Configuring Email+ with MobileIron Tunnel for Android Enterprise

Configure Email+ with MobileIron Tunnel to setup access to Exchange server through Exchange Web Services (EWS) protocol and to support Email+ configuration when VPN access is required.

Before you begin 

The following steps describe how to configure AppTunnel with Standalone Sentry.


  1. In the Core Admin Portal, go to Services > Sentry > Add New > Standalone Sentry.

  2. In the New Standalone Sentry window, enter the Sentry Hostname / IP name.

  3. Select the Enable AppTunnel check box, and deselect Enable ActiveSync .

    If Enable AppTunnel is enabled, other Sentry services such as Kerberos Proxy and Email+ Notification Service are disabled.

  4. In the Device Authentication Configuration section:

    • Select Identity Certificate from the drop-down menu.

    • Upload Local CA to the Trusted Root Certificate Upload field.

  5. In the AppTunnel Configuration section, add <IP_ANY> as AppTunnel service in Services.
  6. In the Core Admin Portal, go to Services > Sentry > Standalone Sentry and click on Manage Certificate for configuring Standalone Sentry.
  7. In the Manage Certificate window, from the Certificate Options drop-down menu select Upload Certificate to add public certificate to Standalone Sentry.

Configuring MobileIron Tunnel for Email+ Android Enterprise

The following steps describe how to configure MobileIron Tunnel rules for Email+.


  1. In the Core Admin Portal, go to Apps > App Catalog > +Add.
  2. Select the MobileIron Tunnel app for Android Enterprise and click Edit.
  3. Scroll down to Configuration Choices.
  4. Click Add+ to add a new Tunnel configuration. In the Default Configuration for MobileIron Tunnel section update the following restrictions.
    Restriction Description
    Sentry Server

    Specify the FQDN for the Sentry server that is configured with the IP_ANY service. Configure Sentry Server if you selected one of the following Tunnel profile modes:

    • Sentry Profile Only

    • Sentry + Access Profile


    Enter the network routes that are allowed through Tunnel. Use CIDR format. Each entry in the list is separated by a semicolon (;). IPv4 only.

    This enables split tunneling where only specific traffic can be taken through Tunnel.

    The routes configured only impact apps that use Tunnel. Example:;


    This is the certificate alias set up with local certificate from the same CA that was uploaded to sentry. The value is

    $CERT_ALIAS:<name-of-SCEP>$ where <name-of-SCEP> is the Certificate Enrollment setting configured in Core UI. Example: $CERT_ALIAS:scepIdentityCert$ where scepIdentityCert is the name of the SCEP configured in Core.


    Check Disable pinning

    After configuring and successfully connecting the Email+ app with MobileIron Tunnel, the Tunnel record appears in Apps > App Tunnels.