Configuring certificate-based tunneling for IBM Verse clients on Android enterprise

You can set up certificate-based tunneling for IBM Verse clients using Standalone Sentry on Android enterprise devices. Certificate -based tunneling only supports SyncML traffic. Certificate-based tunneling does not require Ivanti Tunnel or AppConnect.

Before you begin 

Ivanti EPMM must be set up for Android enterprise. For more information, see Ivanti EPMM Device Management Guide for Android and Android Enterprise devices.

Ivanti EPMM must be set up as an independent root CA. See the “Configuring Ivanti EPMM as an independent root CA (Self-Signed)” section in the Ivanti EPMM Device Management Guide for Android and Android Enterprise devices for information on how to create a local CA and the corresponding Local certificate enrollment setting.

Add the following for Subject Alternative Names in the Local certificate enrollment setting:

Type: Uniform Resource Identifier


The URI scheme, cbt,, is case insensitive. is the hostname and can be anything.

Ensure that the Local certificate enrollment setting is applied to a label containing the Android enterprise devices which will use certificate-based tunneling.

Standalone Sentry must be enabled for AppTunnel and set up to do device authentication using Identity certificates. Upload the Ivanti EPMM local self-signed CA in Standalone Sentry settings in the  Ivanti EPMM Admin Portal.

Both Pass Through and Kerberos are supported for server authentication.


1. In the Ivanti EPMM Admin Portal, go to Services > Sentry.
2. Click the edit icon for a Standalone Sentry that is enabled for AppTunnel and configured to use Identity certificates for device authentication.
3. In the AppTunnel Configuration section, add an AppTunnel service in Services.



Service Name

Enter a name for the service in the following format:


The FQDN is for the external hostname assigned to Ivanti Standalone Sentry.


Server Auth

Select Pass Through.

Server List

Enter the backend resource’s host name or IP address (usually an internal host name or IP address). Include the port number on the backend resource that Ivanti Standalone Sentry can access.

You can enter multiple servers. Standalone Sentry uses a round-robin distribution to load balance. That is, it sets up the first tunnel with the first resource, the next with the next resource, and so on. Separate each resource name with a semicolon.;

TLS Enabled

Select if the servers listed in the Server List field require SSL.


Select if you want to direct the AppTunnel service traffic through the proxy server.

You must also have configured Server-side Proxy or Advanced Traffic Control (ATC).

Server SPN List

Enter the Service Principal Name (SPN) for each server, separated by semicolons.

4. Click Save.