Description of configurations in Ivanti EPMM

This section provides a more detailed description of the configuration steps referenced in Overview of configuration on Ivanti EPMM. The following configurations are described:

Configuring SCEP settings

Create a SCEP setting if your Exchange server and the EWS service require certificate authentication. You will reference the name of this SCEP setting in the AppConnect configuration for Email+ to generate the login certificate for Email+, so that the Exchange server and EWS trust the device.


  1. In the Admin Portal, go to Policies & Configs > Configurations.
  2. Select Add New > Certificate Enrollment > SCEP.
  3. In the New SCEP Setting window, configure the settings based on your SCEP requirements.
  4. Click Save to save the SCEP setting.
  5. Click OK to dismiss the prompt indicating the successful creation of your SCEP setting.
  6. You will reference this SCEP setting in the AppConnect app configuration for Email+ using the key email_login_certificate.
  • “Configuring SCEP” in the Ivanti EPMM Device Management Guide for iOS and macOS Devices.

Configuring an AppTunnel service

You create an AppTunnel service in Standalone Sentry as part of an AppTunnel setup.

Before you begin 

Ensure that you have a Standalone Sentry that is set up for AppTunnel and the necessary device authentication is also configured. See “Configuring Standalone Sentry for app tunneling” in the Ivanti Sentry Installation Guide.


  1. In the Ivanti EPMM Admin Portal, go to Services > Sentry.
  2. Edit the entry for the Standalone Sentry that supports AppTunnel.
  3. In the App Tunneling Configuration section, under Services, click + to add a new service.
  4. Use the following guidelines to configure an AppTunnel service:



    Service Name
        Select <ANY>. The Service Name is used in the AppConnect app configuration for Email+.

    Server List
        Select the Standalone Sentry.

    TLS Enabled

    Server SPN List


  5. Click Save.

Updating the AppConnect app configuration for Ivanti Email+

Update the AppConnect app configuration for Email+ for iOS, so that Email+ on iOS devices is authorized to get real-time notifications from CNS.


  1. In the Ivanti EPMM Admin Portal, go to Policies & Configs > Configurations.
  2. Select the AppConnect app configuration you created for Email+.
  3. Click Edit.
  4. Add an AppTunnel rule that points to the Standalone Sentry on which you configured the AppTunnel service.
    1. For URL Wildcard, enter the Exchange server’s IP address or FQDN.
  5. For Identity Certificate, select the Certificate Enrollment setting you configured for Standalone Sentry. You created this Certificate Enrollment setting as part of the Standalone Sentry setup for identity certificate with Pass through.
  6. Add the necessary key-value pairs.
  7. Click Save.
  8. Ensure that the configuration is applied to the labels that contain the devices to which you want to push the configuration. The updated AppConnect app configuration for Email+ for iOS will be sent to devices at the next sync interval.

See Key-value pairs for real-time push notifications for a list of key-value pairs.