with Standalone Sentry.


  1. In the Ivanti EPMM Admin Portal, go to Services > Sentry > Add New > Standalone Sentry.

  2. In the New Standalone Sentry window, enter the Sentry Hostname / IP name.

  3. Select the Enable AppTunnel check box, and deselect Enable ActiveSync .

    If Enable AppTunnel is enabled, other Sentry services such as Kerberos Proxy and Email+ Notification Service are disabled.

  4. In the Device Authentication Configuration section:

    • Select Identity Certificate from the drop-down menu.

    • Upload Local CA to the Trusted Root Certificate Upload field.

  5. In the AppTunnel Configuration section, add <IP_ANY> as AppTunnel service in Services.
  6. In the Ivanti EPMM Admin Portal, go to Services > Sentry > Standalone Sentry and click on Manage Certificate for configuring Standalone Sentry.
  7. In the Manage Certificate window, from the Certificate Options drop-down menu select Upload Certificate to add public certificate to Standalone Sentry.

Configuring Ivanti Tunnel for Email+ Android Enterprise

The following steps describe how to configure Ivanti Tunnel rules for Email+.


  1. In the Ivanti EPMM Admin Portal, go to Apps > App Catalog > +Add.
  2. Select the Ivanti Tunnel app for Android Enterprise and click Edit.
  3. Scroll down to Configuration Choices.
  4. Click Add+ to add a new Tunnel configuration. In the Default Configuration for Ivanti Tunnel section update the following restrictions.
    Restriction Description
    Sentry Server

    Specify the FQDN for the Sentry server that is configured with the IP_ANY service. Configure Sentry Server if you selected one of the following Tunnel profile modes:

    • Sentry Profile Only

    • Sentry + Access Profile


    Enter the network routes that are allowed through Tunnel. Use CIDR format. Each entry in the list is separated by a semicolon (;). IPv4 only.

    This enables split tunneling where only specific traffic can be taken through Tunnel.

    The routes configured only impact apps that use Tunnel. Example:;


    This is the certificate alias set up with local certificate from the same CA that was uploaded to sentry. The value is

    $CERT_ALIAS:<name-of-SCEP>$ where <name-of-SCEP> is the Certificate Enrollment setting configured in Ivanti EPMM UI. Example: $CERT_ALIAS:scepIdentityCert$ where scepIdentityCert is the name of the SCEP configured in Ivanti EPMM.


    Check Disable pinning

    After configuring and successfully connecting the Email+ app with Ivanti Tunnel, the Tunnel record appears in Apps > App Tunnels.